It was every company’s worst nightmare. On Aug. 15, 2012, while thousands of Saudi Aramco employees were preparing for a Muslim holiday, someone with privileged access to Saudi Aramco computers launched a virus that wiped out three-fourths of its corporate PCs. When employees logged back on, their files had been replaced by the image of a burning American flag. This was not an isolated incident. Within the past two or three years, Telvent, Adobe, and even Google have been the targets of highly sophisticated cyber attacks.

Protection against this type of attack is neither easy nor inexpensive. But the alternative is so crippling that it could put some companies out of business.

Cyber attacks

These types of attacks are not simple worms or viruses that a trip to the local computer shop can repair. In the attack on Google and Adobe, several pieces of malware and several layers of encryption were used to dig into the networks, according to an article on . Not only did the perpetrators break into the networks, they also evaded detection tools by hiding their malware and its traffic behind those layers of encryption.

This new type of cyber threat poses serious concerns for oil companies. “The Saudi Aramco situation is interesting because it wasn’t just stealing information; it was actually damaging infrastructure,” said Dave Aitel, CEO of Immunity Inc. “The general impression is that the threat is not that bad. Some groups steal information and may destroy your company solely by undercutting all of your bids, but they’re not doing it by destroying all of your IT infrastructure the way the Saudi Aramco team did it. The worst-case scenario is that they’ve lost the ability to continue their business.”

Aitel’s company performs security assessments for major companies, with particular emphasis on mobile and web applications.

Who is behind these attacks? In the case of Google, it was traced to hackers in China. Aitel said Google did the only thing it could do under the circumstances – it left the country. “They got lucky in a way because they suffered an attack, and after that they simply pulled out,” he said.

Immunity consultant Mark Wuergler performs a wireless assessment. (Image courtesy of Immunity Inc.)

“They felt it wasn’t possible for them to maintain a secure infrastructure in China and do business.”

Oil companies that come under attack may need to consider the same strategy. Even nation-states will attempt cyber attacks if it is in the country’s interest to do so. “You have huge amounts of money and power at risk,” said Aitel. “Therefore, nation states are willing to put a large portion of their aggressiveness toward attacking other countries and other companies.”

Given this concern, oil companies might need to think twice about moving into a new geographical area, even though the licenses are enticing. Aitel said companies need to understand how to spread geographically while segmenting their businesses properly, so that a compromise in one region does not put the whole company at risk.

Cyber security

Aitel outlines several steps that can help companies avoid becoming victims. The first is application “whitelisting”: configuring each computer so that it can run only an approved list of programs, and nothing else. The list should match the role. A company CEO might need only four or five applications, whereas an engineer might need dozens; an attacker’s tool that is on neither list simply does not run.

Second is monitoring. “It sounds simple, but it’s amazing how few people do actual monitoring of what their executives do,” he said. Obviously executives don’t want their Internet searches being checked out by their IT departments. But in light of cyber threats, it’s important to monitor their activities.

Exfiltration monitoring is a way to catch hackers at their game. Stolen data has to leave the network somehow, usually to a server the attacker controls, and that server is rarely visited by anyone else. By looking for external hosts that only one machine within the company ever talks to, it is possible to ferret out malware that is sending data out. The heuristic is noisy on its own (one person reading a niche website is normal), so in practice it is weighted by how much data the lone client uploads to that host.
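The heuristic described above can be run against ordinary proxy logs. The following Python is an added example written for this page, not code from the article or from Immunity. It assumes a constructed, simplified log format (timestamp, client IP, method, URL, status, bytes sent by the client), uses placeholder addresses and example.* names, and embeds a few constructed log lines so that it runs offline.

```python
"""Exfiltration heuristic: find external hosts that only one internal client talks to.

Added example, not from the article or from Immunity. The log format is a
constructed, simplified proxy log (not any real product's format):
    <timestamp> <client_ip> <method> <url> <status> <bytes_sent_by_client>
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines. The 203.0.113.0/24 address and example.* names are
# documentation placeholders; the last line is deliberately malformed.
SAMPLE_LOG = """\
2012-08-14T09:01:12Z 10.1.4.21 GET http://www.example.com/index.html 200 410
2012-08-14T09:01:15Z 10.1.4.22 GET http://www.example.com/news 200 402
2012-08-14T09:02:40Z 10.1.4.23 GET https://www.example.com/login 200 655
2012-08-14T09:03:01Z 10.1.4.21 POST https://mail.example.net/send 200 18220
2012-08-14T09:05:33Z 10.1.4.22 GET https://mail.example.net/inbox 200 380
2012-08-14T09:07:09Z 10.1.4.23 GET http://cdn-static.example.org/app.js 200 290
2012-08-14T23:41:02Z 10.1.4.21 POST https://203.0.113.45/upload 200 2500000
2012-08-14T23:58:47Z 10.1.4.21 POST https://203.0.113.45/upload 200 3100000
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return (client_ip, destination_host, request_bytes) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, client, _method, url, _status, nbytes = parts
    host = urlsplit(url).hostname
    if host is None or not nbytes.isdigit():
        return None
    return client, host, int(nbytes)


def summarize(log_text):
    """Aggregate per destination host: distinct clients, request count, bytes uploaded."""
    stats = defaultdict(lambda: {"clients": set(), "requests": 0, "upload_bytes": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped rather than crashing the run
        client, host, nbytes = parsed
        entry = stats[host]
        entry["clients"].add(client)
        entry["requests"] += 1
        entry["upload_bytes"] += nbytes
    return stats


def single_client_destinations(log_text, min_upload_bytes=0):
    """Hosts contacted by exactly one internal client, largest upload volume first.

    min_upload_bytes suppresses the inevitable noise: one person reading a niche
    site is normal; one machine pushing megabytes to a host nobody else uses is not.
    Returns a list of (host, client_ip, upload_bytes, request_count).
    """
    findings = []
    for host, entry in summarize(log_text).items():
        if len(entry["clients"]) == 1 and entry["upload_bytes"] >= min_upload_bytes:
            (client,) = entry["clients"]
            findings.append((host, client, entry["upload_bytes"], entry["requests"]))
    findings.sort(key=lambda f: f[2], reverse=True)
    return findings


if __name__ == "__main__":
    for host, client, up, n in single_client_destinations(SAMPLE_LOG, min_upload_bytes=1_000_000):
        print(f"{client} -> {host}: {n} requests, {up} bytes uploaded")
```

On the sample data the only host that survives a 1 MB upload threshold is 203.0.113.45, reached by a single workstation late at night with two large POSTs; the static-content host that one engineer fetched a 290-byte script from is flagged only when the threshold is zero, which is the false positive the threshold exists to remove.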

Network segmentation is also a useful exercise. Aitel described it as separating the different parts of the business onto their own networks – corporate IT and SCADA, for example – so that a compromise in one cannot reach the data in another. “The IT administration staff needs to be segmented on their own networks, and their machines should be unreachable by other machines in the network,” he said. “Sounds like very commonsense advice. But IT networks actually have hardly any segmentation whatsoever.”

Perhaps the most critical activity a company should undertake is to develop “situational awareness.” “A lot of executives in the energy industry don’t want to know how bad it is because if they knew, they’d have to do something about it,” Aitel said. “There is an executive order in the US that is forcing companies to develop situational awareness. But you shouldn’t have to force them; they should want to know how bad it is.”

He added that, while some of this process can be automated, it still takes skilled IT security professionals to keep a company’s data and infrastructure safe. “They’re not cheap people, but it’s cheaper than losing all of your data,” he said.

Fear factor

A simple step in the right direction is to check a small sample of a company’s machines for a kernel rootkit. A rootkit is not a leftover infection; it is evidence of an active, ongoing penetration. Aitel said the check can be done blindly, with no prior lead, on just a few machines.

“If you find one, you have a serious, serious problem,” he said. “It’s something that has no return on investment in the short term, but it’s a step toward developing situational awareness.”

Another simple precaution is not to leave devices unattended in hotel rooms. “If you’re traveling around the world, it might be best to consider that the devices you leave in your hotel room have had visitors,” said Justin Seitz, senior security researcher at Immunity Inc. “Even thinking about this and giving yourself nightmares about it can be a useful exercise.”

In fact, a healthy dose of fear seems to be exactly what the energy industry needs when contemplating this issue. Some of these cyber attacks are not that sophisticated technically. “It doesn’t have to be technically sophisticated as long as it’s psychologically sound,” said Seitz.

Added Aitel, “I think the main thing your readers need to know is that this is a problem that’s happening right now. It’s not something they can put off for next year. If they want to talk in depth with us about their own corporation, we’ll be happy to do demos for them that will scare their pants off.”