Cyber threats put energy sector on red alert

Officials working to protect the nation from online threats are casting a wide net as they seek to guard against hackers and foreign governments targeting the United States.

Lately the focus has shifted to the power lines and oil pipelines that crisscross the country, providing vital energy sources that could be hijacked for nefarious ends.

ADVERTISEMENT
"Changes in technology with operational devices is really causing the industry to broaden its spectrum of possible threats," said Michael Gomez of KPMG, a professional services firm that offers cybersecurity products to the energy industry.

"You can get an attack from almost any place now."

The control rooms, substations and devices used to manage the nation’s power grid, oil and gas plants, refineries and pipelines are all digital now, putting them at greater risk of cyberattacks.

At the same time, attempts to infiltrate the energy sector are growing more frequent. Of the roughly 200 cases of hacking attacks the cybersecurity team at the Department of Homeland Security handled in 2013, more than 40 percent were in the energy sector, an agency report said.

"Out of all of the critical infrastructure sectors reporting attacks, the most vulnerable to attacks is the energy sector," Gomez said. "Not any single sector within the energy industry is outside the scope of recent cyberattacks."

Rising concern about cyberattacks fueled the Obama administration's move to issue security guidance for critical infrastructure providers.

The guidance focused on helping utilities and other energy sector organizations purchase technology to protect against attacks and improve reliability.

Lawmakers on Capitol Hill have pushed to establish additional cybersecurity standards through legislation, but have yet to send legislation to President Obama’s desk.

But the issue is getting fresh attention after documents containing classified information about an attack on a California electric substation were leaked to The Wall Street Journal. The Senate Energy and Natural Resources Committee convened a hearing in April to examine the case.

“I am most concerned about coordinated physical and cyberattacks intended to disable elements of the power grid or deny electricity to specific targets, such as government or business centers, military installations, or other infrastructures,” Gerry Cauley, president of the North American Electric Reliability Corp. (NERC) told the Senate Energy Committee in April.

The Senate Intelligence Committee is looking to move forward on legislation that would remove liability hurdles that prevent companies from sharing information with each other about cyber threats.

Similar legislation passed the House, but has yet to see action in the upper chamber.

Sen. Lisa Murkowski (R-Alaska) has been front and center in discussions with energy companies about how to best protect themselves.

"I've been trying to put an urgency behind all of it," Murkowski told The Hill. "But what we are trying to do is get the industry to move voluntarily so we don't have to have mandates and requirements."

Right now, the electric power sector is the only part of the energy industry that is subject to mandatory cybersecurity standards.

Congress approved the mandates in 2005, putting the Federal Energy Regulatory Commission in charge of cyber standards for electric power that are routinely updated.

FERC issued version five of the standards this year. The rules directed utilities to be more specific about protections for devices that are used in control rooms, and for devices across the network that are temporarily plugged in, such as laptops and cellphones.

Companies managing the electric grid have made progress, and say they are continually enhancing their protections.

Paul Stockton, a former assistant secretary with the Defense Department who now works for the security firm Sonecon Inc., said the electric sector is on it’s game when it comes to cybersecurity preparedness, information sharing and security investments.

More progress is vital, however, Stockton said.

There need to be solid goals for utility regulators, and more detailed criteria on how to assess the likelihood and sophistication of threats, Stockton said.

Another weak spot, Stockton said, is the ability of the electric grid to withstand and recover from simultaneous hits on cyber and physical elements of the infrastructure.

Still, the United States has remained relatively free of successful attacks on the grid.

The most devastating attacks to date have been inflicted on the oil and gas sector.

In 2011, China-based hackers targeted international oil and energy companies in cyberattacks dubbed "night dragon."

And in 2012, cyber hackers tried to halt all oil production in Saudi Arabia by attacking the operations of Aramco. The breach damaged 30,000 computers.

While the U.S. has remained relatively free of catastrophic attacks, that doesn't mean the sector’s security precautions are foolproof.

Experts say America’s record of avoiding an attack is part luck, part diligence.

Last year, the oil and gas sector formed its own Information Sharing and Analysis Center, allowing companies to share cybersecurity tips, threats, sophistication, and more with each other.

It's one step toward helping make oil and gas companies more resilient, but the industry will need to continually adapt in order to keep pace with changes in technology.

"Are we a ticking time bomb? Absolutely," Gomez from KPMG said.

"If we don't stay vigilant and we don't try to stay ahead of what the possibilities are and we don't communicate and don't work with entities such as the FBI, Department of Homeland Security, and the NERC, and we stop communicating and try to attack this by ourselves, then something bad will happen, and you could say it would be catastrophic."