February 12, 2011, 9:23 PM — The recent news reports on the Stuxnet virus have helped highlight the importance of security in process industries like oil and gas. Recently, McAfee released a report describing coordinated covert and targeted cyber-attacks on the oil and gas industry which they attribute to Chinese hackers. Unlike a Stuxnet type virus which threatens to disrupt processes, the McAfee report uncovered attempts to hack into commercially sensitive data for competitive intelligence - attempts which McAfee has named "Night Dragon". These types of reports are typically issued by security vendors to inform but also as a vehicle to market their specific products. However, often it is the security vendors that act as the catalyst for more investigation by the FBI or Homeland Security.
Security is a top priority for the oil and gas industry. In fact, security is often cited by oil and gas companies as a barrier to outsourcing or sending data outside of the company firewalls. Oil and gas companies hold data such as detailed well logs and production figures close, while being more willing to outsource management of other types of data. In this case, it is not exactly clear exactly what data was the target. The report stated that hackers were "harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations." In the scheme of things, if the main target was bid documents involving competitors, then this information would give Chinese companies like CNOOC that are very active in oil deals a competitive advantage.
A lot more detail was provided on the types of tools used to breach security. Unlike the sophistication and newness of a virus like Stuxnet, our impression is that the Night Dragon attacks were not exotic. Spear-phishing attacks, exploitation of operating systems vulnerabilities, and the use of remote administration tools (RATs) are common. According to IDC security analyst Charles Kolodgy, these are run of the mill vulnerabilities and exploits that we should be able to stop.
It is a matter of constant vigilance when it comes to security practices. Given that so many projects in the oil patch require participation of multiple parties - joint venture owners, rig operators, oil field services firms, and engineering, procurement and construction firms - many documents are likely to be widely shared. As technology makes it easier to collaborate among business partners in the upstream segment and as safety demands more collaboration, it is even more important to pay attention to making sure this collaboration is secure and protected.