    [NGW Magazine] Bracing for Cyber-Attacks

Summary

This article is featured in Volume 3, issue 13 of NGW Magazine - Energy infrastructure has escaped hacking so far; but as digitisation and connectivity grow, the industry risks being attacked in a way that costs little but which could have very serious consequences.

by: Beatrice Bedeschi

Digitisation in the energy industry means that companies need to step up their cyber-security strategy. However, many of them still remain highly exposed to attacks as the industry adapts to the implementation of a European Union directive that is seen as the “cornerstone” of the EU’s cyber-security strategy, a conference in London heard in late June.

“What drives [the commitment to] cyber-security is either being hacked or government regulation,” the business development manager at Siemens, Jeff Foley, said.

Speaking at the second annual Europe cyber-security conference organised by the American Petroleum Institute (API) and the International Association of Oil and Gas Producers (IOGP), Foley said that cyber attacks on energy companies were becoming more common owing to “lax network connection policies” and “the use of security solutions that are easily breached.”

Human error remains a key vulnerability for oil and gas companies, particularly around issues such as password practices and the use of USB drives.

“If you have connectivity you’re going to have some issue of cyber-security,” he said, adding that digitisation and automated processes were the Achilles’ heels of corporations.

Potential “threat sources” include “malicious insiders” as well as terrorists; state-sponsored agents; governments; hacktivists; and rebels, explained Siv Hilde Houmb, CTO of Norwegian cybersecurity solutions provider Secure-NOK.

However, the most common ones remain the “unknowing insider” – an employee, vendor or contractor – who is used by cyber-criminals to breach a company’s security, as well as organised cyber-crime groups, which may target companies for money, she explained.

Nevertheless, material damage to energy assets has no longer been theoretical since the Stuxnet virus infected the Natanz nuclear plant in Iran in 2010, explained Ed Turkaly, cyber security leader at Baker Hughes. In that instance, attackers were able to gain control of the plant’s centrifuges, making them accelerate until they broke. “As an industry, overall we need to move more quickly and we need to have more preventative controls, as operators in the field don’t have time to be security engineers,” Foley said.

“Detecting a cyber incident could be too late,” he stressed, adding that regulation is one key tool to help drive “the development of risk management, crisis management and lifecycle planning.”

Implementing the EU NIS Directive

Regulation of cybersecurity in energy is, however, still fragmented. While in the US the North American Electric Reliability Corporation’s critical infrastructure protection (NERC CIP) framework has been in place since mid-2000, Europe’s legislation is progressing at a much slower pace: the directive on security of network and information systems (NIS) was set to be transposed into national law by member states by May 9 this year.

The NIS Directive, which is aimed at providing legal measures to boost the overall level of cyber-security in the EU, stipulates member states have to set up a national authority and a single point of contact for firms to report attacks, as well as a co-operation group and unified response team between states.

Moreover, businesses in the energy, transport, water, banking, financial market infrastructure, healthcare and digital infrastructure sectors that are identified by member states as “operators of essential services” will have to take appropriate security measures and notify serious incidents to the relevant national authority.

The NIS directive “is the cornerstone of the EU approach to cyber-security,” said a partner at Sidley Austin law firm, Edward McNicholas. It has been drafted “in a way that reflects member states’ autonomy and variety of approaches,” he added.

However, implementation into national law is progressing at a different speed in different countries, with some states having put more resources into the establishment of a central authority and response team and others lagging behind, he said.

“The UK has tremendous capability and robust response teams,” as do Germany and France, he said, adding however that “others are incredibly poorly resourced, lacking in expertise and have not much to offer in terms of defence for member states,” so there’s “great unevenness.”

However, “most attacks are not limited to a specific country so there’s a bit of a free-rider issue in that if Germany, France, the UK or the US develop a very good response to an attack, other countries can benefit from that,” he pointed out.

Providers of essential services

One key aspect of the NIS regulation is the identification of providers of essential services such as energy utilities. This affects the energy industry to varying degrees.

In the UK, the NIS directive was transposed into the Network and Information Systems Regulations, which came into effect on May 10 and set specific thresholds for operators to be listed as providers of “essential services.”

These are defined as:

  • Suppliers of electricity and gas to more than 250,000 customers;
  • Electricity generators that hold a capacity greater than 2 GW;
  • Gas transmission system operators with “a potential to disrupt delivery” to more than 250,000 final customers;
  • Holders of interconnector licences relating to gas pipelines having the technological capacity to input more than 20mn m³/day to a transmission system, and operators of LNG facilities with an input capacity greater than 20mn m³/day;
  • Operators of upstream petroleum pipelines with a throughput of more than 3mn metric tons of oil equivalent/yr;
  • Operators of refining and storage facilities for more than 500,000 mt of crude oil.

“Operators of essential services have to report breaches to regulators” as “each member state has to have a contact to whom breaches are reported,” McNicholas explained.

This means “there will be a lot more information about hacks coming out,” although how much of that information becomes public will vary by member state, he said. Companies operating in the US will also see breaches listed in their filings to the Securities and Exchange Commission, he said.

There “will be a sea-change in the industry as information on cyber intrusion will become visible, so companies need to be able to respond to that not just as a cyber-security event, but also a legal and public relations event as well,” he said.

Nevertheless, despite recent efforts of legislators to improve cyber-security standards, experts warn that this might not mean assets are secure.

“Compliance does not equal security,” he said, adding that being compliant would only give a “snapshot” of whether a security program meets specific requirements at a given time.

Moreover, while the US NERC CIP is “very prescriptive”, the NIS directive establishes rules on a more general level and doesn’t touch on how to protect industrial control systems, the typical target of hackers, Siv Hilde Houmb told NGW on the sidelines of the conference. “Regulators are trying to understand how to regulate such a moving target,” as threats are constantly evolving, making any legislation quickly obsolete if it’s not constantly updated, she said.

Beatrice Bedeschi