A cyber attack dubbed Night Dragon shed light on the dangers that security breaches can cause the oil and gas sector when foreign hackers stole sensitive information from several major energy companies about five years ago.

Today, growing criminal enterprises continue to compromise systems globally, keeping the need for cyber security at the forefront of operations. Just this week, the U.S. Department of Justice announced the indictment of five Chinese military hackers accused of computer hacking, economic espionage and other offenses targeting the U.S. nuclear power, metals and solar industries.

Among the alleged misconduct: stealing confidential and proprietary technical and design specifications, information about cash flow, manufacturing metrics, costs and privileged attorney-client communications; sending spearphishing emails to company employees that led to the installation of malware on company computers; accessing company networks to steal employees’ network credentials; and creating a secret database to hold corporate intelligence. Among the victims: Westinghouse Electric Co. and the U.S. subsidiaries of SolarWorld, U.S. Steel Corp., Allegheny Technologies Inc. and Alcoa Inc.

Other cyber attacks have hit several more companies in the energy sector.

“We’re seeing these bad guys go after different types of information. They’re using very different types of techniques for different purposes, and they are targeting not just your technology networks but also your operational networks—your SCADA systems, your integrated control systems—and that’s where the danger really starts to increase,” Greg Bell, principal for KPMG, said May 21 during the company’s Global Energy Conference.

Michael Assante, director of SANS Institute, added that hackers are going after intellectual property and R&D information as well as companies’ operating processes and product pricing—anything that can help give a competitive advantage. And when they are successful, it’s because they plan and understand the actions of their targets well. For example, a hacker might use a watering hole technique, he said, infecting websites where employees visit to gain access to a company’s system.

Cyber security is not just about protecting data; it’s about understanding the risks of potential attacks to businesses as well as having protocols and conversations among various departments within a company, according to Lisa Gauthier, vice president and chief information officer for Rowan Companies. A breach on the right piece of equipment could cause significant problems.

“What if there was a breach that caused us to have to take our new drillship that’s billing at about $600,000 a day out of service? That’s a significant revenue stream impact,” she said, also pointing out that breaches could lead to environmental damage and loss of assets and lives.

“It is no longer a conversation with our network engineers about password protection and resetting things, sniffing the networks to see what data are leaving. It’s about educating engineers and vendors who are going out to modify our equipment on the role that they play,” Gauthier continued. She added that something as simple as an infected USB drive can compromise rig-based security and process control networks.

Moreover, as new technology makes way for increased efficiency, such technology can also introduce new risks, especially when IT departments aren’t involved in the discussion on the front end, panelists said.

Further complicating the problem for some companies is that they operate in many countries, each with different rules about what type of information is protected legally, and contractual obligations for confidentiality can create huge issues, added Mark Thibodeaux, an attorney for Sutherland, Asbill & Brennan.

“We’re not up here to scare you but I hope you are a little scared,” Bell said.

Panelists offered some advice.

“Cyber is not always the answer to a cyber risk,” Assante said. “We have to think way more holistically,” understanding that someone could gain access to these systems and making better technology decisions and architecture choices to minimize consequences and prevent attacks.

However, in some instances, reducing the risks for cyber attacks is quite simple.

If someone is passing out free USB drives that say “made in China” at a conference, don’t take one, Gauthier said.

Giving another example, she said one of the company’s vendors wanted to connect to a system remotely for diagnostic work, but it didn’t need the connection all the time. To eliminate risks, the connection is terminated when work is not being done, and the process is heavily monitored when in use. Companies can also use services like those provided by PhishMe to assess their vulnerabilities and increase employees’ awareness to possible cyber threats.

“Some pretty simple things can make a pretty big impact,” she said.

Contact the author, Velda Addison, at vaddison@hartenergy.com.