WASHINGTON — Last year the hacker group Anonymous broke into computer systems of oil companies including Shell, Exxon Mobil and BP as a protest against Arctic drilling. The next month , a different set of hackers infected the computers of Saudi Arabia’s national oil company with a damaging virus that knocked 30,000 workstations offline.
Security analysts and U.S. government officials say such strikes are just the beginning, and that energy is by far the most attractive industry target for cyberattackers.
“The threat is huge,” said Joseph McClelland, who leads a U.S. federal office created last year in an attempt to blunt attacks on energy infrastructure. “The activity is already high and it’s increasing.”
The energy industry was the target of 53 percent of all cyberattacks reported to the Department of Homeland Security between October 2012 and May 2013. Manufacturing was the next highest American industry targeted, suffering 17 percent of the attacks.
Alert Logic, a Houston-based network security company, said in a recent report that two-thirds of its more than 50 energy industry clients experienced “brute force” attacks, where hackers seek out points of vulnerability. The attackers often are looking to steal the company’s trade secrets, according to the firm, or to damage or destroy data used in energy exploration.
Sixty-one percent of the firms had malware attacks, Alert Logic reported, which involve seeking access to systems that control pipelines and other operations.
The stakes are higher in the energy industry than with other businesses, said Stephen Coty, director of security research for Alert Logic.
“It experiences a greater magnitude of security threats that could have global repercussions for years to come,” Coty said.
An infiltrator could in theory be able to shut down the flow of natural gas through a pipeline, trigger an explosion at a petrochemical facility or do damage to an offshore drilling rig that could lead to an oil spill, according to a recent Council on Foreign Relations report. That has the potential to disrupt the energy supply and cause environmental damage.
Arguably the most successful campaign so far against Western oil companies was dubbed “Night Dragon” by the cybersecurity firm McAfee, the Council on Foreign Relations said. Chinese hackers for years stole confidential data from five unnamed major companies, according to McAfee, obtaining sensitive information on operations and project financing in an operation that apparently extended into 2011.
Viruses also can spread by mistake. Stuxnet, a virus widely believed to have been developed by the United States and Israel and used against Iran’s nuclear enrichment facilities, also infected the computer systems of the American oil company Chevron but did not do any damage, according to the Council on Foreign Relations, a nonprofit think tank based in New York City and Washington.
The Council on Foreign Relations said the potential for attacks to inflict damage on critical infrastructure is growing and cited malware unintentionally downloaded by workers incapacitating networks on some rigs and platforms in February.
The Federal Energy Regulatory Commission has a new office created to combat attacks on energy infrastructure. McClelland, who leads the office, said this week that his staff members have personal experience with cyberwarfare.
“We have staff that comes to us from all over government. And in many cases, this was staff’s job for years when they were in other agencies. They were the folks that would put the black hat on and they were the ones who would actually plan and help execute attacks around the world,” McClelland said.
McClelland told a natural gas industry gathering in Washington this week that his agency is assessing what are the highest value targets that need to be defended. Knocking out a pipeline has little consequence if there are other pipelines that serve the same area or a backup fuel supply, he said. But it’s a different story if there’s an attack on infrastructure that has no backup.
“I focus my attention more on that area,” McClelland said.
Email: firstname.lastname@example.org; Twitter: @seancockerham