Regular readers may recall that back in March I discussed a recent study from Ponemon Institute that warned of the potential dangers of rapid digital advancements. The study found that the deployment of cyber security measures in the oil and gas industry is failing to keep pace with the growth of digitalisation in the sector’s operations.
Fast forward a few months and the threat of cyber attacks has been cast well and truly into the spotlight. As I write this, a global manhunt is underway to find the creators of the WannaCry malware, which wreaked havoc across the world in May. Here in the UK, the National Health Service (NHS) was hit hard as services and records were taken offline. Other high-profile victims reportedly included Telefónica, Iberdrola and Gas Natural in Spain, Renault in France, and US delivery company FedEx.
The cyber attack used a type of virus known as ransomware. Simply put, the malicious software blocked users from accessing their data unless they paid a ransom. The virus is believed to exploit a flaw in Microsoft Windows, using a tool that was developed by, and stolen from, the US National Security Agency (NSA).
Microsoft has said that the cyber attack should be treated as a “wake-up call” by governments around the world [1]. And it’s time for the energy industry to sit up and pay attention too – especially as many oil and gas facilities currently use networks run by the very same (out-of-date) operating systems that were targeted during this attack. A recent report by the Houston Chronicle into cyber security readiness in the oil and gas industry along the US Gulf Coast found that facilities often use Windows XP or earlier versions of the Windows operating system from the 1990s [2].
The report also notes that while strict cyber security regulations govern power, chemical and nuclear facilities in the US, there are currently no federal laws to impose standards in the oil and gas industry. The US Department of Energy (DOE) may have developed a model of best practices, but oil and gas companies are not legally obliged to report cyber security incidents. This lack of transparency is one of the key issues that should be addressed following the WannaCry cyber attack, according to the President and Chief Legal Officer of Microsoft, Brad Smith, who said: “This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem […] We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cyber security attacks.”
It is essential that oil and gas facilities act now to protect themselves against the imminent threats that come hand-in-hand with the huge benefits offered by digitalisation. While prevention is not cheap or easy, it is always better than cure. The potential implications of cyber attacks in the oil and gas industry are truly devastating, especially if hackers gain access to control systems.
This month’s cover feature from Honeywell Industrial Cyber Security (p. 20) takes a timely look at industrial control system (ICS) cyber threats and the importance of urgent, ongoing, proactive protection.
1. SMITH, B., 'The need for urgent collective action to keep people safe online: lessons from last week's cyberattack', Microsoft (14 May 2017).
2. EATON, C., 'Hacked: energy industry's controls provide an alluring target for cyberattacks', Houston Chronicle (March 2017).