In a recent report, ABI Research, a technology/market intelligence analysis firm, found that the U.S. oil and gas industry will likely invest $1.87 billion in anti-cyber threats by 2018.
The report highlighted the vulnerabilities of the multi-billion dollar industry involved in the international trade of one of the world’s most expensive and critical commodities. “The lack of appropriate security has already allowed a number of destructive cyber-attacks to lay waste to some of the most high-profile companies in the industry,” said ABI’s senior cybersecurity analyst, Michela Menting.
The report found that little attention has been paid to the cyber vulnerabilities of hydrocarbon pipelines, rigs, refineries, storage facilities and other critical infrastructure. The ABI report highlighted a lack of direction on the part of the industry to address these security risks. “Many of these attacks have caused significant financial damages – and yet the industry is painstakingly slow in deploying proper cybersecurity measures adapted to the infrastructure,” said Menting.
A specific cyberattack could target capital investments, such as an expensive piece of machinery or could have greater economic, environmental and supply-side significance by causing a catastrophic release of hydrocarbons. The report notes that no longer are attacks likely to enter the system via email; as motors, pumps and even valves become “smarter,” they have also become potential targets. The report notes that no specific attack of this caliber has yet been delivered but the report says the risk is growing.
In the shadow of the 2010 Deepwater Horizons disaster and accompanying public backlash, including a multi-part South Park episode, it is likely the hydrocarbon energy sector will take notice and begin investing in greater cybersecurity. The events in the Gulf further impressed the negative perception on the industry by the American public. In a 2012 Gallup Poll, Americans again rated the oil and gas industry in last place for favorable impressions. A September 2010 paper by Gene L. Theodori of Sam Houston University and Douglas Jackson-Smith of Utah State University found that citizens of Tarrant County Texas, where the industry is heavily invested, found that “members of the general public distrust the intrusion of the gas industry and dislike certain potentially problematic social and/or environmental issues perceived to accompany development.”
The sector is well aware of the potential public relations nightmare that a cyberattack could generate, especially if it caused a massive, uncontrollable spill of a highly flammable and/or toxic material near a population center or highly valuable economic area.
The report does not enumerate if the most likely threat is bored hackers, a foreign government, competitive firms or terrorist organizations. However, the attacks announced on January 31st, 2013 by The New York Times apparently carried out by the Chinese government show that foreign governments are capable of and willing to target institutional targets in foreign countries. The attack was precipitated by The New York Times publishing a story decrying the financial gains of members of former Premier Wen Jiabao’s family to the tune of $2.7 billion.
Despite other high-profile attacks like the one on The New York Times, the oil and gas sector has been a regular target. According to a January report by Greenwire, the energy industry reported more cyberattacks to the Department of Homeland Security than any other sector in 2012.
The report did offer hope. Menting suggested that security is likely to improve if implementation of safeguards does not interrupt normal business operations. Some safeguards would include activation of specific properties already present on devices or the installation of external safeguards.
It is now imperative to ensure that industry achieves the highest possible level of cybersecurity either through self-imposed best practices or governmental incentive, regulations and/or mandate.
One option would be for the Pipeline and Hazardous Materials Safety Administration within the Department of Transportation to undertake a rulemaking to mandate cybersecurity safeguards. Congress could also amend the tax code to offer a tax incentive to firm’s investing in cybersecurity practices and devices; however recent public criticism of the oil and gas industry’s tax breaks means any tax breaks would need to involve the expiration of other deductions. Additionally, the government could work with industry groups, likely the American Petroleum Institute in a voluntary cooperation agreement to ensure universal implementation of best practices for cybersecurity.
Regardless, the stakes are too high for the government to fail to ensure implementation for infrastructural cybersecurity safeguards for the domestic oil and gas industry.