Cybercrime is no longer what happens to “the other guy,” and it doesn’t just break the banks of industry giants. With a whopping 67% increase in incidence rate and a startling 72% rise in cost per company over the past five years, hackers are hunting us all, individuals and industries large and small.
Threats are growing along with impacts, Accenture reported following its Cost of Cybercrime study of 16 industries across 11 countries. Some are even calling the crimes “an act of war.”
And if that’s the case, what kind of defenses are we mounting?
In a perfect world, a company would have an internet-of-things (IoT) laboratory network where it could validate attacks on others and assess its own vulnerability, and then disclose these findings to shareholders and boards of directors.
But even when the information is available, as it is through an organization such as ONG-ISAC, the central reservoir of cyber threat information for the oil and natural gas industry, companies have to pay attention to the disclosures and heed the warnings from others.
In the recent IoT attack known as Ripple20, 19 vulnerabilities were found in the TCP/IP library on IoT devices. The question, Morrison said, “is when something like this is reported, how many oil and gas companies use that information to determine if they are vulnerable or not? Are they really paying attention?”
The good news is that research companies are scrambling to mount a defense. In mid-June, Siemens announced a collaboration with SparkCognition on DeepArmor Industrial, a system designed to protect endpoint, or remote, operational technology (OT) assets by leveraging artificial intelligence (AI).
“Machine learning (ML) understands what constitutes a threat,” said Leo Simonovich, global head of Industrial Cybersecurity for Siemens. “What we’ve done is … trained ML models to understand the types of attacks that can happen in the OT environment, along with the severity and potential impact of threats.”
Even though there are many vendors already using AI and ML to protect industrial control systems (ICSs) and endpoints, the company claims this is the energy industry’s “first solution capable of detecting and protecting remote assets against cyberattacks.”
Still, while some researchers are making inroads in developing detection and prevention technologies such as encryption of data in motion and hardened endpoints, many companies do not have plans to deploy these technologies.
Forensic cyber and user behavior analytics have the potential to save $1.72 million across all industries; however, only 32% of organizations have deployed these technologies enterprisewide. Clearly, a wider level of adoption could realize greater cost benefits from these technologies. This is according to a 2019 Ponemon survey of 2,647 individuals conducted in 355 companies in 11 countries.
“Several of the majors in Houston do have good cybersecurity groups, but oil and gas typically doesn’t put a ton of money into OT. Their interest is more on the exploration, production, and research side of things, it seems,” said James M.T. Morrison, distinguished technologist in cybersecurity with Hewlett Packard Enterprise.
“Right now, they feel somewhat immune to the attacks. Invulnerable almost.”
The Costs and Consequences
Across all industries, from 2018 to 2019 the cost of malware attacks increased by 11%, and the cost of ransomware by 21%. In the energy industry alone, cybercrimes cost on average $17.84 million a year per utility in 2018, more than in any other industry except the financial sector (Ponemon 2019).
Hacking attacks impact not just the bottom line but also a company’s productivity when the workflow comes to a halt.
“Disruptions in oil and gas are more than just fiscally fatal events. If you have something that breaks in a big midstream process someplace, shutting it down and bringing it back up is not just like rebooting your Windows PC,” said Chris Bronk, assistant professor in the College of Technology at the University of Houston.
In addition to business disruption, lost revenues due to reputational damage, and the cost of preventive threat hunting, there are even worse consequences to human and environmental safety in the form of ruptures, explosions, fires, toxic releases, and spills.
Consider these scenarios:
For example, if a cyberattacker were to obstruct the video stream that enables operators to monitor offshore drilling operations, or delay well-flow information that is necessary for blowout preventers to stop fluid eruptions—including the release of hazardous materials (e.g., chemicals, crude oil)—the impacts could be devastating.
Or, by altering commands sent from internal optimization controllers, a hacker could vary the motor speed and thermal capacity of a sucker rod pump—slowing down or even halting the drilling process.
In another scenario, if a hacker were to fly a drone over a segment of remote pipeline in west Texas, what information, such as wireless emanations, could he glean from its sensors?
Alternately, the attacker could buy one of these sensors for himself—after all, the supply chain does not necessarily know that he is not a petroleum company employee—and then take it into his lab and ‘sniff’ it for potential vulnerabilities. If he breaks one password on a segment of an oil pipeline, he will likely have access to an entire OT network because a company is not going to use separate passwords for separate sensors.
Worse, once on the OT network, the attacker could roam for days under the wire. “Would you have any way of detecting me?” Morrison asked. “We can never assume at any point in time that those networks are completely secure.”
Reference
Ponemon, L. Ninth Annual Cost of Cybercrime Study 2019 (accessed May 2019).