Three out of four oil and natural gas companies fell victim to at least one cyberattack last year as hacking efforts against the industry become more frequent and sophisticated.
That’s the finding from a report released on Monday by industry consultant Deloitte. Technology advances, such as Royal Dutch Shell’s recent control of operations in Argentina from an operating centre in Canada, offer new openings for hackers, the authors wrote.
At the same time, older equipment that must be retrofitted for cybersecurity, including the pumps known as nodding donkeys, make it tougher to defend against sophisticated attacks. Less than half of drillers use any monitoring tools on their upstream operations networks, the report found. Of those, only 14% have fully operational security monitoring centres.
When the authors visited the oil fields it “was like walking into the 1980s, with shared passwords and passwords written down on paper”, said Paul Zonneveld, a senior partner at Deloitte in Calgary, by phone.
A 2011 cyberattack dubbed “Night Dragon” stole exploration and bidding data from oil majors including Exxon Mobil and BP. Past assaults in 2012 and 2014 crippled companies throughout the Middle East and Europe with disk-wiping malware and advanced Trojan Horse attacks.
The report suggested that industry concern over cyberattacks may be low because of a feeling it would be an unlikely target. But with the motives of hackers fast evolving — from cyberterrorism to industry espionage to disrupting operations to stealing field data — risks are rising fast, along with the stakes, the report found.
Companies have to defend a complex system comprising assets decades old as well as state-of-the-art digitised technology. To make matters more difficult, these assets are overseen by a wide array of companies and partners and spread across different fields and regions. Protecting the entire system just isn’t feasible, Zonneveld said.
While the cost of cybercrime is estimated to average about US$15m in the industry right now, major assaults can cost hundreds of millions of dollars, and risk deaths and environmental damage.
Company executives are waking up to the threat posed by cybercrime. “The culture needs to change, and that’s happening, but it takes time,” said Andrew Slaughter, executive director at the Deloitte Centre for Energy Solutions in Houston, in a telephone interview. “This report serves as a call to arms.” — Reported by Giacomo Tognini, (c) 2017 Bloomberg LP