Years before Stuxnet became known for reportedly disabling the Iranian nuclear complex, Don Shafer, a security executive specializing in protecting offshore oil drilling operations around the globe, was already familiar with the computer worm. He had seen it attack his clients’ rigs in Angola and Indonesia. “It was very interesting when we saw it,” Shafer says, from his home in rural west Texas. “It took us a few days before we realized what it was.”
Stuxnet targets Siemens industrial programmable logic controllers (PLCs) that run a Windows operating system and are controlled over a computer network. They are ubiquitous in industrial operations—“from oil rigs to coffee decaffeination facilities,” Shafer says. In nuclear plants, PLCs power centrifuges in the reactor. On oil rigs, they handle power distribution on the top drives and draw-works that raise and lower the rig’s enormous drill.
Knocking out the power management basically renders an oil rig inoperable, which is why oil and gas companies turn to Shafer’s company, Athens Group, to shore up cyber security on board their rigs. With a staff of about 100 cyber security engineers, and oil and gas clients in remote areas of Russia, Africa, the South Pacific, and Antarctica, Shafer’s job gets tougher each year. “It’s gotten more dicey as the world has become connected,” he says.
The falling price of oil has triggered more aggressive cyber attacks against the oil and gas industry, specifically against Saudi Arabian and US companies, Shafer says. “The countries most impacted by [rapidly falling oil prices] are Russia, Venezuela, Iran, and to some extent North Korea,” he says. “These countries have the ability and the very intelligent hackers to go after the infrastructure that we’ve got.”
At least two private sector research reports from 2014 indicated that Russian hackers have been targeting Western oil and gas fields. Symantec researchers traced several attacks back to a cyber crime syndicate called Dragonfly, which was able to plant encrypted malware onto internal employee websites—a Chinese restaurant menu, for instance—and through them infect users’ machines, which the hackers then used to seize control of machinery on the network.
“We see all kinds of phishing and social engineering—more so than malware,” Shafer says. Even before oil prices began to decline, rigs were popular targets for cyber crime. In February 2013, the Houston Chronicle reported that malware attacks incapacitated oil rigs’ computer networks in the Gulf of Mexico. Months later, experts warned that the entire global shipping industry is vulnerable to cyber attack after hackers tipped a floating oil rig off the coast of Africa.
The U.S. government has taken notice as well. President Obama touched on cyber security threats in the year’s first State of the Union address: “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism.”
In kind, the FTC released guidelines for manufacturers of Internet of Things devices in order to combat this type of cyber crime. “This is stuff we’ve known in the oil and gas industry for decades,” Shafer says. “I think [the FTC] is a day late and a dollar short.”
“I would feel much more comfortable if they went back and talked to a few more people from industry. I don’t see a lot of actionable things in there.”
But introducing legislation is not the answer for Shafer, who points out that strict HIPAA rules have stifled advances in medical and healthcare technology. He agrees that the onus should be on manufacturers to build in security features on industrial and home devices that connect to the Internet.
Transparency in security testing methods is another key factor. “Right now it’s a big mystery,” Shafer says. “How [manufacturers] test these things, that’s almost impossible to find anywhere.”