12 March 2017

Hacked: Energy industry's controls provide an alluring target for cyberattacks

by Collin Eaton

A ship docked along the Port Arthur Ship Channel Wednesday, Jan. 11, 2017, in Port Arthur.

A Coast Guard cutter glides along the waters of the Sabine-Neches waterway, conducting sweeps for unprotected wireless signals that hackers could use to gain access to oil, gas and petrochemical facilities.

Four massive refineries sit along the 79-mile channel that cuts through this stretch of Gulf Coast. It's one of the largest concentrations of refineries, pipelines, chemical plants and natural gas terminals in the United States - and an alluring target for espionage, disruption or worse.

"There are actors that are scanning for these vulnerable systems and taking advantage of those weaknesses when they find them," said Marty Edwards, director of U.S. Homeland Security's Cyber Emergency Response Team for industrial systems.

As national attention focuses on Russian cyberattacks aimed at influencing the last presidential election, oil and gas companies face increasingly sophisticated hackers seeking to steal trade secrets and manipulate industrial sensors and operations.

Nowhere is the threat more consequential than in Houston and Southeast Texas, where the world's most celebrated names in energy produce, refine and transport fossil fuels, including Exxon Mobil, Royal Dutch Shell and Phillips 66.

The operation aboard the Coast Guard cutter, a joint effort with Houston Police last April, was one of the first of its kind in the U.S. to focus on cyberattacks by sea.

The U.S. Department of Homeland Security, responsible for protecting the nation from cybercrime, received reports of more than 350 incidents at energy companies between 2011 and 2015. In most cases, a hacker infiltrated or tried to infiltrate the control systems of energy firms. During that period, the agency identified nearly 900 security vulnerabilities within U.S. energy companies, more than any other industry.

The vastness of oil and gas operations makes them difficult to secure. Thousands of interconnected sensors and automated controls that run oil and gas facilities remain rife with weak spots.

Much of this equipment was designed decades ago without security features. In recent years, companies have linked devices that monitor pressure, control valves and initiate safety procedures to computer networks and - sometimes inadvertently - the internet.

Those connections expose refineries, pipelines and offshore oil platforms to online threats.

"You could mess with a refinery or cause a vessel to explode," said Richard Garcia, a former FBI agent who became a cybersecurity specialist.

The Coast Guard has received several reports that foreign ships attempted to probe the wireless networks of industrial facilities along U.S. waterways, federal authorities say. Homeland Security, which oversees the Coast Guard, declined to confirm details of any operation and intelligence but acknowledged a growing effort to protect oil, gas and chemical systems from hacking.

Many energy companies, however, lack the technology and personnel to detect whether hackers have broken into operational systems using sophisticated malware that can take over controls or extract data.

In fact, many oil and gas facilities still use networks run by Windows XP, a 2003 system that Microsoft no longer updates, according to federal authorities and cyber security consultants. Others use even earlier versions of the Windows operating system from the 1990s; in rare cases, a few still use MS-DOS, the precursor to Windows.

"More often than not," Edwards said, "we find that there's been corners cut or they haven't taken a hard look at security when they designed those networks."


'What we don't know'

Strict cybersecurity regulations govern power, chemical and nuclear facilities, but no federal laws impose such standards in the oil and gas industry.

When oil and gas companies have been infiltrated by a hacker, they aren't required to report the incident. And if they turn to federal authorities for help, the specifics are typically kept secret because companies disclose information in exchange for anonymity and discretion.

Homeland Security publishes data on cyberattacks, but with no reporting requirements, the data represent only a small share of the cyberattacks against the energy industry.

"We only know what's reported to us," Edwards said. "We don't know what we don't know."

Most companies are loath to talk publicly about the security of computer systems and industrial controls for fear of providing information that could be used to exploit their operations.

More than 20 of the nation's largest oil companies, including Exxon Mobil Corp. and ConocoPhillips, refiners Phillips 66 and Valero, service companies Halliburton and Baker Hughes, and pipeline operators Kinder Morgan and Enterprise Products Partners, declined to comment or did not respond to multiple requests for comment. The American Petroleum Institute, the national trade association of oil and gas, declined comment as well.

The Department of Energy has developed a model of best practices while trade groups such as the American Petroleum Institute have adopted industry standards, but none is mandatory.

In recent years, forward-looking oil companies have treated potential cyberattacks on critical assets as a major financial risk, but others haven't taken the threat as seriously, said Charles McConnell, executive director of Rice University's Energy and Environment Initiative.

Oil companies tend to rush to deploy new computer technologies that make operations more productive, he said, but only afterward consider ways to mitigate online threats.

"The pace of change of the technology we've adopted is every step of the way more and more vulnerable to cyberattack," said McConnell, who spent 35 years in the energy industry and served for two years as assistant secretary of energy.

Of nearly 400 U.S. oil employees who specialize in industrial cybersecurity, 61 percent said their companies lack adequate cyber defenses to protect the technologies that run oil and gas facilities, according to a recent survey by the research firm and consultancy Ponemon Institute. Almost seven of 10 respondents said their companies experienced a security breach within the last year, and yet, less than half believe their companies have met industry standards and guidelines for cybersecurity.

Oil and gas companies generally have gotten better at securing their information and data systems, Edwards said, but it would be "dangerous" to characterize the progress as universal.

Some companies have begun to install firewalls, anti-virus and anti-malware programs and require stricter security measures from equipment manufacturers, among other improvements, cyber security consultants said.

