With hackers hacking everything from the presidential campaign to online stores to my own Facebook account (on a regular basis, it seems), it’s just a matter of time before the oil industry gets hit in a big way. And the results could be a lot harsher than me having to tell people not to accept friend requests from me when we’re already friends.
The results could be disastrous.
The cybersecurity risks that oil and gas companies face are continuing to grow. According to a report issued earlier this year, data breaches within our industry grew from just 12 percent in 2012 to 74 percent in 2016, with cybersecurity proving to be a moving playing field as hackers develop increasingly sophisticated hacking methods.
A couple years ago, the hacktivist group known as “Anonymous” (you probably know them from their scary clown-mask icon), put out a threat to the oil and gas industry which said they would strike hard with a cyberattack. They even gave a specific date, which came and went without incident.
The would-be hackers declared in a video that the attack would target the US, Canada, England, Israel, China, Italy, France, Germany, Russia, and the governments of Saudi Arabia, Kuwait, and Qatar. All the specifics of how this attack would happen weren’t revealed in the video (a tradition very typical of this specific group) but it did indeed raise the hackles on many people in our industry.
According to industry insiders, this particular attack could have meant anything from releasing sensitive information from private or publicly traded companies, to private conversations between producers. And in a worst-case scenario, the hacks could also be full-blown attacks where some of these services and websites could be knocked offline, potentially compromising these companies completely.
Last year, there was a cyberattack on Saudi Aramco. This attack clearly demonstrated the capability of hackers to penetrate what were once thought of as impenetrable systems. In the Saudi attack, hackers released a virus which ended up affecting over 30,000 workstations. Subsequently, the CEO of Saudi Aramco said in a news release that the company’s preventive procedures helped mitigate the cyber threats from spiraling. But still, normal operations didn’t resume for another ten days after the attack.
Saudi Aramco officials said the attack was aimed at the Saudi economy with the failed objective being to stop the flow of Saudi oil to local and international markets.
But all is not lost. There are some easy things to do on a regular basis which don’t cost anything, but could save tons of money in the long run.
First, have your marketing or communications department regularly monitor social media. The one thing that has been mutual in most of the planned and actual attacks, is that the groups or persons responsible telegraph their punches, most often through social media sites like Twitter or Facebook. Regular monitoring of these sites using keyword alerts can sometimes catch these in advance.
Also, have your IT department monitor your company website, generally the weakest line of defense in a company. There are inexpensive tools which allow an IT person to see who has been on your site, how long they stayed there, where they came from, and where they went after they left your site.
Sometimes, cybersecurity is compromised inadvertently from within. Some offshore rigs have internal computer systems which are tied via satellite to corporate headquarters and main office systems. If you’re someone working on the rig and you’ve just returned from your 28-days off and brought with you a flash drive full of your email and maybe a movie or two, that drive may have gotten infected when you plugged it into your home computer. When it’s brought back to the rig and plugged into the rig’s computer network, Voila. Instant infection of the rig’s systems.
The simplest solution is just to be aware. It’s not always foreign governments. Sometimes (to quote President Trump), it’s a 300-pound kid in his mom’s basement just looking for some way to make trouble.
But having spent the last 40+ years in this industry, I want to make sure it doesn’t happen to me. I already have enough friends on Facebook, and I don’t need any more wearing scary clown masks.