U.S. oil and gas companies are ‘still trying to catch up’ on cybersecurity, experts say


March 6, 2017

Digital systems and internet networks belonging to U.S. oil and gas companies have increasingly come under attack from hackers in recent years, experts tell CyberScoop.

Between 2011 and 2015, the Homeland Security Department received roughly 350 reports from domestic energy companies that were concerned about hackers probing or breaking into their systems, according to the Houston Chronicle, which cited data from the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). In this context, the term “incidents” refers to times people called the agency rather than actual breaches.

Nearly 900 “security flaws” were discovered by DHS during that timeframe — a figure which some private sector cybersecurity experts claim appears low.

Making sure that industrial control systems, or ICS, are secure has become an especially important mission for Gulf Coast oil, gas and petrochemical companies in addition to the local Coast Guard, the newspaper reported. Industrial equipment often used by these companies is interconnected by a network of digital sensors and controls, making it vulnerable to potential digital sabotage.

“This sector is still trying to catch up,” said Justin Fier, director for cyber intelligence and analysis at the cybersecurity company Darktrace. “Most [ICS] companies have very little visibility into what’s going on within their networks.”

Fier said the tally of 350 reports over several years seems low, and it “would not be irregular” for a single large company to top more than that in one year.

“I would question that number, especially if it includes threats to corporate networks and not just ICS,” he said.

Multiple high-profile ICS attacks occurred during the aforementioned four-year timeframe. For example, two well-known hacking groups, dubbed Dragonfly and Sandworm by security researchers, targeted electric energy and some petrochemical companies in the U.S., Ukraine, Spain, France, Italy, Germany, Turkey and Poland. Sandworm has been linked to Russian hacking activity, while attribution for Dragonfly remains less clear.

“The ICS-CERT would have reasonably seen an uptick in activity related to at least the Dragonfly campaign,” said Robert Lee, the CEO of Dragos Inc, an ICS-focused security firm. “[But] the incidents the ICS-CERT sees are often small insights into the larger problem.”

“There is a perceived, and oftentimes accurate, risk in sharing such information with the government,” Lee said. “Oil and gas community members are in a position where their infrastructure is heavily targeted but they must constantly weigh the benefits of security investments against the cost and risk reduction obtained. From my perspective we will see more investment into security in this space based on the need but it is often more about the potential impact than the probability of it occurring.”
