Doha - Hackers are bombarding the world’s computer
controlled energy sector, conducting industrial espionage and threatening
potential global havoc through oil supply disruption.
Oil company executives warned that attacks are becoming more
frequent and more carefully planned.
“If anybody gets into the area where you can control opening and
closing of valves, or release valves, you can imagine what happens,” said Ludolf
Luehmann, an IT manager at Shell Europe’s biggest company.
“It will cost lives and it will cost production, it will cost
money, cause fires and cause loss of containment, environmental damage - huge,
huge damage,” he told the World Petroleum Congress in Doha.
Computers control nearly all the world’s energy production and
distribution in systems that are increasingly vulnerable to cyber attacks that
could put cutting-edge fuel production technology in rival company hands.
“We see an increasing number of attacks on our IT systems and
information and there are various motivations behind it - criminal and
commercial,” said Luehmann. “We see an increasing number of attacks with clear
commercial interests, focusing on research and development to gain the
competitive advantage.”
He said the Stuxnet computer worm discovered in 2010, the first
found that was specifically designed to subvert industrial systems, changed the
world of international oil companies because it was the first visible attack to
have a significant impact on process control.
But the determination and stamina shown by hackers when they attack
industrial systems and companies has now stepped up a gear, and there has been a
surge in multi-pronged attacks to break into specific operation systems within
producers, he said.
“Cyber crime is a huge issue. It’s not restricted to one company or
another it’s really broad and it is ongoing,” said Dennis Painchaud, director of
International Government Relations at Canada’s Nexen. “It is a very
significant risk to our business.
“It’s something that we have to stay on top of every day. It is a
risk that is only going to grow and is probably one of the preeminent risks that
we face today and will continue to face for some time.”
Luehmann said hackers were increasingly staging attack over long
periods, silently collecting information over weeks or months before attacking
specific targets within company operations with the information they have
collected over a long period.
“It’s a new dimension of attacks that we see in Shell,” he said.
Not in control
In October, security software maker Symantec Corp said it had found a mysterious virus that contained code similar to Stuxnet, called Duqu, which experts say appears designed to gather data to make it easier to launch future cyber attacks.
In October, security software maker Symantec Corp said it had found a mysterious virus that contained code similar to Stuxnet, called Duqu, which experts say appears designed to gather data to make it easier to launch future cyber attacks.
Other businesses can shut down their IT
systems to regularly install rapidly breached software security patches and
update vulnerable operating systems. But energy companies cannot keep taking down plants to patch up
security holes.
“Oil needs to keep on flowing,” said Riemer Brouwer, head of IT
security at Abu Dhabi Company for Onshore Oil Operations .
“We have a very strategic position in the global oil and gas
market,” he said. “If they could bring down one of the big players in the oil
and gas market you can imagine what this will do for the oil price - it would
blow the market.”
Hackers could finance their operations by using options markets to
bet on the price movements caused by disruptions, Brouwer said.
“So far we haven’t had any major incidents,” he said. “But are we
really in control? The answer has to be ’no’.”
Oil prices usually rise whenever tensions escalate over Iran’s
disputed nuclear programme - itself thought to be the principal target of the
Stuxnet worm and which has already identified Duqu infections - due to concern
that oil production or exports from the Middle East could be affected by any
conflict.
But the threat of a coordinated attack on energy installations
across the world is also real, experts say, and unlike a blockade of the Gulf
can be launched from anywhere, with no US military might in sight and little
chance of finding the perpetrator.
“We know that the Straits of Hormuz are of strategic importance to
the world,” said Stephan Klein of business application software developer SAP.
“What about the approximately 80 million barrels that are processed
through IT systems?,” said Klein, SAP vice-president of oil and gas operations
in the Middle East and North Africa.
Attacks like Stuxnet are so complex that few organisations in
the world are able to set them up, said Gordon Muehl, chief security officer at
Germany’s SAP, but it was still too simple to attack industries over the
internet.
Only a few years ago hacking was confined to skilled computer
programmers, but thanks to online video tutorials, breaking into corporate
operating systems is now a free-for-all.
“Everyone can hack today,” Shell’s Luehmann said. “The number of
potential hackers is not a few very skilled people - it’s everyone.”