Energy companies aren’t doing much to defend against soaring cyber attacks – Bloomberg


In 2012, Saudi Aramco production was locked down during the disk-wiping Shamoon incursion, and the company was hit again by the same group in November 2016, said Bill Wright, director of government affairs and policy counsel for Symantec in Washington. In 2015 and 2016, Ukraine was hit with blackouts by state-sponsored groups, a blow to the economy as well as the health and safety of its citizens.

Tracking Dragonfly

In the U.S., Symantec has been following another group, nicknamed Dragonfly, that’s been around since at least 2011. Last year, the group became “a lot more aggressive,” with the goal of soliciting information on how energy companies work and figuring out how to maintain stealth access on their systems, according to Wright.

The industry needs to be more involved in defending itself moving forward, according to Michael Hayden, a retired four-star general and now a principal at The Chertoff Group in Washington. The reason: the government is hindered by constitutional issues, as well as “political culture, concern about privacy, speed and agility,” he said.

Over the last few years, the industry has been quickly adding electronic sensors and other monitoring capabilities to track data from 900,000 oil and gas wells, and 300,000 miles of pipelines. Complex computer algorithms at every level of the industry are constantly adjusting the flows of everything from oil and natural gas to electrical power, with automatic valves in place that can shut down flow at a moment’s notice in the case of an accident with no human action needed.

“This equipment is fairly wide open from a security perspective,” said Matthew Stegall, director of IT assessments at Precision who performs such assessments for Deloitte & Touche LLP and KPMG LLP. “Companies are starting to more and more look at this. But they are still very much in the infancy stage.”

Many of these operations run on separate networks, offering an “air gap” that energy companies often cite as a shield against wider ranging intrusions. But that’s also created a false sense of protection, according to Gent Welsh, commander of the 194th Wing of the Washington Air National Guard who’s long been involved in developing cybersecurity capabilities.

Companies are aware of the need to protect raw data, but they’re often less sophisticated about the need to protect recently computerized systems for operational assets, according to Stegall. “When you get to a discussion on locking down the operations issues, they kind of look like deer caught in the headlight,” he said.

Based on analysis developed over 15 years, energy companies that earn $1 billion in revenue a year generally spend about $1 million for cybersecurity, Precision found. In comparison, companies within the financial industry with $1 billion in revenue could spend as much as $3 million, according to the data. Financial services and retailers have been in the limelight for data breaches.

Walker, who works directly with energy executives, said he’s found it surprising how many believe the Defense Department or Homeland Security is defending them. They can’t, Walker said, because the government lacks the capability, expertise and, importantly, the legal standing to defend civilian assets before they’re attacked.

Limited Access

“Our adversaries well know that the soft underbelly of the United States is our critical infrastructure and key resource sectors, from power, to water, to transportation,” said Welsh, who has testified in front of Congress on multiple occasions. “What our adversaries are really doing is relentlessly probing for weakness that can be exploited down the road for political, economical, and military gain.”

In 2014, the Snohomish County Public Utility teamed up with National Guard cyber operators to test its defense. They were given two weeks. After the meeting adjourned, it took less than 30 minutes to break into a drinking water treatment facility using a phishing email.

The approach to cybersecurity also is affected by the normal siloing of departments within individual companies, the experts said. At many companies, IT security will typically fall under the purview of the chief information officer while operations security staff report to a different boss, Walker said. The result: a communications gap.