Bloomberg

‘Arm Waving’ Response to Hackers Makes Oil Industry Easy Prey

(Bloomberg) — A few years back, a private equity firm hired the cybersecurity company Mission Secure Inc. to inspect its oil and gas operations in West Texas to make sure they were secure.

Everyone from the facility managers to the private equity owners assumed that the plant’s computer network was “air-gapped” — a term referring to computers that aren’t connected to the internet or another unsecured network. But when Mission Secure installed monitoring devices to check, they discovered that a worker on the night shift was connecting his Roku device to the internet to watch episodes of “CSI: Miami.”

The incident reflects a historically lax cybersecurity culture in the oil and gas industry — one that is now in the spotlight after the massive ransomware attack against Colonial Pipeline snarled fuel supplies along the East Coast. The sector has long resisted cybersecurity regulation or substantial investments in part because they haven’t seen much of a need, according to industry and cybersecurity experts.

The oil and gas industry, which includes the companies that own wells, pipelines and refineries, has long been a laggard in security spending and that gap has only widened in the last three years versus financial services and telecom industries, said Brian Walker, a principal at The CAP Group in Dallas, a risk advisory firm.

Small energy companies spend about 0.25% of their revenue on security, compared to 0.75% for big electric companies, Walker said. Big tech companies and banks, which generate significantly more revenue, spend about 1.5%.

“The industry is struggling with self motivation to initiate action to defend themselves,” Walker said, adding that there is no “real” regulation. “There is still only discussion and arm waving.”

Colonial Pipeline became aware of the attack about May 7, after attackers had stolen nearly 100 gigabytes of data and encrypted at least a portion of the company’s IT network — the portion of its network most of its employees use to check their email, review contracts or write and distribute invoices. However, the company also took much of its operational systems offline – the side of the network where machines talk to machines to actually push gas up and down the pipeline. There is no evidence Colonial’s operational technology systems — which aren’t connected to its IT system — were compromised by the attack, the company said.

A ransomware group called DarkSide is believed to be behind the attack.

In a response to questions from Bloomberg, Colonial, which operates the biggest U.S. fuel pipeline, defended its cybersecurity practices, saying it has increased overall spending on information technology by 50% since 2017, when a new chief information officer was appointed. Colonial uses more than 20 different and overlapping cybersecurity tools to monitor and defend the company’s networks, and its third-party investigator “has acknowledged many of the best practices we had in place prior to the incident,” according to a statement provided to Bloomberg.

“Colonial Pipeline takes its role in the United States infrastructure very seriously,” according to a statement. “We had and continue to have robust protocols in place to detect and address threats proactively and reactively.”

In addition to relatively meager spending on cybersecurity, the oil and gas industry is governed by different agencies and rules. The Federal Energy Regulatory Commission was given authority to set cybersecurity standards for electric grids by Congress in 2005. Fuel pipelines, meanwhile, fall under the jurisdiction of the Transportation Security Administration — part of the Department of Transportation — which has provided voluntary cybersecurity guidelines.

“The power sector at least has defensible infrastructure, even if it’s not being adequately defended across the board,” said Rob Lee, founder of the infrastructure security firm Dragos Inc. “The gas sector is under-resourced and hasn’t been as high a priority for the federal government.”

Tom Fanning, chief executive officer of the electric utility Southern Co. and a member of the Cyberspace Solarium Commission, said it would be better if the energy sector all fell under the umbrella of the Department of Energy and had the same reliability standards. He said he worries that the problem may get worse as solar and wind get integrated into the system, making the job of avoiding cyber-attacks more complex.

“Because of the interconnectedness, we need to reimagine how we work together and how we defend ourselves in conjunction with — this is a joint relationship between the private sector and the federal government. That’s the big point,” he said.

Attacks on energy infrastructure have been a persistent worry of U.S. officials for the better part of the last decade, as foreign adversaries have shown the desire and ability to do it.

In 2013, for instance, Iranian hackers breached the control system of a small dam in Rye Brook, New York, but weren’t able to operate the gate that controls water levels because it had been manually disconnected for maintenance. Russia, meanwhile, has repeatedly hacked into Ukraine’s electrical system.

It’s not yet clear whether the ransomware attack against Colonial Pipeline will force major changes in the oil and gas industry, either with additional regulations or cybersecurity spending. David Drescher, co-founder and board member of Mission Secure, was skeptical that it would become a “digital Pearl Harbor.”

“You’ve got to get the culture change at the top where the board is getting updated on their cybersecurity posture as often as production and revenues and EBITDA,” he said.

©2021 Bloomberg L.P.
