In the months since a virus ripped through 30,000 of Saudi Aramco’s computers, the world’s largest oil company has become the canary of the industry, warning others of the serious threats already lurking on their systems.
Although the attack did not disrupt Saudi Aramco’s oil and gas operations, the company’s top man warned, in a recent interview with FuelFix, that the risk to the industry remains high.
Chief Executive Officer Khalid Al-Falih said that despite aggressive efforts by Saudi Aramco and others to guard against online threats, operations throughout the energy industry will remain in danger unless all companies adopt strong Internet security measures
“What happens to one company affects us all,” Al-Falih said.
Saudi Aramco, which is wholly owned by the Kingdom of Saudi Arabia, produces more hydrocarbons than Exxon Mobil, Chevron and BP combined.
But even though the mammoth energy company has increased its focus on Internet security, it continues to deal with a high volume of threats, Al-Falih said.
Deep-water danger: Malware threatening offshore rig security
“Every company today that you talk to will tell you that they are being tested every day by hackers,” Al-Falih said. “So it’s nothing new for us. We have been attacked hundreds of thousands of times before this attack penetrated us.”
While Saudi Aramco’s security measures have protected it from any interruption in its oil production, delivery or other fundamental operations, companies with less robust cybersecurity efforts may be at greater risk, he said. And that presents a threat to other oil and gas companies, Al-Falih said.
“We provide our petroleum to systems that are run by other companies,” he said. “So in an extreme case, if refineries are hacked and disrupted, that will impact demand on us and our petroleum. And the reputation of the industry as a whole is important to us.”
Oil companies use computer systems to manage and control massive operations, and to monitor them for safety. A computer infection on one of those control systems could cause a company’s entire operation to malfunction.
In such a case, the results could be disastrous, with the possibilities including grid failure, leaks at chemical plants or refineries, explosions of pipelines, offshore oil spills and lost human lives. While those outcomes are remote, the danger of malicious attacks does exist.
And recent infections of energy industry computer systems have shown that there is reason to worry. Last year, 40 percent of cyberattacks were on energy infrastructure, according to the U.S. Department of Homeland Security.
During a keynote address at the IHS CERA-Week energy conference in Houston this month, Al-Falih emphasized the need to seriously address threats that malicious attacks posed to their computer systems.
He said in the interview that companies need to invest in computer security and pay more attention to the growing risk.
“We need to act collectively to protect the petroleum industry to make sure that we elevate our image as a reliable, safe, environmentally sound supplier of energy,” Al-Falih said. “And ensuring security of our system – physical and virtual – is part of that responsibility.”
Though many attacks on energy companies are unsuccessful, a report released last month by Internet security firm Mandiant tied the growing occurrence of cyberattacks to activity from a group that Mandiant said probably is backed by the Chinese government.
In some of its attacks, the group had used a malicious file that unsuspecting workers in the oil and gas industry might have downloaded. It was called, “Oil-Field-Services-Analysis-And-Outlook.zip,” according to the Mandiant report.
U.S. government role?
Government-backed attacks against private companies, even well-financed oil giants, put the businesses at a severe disadvantage, said Michael Hayden, former director of the Central Intelligence Agency, who spoke at IHS CERA-Week.
Yet the role of the U.S. government in protecting companies from such attacks remains ambiguous because of indecision and disagreements among politicians and businesses, Hayden said.
A unit of the Department of Homeland Security, called the Industrial Control Systems Cyber Emergency Response Team, helps to analyze and respond to attacks.
But a more proactive approach would involve regular government access to private computers and networks, Hayden said. Companies aren’t sure how much access to their systems they want to allow to the government, even for Internet security purposes, Hayden said.
Asked about how the government might assist in defending against a malware attack on an oil company, Hayden said: “Nobody knows.”
On their own, companies are attempting to improve security, but many in the energy industry remain vulnerable.
“It seems to me that they need to work very hard on their defense,” Hayden said.