Insider threat through technology and an HSE culture

The oil and gas industry is worth trillions of dollars. It employs hundreds of thousands of people and it, quite literally, powers the global economy. Like many industries it has transformed over the last decade to become more data and insights driven in order to bring about efficiencies to its operations. It has also diversified, with giants such as Shell and BP investing heavily in the future of renewable energy.

Despite all this transformation, one thing has not changed – how the industry views cyber security. In the US, Precision Analytics LLC and the CAP Group estimated earlier this year that energy companies, ranging from drillers to pipeline operators to utilities, invest less than 0.2 per cent of their revenue in cyber security. Perhaps it is no surprise then that Deloitte revealed the sector to be the second most attacked vertical after retail in 2016.

So, what’s the issue here? Oil companies have ramped up their use of digital technologies, deploying technologies from sensors to artificial intelligence, but have done little to protect this infrastructure from nation-state attacks, ransomware, corporate espionage or insider threats. In an industry driven by innovation, this is a serious blind spot with potentially serious ramifications.

Where do the weaknesses lie?

To see where the weaknesses within oil and gas systems lie, you only need to look at the history of recent attacks. In many of these incidents the industry's industrial control systems (ICS) were the target, as in the monumental attack on Saudi Aramco’s systems in 2012 – an attack few know about, but one which dwarfs headline breaches such as Sony and Yahoo in the last few years.

A great deal of this comes from the use of legacy systems, together with the continual upgrades and additions that follow once an organisation wants more connectivity and automation. It is always going to be easier, and substantially more economical, to add new systems on top of old ones rather than completely replace legacy machinery and controls. This convoluted network of differing systems means that, once a backdoor is established and an attacker has gained access to the network, they can roam about for months leaving little in the way of evidence – known as APT lateral movement. It is within these tangled webs of interconnected systems that attackers lurk and move.

What issues does the oil and gas industry face?

There are several different types of cyber-attacks which are faced in the energy sector. Some of these have existed for decades while others are more recent developments as people look to oil and gas systems for illicit gain.

One of the most substantial issues facing the energy industry is that of nation-state attacks. These can take the form of the unofficial dark arts of a country looking to destabilise another region (2017’s NotPetya attacks against Ukraine) or nation-developed weapons that have fallen into the wrong hands (the Shadow Brokers’ leaking of EternalBlue and the impact this had on the NHS through WannaCry). Oil and gas companies need to protect themselves against these attacks for two reasons. Firstly, the ability of attackers to move between different systems once they have gained access makes oil and gas companies a good stepping stone into government networks; many organisations in the sector are closely intertwined with – or run by – government departments. Secondly, critical infrastructure is the top target when it comes to destabilising a country or region. Shut down the banks and people will be able to get by for a little while. Shutting down the power supply for heating and cooking in the middle of winter is a completely different prospect.

The second source of issues is the insider threat, both malicious and accidental. The term ‘insider threat’ encompasses anyone using legitimate details to gain access to a network, so from a stolen laptop being used by a third party through to the deliberate misuse of network privileges by an employee, the attacks are widespread and – because they use legitimate credentials – much more difficult to spot. A prime example of the devastating impact of an insider threat came from the recent Tesla headlines, with Elon Musk emailing the rest of his company to alert them to the theft and alteration of crucial IP and code by an employee. This resulted in both the employee being sued and the Tesla share price falling by over 5 per cent. All caused by one employee with a grudge and the right details to access the systems – something not far-fetched in the volatile oil and gas industry.

The last and most recent development is the use of infrastructure systems to mine bitcoin. Lucrative in the extreme if done properly, bitcoin mining – the solving of complex mathematical equations in order to receive the currency – consumes a huge amount of power in order to be successful. That is why instances of cryptomining have been seen in critical infrastructure. The recent discoveries at an unnamed water facility in France show how the power of utility sites is being targeted.

How can organisations protect themselves?

For many organisations, the signs of a major nation-state attack or of cryptomining will become clear: a major attack leads to severe disruption of systems and possibly a complete shutdown of production, while cryptomining consumes a large amount of CPU power, be it on ICS systems or on individual endpoints such as laptops. Either would be picked up by the vast majority of the general tests and checks carried out on a daily basis. The real problems with identifying issues come from the insider threat.

To this end, user and entity behaviour analytics (UEBA) technology can help organisations of all sizes monitor their networks for suspicious activity – even when it is happening off the network. UEBA builds a picture of ‘normal’ user behaviour for all employees in order to subsequently identify abnormalities in these patterns, without compromising on privacy. When deployed, such technology will flag suspicious instances – for example, an oil rig driller using their company login details to access recruitment and procurement data in the middle of the night.
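The baselining idea described above, reduced to its simplest form as an added example (this is not code from the article or from any UEBA vendor). It builds a per-user profile of which resources each account normally touches and at what hours, from a few constructed access-log lines, then scores new events against that profile. The log format, user names and resource names are all assumptions for the illustration; a production UEBA product would use richer statistical models and many more signals than the two shown here.

```python
"""Toy UEBA-style baseline and anomaly scoring over constructed access logs."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample logs (not real data). Format assumed for this example:
#   "<ISO timestamp> <user> <resource>"
HISTORY = """\
2018-07-01T07:55 driller_01 drilling_telemetry
2018-07-01T13:10 driller_01 drilling_telemetry
2018-07-01T14:30 driller_01 shift_handover_notes
2018-07-02T08:05 driller_01 drilling_telemetry
2018-07-02T15:45 driller_01 shift_handover_notes
2018-07-01T09:00 hr_analyst_02 recruitment_records
2018-07-01T16:20 hr_analyst_02 recruitment_records
2018-07-02T10:15 hr_analyst_02 procurement_contracts
2018-07-02T17:05 hr_analyst_02 recruitment_records
"""

# New events to score: a normal shift-start login, then the driller touching
# HR and procurement data at 02:40 with otherwise legitimate credentials.
NEW_EVENTS = """\
2018-07-03T08:10 driller_01 drilling_telemetry
2018-07-03T02:40 driller_01 recruitment_records
2018-07-03T02:45 driller_01 procurement_contracts
2018-07-03T09:30 hr_analyst_02 recruitment_records
"""


def parse(log_text):
    """Turn raw log lines into (timestamp, user, resource) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, resource = line.split()
        events.append((datetime.fromisoformat(ts), user, resource))
    return events


def build_baseline(events):
    """Per-user profile: how often each hour of day and each resource was seen."""
    baseline = defaultdict(lambda: {"hours": Counter(), "resources": Counter()})
    for ts, user, resource in events:
        baseline[user]["hours"][ts.hour] += 1
        baseline[user]["resources"][resource] += 1
    return baseline


def score_event(baseline, event, hour_slack=1):
    """Return the list of reasons an event deviates from its user's baseline.

    An empty list means the event looks normal. Two signals are checked:
    a resource the user has never accessed, and activity more than
    `hour_slack` hours away from any hour the user has been active before.
    """
    ts, user, resource = event
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if resource not in profile["resources"]:
        reasons.append(f"resource never accessed before: {resource}")
    # Distance between hours on a 24-hour clock, so 23:00 and 00:00 are adjacent.
    def hour_distance(a, b):
        d = abs(a - b)
        return min(d, 24 - d)
    if not any(hour_distance(ts.hour, h) <= hour_slack for h in profile["hours"]):
        reasons.append(f"activity at {ts.hour:02d}:00 outside observed hours")
    return reasons


def flag_anomalies(history_text, new_text):
    """Build the baseline from history and return every flagged new event."""
    baseline = build_baseline(parse(history_text))
    flagged = []
    for event in parse(new_text):
        reasons = score_event(baseline, event)
        if reasons:
            flagged.append((event[1], event[2], reasons))
    return flagged


if __name__ == "__main__":
    for user, resource, reasons in flag_anomalies(HISTORY, NEW_EVENTS):
        print(f"ALERT {user} -> {resource}: {'; '.join(reasons)}")
```

Only the two 02:40 and 02:45 events are flagged, each for both reasons, while the analyst's own recruitment lookup and the driller's morning telemetry access pass silently; that is the point of the approach, since the credentials in every line are valid and a simple access-control check would have allowed all four.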

Education is also a fundamental piece of the puzzle, and so intelligent approaches to training are a must. But education is just a surface-level tactic; it is something that should be dealt with from company culture upwards. Think about the way oil and gas organisations approach health and safety – it is rigidly ingrained within any oil and gas field operation. There is no reason the same approach cannot be ingrained when it comes to online savviness. From penetration testing and emergency drills through to visuals such as posters across locations, there is plenty of good practice from health and safety that can be used for cyber health too.

Published: 25-07-2018

