The oil and gas sector is susceptible to security vulnerabilities as it adopts digital communication methods that help power energy production and distribution. To understand the cyber threats to the oil and gas industry, there exist approximately 1,793 natural gas-powered electricity plants in the U.S. and they generated 34% of the nation’s electricity in 2018. Much of how we live and work is dependent upon the energy produced from oil and gas production, including everyday cooking, heating/cooling, communication, and use of electronic devices and appliances. Therefore, even the smallest cyber attack on one of the thousands of interconnected and digital systems can pose a serious cyber risk to oil and gas production.
A company that goes through an attack can experience a plant shutdown, equipment damage, utility interruptions, production shutdown, inappropriate product quality, undetected spills, and safety measure violations—to name a few. Recently, 87% of surveyed oil and gas senior executives have reported being affected by cyber incidents in the past 12 months. Further, 46% of attacks in Operational Technology go undetected.
Cyber Attacks on Oil and Gas, Energy, Utilities Companies in History
Security threats to the oil and gas industry have already manifested across facilities worldwide with no signs of slowing down.
- In 2010, Stuxnet, a malicious computer worm, was used to hijack industrial control systems around the globe, including computers used to manage oil refineries, gas pipelines, and power plants. It reportedly destroyed a fifth of Iran’s nuclear centrifuges. The worm was delivered through a worker’s thumb drive.
- In August 2012, a person with privileged access to one of the world’s leading National Oil Companies’ (NOCs’) computers unleashed a computer virus called Shamoon (disk-wiping malware). This virus erased three quarters (30,000) of the company’s corporate personal computers and resulted in an immediate shutdown of the company’s internal network.
- National Security Authority Norway said 50 companies in the oil sector were hacked and 250 more were warned to check their systems, in one of the biggest hacks in Norway’s history.
- Ugly Gorilla, a Chinese attacker who invaded the control systems of utilities in the United States, gained cyber keys necessary to access systems that regulate flow of natural gas. In January 2015, a device used to monitor the gasoline levels at refueling stations across the United States—known as an automated tank gauge or ATG—could be remotely accessed by online attackers, manipulated to cause alerts, and even set to shut down the flow of fuel. Several Guardian AST gas-tank-monitoring systems have suffered electronic attacks possibly instigated by hacktivist groups.
- In December 2018, Saipem fell victim to a cyber attack that hit servers based in the Middle East, India, Aberdeen and Italy.
These examples show other oil and gas companies the consequences that arise from insecure cyber environments, vulnerable systems, and cyber teams that lack the latest skills to stay ahead of attackers.
How Circadence Can Help
To manage security risks in the oil and gas sector while lessening the attack surface, cyber security teams need to be prepared to address all possible scenarios that can occur in order to effectively protect and defend infrastructures.
Project Ares® cyber security learning platform can prepare cyber teams with the right skills in immersive environments that emulate their own oil and gas networks to be most effective. It is designed for continuous learning, meaning it is constantly evolving with new missions rapidly added to address the latest threats in the oil and gas industry. Further, targeted training can be achieved from the library of mission scenarios to work on specific skill sets.
Training in cyber ranges is a great way to foster collaboration, accountability, and communication skills among your cyber team as well as cross-departmentally. Persistent and hands-on learning will help take your cyber team to the next level. Benefits of this kind of learning include:
- Increased engagement – by keeping learners engaged they are able to stay focused on the subject matter at hand
- Opportunities to close skills gaps immediately – instant feedback, instruction, and critique make it easy for learners to benefit from interaction with the instructor and peers and immediately implement this feedback to improve
- Risk mitigation and improved problem-solving – hands-on training allows learners to master skills prior to working in real-world environments. People can work through tough scenarios in a safe training environment – developing problem-solving skills without risk.
By placing the power of security in human hands, cybersecurity teams can proactively improve a company’s ability to detect cyber-related security breaches or anomalous behavior, resulting in earlier detection and less impact of such incidence on energy delivery, thereby lowering overall business risk. Users are the last line of defense against threat actors so prioritizing gamified training for teams will foster the level of collaboration, transparency, and expertise needed to connect the dots for cybersecurity in oil and gas sectors.
This solution coupled with proper collaboration between IT and OT divisions to share real-time threat intelligence information will do wonders for companies looking to stay out of the negative news headlines and stay safe against an attack.
Download our Infographic “oil and gas cybersecurity” for more details on cyber readiness and training.
November is Critical Infrastructure Security and Resilience Month, a nationwide effort to raise awareness and reaffirm the commitment to protect our Nation’s critical infrastructure. Circadence’s mission is to build awareness about how next-generation cybersecurity education and training can improve cyber preparedness. This month is an excellent time to talk about that in relation to critical infrastructure.
“We are seeing government agencies and companies work to make systematic, holistic, and cultural changes through improved cybersecurity standards, best practices, processes, technology, and workforce,” said Josh Davis, Director of Channels. “The massive, distributed, and legacy infrastructure we have today demands a layered security approach that focuses on building a true understanding of what’s at risk within critical infrastructure systems —and that requires a targeted focus on the people who operate these systems both digitally and physically.”
We know critical infrastructure as the power we use in our homes and businesses, the water we drink, the transportation systems that get us from place to place, the first responders and hospitals in our communities, the farms that grow and raise our food, the stores we shop in, and the communication systems we rely on for business as well as staying connected to friends and family. The security and resilience of this critical infrastructure is vital not only to public confidence, but also to the Nation’s safety, prosperity, and well-being.
During November (and year-round), Circadence focuses on engaging and educating public and private sector partners to raise awareness about the security posture of the systems and resources that support our daily lives, underpin our society, and sustain our way of life. Safeguarding both the physical and cyber aspects of critical infrastructure is a national priority that requires public-private partnerships at all levels of government and industry.
Managing risks to critical infrastructure involves preparing for all hazards and reinforces the resilience of our assets and networks.
This November, help promote Critical Infrastructure Security and Resilience Month by:
- Training your cyber teams on realistic cyber ranges like CyRaaS™ to train on platforms like Project Ares®
- Educate employees on cyber awareness best practices using our solution inCyt™
- Take part in the Hometown Security effort
- Engage with your community partners or support long term investments in critical infrastructure.
Our virtualized cyber ranges-as-a-service (CyRaaSTM) provide public/private entities the opportunity to train in realistic cyber environments that mirror their actual interconnected, internet-of-things networks. These virtualized ranges can model the digital footprints of companies, agencies, entire city networks and even Nation State operation exercises, into living physical and fifth domain environments. Teams can collaborate and train together to test and improve their cyber skills in protected environments that can scale and flex as their organizations’ inter-connected structure does, but without impacting live systems and networks.
By combining Circadence’s Project Ares®, Orion Mission Builder™, and StrikeSet™, your organization can learn and grow without impacting your operations. This next-generation combination transforms traditional lecture-based learning, taking it out of the classroom and into interactive real-world environments, at any scale, anytime, anywhere.
We all need to play a role in keeping infrastructure strong, secure, and resilient. We can do our part at home, at work, and in our community by being vigilant, incorporating basic safety practices and cybersecurity behaviors into our daily routines, and making sure that if we see something, we say something by reporting suspicious activities to local law enforcement.
To learn more, visit www.dhs.gov/cisr-month.