In December 2015, hackers shut down power for thousands of Ukrainian electricity customers for six hours in an attack that compromised three power plants.
It was the first known destructive cyberattack against a power grid, and researchers found the lack of detection capability was key to the hacking group’s strategy. Forensic evidence showed the hackers had prowled through systems undetected for more than six months before the attack.
As in Ukraine, the majority of U.S. oil companies still do not have the capability to detect or track malicious activity happening inside industrial control systems and devices like sensors and industrial computer controls, federal cybersecurity officials and security specialists say.
The lack of detection capabilities is perhaps one of the greatest weaknesses in the cyber security of oil and gas companies, government and private security specialists said, potentially allowing intruders to infiltrate networks unseen to seek weaknesses, collect sensitive information and lie in wait to disrupt operations later.
“There are a number of issues occurring out there that we’re just not seeing because no one is looking,”said Mark Bristow, deputy division director for Homeland Security’s National Cybersecurity and Communications Integration Center.
Forty-six percent of cyberattacks against energy companies have gone undetected because of a lack of detection and monitoring technologies and personnel, according to a February survey of nearly 400 U.S. oil employees who specialize in industrial cybersecurity, by the Ponemon Institute, a nonprofit research group specializing in data and and information security. Sixty-one percent said their companies lack adequate cyber defenses to protect the technologies that run oil and gas facilities.
To penetrate industrial controls, time is critical. Oil and gas control systems are complex, typically designed by several engineers, each putting a unique stamp on how a plant, drilling rig, or pipeline operates. The longer hackers can stay undetected, the more likely they can learn and understand how systems work in the real world — and how to disrupt them.
“We’re in a dark room,” said Damiano Bolzoni, chief executive of Dutch security firm Security Matters. “Nobody is switching on the light.”