Oil companies put cybersecurity initiatives on hold while crude prices languished at multi-year lows in 2015 and 2016, falling behind in hardening their systems while state-sponsored hacking groups only got more proficient at probing U.S. energy networks, security experts say.
As oil companies cut thousands of jobs and pared back drilling operations in the downturn, cybersecurity teams faced funding shortfalls for projects to secure computer networks that run rigs, pipelines and other oil field assets, increasing pressure for a field already challenged by finite resources and competing priorities.
In an oil bust, “projects, capabilities and needs that aren’t exactly on top of mind go to the bottom of the pile,” said Paul Berger Jr., a cybersecurity professional at Houston oil field services firm Baker Hughes, a GE company.
But among federal agencies and security professionals called in to respond to online attacks, there’s no longer any doubt foreign adversaries in Russia, Iran and North Korea have planned and executed attacks to plant themselves in U.S. critical infrastructure, which includes pipelines, refineries and petrochemical plants.
Still, these experts said, there’s little evidence of a political push in Congress to address the problem; there are still no regulations governing cybersecurity standards in the U.S. oil and gas industry, as there are for power, nuclear and chemical sectors.
Homeland Security said has begun gathering information on the recent cyber intrusions that shut down the electronic data systems used by four U.S. natural gas pipeline operators. But the agency doesn’t disclose information that companies share, said Scott McConnell, a DHS spokesman.
“For way too long, the U.S. government did not want to talk about that,” said Galina Antova, co-founder and chief business development officer at cybersecurity firm Claroty.
Still, though, most industrial security teams still lack the technology and personnel to monitor for cyberattacks affecting computer controls that run critical functions at energy and industrial plants, and many of these industrial control devices have been in operation for years or even decades, designed without security features.
“You’ll be lucky if your windows machines are running on something better than Windows XP,” Antova said.
Even companies that spent hundreds of millions of dollars on cybersecurity protections, she added, have become collateral damage of the accidental spillover of attacks on industrial networks, as was the case last summer when Merck & Co. and FedEx Corp. confirmed cyberattacks compromised their computer systems, intrusions that cost them hundreds of millions of dollars.
“We have to do better,” Berger of Baker Hughes said. Hacking groups, he added, “could cause the United States a lot of grief, and a lot of grief in a hurry.”
This article first appeared on the Houston Chronicle – an Energy Voice content partner. For more from the Houston Chronicle click here.