Many energy companies lagging in cybersecurity efforts, expert says

Energy companies are continuing to be hit by cyberattacks, in large part because of complacency by executives who don’t understand the threat, a Verizon executive said Thursday.

Many energy companies have not adjusted their security efforts, often getting hit by attacks before realizing they are vulnerable, said Sean McGurk, Verizon’s global managing principal for industrial control systems cybersecurity.

“We usually get the same answer,” said McGurk, who added that oil executives sometimes don’t alter their security protocols because they say, “We’ve always done it that way.”

McGurk made his comments while speaking on a panel at the Bloomberg Oil & Gas Conference, held in a room below dinosaur fossils and energy exhibits at the Houston Museum of Natural Science.

While the energy industry has emphasized employee awareness for behavior that improves physical safety, few companies have made the same efforts in the realm of computer security, McGurk said.

Malware: Shutdown means more delays on cybersecurity

That has left many energy companies with huge ranks of employees extremely vulnerable, he said.

For example, even though some companies have told employees not to use removable USB drives in computers, workers continue to plug cell phones into their machines, McGurk said.

“These are network-enabled, wirelessly available platforms that people are bringing into an operational environment and they are plugging them in for power,” he said.

Cell phones can carry malicious files, just as USB drives can, McGurk said.

But companies have done such a poor job at educating employees about online risks that even when companies have blocked out USB ports with epoxy, workers have found other ways to plug in cell phones and devices, he said.

“They remove the keyboard USB cable and plug the device in the back of the computer,” McGurk said.

He said educating employees about the risks of poor computer habits is the most important step companies can take toward protecting themselves from risks.

And the risks of online attacks are serious. An attack last year targeting the world’s largest oil producer — Saudi Aramco — was aimed at stopping its production operations and ripped through 30,000 computers. Malware has infected offshore rigs and forced some to shut down for weeks, at a potential cost of millions of dollars in lost productivity.

“An informed, educated prepared workforce is your first line of defense,” McGurk said.

Companies need to also think less about a “perimeter mentality” toward Internet security and focus on threats from within the company, said Emile Trombetti, senior vice president for Booz Allen Hamilton.

That’s because hackers and malicious code is making it onto company networks, despite their efforts to keep attackers out, Trombetti said.

“You cannot assume anymore than hackers and malware are not in your system,” he said. “They are… The issue now becomes how do you track unusual activity within your environments to find out if intellectual capital has been stolen?”

Major challenge for companies today are social engineering and spear phishing, which attackers use place malicious links in emails to company workers that are crafted using personal information about employees’ lives, Trombetti said.

“I had one of these emails just a few weeks ago,” he said. “They found out my daughter’s name. They found out what school she went to. And they found out her yahoo address. And I get an email that says, ‘Dad, it’s an emergency.’”

Trombetti said he was sifting through dozens of emails at the end of the day and nearly clicked on the link.

“I could just see individuals who were very busy clicking on these things,” he said. “And the minute you do that, you’re infected. And it is so easy to get infected it’s incredible.”