According to an alert issued last year by the U.S. Department of Homeland Security, hackers using a tactic called “spear phishing” sent targeted emails to insert malware in computers belonging to natural gas sector organizations. In a separate series of attacks, intruders attempted to obtain information from oil and gas companies about drilling projects and bids.
Around the world, the natural gas industry, and utilities in general, continue to be targets of cyber intruders, and companies increasingly are working to fortify their cyber security systems to protect their critical infrastructure.
In Australia, a spokesperson for the country’s Department of Resources, Energy and Tourism said the agency was “constantly under cyber threat from a number of external sources with some level of attempted penetration occurring daily.” Even former U.S. Defense Secretary Leon Panetta has weighed in on the issue, saying attacks on the U.S. power grid could “paralyze and shock the nation and create a profound new sense of vulnerability.”
In Black & Veatch’s inaugural “Strategic Directions in the U.S. Natural Gas Industry Report,” Cathy Ransom, a Senior Consultant for Black & Veatch’s cyber security practice, writes, “The dependence on key operational and informational technology for natural gas transportation and storage is a key part of the U.S. critical infrastructure supporting both residential and commercial customers. Therefore, it is important that gas technology infrastructure be protected from cyber attacks that could disrupt or damage operations.”
GLOBAL IMPACT OF CYBER CRIMES
UK-based ABI Research calculated that “cyber security spending on the oil and gas critical infrastructure will reach $1.87 billion by 2018. This includes spending on IT networks, industrial control systems and data security; counter measures; and policies and procedures.” The firm noted that “Realization of the financial implications of persistent cyber threats will boost cyber security spending.”
In its 2012 “Cost of Cyber Crime” study, the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, found that the average annual cost of cybercrime for U.S. organizations was $8.9 million in 2012, a 38 percent increase over the 2010 average.
For the UK, Germany, Australia, and Japan, the combined average cost was $4.4 million. Further, the study found, “The average annualized cost of cyber crime appears to vary by industry segment, where defense, utilities and energy and financial service companies experience higher costs than organizations in retail, hospitality and consumer products.”
GROWING AWARENESS AND PROPOSED STANDARDS
Ransom said she was surprised that respondents to the Black & Veatch natural gas report did not list cyber security among the top 10 issues of importance to the industry. She speculated that future reports may show a marked change as recent high-profile incidents, coupled with regulator interest and proposed legislation, have increased awareness of cyber security threats to critical infrastructure.
In particular, the North American Electric Reliability Corporation (NERC), the U.S. Federal Energy Regulatory Commission (FERC) and the Council of Europe have proposed standards designed to protect and defend energy infrastructure from attacks. In February, U.S. President Barack Obama issued an Executive Order entitled “Improving Critical Infrastructure Cyber Security” in an effort to protect the U.S. and its economy from cyber threats targeting critical infrastructure.
Ransom asked, “In the face of potentially dangerous and escalating risks, the real question is, can the industry afford to not proactively address cyber security concerns?”
PLANNING AND RECOVERY
The Black & Veatch natural gas report found that the level of cyber protection within the industry was dependent upon the number of customers served. For instance, 90 percent of organizations serving more than 1 million customers said they have formal cyber security programs in place. But for customer bases of fewer than 100,000, only 43 percent have formal protection. Ninety-four percent of respondents that serve global markets said they have a cyber security program.
Dan Rueckert, Associate Vice President for Black & Veatch’s Management Consulting Division, and current chair of Black & Veatch’s Cyber Security Practice Roundtable, also recommends utilities adopt a proactive approach to cyber security protections. This includes training and hiring professionals with cyber security expertise and integrating security risk management into the organization’s overall planning.
Rueckert said safeguarding critical infrastructure is a matter of “pay now or pay later, only in the pay later scenario, there is almost always a crisis to recover from.” Utilities must account for data security in the business and system planning stages or accept the often financially damaging consequences of addressing issues and containing breaches after the fact, he said.
Published originally on Black & Veatch Solutions.