Recently, U.S. security officials and private cyber security researchers noted that computer hacking is on the rise at energy companies, perhaps much more than we may realize. Moreover, due to the industry’s relatively high degree of automation and interconnectedness, the effects of a cyber attack could be highly damaging to these companies. These effects can include the loss of equipment (for example, failed pressure-valve systems), the loss of competitive advantage (for instance, through the loss of confidentiality of production data or possible drilling sites), and even the loss of life.
The Department of Homeland Security says it received reports of 59 cyber incidents at energy companies in 2016, up one-third from the previous year. The agency worked to mitigate 290 incidents last year across more than a dozen industries that rely on computer controls to run industrial sites, including manufacturing sites, power-generation facilities, refineries, chemical plants and nuclear facilities.
More than one-fourth of the intrusions came from so-called spear phishing emails that hackers use to dupe people into downloading infected attachments or clicking on virus-laden links. More than one in 10 of the intrusions came from network probing and scanning.
“Every year, adversaries develop increasingly sophisticated attacks against control system networks,” Homeland Security's Industrial Control Systems Cyber Emergency Response Team said.
The increased number of intrusions into energy computer controls in 2016, according to Homeland Security data, brings the number of such incidents in the industry to more than 400 since 2011. However, security specialists note that this number is most likely on the low end because energy companies aren’t required to report cyber attacks to the U.S. government. In fact, in another report, researchers at San Antonio-based Dragos Security say they believe computer controls at industrial facilities, including in the oil industry, get infected by non-targeted malware at least 3,000 times a year. According to the Houston Chronicle, Dragos Security “arrived at this conservative estimate of worldwide industrial cyber attacks after studying 30,000 samples of infected control system files submitted over the past decade and a half to a publicly available database called VirusTotal, a web service owned by Google.”
Furthermore, the findings from Dragos Security show that malware that isn't even tailored to industrial controls finds its way into critical technology. Some of the malware can spread through these systems with ease, and some was designed many years ago. This happens particularly when a company is not vigilant about cyber hygiene; it can end up being infected by a virus written years ago.
It’s important to note that it’s not very clear how many of the infected industrial facilities found by Dragos Security were tied to the energy industry. The findings do reveal, however, that oil companies that rely on automated computer controls to run refineries, pipelines and offshore platforms must take the threat of cyber risk seriously and invest more in security.
As one of the largest MGA/Underwriting Manager/Wholesalers in the country, RPS partners with leading insurers to provide custom insurance solutions for the energy industry, including for oil and gas operators, petrochemical operations, and alternative and renewable energy companies.