Oil and gas cybersecurity projects went "to the bottom of the pile" in energy slump

A tanker sails out of the Port of Corpus Christi in Texas after discharging crude oil at the Citgo refinery. A tanker sails out of the Port of Corpus Christi in Texas after discharging crude oil at the Citgo refinery. Photo: Eddie Seal, Stf / Bloomberg Photo: Eddie Seal, Stf / Bloomberg Image 1 of / 1 Caption Close Oil and gas cybersecurity projects went "to the bottom of the pile" in energy slump 1 / 1 Back to Gallery

Oil companies fell behind in hardening their computer control systems against cyberattacks after the collapse of crude prices more than three years ago, putting security initiatives on hold while state-sponsored hacking groups became more proficient at probing U.S. energy networks, according to cybersecurity experts.

Oil and gas cybersecurity teams faced funding shortfalls for projects to protect networks that run pipelines, drilling rigs and other oil field operations, as energy companies slashed thousands of jobs and cut production, security professionals said in recent interviews and conferences. Meanwhile, the worst of the downturn in early 2016 and some of the deepest cuts to jobs and spending coincided with an intensifying campaign of online attacks on energy networks by hackers backed by the Russian government, according to a recent report by the FBI and Department of Homeland Security.

The hackers almost certainly penetrated the networks, according to government and private cybersecurity specialists, likely with the aim of testing detection capabilities and responses and preparing for a a day when they could launch an attack aimed at shutting down operations or damaging facilities. Attacks that interrupted the flow of power or crude oil or gasoline could disrupt, if not derail the U.S. economy.

During an oil bust, said Paul Brager Jr., a cybersecurity specialist at Houston oil field services firm Baker Hughes, “projects, capabilities and needs that aren’t exactly on top of mind go to the bottom of the pile.”

In recent years, federal authorities and security consultants have warned of the vulnerability of the U.S. energy industry to cyberattacks, pointing to outdated software that hackers can easily crack, a vast network of internet-connected devices that provide avenues to control systems, and lack of monitoring and detection of attempted intrusions. In many cases, specialists said, companies can’t tell if hackers have penetrated their networks or if they are still lurking in their systems.

In mid-March, the FBI and Homeland Security blamed Russia for a hacking campaign targeting the operators of critical infrastructure in the energy, water, aviation, nuclear and manufacturing sectors. Not long after, four U.S. natural gas pipeline operators reported that cyberattacks shut down electronic data systems used in setting transaction terms with customers. The attacks, which security experts said didn’t bear the markings of a nation-state incursion, did not affect pipeline operations

Jim Guinn, global lead of the consultancy Accenture’s natural resource cybersecurity practice, said analysts affiliated with his firm have tracked a significant increase in hacking activity in all portions of U.S. critical infrastructure over the past two years, including against oil and gas companies. For the oil industry, which is concentrated in Houston, critical assets include refineries, petrochemical plants, pipelines, power plants and drilling rigs.

The tactics have included using phishing emails and malware aimed at engineers and operators who have control of systems that run plants, pipelines and equipment, according federal agencies and cybersecurity researchers. “They’re going after critical access to figure out how to manipulate systems,” Guinn said.

So far lawmakers and regulators have done little to address the vulnerabilities in the oil and gas industry. There are no regulations governing cybersecurity in oil and gas as there are for power, nuclear and chemical sectors.

Oil industry representatives and some cybersecurity professionals have argued such regulations would diminish security programs to a check list of basic measures that would not make systems more secure. The American Petroleum Institute, a trade group for the oil and gas industry, said the oil and gas industry has invested heavily in cybersecurity measures and promoted guidelines similar to ones followed by the electric utilities and financial companies.

As oil prices have improved - U.S. crude settled above $67 a barrel on Thursday, more than double the $26 in February 2016 - energy companies are spending more to protect systems and asking security teams for better results, cybersecurity consultants said.

Top executives “are starting to take it seriously,” said Stuart Bailey, an information security adviser at Houston oil explorer Noble Energy. “It’s not perfect, but we’ve seen a lot of push for people wanting secure stuff.”

Unlike hacks that compromise personal data such as Social Security or credit card numbers, federal agencies have typically had little to say about attacks on industrial control and networks. In most cases, the details of attacks on critical infrastructure are classified by the FBI and national security agencies, which private security experts says precludes the type of exposure and public outrage that might lead to changes needed to improve cybersecurity.

But Homeland Security’s recent acknowledgment of Russia’s role in attacks on U.S. energy and industrial networks is a sign Washington may put more resources into tackling the lack of defenses protecting vital networks, security experts said.

“For way too long, the U.S. government did not want to talk about that,” said Galina Antova, co-founder and chief business development officer at cybersecurity firm Claroty. “The reports by the DHS and FBI were super helpful just to say, ‘Hey, I’m not crazy, this is actually what’s going on.”

collin.eaton@chron.com

twitter.com/collineationhc