Companies are still overlooking the potential threats from cyber crime despite the multi-thousands and even multi-million dollar bills a successful attack could cause.
Furthermore, attacks have and continue to penetrate process control systems and take control of physical processes.
"It's not if, it's when," Lockheed Martin's head of process security Andrew Wadsworth told delegates to an Aberdeen and Grampian Chamber of Commerce breakfast session today (September 2).
Image: Andrew Wadsworth. Photo by Rory Raitt/RawFormat.
"In the North Sea, more than 50% of installations surveyed by Lockheed Martin have been found to have viruses in their control systems," he said.
According to research in the US, supported by the US Department of Homeland Security (DHS), 20,000 industrial control systems in the states we're found to be directly accessible on the internet.
"Every company should set out with the attitude that every company will come under threat from an attack and that it will probably be successful," says Wadsworth.
The number of incidents is increasing, he says. In 2009 there were under 50 reported incidents to the DHS. By 2013 this had increased to more than 250, with 59% of the total targeting energy companies, including offshore upstream operators. But, Wadsworth says this is just the tip of the iceberg, as reporting incidents is voluntary. Anyway you look at it, the trend is clear, he says.
There have been a number of high profile cases. Lockheed Martin was itself a subject of the Titan Rain attacks in about 2003 - attacks which have been linked to the Chinese military and which targeted US defense contractors.
Other attacks include Night Dragon, which sought to steal multi-gigabytes of information from energy companies about commercial deals, licensing rounds, and subsurface information. Stuxnet, one of the most well known attacks, was used to directly attack Iran's uranium enrichment program and resulted in physical damage to plant, without the hackers having had direct access to it. The Shamoon attack saw 30,000 hard discs wiped at Saudi Aramco. "A lot of the attacks are about capturing information. This attack went back to the early days of malware trying to damage a system," said Wadsworth.
The cost of a successful attack can be high. According to data from the Repository for Industrial Security Incidents (RISI), cited by Wadsworth, the financial impact of an attack has been as high as more than $40 million for a single incident. About 14% of attacks cost more than $10 million, 30% cost $10-100,000, and 35% under $10,000.
Insurance against attacks is also currently limited, and does not exist in the case of physical damage, although industry, including Lockheed Martin, is working with insurance companies to address this, says Wadsworth.
Attacks are not limited to operators either. Attacking a supply chain company can give attackers access to a larger corporation, which was seen when hackers accessed Google's systems through a facilities management company which provided online access to Google to its facilities.
It can also take considerable time for attacks to be discovered, says Wadsworth. According to the DHS, the time from a successful penetration of a control system to discovery is 18 months, he says. "Which means for 18 months attackers have had access to your control system and you didn't know about it for 18 months," says Wadsworth.
But, while the "attackers" actively share information about the systems they are attacking, the "defenders," i.e. energy companies and others, are reluctant to share information, says Wadsworth. There are now platforms where operators can share information about attacks, including CISP (www.cert.gov.uk/cisp) and the Oil & Gas Security Information Forum.
The challenges for energy companies, when dealing with attacks, is also compounded by the complexity off the oil business, with joint ventures, multinational corporations with differing approaches to dealing with cyber crime, and, not least, ageing assets with equipment more than 15-20 years old, especially in the North Sea.
There are also many myths about cyber security, says Wadsworth. A large number of attacks come from inside companies. Some 22% of attacks are from staff or ex-staff, with 49% of those intentional, according to RISI. The most likely culprit are 31-45 year old male permanent members of staff, says Wadsworth, citing a study by the Centre for Protection of National infrastructure, which looked at all cyber attacks.
Other myths include air gaps, or systems not being connected, meaning systems are safe (not the case, says Wadsworth) and that hackers do not know about control systems.
It's not all doom and gloom, however. Lockheed Martin has developed its Cyber Kill Chain, which sets out seven stages an attack has to go through. If at any of the seven stages the attack is caught, it can be stopped.
So what can be done? Wadsworth says: "Like safety, you cannot just put a tick in a box and say you have done security. First, we need to recognise there is an issue. Then, we need to look at where and what are the problems. Then we start getting in to detail. We need to look at security policies, we need to know what you have got, so you can manage it - we have yet to work with a company that can hand over a complete and accurate inventory of its systems - and how are things connected; what is communicating with what, etc. From that, you can start getting in to 'what are the risks and gaps and what can be done about them?' followed by remediation and then ongoing management.
"This is a constant changing environment, with new vulnerabilities and new attackers emerging."
Subscribe
