While cyber-attacks aren’t anything new and are part of everyday business risk, the increased number of attacks against the Oil and Gas industry is alarming. Traditionally, when companies get “hacked”, for the most part it’s software bots scanning the internet for companies that have unpatched servers or open security holes (for example, Equifax was hacked due to an unpatched Apache Struts vulnerability). When it comes to Oil and Gas, the stakes are higher, and so is the payoff. This is why more and more businesses in the energy sector are coming under attack.
When there’s a specific target, the above methods are still employed; however, there’s the added vector of individuals actually putting effort into compromising the systems. This human factor is what makes targeted attacks so dangerous: it brings potential social engineering, expertise, and the full effort of sometimes numerous individuals focused on a single target. Finally, actual hacker groups often have access to “0-Day vulnerabilities”. These are vulnerabilities that haven’t been discovered and for which the software developer hasn’t created a patch. These are often used when groups are specifically targeting an organization, person, or entity.
With the decline and recession of the energy industry from 2014 to 2017, numerous companies have reduced (and in some rare cases even completely cut) their IT budgets. This includes laying off staff who actively monitor these systems, changing IT providers, and even moving to external resources (such as cloud providers) so that the company doesn’t have to maintain its own systems.
This dynamic and changing approach to IT has had its own consequences. Numerous businesses have removed most of their IT infrastructure just because they have moved to the cloud, removing all their internal IT security systems, which are still required no matter where their data is stored. These systems include centralized endpoint (computer) protection, perimeter protection (corporate firewalls and unified threat management systems), active monitoring systems (monitoring the environments and security), and the infrastructure that makes all these systems work. Even though some of these companies now have little or no data on their actual physical network, their credentials have become very easy to compromise, which allows attackers to access their cloud resources. They’ve essentially stripped away numerous security layers.
The recent hack on Deloitte brings emphasis to the ease of compromising some cloud-based systems. The attacker gained access to their Microsoft-hosted e-mail mailboxes by getting access to the main single administrative account (username and password) which controls everything. I firmly believe in general situations that staff actively monitoring these systems could identify and stop intrusions, even stopping them from ever occurring. I also believe it would have been a different story with everything on-premise, restricted behind firewalls, perimeter security, and the complexity of the attacker not knowing or being familiar with the internal corporate network.
In addition to the move to cloud resources to save costs, companies have changed IT providers for low-cost “discount” providers. These companies advertise as providing the same services that a company is accustomed to receiving but at a fraction of the cost. These providers often don’t provide the same services, outsource support/services to other 3rd party companies (sometimes in other countries), store sensitive information on 3rd party servers, and don’t take security seriously since they focus on the number/volume of their client base and not on the quality of their work. With the added pressure of clients restricting budgets, these companies can sell and implement incorrect solutions that are often sized for a different type of business. All of this contributes to their clients’ security vulnerabilities.
Traditionally, Oil and Gas has always been big bucks! As situations and issues have arisen, money was often thrown at them to resolve them, and this was also true of IT systems. Over years and years, management at these companies would rarely get involved, just paying bills and expecting everything to work. With the decline and recession in the industry, they just assumed that they could get the same service when switching to the discount providers mentioned above or migrating to cloud-based resources.
Oil and Gas has always had strict IT requirements. This is due to the sensitivity of the data, compliance requirements (with regulatory bodies, associations, health and safety), value of intellectual property, adhering to governmental privacy and information acts, and investments they’ve made in big data. Additionally, due to political factors and human factors (such as environmentalism), the industry has always been under heavy scrutiny for liability (which requires even more care in maintaining and protecting data and records). This all adds to the need to protect this data.
So here we are approaching Q4 of 2017 at a time when the industry is finally picking up. Cash is starting to flow, as well as the oil in pipelines, and with cyber security risk on the rise, it’s a dangerous combination that businesses need to be aware of.
Businesses and organizations need to pay special attention to their IT systems. Management needs to be actively involved, educated, and asking relevant questions. When things don’t seem right, it’s for a reason.
Not having a proper budget or resources for IT is like removing the insurance policy on millions of dollars worth of assets and equipment. You wouldn’t do the latter, so why do the former? Why would you put the IT systems that run your business and operations at risk?