The Colonial Pipeline ransomware attack was a wake-up call about the current shortcomings in industrial cybersecurity. Many of today’s oil companies use more connected technologies that aid in data gathering and overall improved operational oversight. However, as those entities become more dependent on the internet in their workflows, the opportunities for devastating cyberattacks rise.
Here are some reasons why oil cybersecurity must get more robust without delay.
Hackers Are Targeting the Oil Industry More Frequently
Cybercriminals love to wreak maximum havoc with their attacks. Given the world’s dependence on oil, it’s no surprise that the industry is an attractive target. However, you may not realize that many types of cyberattacks have recently become more prevalent in this sector.
The Digital Universe Study from Obrela Security Industries takes an ongoing look at how the cybersecurity landscape has shifted over the last quarter. Its most recent data examines trends from April-June 2021 and how they stack up to that same quarter in 2020. The statistics show some worrisome changes associated with attacks in the oil and gas industry.
There was an 18% increase in cloud-based attacks affecting users or endpoints. The data showed a 22% rise in attacks on the cloud infrastructure itself occurring in the industry. It also pinpointed a 12% climb in attacks on IT infrastructure, as well as a 29% jump in system or perimeter breaches.
The report also mentioned the upward trends for certain kinds of attacks in the oil and gas industry. For example, it had a 22% increase in malware and advanced persistent threats (APT). There were also 12% more attacks associated with malicious insiders and inadvertent actors. However, the news was not all bad. The data indicated a 73% decrease in email attacks and a 4% drop in brand-related cyberattacks.
The information doesn’t clarify, but you could safely assume there’s some overlap between the categories. For example, although the report does not confirm what constitutes a brand-related attack, it’s easy to conclude that cyber incidents in other groups would impact a brand. These statistics drive home why oil company leaders can’t afford to overlook cybersecurity, especially with attack rates rising.
Industrial Cybersecurity Must Improve Along With Innovations
Technology brings new possibilities to the oil industry that was previously out of the question. Consider the example of BP, which created virtual copies of all its production systems. Comparisons occur every hour between the models and the real data to detect irregularities. Plus, engineers can use the virtual data to see the impact of certain procedures before carrying them out. Company representatives also said the system added 30,000 oil barrels to production in a year.
In another instance, BP had to shut down a pipeline in Trinidad and Tobago to perform maintenance. Crews simulated the procedure first, which showed them how to reroute the flows and at which speeds. That approach allowed protecting a large segment of production that would have otherwise been out of commission for the three days of upkeep.
These examples show that it pays off for oil companies to aggressively pursue digitization strategies. Doing that should make them more competitive now and into the future. However, such investments could backfire without sufficient cybersecurity, particularly since attacks are costly to remedy, even when a company is not the direct target.
In one instance, FedEx lost $300 million due to a cyberattack on TNT Express, its daughter company. Besides the immediate costs associated with fixing the damage after an incident, cyberattacks could disrupt current or upcoming projects, causing the affected companies to fall behind schedule.
It’s exciting that companies in the petroleum industry are getting on board with advanced technologies to streamline their operations. However, as decision-makers move ahead with those choices, they must also allocate sufficient resources for oil cybersecurity preparedness. Otherwise, hackers will find and exploit the weaknesses.
Adequate Cybersecurity Requires an All-Encompassing Audit
After a cybersecurity attack happens in the oil industry or elsewhere, there’s often a scramble to figure out what happened and how to prevent a repeat offense. When Colonial Pipeline CEO Joseph Blount stood in front of U.S. Senate committee members, he confirmed that the attack occurred via a legacy VPN tool that did not have multifactor authentication enabled.
Blount continued by saying, “It was a complicated password, I want to be clear on that. It was not a Colonial123-type password.” He also said the company had invested $200 million to improve its IT infrastructure over the past five years, including enhancing cybersecurity. However, the executive admitted that the company did not have a specific ransomware mitigation response strategy.
That shows a major oversight, especially considering how ransomware is a worsening problem that can quickly accelerate once a hacker gets into a company’s network. One recent study of victims showed that 56% reported that perpetrators took control of data and demanded ransom within just 12 hours. Another 30% said those things happened within 24 hours.
In another study about ransomware striking industries, 66% of companies reported revenue losses, while 53% cited brand and reputational damage. There were also some unexpected effects. For example, 32% said they lost C-level talent as a direct result of cyberattacks.
Ransomware is not the only industrial cybersecurity risk, of course. However, it’s one that’s gained above-average attention in the oil industry due to recent events. When company representatives attempt to tighten cybersecurity, they’ll get the best results by conducting a detailed audit to see where weaknesses lie. That makes it easier to prioritize those issues and address them.
Third-Party Providers Get Targeted, Too
Improving industrial cybersecurity in the oil industry is not only about changing a company’s internal practices. That’s a great start, but staying protected also means holding third-party companies accountable for having appropriate cybersecurity measures in place.
In July 2021, oil company Saudi Aramco confirmed that hackers stole 1 TB of proprietary data and put it up for sale on the dark web with a negotiable $5 million price tag. Company representatives blamed third-party contractors for the incident and said it did not affect operations.
A threat actor group known as ZeroX claimed responsibility for the attack, which involved data from 1993 to the present. However, the hackers did not verify which vulnerability they exploited to gain access.
However, other details about the attack show the forethought of those responsible. For example, the group posted a sample of the oil company’s information on a data breach market forum in June 2021 with redacted details. They did that to raise interest in the material before orchestrating the full hack.
Additionally, a countdown timer of 662 hours accompanied the forum post. Negotiations for the data would start only after the clock ran down. The hackers also said the 662 number was an intentional choice that presented a puzzle for the victims to solve. They did not elaborate, however.
Oil Cybersecurity Taking Priority
This overview highlights why oil company executives must take cybersecurity seriously. Besides upgrading their defenses accordingly, it’s crucial to monitor for new threats and respond accordingly.
Oil and gas operations are commonly found in remote locations far from company headquarters. Now, it's possible to monitor pump operations, collate and analyze seismic data, and track employees around the world from almost anywhere. Whether employees are in the office or in the field, the internet and related applications enable a greater multidirectional flow of information – and control – than ever before.