Geopolitical risk has focused governments’ attention on the security of their resources and energy supplies — but, now, another risk to these essential commodities is on the rise: hacking and ransom demands.
In the past two years, cybercriminals have increased their attacks on industrial targets in the oil and gas, water, and mining sectors — typically, with the aim of disrupting critical infrastructure, stealing data, and demanding huge payments for its return.
High-profile examples include a 2021 ransomware attack that shut down America’s Colonial Pipeline, which provides fuel to a large part of the US east coast, and, later that same year, a leak of data from oil group Saudi Aramco, which was followed by a $50mn ransom demand.
Last year, in the US, White House national security officials also acknowledged cyber attacks by Iranian hackers on state water authorities — and described them as a call to action for utilities to tighten their cyber security.
At the same time, international mining groups, including Australian iron ore miner Fortescue Metals, have found themselves being targeted by cybercriminals with greater frequency — the industry’s Mining and Metals Information Sharing and Analysis Centre now registers an average of two to three cyber security incidents each month, a doubling of the rate reported in the previous year.
In the case of Saudi Aramco, the data ransom demand was not the first it has suffered. In 2012, the oil producer was the victim of a ransomware attack that infected 35,000 computers and impeded daily operations. Saudi Aramco has since signed a memorandum of understanding with operational technology firm Dragos to help secure its critical infrastructure and assets.
According to Graham Thomson, chief information security officer at national law firm Irwin Mitchell: “The Aramco cyber incidents demonstrate that we are in an era where cyber security is no longer a luxury, but a necessity for all businesses. Aramco’s cyber-destruction attack, and more recent data leak, underscore the magnitude of the threat faced by industries across the globe.”
Cyber attacks targeting physical processes in the industrial sector can inflict more than financial harm.
Jake Moore, global cyber security adviser at cyber security software provider ESET, cites “machinery damage, production stoppages, or even risks to human safety”, as well.
He says that integrating information technology and operational technology systems — whereby the IT systems manage virtual assets such as data and software, and the OT systems control physical environments such as water pipelines — can increase cyber risks. This increased vulnerability has become a “significant challenge” for industrial businesses.
But Moore believes companies can decrease the risks by isolating their critical systems through network segmentation, so that large computer networks are divided into smaller ones, with security protocols updated as often as possible.
As well as IT and OT vulnerabilities, Moore warns industrial organisations to be vigilant about insider threats, which may include “both intentional and unintentional actions by employees or contractors with access” to critical systems. Companies can spot these by promoting a transparent culture in which “everyone knows how their colleagues operate”, he advises.
But, equally, employees can inadvertently add to the threat and make systems vulnerable to cyber attacks by “accidentally introducing malware, or failing to follow security protocols”. Both risks can be reduced by providing cyber security awareness training, Moore says.
Ransomware attacks — where hackers steal sensitive data and threaten to post it online unless the victim pays a ransom — are now the most prevalent threat to large industrial businesses from commercial hackers.
Evgeny Goncharov, head of industrial control systems within the cyber response team at security group Kaspersky, observes that every sixth ransomware attack succeeds in disrupting product lines or deliveries.
“Ransomware attacks on large organisations, unique product suppliers and logistics companies can have severe economic and social consequences,” he says. “And the potential evolution of cyber threats into infrastructure attacks — similar to the Colonial Pipeline incident in 2021 — is likely to further amplify these repercussions.”
One way for employers to mitigate ransomware attacks is by educating staff in how to spot phishing emails containing suspicious links and attachments, which are used to spread the ransomware.
However, the attack surface — the number of possible unauthorised entry points — is being increased by the interconnected nature of energy and industrial companies, and the range of technologies they use. With everything from video surveillance to communications systems now part of their day-to-day operations, they “face cyber risks on many fronts”, warns Damian Lewis, who works on the insights & market development team at communications company Viasat.
Companies can try to mitigate these risks by deploying digital protective measures, such as firewalls, cyber probes and event management systems, which will enable them to “collect and monitor data as it moves across platforms”.
Investing in a security operations centre (SOC) — a team of internal or external cyber security experts — is also a way to detect and mitigate potential threats around the clock. Lewis says the approach taken by Viasat’s SOC involves “analysing active feeds, establishing rules, identifying exceptions, enhancing responses and monitoring possible vulnerabilities”.
But it is not easy: the OT systems used by industrial businesses are “often outdated” with “specialised vulnerabilities” that are harder to spot or fix, points out.
Lewis Duke, a threat intelligence expert at IT security company Trend Micro. This makes them an “an attractive target to nation-state actors, cyber criminals and hacktivists”, he warns.
To stay one step ahead of threat actors, he recommends that businesses adopt a threat intelligence system and collaborate with cyber security companies, just as Saudi Aramco has done with Dragos.
And the threats will keep coming.
Nick Smith, business development manager at security intelligence company Genetec, expects serious industrial cyber attacks such as the Colonial Pipeline case to “increase over time”, unless companies take the right precautions.
He says there still needs to be an “urgent change in mindset and strategy” across the industrial landscape. Businesses must tackle both “physical and cyber vulnerabilities” as part of a “single unified plan”, he advises.