A cyber-threats expert from the US Federal Bureau of Investigation (FBI) told an audience at the recent American Petroleum Institute Cybersecurity Conference in The Woodlands, Texas, that oil and gas companies are at risk from potential cyberattacks and must do more to protect themselves.
Speaking on 7 November at a conference session on cyberattacks and emerging threats, FBI Computer Scientist James Morrison said that all companies need to be prepared to defend their enterprise and operating systems against such attacks of all kinds. Based in Houston, Morrison is a technical expert on information technology (IT) who works on cases that come into the bureau.
“Too many companies are thinking they’re not targeted,” Morrison said. “That is not the reality. Every single one of you will be attacked, if you have not already been attacked, and you’ve got to protect your data. You’ve got to protect the industrial control systems behind that data.”
Attacks on the Rise
During 2016, 75% of oil and gas companies had at least one cyberattack incident, according to Morrison. Attacks are on the rise to the point where “we’re actually getting a little numb about too many attacks,” he said.
More than 200 groups worldwide, including some linked to national governments, are thought to be involved in cyberattacks on US installations. The number appears to be growing, Morrison said, with the rise of criminal activity on the dark web.
“I as a nation state don’t even have to develop my own ransomware anymore,” he said. “I can actually hire somebody to develop ransomware and have it brought to me.” Which has lowered barriers to entering cyberattack activities.
“And from an oil and gas standpoint, they’re not just targeting you, they’re targeting your subcontractors, and they’re targeting your law firms,” he said. “We’ve seen a number of law firms get hit because of the contract information that they have on you.”
ImageTest Your Backups
Companies should make sure to test their system backups, yet they often fail to do so and don’t know for sure whether they will work if needed. Lack of certainty is likely to force the company to pay a ransom.
If the company is attacked with ransomware, and the CEO asks the head of IT whether there are backups, Morrison said, “‘I think so’ is not the right answer. You’d better know.”
Another threat on the increase is ‘hactivism,’ Morrison said. “‘Hactivists’ are all over those oil and gas pipeline issues. It’s not just people on the ground anymore,” he said. “They’re attacking you through cyber and they’re trying to exploit your networks.”
The attackers “are going to do as much as possible to give out disinformation,” which includes putting out information on a company’s employees on the web—a tactic called doxing—in an effort to discredit the company, Morrison said. Construction contractors and subcontractors may also be targeted because of their relationship with the company.
Protect Software Downloads
Software downloads are another target of hackers. Entering the download functions of several European companies, hackers infected the companies’ industrial control systems with the Havex virus, which enabled potential espionage and threatened the sustainability and integrity of operations before the virus was discovered.
“For an industrial control system, you should never download to an active system,” Morrison said. “You should have a test system, where you can download the software and do a test on it before you go live with it.”
Although it did not involve an oil and gas company, the recent system breach of the credit bureau Equifax “should have taught all of us the importance of keeping our software up to date on our servers and our machines,” Morrison said.
He urged audience members to have their organizations join InfraGard, a public-private partnership between US businesses and the FBI. The partnership facilitates information-sharing and intelligence between businesses, academic institutions, state and local law enforcement agencies, and other participants to prevent hostile acts against the US.