In regulatory filings, Exxon Mobil said its cybersecurity programs block 64 million emails, 139 million internet access attempts and 133,000 other potentially malicious actions each month.

"There are definitely some leaders that have done a lot to stand out," said Robert Lee, a former Air Force cyber warfare operations officer and chief executive of security firm Dragos in San Antonio. "But that's not representative of the industry. It's clear a lot of sites haven't done the minimum for security, and there are many more in the middle."

'Boom in the night'

Devices running automated processes within plants - known as operational technology - were designed years or decades ago before the advent of serious online threats. Security experts say even newer models of sensors and automated controls can't automatically block intrusions.

Marc Othersen, former chief information security officer of New York oil producer Hess Corp., says equipment makers must do more to develop adequately secured devices.

"The technology offered to us has not closed the gap," he said. "We will always be behind."

Last year, Exxon Mobil and Lockheed Martin announced plans to advance automated systems for refineries and chemical facilities with built-in cyber defenses. The initiative, which includes collaboration with 40 other companies, was prompted primarily because devices with protections strong enough to thwart the most skilled hackers aren't widely available, said Joe Weiss, managing director of the international cybersecurity standards body ISA99.

Photo (James Nielsen, Staff): With a refinery that could be vulnerable to hackers behind it, a ship navigates through Buffalo Bayou heading to the Houston Ship Channel earlier this year.

"Ironically, it's the most important (of the systems) but the least secure," he said. "That's where you go boom in the night."

If hackers, for example, figured out how to exploit devices running along 2.6 million miles of U.S. pipeline, they could tell a monitoring system the flow of oil and gas has stopped along a pipe, prompting automated systems to begin pumping until they cause a pressure blast.

When such systems malfunction, it can lead to disasters on the scale of the 2005 Texas City refinery blast, which killed 15 people and injured 180 more. In that tragedy, there was no malicious intent, but devices were incorrectly calibrated and provided erroneous readings, which, investigators concluded, were major factors leading to the blast.

"There are a lot of people out there who would love to disrupt (a pipeline) for visual effect … terrorists or other people who want to see black smoke or flames," said Philip Quade, who recently retired as chief of the National Security Agency's cyber task force. "The more strategic threat is what nation-states can do to affect the psyche of the American public."

'In a dark room'

The majority of U.S. oil and gas companies don't have the capability to find or track malware or viruses that have already penetrated control systems, including devices such as sensors and industrial computers, according to Homeland Security.

This means hackers can gain access to the systems and root around for months or years seeking weaknesses, collecting sensitive data and lying in wait with viruses that can disrupt operations.

"We're in a dark room," said Damiano Bolzoni, chief executive of Dutch security firm Security Matters. "Nobody is switching on the light."

Cyber criminals have tried to steal money by sending employees fake invoices. Other hackers have lured workers into downloading malicious software designed to lock people out of computers or other devices until they pay a ransom.

In many cases, oil and gas companies wait to react to problems, said Chris Sistrunk, a consultant with Mandiant, which specializes in cybersecurity. For example, he recalled how an oil company's cybersecurity team was alerted to a security breach, in which a 7-year-old computer worm had been discovered in a Windows operating system. Its presence suggested that the company hadn't updated protection software in at least seven years.

"Security people are putting out fires instead of hunting for evil on the network," Sistrunk said.

The most sophisticated threats come from hackers backed by foreign governments. Cybersecurity researchers say both Russia and China have sponsored hacking groups, often recruited from the cyber-underworld, to probe industrial control systems in the United States and Europe.

More recently, hackers allegedly from Russia and China have used phishing emails, infected USB drives and other techniques to penetrate computer networks in broad espionage campaigns against U.S. energy companies aimed at siphoning information about industrial control systems, according to the National Security Agency and cybersecurity firms.

"These attackers are adaptive and intelligent," said Michael Assante, former chief security officer of the North American Electric Reliability Corp., which regulates the security of electric grids. "That's a scary thing to be up against."

For the most part, federal officials said, cyberattacks against energy companies appear aimed at stealing trade secrets to boost foreign industries and economies. But some officials anticipate that hacker groups may try to gain footholds in pipelines, refineries and power plants, should the day come when a rival nation or extranational group has reason to hold assets hostage or launch a disruptive attack.

"When the day comes and they need leverage in negotiations or a full-blown act of war, it's not hard to imagine how they might use such a capability," said Barak Perelman, chief executive of the Israeli cyber security firm Indegy.

Photo (James Nielsen, Staff): A refinery along Highway 225 Wednesday, Jan. 25, 2017, in Deer Park.

Quade, the former chief of the NSA's cyber task force, said the threat is more than theoretical, pointing to two viruses launched at energy operations: Stuxnet, which damaged thousands of centrifuges at an Iranian nuclear facility in 2010, and Shamoon, which wiped out computer files in Saudi Arabian oil and gas facilities two years later.

"In the last five years, we've had repeated demonstrations in the willingness of certain nation-states or other actors to actually use this stuff," Quade said.

It's unlikely that Russia or China would sabotage the nation's energy infrastructure because of the probability of retaliation, but these two world powers have honed their abilities to hold key U.S. assets hostage and use cyber capabilities to thwart U.S. military responses to online assaults on domestic soil, the U.S. Department of Defense said in a report last month.

"This emerging situation threatens to place the United States in an untenable strategic position," the Defense Department said.

But security professionals say a major cyberattack against the United States remains a distant possibility, at least for now.

"They're waiting for a rainy day," said Margrete Raaum, who leads the Norwegian computer emergency response team for the energy sector.
