In 2017, a Russian hacker came within a whisker of causing what could have been a “catastrophic” and deadly attack on a US oil refinery, according to a Department of Justice indictment. The hacker got into the refinery’s systems and deployed malicious software with a view to causing severe “physical damage” — but, instead, triggered safety systems and automatic shutdowns of the refinery.
In March, the hacker — an employee of the Russian defence ministry’s research institute — was charged by the DoJ, alongside three other Russian government employees who allegedly targeted energy companies across more than 135 countries between 2012 and 2018.
These charges reflect an increasingly strident approach by the US government in its pursuit and prosecution of cyber adversaries. However, they also reveal the ongoing appetite among nation-state hackers to target energy companies, to cause maximum disruption. While the energy sector has long been a top target for hackers, cyber security experts are now warning of heightened threats amid the Russian invasion of Ukraine, and are urging the industry to take more decisive action.
Russia is treating cyber as an “additional theatre of warfare”, explains Stuart McKenzie, senior vice-president of Mandiant Services in Europe, Middle East, and Africa.
Targeting critical energy infrastructure is “how you can have the biggest impact — it’s an ability to really show an extension of your power”, he says. More than causing disruption, it can “really erode the public’s perception about your ability to protect”.
Early this year, the discovery of “wiper” malware in Ukraine, which permanently deletes data on infected computers, sent shockwaves through the energy community and raised fears it could spread across borders. Then, in April, the Ukrainian government also revealed that it had thwarted an attempt by attackers from Sandworm, a Russian cyber-military unit, to hack high-voltage electrical substations. In a research note, analysts at Moody’s warned that, given the interconnected nature of European electricity grids and gas pipelines, “there is increased risk of a cyber event impacting multiple countries” if systems are breached.
Meanwhile, in the US, authorities have alerted companies to new malware targeting industrial facilities and systems that control machinery, and called on energy groups to harden their defences.
Vinnie Liu, co-founder of Bishop Fox, a cyber security testing company, reports a flood of inquiries from oil and gas companies since economic sanctions were imposed on Russia. Many have expressed concern that Russia will try to disrupt their operations, to increase dependence on Russia’s own supply. “We are being asked to make sure the company is not a soft target,” Liu says. “Companies are thinking ‘Let’s not be the one that gets hacked’.”
Some hacks have been successful, though — and had real-world consequences. In late 2016, for example, Russia is believed to have been behind an attack that led to a power blackout in the Ukrainian capital of Kyiv. Others have been near misses. Last year, a hacker came close to poisoning the water in a treatment facility in Florida.
Energy plants are particularly vulnerable, though, because they rely on both IT systems and operational technology (OT), which can be older and harder to update. An electricity supplier cannot simply switch off a city’s power while it upgrades its systems.
McKenzie notes that much of the energy sector is also catered to by local and regional providers, as well as a supply chain of third-party stakeholders with limited resources. “That’s where there’s still considerable risk,” he says.
Cyber criminals are also joining nation-state hackers in this “lucrative” space, McKenzie adds.
As a result, energy companies need to ensure they are “bolstering intelligence and enhancing monitoring of usual suspects, watching for changes in [tactics] and hunting as they change”, says Simon Hodgkinson, former chief information security officer at BP and a board adviser at the IT security group Reliance acsn.
Beyond the “basics” — which include updating and monitoring systems and having the necessary backups in place — energy companies need to undergo “crisis exercising”, he says. “Prepare for the worst and ensure recovery and mitigation plans are robust.”
Danielle Jablanski, an OT cyber security strategist at Nozomi Networks, says avoiding public panic when an attack takes place is essential, too. Social unrest can be as disruptive as an actual attack, and lead to unintended consequences.