Hackers Drawn to Oil and Gas Industry’s Lack of Sensors, Controls
Oil and gas companies, including some of the most celebrated industry names in the Houston area, are facing increasingly sophisticated hackers seeking to steal trade secrets and disrupt operations, according to a newspaper investigation.
A stretch of the Gulf Coast near Houston features one of the largest concentrations of refineries, pipelines and chemical plants in the country, and cybersecurity experts say it’s an alluring target for espionage and other cyberattacks.
“There are actors that are scanning for these vulnerable systems and taking advantage of those weaknesses when they find them,” said Marty Edwards, director of U.S. Homeland Security’s Cyber Emergency Response Team for industrial systems.
Homeland Security, which is responsible for protecting the nation from cybercrime, received reports of some 350 incidents at energy companies from 2011 to 2015, an investigation by the Houston Chronicle has found. Over that period, the agency found nearly 900 security flaws within U.S. energy companies, more than any other industry.
Steps are being taken to thwart attacks. For instance, the Coast Guard in a joint operation with Houston police patrolled the waters southeast of Houston last year conducting sweeps for unprotected wireless signals that hackers could use to gain access to facilities. The operation was one of the first of its kind in the U.S. concentrating on cyberattacks by sea.
But the vast network of oil and gas operations makes it difficult to secure. Thousands of interconnected sensors and controls that run oil and gas facilities remain rife with weak spots.
Many companies the technology and personnel to detect hackers. Equipment was designed decades ago without security features, and efforts over the years to link computer networks to devices that monitor pressure or control valves have exposed operations to online threats.
“You could mess with a refinery or cause a vessel to explode,” Richard Garcia, a former FBI agent who became a cybersecurity specialist, told the Chronicle.
Power, chemical and nuclear facilities must adhere to strict cybersecurity measures, but federal law doesn’t impose such standards on the oil and gas sector. And when oil and gas companies have been infiltrated by a hacker, they’re not required to report the incident.
More than 20 of the nation’s largest oil companies – including Exxon Mobil Corp. and ConocoPhillips, refiner Phillips 66 and pipeline operator Kinder Morgan – declined to comment or did not respond to multiple requests for comment. The American Petroleum Institute, the national trade association for oil and gas, also declined to comment.
Charles McConnell, executive director of Rice University’s Energy and Environment Initiative, said oil companies tend to rush to deploy new computer technologies that make operations more productive, but only afterward considering ways to defuse online threats.
“The pace of change of the technology we’ve adopted is every step of the way more and more vulnerable to cyberattack,” McConnell said.
- 2024 Wildfire Forecast Calls for ‘Below Average’ Season
- Florida’s Home Insurance Industry May Be Worse Than Anyone Realizes
- EPA Designates PFAS Chemicals as Superfund Hazardous Substances
- 4,800 Claims Handled by Unlicensed Adjusters in Florida After Irma, Lawsuit Says
- Mother of 8-Year-Old ‘Violently Sucked’ into Houston Hotel Pool Files Wrongful Death Suit
- Report: Vehicle Complexity, Labor ‘Reshaping’ Auto Insurance and Collision Repair
- EVs Head for Junkyard as Mechanic Shortage Inflates Repair Costs
- Millions of Recalled Hyundai and Kia Vehicles, With Dangerous Defect, Remain on Road