Energy sector sees threat of hackers rising amid ‘new dimension’ of online attacks
Hackers are bombarding the world's computer controlled energy
sector, conducting industrial espionage and threatening potential global havoc
through oil supply disruption.
Oil company executives warned that attacks were becoming
more frequent and more carefully planned.
"If anybody gets into the area where you can control
opening and closing of valves, or release valves, you can imagine what
happens," said Ludolf Luehmann, an IT manager at Shell Europe's biggest
"It will cost lives and it will cost production, it
will cost money, cause fires and cause loss of containment, environmental
damage - huge, huge damage," he told the World Petroleum Congress in Doha.
Computers control nearly all the world's energy production
and distribution in systems that are increasingly vulnerable to cyber attacks
that could put cutting-edge fuel production technology in rival company hands.
"We see an increasing number of attacks on our IT
systems and information and there are various motivations behind it - criminal
and commercial," said Luehmann. "We see an increasing number of
attacks with clear commercial interests, focusing on research and development,
to gain the competitive advantage."
He said the Stuxnet computer worm discovered in 2010, the
first found that was specifically designed to subvert industrial systems,
changed the world of international oil companies because it was the first
visible attack to have a significant impact on process control.
But the determination and stamina shown by hackers when they
attack industrial systems and companies has now stepped up a gear, and there
has been a surge in multi-pronged attacks to break into specific operation systems
within producers, he said.
"Cyber crime is a huge issue. It's not restricted to
one company or another it's really broad and it is ongoing," said Dennis
Painchaud, director of International Government Relations at Canada's Nexen
Inc. "It is a very significant risk to our business."
"It's something that we have to stay on top of every
day. It is a risk that is only going to grow and is probably one of the
preeminent risks that we face today and will continue to face for some
Luehmann said hackers were increasingly staging attack over
long periods, silently collecting information over weeks or months before
attacking specific targets within company operations with the information they
have collected over a long period.
"It's a new dimension of attacks that we see in
Shell," he said.
Article continues on
In October, security software maker Symantec Corp published
a report on a mysterious virus, discovered and named Duqu by Hungary's
Laboratory of Cryptography and System Security, that contained a code similar
Experts said it appeared to be designed to gather data to
make it easier to launch future cyber attacks.
Other businesses can shut down their information technology
(IT) systems to regularly install rapidly breached software security patches
and update vulnerable operating systems.
But energy companies cannot keep taking down plants to patch
up security holes.
"Oil needs to keep on flowing," said Riemer
Brouwer, head of IT security at Abu Dhabi Company for Onshore Oil Operations
"We have a very strategic position in the global oil
and gas market," he added. "If they could bring down one of the big
players in the oil and gas market you can imagine what this will do for the oil
price - it would blow the market."
Hackers could finance their operations by using options
markets to bet on the price movements caused by disruptions, Brouwer said.
"So far we haven't had any major incidents," he
said. "But are we really in control? The answer has to be 'no'."
Oil prices usually rise whenever tensions escalate over Iran's
disputed nuclear programme - itself thought to be the principal target of the
Stuxnet worm and which has already identified Duqu infections - due to concern
that oil production or exports from the Middle East could be affected by any
But the threat of a coordinated attack on energy
installations across the world is also real, experts say, and unlike a blockade
of the Gulf can be launched from anywhere, with no US military might in sight
and little chance of finding the perpetrator.
"We know that the Straits of Hormuz are of strategic
importance to the world," said Stephan Klein of business application
software developer SAP.
"What about the approximately 80 million barrels that
are processed through IT systems?," said Klein, SAP vice president of oil
and gas operations in the Middle East and North Africa.
Attacks like Stuxnet are so complex that very few
organisations in the world are able to set them up, said Gordon Muehl, chief
security officer at Germany's SAP, but it was still too simple to attack
industries over the internet.
Only a few years ago hacking was confined to skilled
computer programmers, but thanks to online video tutorials, breaking into
corporate operating systems is now a free for all.
"Everyone can hack today," Shell's Luehmann said.
"The number of potential hackers is not a few very skilled people - it's