Cybersecurity Is Critical Infrastructure

Earlier this year I received a notice from the bank that issues a credit card that I carry. It almost went straight into the shredder as I figured it was simply an advertisement. But, for whatever reason, I opened it and read that I was soon going to receive a replacement credit card in the mail.

There was no evidence that my card number had been stolen, but the bank was taking this step as a precautionary measure because in late 2013 I had purchased items at large U.S. retailer Target.

Just after Thanksgiving, with the Christmas shopping season in full swing, 40 million credit card numbers and 70 million names, addresses, phone numbers and other information were sucked from Target’s servers – the biggest hack the retail industry had ever seen, reported Bloomberg Businessweek Technology on March 13.

The type of breach to which Target fell victim is becoming increasingly common, with more than 800 million data records stolen last year, according to The Economist, which dedicated a special report in its July 12 issue to the subject of cyber-security.

In reading this special report, what I found most astonishing about the Target breach was that the firm “spent a fortune each year on cyber-security, but was attacked via a heating and air-conditioning supplier whose defenses were apparently not robust enough to keep the hackers out.”

That gives new meaning to the concept of supply chain vulnerability.

And retailers aren’t the only targets in the ever-more-connected world we live in. The energy industry is also looking at its vulnerability to cyber-attack.

Back in 2001, shortly after the terrorist attacks of Sept. 11, I found myself in Washington, D.C., working on energy and cyber-security issues for former Rep. J.C. Watts Jr. (R-Okla.), who at the time was chairman of the House Republican Conference, a member of leadership of the U.S. House of Representatives.

The nation was reeling after the attacks, trying to understand what had happened, and where we were vulnerable to subsequent attack. And here I was, a young geologist serving as a Legislative Fellow funded by the American Geosciences Institute, tasked with helping my boss and our nation’s lawmakers understand the chinks in the armor of U.S. energy systems.

I recall sitting in a meeting listening to a telecommunications CEO recount the story of his company’s role in rebuilding the fiber optic and communications systems to enable the New York Stock Exchange to resume operations within a week of the collapse of the World Trade Center.

But, he warned, our communications systems were designed principally for usability, and not with security in mind, resulting in very porous defense systems.

One sobering example he gave was a SCADA system – the supervisory control and data acquisition system – used to monitor the U.S. electricity grid. At the time of the 9/11 attacks the security measure in place to protect the website used to access this system was a simple alphanumeric password.

The ability to crack that password would reveal to a hacker the state of the nation’s electrical grid, particularly those nodes under the stress of peak load that could be tempting targets.

Mindful of these vulnerabilities, the Idaho National Laboratories of the U.S. Department of Energy began to focus on energy security, particularly SCADA systems. Its Aurora project conducted in 2006 is one such effort, The Economist reports.

A group of would-be hackers remotely gained control of a large diesel generator through a SCADA system and proceeded to destroy it. A quick Google search takes you to a video showing the generator as it begins to heave, seize and smoke – a vivid example of what we don’t want to have happen in an energy installation.

Just because you can do it doesn’t make it easy, The Economist is quick to point out, noting that “squirrels and falling branches have done more damage” to the U.S. electrical grid.

Still, it is a risk.

And, according to a report by the U.S. Department of Homeland Security, 40 percent of the cyber-attacks the department handled last year targeted the energy sector, reported The Hill in a July 15 article.

Recall, too, as The Hill reports, that in 2011 many international energy companies around the world were targeted by hackers based in China, and in 2012, Saudi Aramco was the target of a massive cyber-attack.

This is not an abstract risk. It’s real.

In response, our industry last year established the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC). It’s a membership-based organization where firms join in order to share and obtain information on cybersecurity and threats.

Membership is open to upstream, midstream and downstream oil and natural gas companies, as well as the service industry that supports these firms and appropriate associations. As its website states, there are four cornerstones around which ONG-ISAC is built:

  • Anonymous submissions
  • Authenticated information sharing
  • Industry owned and operated
  • Protection from Freedom of Information Act (FOIA) disclosures and anti-trust violations

It is an industry-led initiative to protect itself from cyber-attacks.

How are you working to protect your company’s information systems and physical assets?

How are you working to protect your own digital information and assets?

Both are critical infrastructure.

Director's Corner

David Curtiss is an AAPG member and was named AAPG Executive Director in August 2011. He was previously Director of the AAPG GEO-DC Office in Washington D.C.

The Director's Corner covers Association news and industry events from the worldview perspective of the AAPG Executive Director.