DOHA Dec 8 Hackers are bombarding the
world's computer controlled energy sector, conducting industrial
espionage and threatening potential global havoc through oil
supply disruption.
Oil company executives warned that attacks were becoming
more frequent and more carefully planned.
"If anybody gets into the area where you can control opening
and closing of valves, or release valves, you can imagine what
happens," said Ludolf Luehmann, an IT manager at Shell
Europe's biggest company .
"It will cost lives and it will cost production, it will
cost money, cause fires and cause loss of containment,
environmental damage - huge, huge damage," he told the World
Petroleum Congress in Doha.
Computers control nearly all the world's energy production
and distribution in systems that are increasingly vulnerable to
cyber attacks that could put cutting-edge fuel production
technology in rival company hands.
"We see an increasing number of attacks on our IT systems
and information and there are various motivations behind it -
criminal and commercial," said Luehmann. "We see an increasing
number of attacks with clear commercial interests, focusing on
research and development, to gain the competitive advantage."
He said the Stuxnet computer worm discovered in 2010, the
first found that was specifically designed to subvert industrial
systems, changed the world of international oil companies
because it was the first visible attack to have a significant
impact on process control.
But the determination and stamina shown by hackers when they
attack industrial systems and companies has now stepped up a
gear, and there has been a surge in multi-pronged attacks to
break into specific operation systems within producers, he said.
"Cyber crime is a huge issue. It's not restricted to one
company or another it's really broad and it is ongoing," said
Dennis Painchaud, director of International Government Relations
at Canada's Nexen Inc. "It is a very significant risk
to our business."
"It's something that we have to stay on top of every day. It
is a risk that is only going to grow and is probably one of the
preeminent risks that we face today and will continue to face
for some time."
Luehmann said hackers were increasingly staging attack over
long periods, silently collecting information over weeks or
months before attacking specific targets within company
operations with the information they have collected over a long
period.
"It's a new dimension of attacks that we see in Shell," he
said.
NOT IN CONTROL
In October, security software maker Symantec Corp
said it had found a mysterious virus that contained code similar
to Stuxnet, called Duqu, which experts say appears designed to
gather data to make it easier to launch future cyber attacks.
Other businesses can shut down their information technology
(IT) systems to regularly install rapidly breached software
security patches and update vulnerable operating systems.
But energy companies cannot keep taking down plants to patch
up security holes.
"Oil needs to keep on flowing," said Riemer Brouwer, head of
IT security at Abu Dhabi Company for Onshore Oil Operations
(ADCO).
"We have a very strategic position in the global oil and gas
market," he added. "If they could bring down one of the big
players in the oil and gas market you can imagine what this will
do for the oil price - it would blow the market."
Hackers could finance their operations by using options
markets to bet on the price movements caused by disruptions,
Brouwer said.
"So far we haven't had any major incidents," he said. "But
are we really in control? The answer has to be 'no'."
Oil prices usually rise whenever tensions escalate over
Iran's disputed nuclear programme - itself thought to be the
principal target of the Stuxnet worm and which has already
identified Duqu infections - due to concern that
oil production or exports from the Middle East could be affected
by any conflict.
But the threat of a coordinated attack on energy
installations across the world is also real, experts say, and
unlike a blockade of the Gulf can be launched from anywhere,
with no U.S. military might in sight and little chance of
finding the perpetrator.
"We know that the Straits of Hormuz are of strategic
importance to the world," said Stephan Klein of business
application software developer SAP.
"What about the approximately 80 million barrels that are
processed through IT systems?," said Klein, SAP vice president
of oil and gas operations in the Middle East and North Africa.
Attacks like Stuxnet are so complex that very few
organisations in the world are able to set them up, said Gordon
Muehl, chief security officer at Germany's SAP said, but it was
still too simple to attack industries over the internet.
Only a few years ago hacking was confined to skilled
computer programmers, but thanks to online video tutorials,
breaking into corporate operating systems is now a free for all.
"Everyone can hack today," Shell's Luehmann said. "The
number of potential hackers is not a few very skilled people --
it's everyone."
