Martin Clark reports on a recent panel hosted by IT billionaire Eugene Kaspersky, who believes that energy firms must up their game if they are to combat the increasingly sophisticated threat of cyber terrorism
Recent events have shown that energy companies and their critical installations – everything from oil rigs to micro grids – can no longer ignore the threat of cyber attack. That was the message from Eugene Kaspersky, the Russian billionaire founder of Kaspersky Labs, one of the world’s top producers of anti-virus software systems.
It is a threat that originates from multiple sources: from highly sophisticated and well-funded criminal gangs to state-sponsored attacks and terror groups. Motivations also vary from national interests down to ransomware, designed to get a victim to pay a ransom fee to the malware operators.
At a recent panel on cyber security and energy, Kaspersky noted that the oil and gas industry and the electricity networks are both particularly vulnerable. Attacks by a group calling itself Dragonfly in 2014, last year’s hacks which shut down parts of the Ukraine power grid and the high-profile 2011 virus that wreaked havoc on Saudi Aramco’s computer network all illustrate the possible consequences. Although in the case of the latter the virus did not affect oil production, it was deemed the first significant use of malware in a so-called “hacktivist” attack, and served as a major wake-up call to the industry.
Kaspersky’s warning is of course a new opportunity for cyber security firms too; his company is launching a new cyber security solution specifically aimed at industrial systems.
In a world where IT and process automation systems are integral to modern industrial facilities, including power plants and refineries, safeguarding these processes is absolutely vital to their smooth operation. But unlike traditional corporate IT networks, where confidentiality is the top priority, industrial control systems demand faultless continuity and consistency.
In many cases, a threat emerges where systems and equipment have not kept pace with the rapid advance of technological change and the internet.
“An increasing number of systems are using devices and channels that interact with the outside world,” said Kaspersky. “Sometimes they use equipment that was never intended for external access, not to mention software that was created decades ago and has not been upgraded since. This is a very serious issue, because not only is the continuity of the production process at stake; the environment and even human lives can be at risk.”
The issue of outdated security is especially acute in regions where production is being extended. As DNV GL noted in a recent energy cyber security report, the average 15-20 year lifespan of a Norwegian offshore installation means that many will operate through several generations of technology. With low oil prices increasing the prevalence of life extension programmes, the threat of vulnerability becomes even greater.
Yet sometimes it is these outdated structures that can also lead to a solution.
In the recent example in Ukraine – where hackers gained entry to systems controlling electrical substations and plunged parts of the country into blackouts – Kaspersky said the crisis was resolved after resorting to a manual override option that had been built into the system. In more sophisticated power infrastructure set-ups, such as in the US or Western Europe, there is typically no such facility.
What is more, the sheer complexity of modern day industrial IT systems means that solutions which can guard against such attacks are unlikely to be easy to deploy – or cheap. “It’s not a product to deploy; it’s a project,” Kaspersky said.
Another speaker at the press conference, SolutionsPT industrial control systems security expert Cevn Vibert – who has worked on projects with EDF, Sellafield, RWE, National Grid, BP, KOC and Royal Dutch Shell among others – agreed. “Due to the complexity of the systems, and the complexity of the attacks, this can’t be done overnight,” he said.
But understanding of these threats has increased in recent years, experts reckon. Certainly, the Aramco attack five years ago helped focus minds among oil and gas executives.
“After the Saudi attack, cyber security is one of the top priorities for oil and gas companies,” Kaspersky noted. Indeed, he attended a dedicated oil and gas stream himself at the World Economic Forum in Davos to discuss cyber security issues. “Don’t worry about the oil and gas industry,” he assured the panel – “They are aware of the problem.”
Greater awareness has meant the problem is also becoming better understood across the board. “Years ago I had to explain industrial security, but not anymore. Now people understand. The situation is much better than years ago, though it’s still early days,” he said.
Indeed, he noted that Russia had just launched a new cyber security training facility specifically to help the oil and gas industry counter the threat. Oil engineers are now invited to the Moscow site to develop a greater awareness and understanding of the risks and how to face them.
Even where some countries, such as the UK, are acutely aware of the cyber problem – companies like National Grid are exploring extra resilience measures on an ongoing basis – implementing those protective measures is an altogether different challenge from a practical perspective.
The threat to electricity distribution was specifically highlighted following the UK’s rollout of 27 million smart meters to every home across the country. Because these are essentially connected to an external network there is an inherent threat – something Vibert posited when he asked: “Smart meters: should we be concerned about it? Yes – but there is a lot of work going into that.” These devices could potentially be used for ransomware, where an attacker shuts down domestic systems demanding money. “It’s not science fiction because it’s happening,” Kaspersky commented. “To hijack a smart house and ask for a ransom, why not? Sometimes it’s very hard to trace [the perpetrators].”
Funding such large IT security projects represents another hurdle, of course. Surprisingly, Kaspersky noted that there was still money in the bank to fund cyber security work, even at a time when budgets are being cut. While general IT infrastructure work may have been frozen, cyber security initiatives are still moving forward – in no small part thanks to the Aramco attack, which continues to serve as a major warning to oil firms.
The scale and complexity of the problem remain a huge challenge, however. “It’s not easy, and it’s not cheap, and we don’t have enough engineers – but we need to do it,” Kaspersky said.
An important step forward is making sure any installation knows whether it has been hacked in the first place, Kaspersky said. This is not always straightforward. In some larger facilities or organisations, the culture may be one where different departments do not communicate at all.
Kaspersky believes that state governments should take more responsibility for critical infrastructure, to help educate industries and collectively design common cyber strategies. The lack of regulation in this area – essentially companies design their cyber systems any way they want to – may be another area where governments could take the lead. This was again echoed in DNV’s energy-focused report, which stated: “Supervisory authorities should issue functional requirements stipulating that barriers to digital vulnerabilities must be established. Digital vulnerabilities must be included in relevant risk analysis.”
“Companies must create a culture for reducing digital vulnerabilities in the same way as there is a culture for preventing fires and explosions,” it added. It is fair to say that this cultural shift is beginning, but as each new technological advance brings its own new set of threats and vulnerabilities, energy firms will need to work harder than ever before to stay one step ahead.
Text box: the Aramco hack
In August 2012, hackers gained entry to Saudi Aramco’s internal IT network and wreaked havoc, shutting down around 30,000 workstations in a matter of hours – about 75% of the company’s IT infrastructure. Timed to coincide with Ramadan when much of the company was on holiday, this was a co-ordinated attack by a group which called itself “Cutting Sword of Justice,” and which used a variant of the now-infamous Shamoon virus.
The virus erased files and wiped entire computers, leaving them unbootable. The destruction of files and equipment is a notable tactical difference compared to other malware attacks, which traditionally seek to remain undetected, enabling the hackers to view and/or steal data – although reportedly the hackers did have the ability to extract information from the files.
The virus spread internally around Aramco’s global headquarters, leaving engineers pulling Ethernet cables out of machines to disconnect them from the internet. With only internal mail and typewritten paperwork – digital payments, invoicing and contracts were all compromised – Aramco’s offices were catapulted back in time to the 1970s. Unable to sell oil to domestic fuel suppliers, it eventually began giving away oil for free to ensure local supplies.
The clean-up operation was equally substantial. Aramco pulled in an army of IT contractors from around the world to secure and reboot its offices over a period of around five months. It also went directly to component manufacturers in Southeast Asia and, in one move, bought an entire line of replacement hard drives. The 50,000-unit purchase was made at a premium to overtake all existing orders, and raised global prices for the component for the next six months.
As far as has been made public, the hackers were never caught.