Cybercrime becomes bigger threat to energy industry than terrorists

In years past, discussions about security in the energy industry usually focused on protecting refineries from terrorist attacks and overseas workers from kidnapping.

Today, the greater threat is the digital theft of competitive information or technical data by outside hackers or unscrupulous employees, speakers at an FBI-sponsored event on energy security said Wednesday.

“The shift from physical security to data security has been a significant one for all of us,” said Russell Cancilla, Vice President and Chief Security Officer at Baker Hughes. “Theft of intellectual property, state-sponsored corporate espionage, those kinds of things have grown exponentially in recent years.”

A few well-known incidents in the energy industry occurred in 2008, when computer systems owned by oil companies including ConocoPhillips, Marathon Oil and Exxon Mobil were reportedly hacked by outside forces seeking oil and gas lease bidding information.

Sections of the U.S. power grid were also probed by outside forces in recent years, although it does not appear any damage was done.

But the energy industry tends to be tight-lipped about such breaches.

Even at Wednesday’s event, the second annual Energy Security Awareness Symposium, sponsored by the Houston FBI office as a way to promote information sharing between industry and government, two speakers asked beforehand they not be identified in any stories about the event; at one point the two reporters at the event were asked to wait outside during a counter-terrorism presentation since not all of the information had been vetted for the public.

Cybercrime costs about $400 billion globally in lost assets and time, according to a recent survey by security software maker Norton.

Financial services, technology and retail firms are the most likely victims of cybercrime, according to a Ponemon Institute survey, with the energy and utilities sector seeing some of the smallest volumes of activity.

But the energy and utilities industries see some of the highest average annual costs due to cybercrimes, according to Ponemon, with an average cost of $19.78 million in 2011. Only the defense industry sees higher cybercrime costs, with an average cost of $19.93 million annually.

Houston has symbolic significance as the heart of the U.S. oil and gas business, said Stephen Morris, special agent in charge of Houston’s FBI office. He cited ongoing concern about “the physical safety” of refineries and chemical plants in the region.

“But,” he added, “the fact that you haven’t heard of any significant events is a testament to what the industry is doing and the constantly evolving practices.”

Cancilla agreed.

“I don’t think there’s a lot of hand-wringing about it here,” he said.

Cancilla said one reason for the growing concerns over digital espionage is the rise of oil-exploration and production firms owned and operated by foreign governments.

In decades past, the governments of developing countries looking to expand their oil and gas production would typically contract the work out to Western oil majors as Exxon Mobil, BP or Shell.

Since the collapse of the former Soviet Union, however, many oil-rich nations have developed national oil companies with capabilities to do more of the work themselves. But those companies still have to turn to Western oil-field services firms such as Baker Hughes, Halliburton or Schlumberger for expertise.

The complexity of the technologies needed to extract oil and gas from increasingly difficult-to-reach locations is making the information held by these service providers even more attractive to thieves.

In the past, Cancilla said, security organizations spent most of their time and effort responding to security breaches. Now, most of the effort is spent on assessing risks, managing risks and maintaining the capability to respond to threats if needed.

“If you’re spending more than 10 to 20 percent of your time responding to situations, then you most likely don’t have the right risk assessment programs in place,” Cancilla said.