The Fuel-and-Energy Security Gridlock

Criminally ill-prepared for cyber attacks, two of the most hacked industries can still fight back. But they're running out of time.

A little more than a year ago, 60 Minutes aired a warts-and-all report about China “looting” American Superconductor, a wind-turbine business pulling in roughly $500 million a year. Its software code was so valuable that executives made sure it wasn’t accessible through the Internet. Regardless, a Chinese firm (co-owned by its government), attempting to corner the market on clean energy, stole that code by bribing a company employee.

As a result, American Superconductor nearly went out of business, laying off 600 people and losing more than a billion dollars in revenue. “I think part of the strategy in all this,” CEO Daniel McGahn told 60 Minutes, “was to kill us.”

Much awareness has come since then. If there is an upside, it’s that we now know any upward-moving organization must have proactive security hard-wired into its strategy. The analytics to do this actually exist, guarding against insider threats and vigilant thieves while providing actionable intelligence. The bad news: American Superconductor is merely one example of how oil, gas, and electricity enterprises are increasingly under attack—yet few are using this advanced-analytics technology.

Homeland Security recently warned the lucrative refineries along Texas’ Gulf Coast that they may be sitting ducks. “There are actors that are scanning for these vulnerable systems and taking advantage of those weaknesses when they find them,” Marty Edwards, director of Homeland Security’s Cyber Emergency Response Team, tells the Houston Chronicle in a must-read story.

Sources: Houston Chronicle, Security Week

Firewalls, anti-virus software, and an assortment of security patches cannot keep up with morphing attacks. A rogue employee methodically stealing from the inside and an outside threat swiftly infiltrating an enterprise each require quick, accurate, eyes-everywhere protection that can only be achieved through machine learning. Personnel changes, malware infection, systematic data-staging, endpoint getaways—nothing escapes its expansive visibility.

Hackers typically target energy and fuel providers due to their “strategic and economic importance,” Bloomberg points out. Built on intricate infrastructures, these companies offer several access points for breaches: “Thousands of interconnected sensors and automated controls that run oil and gas facilities remain rife with weak spots,” notes the Houston Chronicle.

Additionally, companies are saddled with weak software and negligent employees, both of which are detriments to their growth. Upgrading outdated security software is expensive and time-consuming enough that it can pause operations. At the same time, there is a dire need for IT and HR teams to properly train employees in best practices as obvious as implementing password strength/protection and spotting phishing attempts.

These shortcomings have needlessly dragged on for years. In 2011, Chinese hackers accessed the networks of five multinational organizations, “focusing on financial documents related to oil and gas-field exploration and bidding contracts,” Reuters reports. They did this through the companies’ public websites and by phishing executives.

Three years later, the New York Times reported that hackers, allegedly supported by the Russian government, targeted more than 1,000 energy companies in at least 84 countries. The thieves dispatched emails with malware attachments (focusing on executives, in particular) and infected websites commonly visited by employees. In this case, they gained access to control systems, seemingly to create disruptions for ransom or political purposes.

Those incidents are not isolated—they’re just the most high-profile ones. Energy and utility organizations are not required to disclose incidents. Although those companies have no public accountability, government officials have nonetheless been pressing them to immediately button up business-security imperatives.

In 2013, the Department of Homeland Security warned power companies about “an alarming trend of hackers, possibly from the Middle East … determin[ing] how to take control of key processing systems.” A year later, the director of the NSA spoke to Congress about his growing concern that nation states can force power outages. They would know a breach’s potential: The U.S. and Israel were behind the famous Stuxnet attacks on Iran in 2008, deploying malware to derail a nuclear facility. (It worked.)

A recent Ponemon report ranked the energy and utilities industries as second only to finance in incurring cybercrime-related costs. They’re spending an average of $14.8 million each year, which is a $2 million increase over 2015. Optimizing their security architecture, however, would incur just a small fraction of that cost.