Energy companies will need to significantly increase their focus on cyber security in the next three to five years if they wish to keep ahead of the increasing risks to their business from direct cyber attack and malware.
The oil and gas sector will need to invest around $1.87 Bn USD in upgrading its SCADA* and general corporate systems to defend against direct cyber attack and malware, according to technology intelligence company ABI Research.
There have been several attacks targeted at oil and gas firms in the last two years, including:
- Night Dragon in 2011, originating from China according to McAfee. The attacks were a mixture of social engineering and unsophisticated hacks with the aim of gaining access to corporate forecasts and market intelligence from petrochemical firms. Most alarming was the assertion by McAfee that it had been undetected for up to four years.
- Shamoon targeted Saudi Aramco in 2012, taking out up to 30,000 workstations. This attack has been linked to (and disputed by) Iranian interests.
The examples given are of attacks on energy companies’ corporate systems. The fear is that issue-motivated groups or nation states might now choose to attack poorly protected SCADA systems owned by oil and gas companies. The ability to do this has been demonstrated in the wild with Stuxnet, but not on energy installations.
What are the key security issues surrounding SCADA systems?
- The general observation that SCADA systems are built for throughput, and security is bolted on as an afterthought, rather than being built in at the design stage.
- An overemphasis on security through obscurity, with the belief that the use of specialised protocols and proprietary hardware provides more than cursory protection against cyber-attack. It is better to assume the enemy knows or will know the system.
- Over-reliance on physical security to provide protection.
- An assumption that the SCADA system can be kept unattached to the Internet and therefore will be secure.
A bit of background.
SCADA systems have been around since the mainframe era. However, these systems were based on proprietary hardware and software and they weren’t connected to open systems. The main threat to these systems was the ‘trusted insider’, such as when a disgruntled contractor, Vitek Boden, used his knowledge and some ‘acquired’ proprietary hardware to cause sewage to overflow in a plant in Maroochy Shire, Queensland.
In the 1990s, SCADA systems began to be built using the same technology as the Internet (TCP/IP), and early this century companies began to connect these systems to the Internet. In 2010, Stuxnet apparently caused centrifuges to spin out of control and self-destruct in nuclear processing plants at Natanz in Iran. Attribution is difficult, but the finger is alternately pointed at Israel and the USA (or both).
Organisations, particularly in the oil and gas industry, need to change their approach to cybersecurity and take a holistic and strategic view. This starts at the board level and requires a cultural change. This does not necessarily mean buying the latest machine that goes ‘ping’. It does mean thinking about how to integrate security at the core of the business, just like finance and HR.
More info from ABI research
SCADA – Supervisory Control and Data Acquisition
Photo: Matthew Dance, used under creative commons – http://www.flickr.com/photos/gpmarsh/page4/