Two prominent security consultant firms estimate that energy companies, ranging from drillers to pipeline operators to utilities, invest less than 0.2 percent of their revenue in cyber security. For context, that’s at least a third less than the corresponding figure for banks and other financial institutions, according to the consultants, Precision Analytics and the CAP Group.
What makes the lack of investment even more worrisome is that the number of hacker groups targeting the energy sector is soaring. Symantec says it’s tracking at least 140 groups, up from 87 in 2015, some with links to foreign countries. And it’s just one of many security firms working with the industry.
“It’s scary,” said Brian Walker, a former head of Marathon Oil’s global information technology and now an independent consultant. Executives making funding decisions “aren’t necessarily millennials who intuitively understand” how cyberthreats reach seemingly disconnected units, he said.
“It’s guys my age that are the problem,” said Walker, who said he’s in his early 50s. “We’ve been 30-years trained in a world that doesn’t work this way anymore.”
These risks were on full display 4 weeks ago when at least seven pipeline operators from Energy Transfer Partners to TransCanada said their third-party electronic communications systems were shut down. Five of them ultimately confirmed the service disruptions were caused by hacking.
Though the attack didn’t disrupt supply, it served to underscore an ongoing vulnerability to electronic sabotage. It showed how even a minor attack can jump between systems with ripple effects, forcing utilities to warn of billing delays and making it more difficult for analysts and traders to predict a key government report on gas stockpiles.