Cyber Darkness: Energy Sector Security Challenges

By Brian Finch & Tom Kellermann

Editor’s Note:  Brian Finch is a partner with Dickstein Shapiro LLP and Tom Kellermann is a managing director with Alvarez & Marsal Holdings, LLC.  Thanks to Mr. Finch and Mr. Kellermann for allowing us to publish their insightful article.  

The year 2014 will be remembered as the year that criminals truly migrated into cyberspace. According to Interpol, all major organized crime groups have developed business models around cybercrime. Cyber risk has now emerged as a high-profile problem; so much so, it has climbed to No. 3 on the Lloyd’s Risk Index 2013.¹


Given the increasing volume of transactions and information available online, it is no surprise that valuable data is the target of increasingly sophisticated cyber attacks.  In the unfortunate and extraordinarily broad world of cyber-attack victims the energy sector has drawn more than its fair share of assaults, whether for economic gain or simple malice.  

The list of infamous attacks includes Operation “Night Dragon,” reported by McAfee, Inc. in 2011. As McAfee researchers noted in their report, Chinese hackers stole sensitive intellectual property from energy companies over long periods of time—in some cases nearly four years. These were equal opportunity attacks as companies in the oil, gas and petrochemical sectors were all targeted. The attacks were pulled off using the relatively well-known tactic of “social engineering,” whereby innocent-looking emails were delivered to energy company employees. When opened, these disguised emails provided the malfeasors with routes to various energy company systems.

Other malicious events in the energy sector followed Night Dragon.  In 2012, Saudi Aramco, the oil giant responsible for a huge portion of the world’s crude oil, acknowledged that it had suffered a serious cyber attack.  In that case, unnamed foreign nations (with strong hints of Iranian involvement) also deployed social engineering tactics to infiltrate Saudi Aramco’s information technology infrastructure. Instead of seeking to steal corporate secrets and intellectual property, this attack was aimed at disrupting oil production. As a result, nearly 30,000 Aramco computers were rendered inoperable. Considering that we live in a world where minor skirmishes in the Gulf can shoot the price of oil skyward, one can imagine the disastrous economic impact a cyber attack would have if oil production were disrupted. 

However, during the past decade, since the infamous August 2003 power outage that plunged millions of Americans and Canadians into darkness—an event which was said to have been caused by a software bug—the energy sector has made significant strides in preserving resiliency and business continuity. Yet business continuity plans create greater access and connectivity to what were once very insulated systems. This juxtaposition must be appreciated for it has become paramount to understanding that the benefits of business continuity efforts must be balanced with a focus on protecting the integrity and access to Supervisory Control and Data Acquisition (SCADA) systems.

While the motivations and methods driving these cyber attacks are varied, one thing is clear; their potential for both physical and economic disruption is nowhere near fully realized.  Cyber attackers grow in numbers every day, and the sophistication of their malicious tools is outstripping defenses being deployed by both the public and private sectors. Most disconcerting is that fact that for every weakness or vulnerable entry point that is addressed, cyber criminals find multiple new avenues of access.  

One of the current invasion tactics is referred to as “island hopping.” With this approach, the cyber attack targets a trusted third party of the enterprise and then transits into the target’s systems via a third-party’s less secure connections. Island hopping has become a wide-spread phenomenon in the retail industry and was noted as one of the means of gaining access to company systems in several recent high-profile attacks.

A vulnerability that requires careful consideration and proactive protection is in the energy trading market.  In the world of energy futures and commodities trading lightning-quick trades and bets on the availability and price of energy resources drive a huge part of the global economy, and vast networks of financial exchanges form the backbone of these operations.  Enormous amounts of money move back and forth in these markets on a regular basis, and the overall health of the global economy can be measured—and often dictated—by swings in these markets.

Therein lies the problem.  These financial exchanges are as vulnerable to cyber attacks as those present in any other sector of our economy. Indeed, the World Financial Exchange (the global trade association for exchanges) released a report in 2013 noting that more than half of the world’s financial exchanges had suffered some form of cyber attack in the prior year.²   These attacks, while thankfully not yet resulting in any massive losses, highlight the vulnerability of even the most sophisticated and relatively well-protected financial systems from cyber attacks. The world’s financial exchanges have responded by increasing cyber-defense exercises and working more closely with law enforcement to detect and deter such attacks.  

One can imagine the impact of a successful cyber attack on an energy exchange. Disruptions in pricing and delivery of commodities could have disastrous effects on the global economy, setting wild speculation on prices as well as incredibly violent price swings. Energy prices could skyrocket quickly, and the lack of confidence in these markets could create an even greater “fear” or “risk premium” in energy prices.  If the last decade has taught us anything, it is that the global energy economy is incredibly sensitive to world events.  Fear over the availability of accurate pricing—much less supply—would no doubt result in disastrous spikes in prices, with the potential to drive the world economy back to the brink of another recession.

The fact that the world’s exchanges are beefing up their security is a good sign, as is the general awareness of the problem. What exchanges, investors and energy companies need to realize is protecting those markets from cyber attacks is just as important as protecting the technology that controls production and supply from such attacks. Cyberspace is not a specific place, and dictates greater investment in cyber security technologies and an alignment of policies and procedures that would manage the damage caused by the inevitable incident.  The ability to share information and analyze it in ways never before imagined has led to incredible breakthroughs in efficiency and knowledge.  At the same time, we have added many more links into the global economic chain, one which includes a virtual supply chain that must be protected. These realities demand that important sectors of our economy like the energy sector, must examine every link in their chain for vulnerabilities. Failure to do so can easily lead to consequences that could cost them dearly.

In 2014, the energy sector must recognize that network and data security is a critical part of conducting business in the hostile world of cyberspace.  Sustainability is dependent upon evolving their risk management strategies to encompass prevention and mitigation of cyber attacks.

Brian Finch, a partner in Dickstein ShapiroLLP's Washington, D.C. office, is head of the firm’s Global Security Practice. Mr. Finch focuses his practice on data and physical security issues, counseling clients on regulatory and government affairs matters involving Congress and various federal agencies. He is a leading authority on the SAFETY Act, having crafted numerous applications for clients seeking liability protections for a wide variety of products and services, ranging from security guards and vulnerability assessments to software programs and security screening devices. Mr. Finch authors a weekly cyber security column on the Fox Business Network™ website, and also appears regularly on the channel as a cyber-security expert.  He also serves as a senior advisor to the Homeland Security and Defense Business Council and an adjunct professor at The George Washington University Law School.

Tom Kellermann, managing director at Alvarez & Marsal Holdings, LLC,is a strategic information security specialist with more than 17 years of experience. He focuses on emerging cyber threats, financial sector risk management, cyber strategy development and incident response.  Before joining A&M, Mr. Kellermann was senior vice president of Cyber Security for Trend Micro Inc., where he led their cyber-threat intelligence practice and coordinated all long-term cyber investigations with international law enforcement. Mr. Kellermann served as a Commissioner on The Commission on Cyber Security for the 44th Presidency and is currently an adviser to the International Cyber Security Protection Alliance and the National Board of Information Security Examiners Panel for Penetration Testing.  Mr. Kellermann is a professor at American University’s School of International Service and Kogod School of Business. He is a Certified Information Security Manager (CISM).  In 2003, he co-authored the book: E-Safety and Soundness: Securing Finance in a New Age.

¹ Lloyds

² ZDNet, July 18^th, 2013:  As NASDAQ’s site was hit by hackers, report says half of world's exchanges suffered cyber attacks.