Energy companies are facing a rapidly evolving threat from online attackers, some of whom are highly sophisticated, and executives need to pay attention, a defense expert said at a Houston event on Thursday.
Neil Siegel, chief engineer of information systems at Northrop Grumman, discussed online security at a breakfast event hosted by Hart Energy’s Executive Energy Club.
The discussion came as U.S. Energy Secretary Ernest Moniz told reporters in Washington that cyber security is the Energy Department’s “biggest focus,” particularly related to disruption of the electric grid.
The threat to energy businesses extends across the sector, however, from oil fields and refineries, to pipelines and power plants.
Although oil and gas companies use some of the most advanced technologies to analyze and extract resources, they are facing increasingly dangerous threats online, Siegel said.
“The problem is that the cyber threat is also very sophisticated, very motivated and moving very fast and has a lot of resources to apply — whether they are sophisticated criminal organizations or actual other nation-state resources,” Siegel said. “And the oil and gas industry is a very attractive target.”
Some oil and gas executives at the event voiced skepticism about an online attacker’s interest in damaging one of their facilities in a way that might harm people or the environment, but speakers said it was well within the realm of possibility.
Criminal organizations may take such a step to gain a financial benefit in the stock market or otherwise, said Donald L. Paul, executive director of the University of Southern California’s Energy Institute and the former chief technology officer at Chevron.
“One motivation for an attack on our industry might be to have an adverse effect on the people and countries who use your products,” Siegel added.
To better address online threats, companies should stop thinking about how to prevent attacks and start thinking about their computer security the way they have grown accustomed to thinking about safety in operations, Paul said.
“It has technical roots…but fundamentally it’s a management problem and the analog that comes to mind is safety and the elements that go into safety,” Paul said.
By establishing a corporate culture that emphasizes secure technology operation, or by using technology that enables better security, oil and gas companies can better manage computer security, he said.
He said companies should set out goals to establish leadership, effective processes, culture and technology to improve security.
Siegel said a company’s efforts to address computer security should start with a deep look at what an attacker might want to target.
“You need to rigorously think through the question of what are the items that you need to protect,” Siegel said. “This is a good indication of why you can’t give a problem to the (information technology) department, because the IT department is not going to understand the operations enough to know.”
The second big question is gauging how the company is vulnerable to an online attack that might target those items that need to be protected, he said.
“This is a very complex thing,” Siegel said. “It changes every day.”
But determining how vulnerable or secure a company is to an attack is an intense process that cannot rely on antivirus software or internal personnel alone, he said.
“It is probably the most important step,” Siegel said. “It’s one that most organizations will need outside help to deal with.”
Jennifer A. Dlouhy contributed reporting from Washington