Hackers Hit 75% of Drillers as Sketchy Monitoring Is Blamed

(Bloomberg) Three out of four oil and natural gas companies fell victim to at least one cyber attack last year as hacking efforts against the industry become more frequent and sophisticated.

That’s the finding from a report released Monday by industry consultant Deloitte LLP. Technology advances, such as  Royal Dutch Shell Plc’s recent control of operations in Argentina from an operating center in Canada, offer new openings for hackers, the authors wrote. At the same time, older equipment retrofitted for cybersecurity, including the pumps known as nodding donkeys, make it tougher to defend against sophisticated attacks.

A day after the report was released,  Rosneft PJSC said its servers were hacked, forcing Russia’s largest crude producer to switch to a backup system. Less than half of drillers use any monitoring tools on their upstream operations networks, the report found. Of those, only 14 percent have fully operational security monitoring centers.

When the authors visited the oil fields it “was like walking into the 1980s, with shared passwords and passwords written down on paper,” said Paul Zonneveld, a senior partner at Deloitte in Calgary, by phone.

A 2011 cyber attack dubbed “Night Dragon” stole exploration and bidding data from oil majors including Exxon Mobil Corp. and BP Plc. Past assaults in 2012 and 2014 crippled companies throughout the Middle East and Europe with disk-wiping malware and advanced Trojan Horse attacks. Rosneft and energy companies in Ukraine were hit by a ransomware assault on Tuesday, highlighting the urgency of the threat.

Shell, Exxon, BP and other producers didn’t reply to requests for comment.

The report suggested that industry concern over cyberattacks may be low because of a feeling it would be an unlikely target. But with the motives of hackers fast evolving — from cyberterrorism to industry espionage to disrupting operations to stealing field data — risks are rising fast, along with the stakes, the report found.

Complex System

Companies have to defend a complex system comprising assets decades old as well as state-of-the-art digitized technology. To make matters more difficult, these assets are overseen by a wide array of companies and partners and spread across different fields and regions. Protecting the entire system just isn’t feasible, Zonneveld said.

While the cost of cyber crime is estimated to average about $15 million in the industry right now, major assaults can cost hundreds of millions of dollars, and risk deaths and environmental damage.

Company executives are waking up to the threat posed by cybercrime. “The culture needs to change, and that’s happening but it takes time,” said Andrew Slaughter, executive director at the Deloitte Center for Energy Solutions in Houston, in a telephone interview. “This report serves as a call to arms.”