Protecting IT Systems ‘As Important As Protecting Energy Infrastructure’

Theft of a single password led to a ransomware attack on Colonial Pipeline that forced it to shut down for several days last May.

While the magnitude of this attack is unique, the target isn’t.

“Cybercrime is a problem for energy companies, full stop,” says Geoffrey Cann, author of Bits, Bytes and Barrels: The Digital Transformation of Oil and Gas.

“Energy companies are under constant threat mode. It just never goes away.”

Cann — who has a book soon to be published called Carbon, Capital and the Cloud — has experience working for an integrated oil and gas company in Toronto, and as a partner at Deloitte, helping oil and gas chief information officers embrace change.

A number of factors drive this attention from hackers, including, Cann says, that the concentration of oil resources rests in “relatively speaking, a small number of hands.”

“All you have to do is cause an upset on the supply of oil, and it doesn’t take much, for the price to go up.”

Sophisticated cyber attackers may use breaches to short the market and benefit from a corresponding stock market shift.

“It’s easy to visualize how you might capture an opportunity in the marketplace by tampering with the supply,” says Cann. “It’s pretty sensitive to disruption.”

Another factor keeping the oil and gas industry in the crosshairs of cyber criminals is, in some cases, the use of outdated equipment, a by-product of the age of the energy sector itself.

“Some of that equipment will not have anything close to the protective features to counter cyber activity that you would see in much more modern gear,” says Cann. “So, there are little vulnerabilities out there to exploit.”

It doesn’t take long to get on a cyber attacker’s radar. Sometimes, just a few minutes.

“I spoke to a researcher at a university for one of my books … [and] he created what’s called a honeypot,” Cann says of the controlled system, a type typically found in energy infrastructure. Such a system is also called supervisory control and data acquisition (SCADA), and it typically controls an industrial process.

In this case, it was just software and was not connected to infrastructure.  

“He turned the thing on, went away from his desk to get a cup of coffee, came back and it was already under attack,” says Cann.

“The technologies that we have all come to know, love, use to transform our businesses — artificial intelligence, machine learning, robots — all of those technologies are available to people up to no good at the same pace we are,” he adds. “There is no time delay.

“This is [a] cat and mouse game, a war of my tools versus your tools.”

Kelly Sundberg, associate professor in the Department of Economics, Justice, and Policy Studies at Mount Royal University, last year ran a study with a group of students on cybersecurity in the private sector and the interplay with police. This included conversations with energy companies.

“For the most part, the Canadian oil and gas sector has very good cybersecurity,” says Sundberg. “Our oil and gas sector has a very high degree of efficacy within the area of cybersecurity, and even though you have competitive companies, when [it] comes to cybersecurity for the industry, there is co-ordinated effort and that is quite impressive.”

Gaining access

Ransomware is playing a significant role in cybercrime, including against large companies, such as those in oil and gas, says the Canadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment, a federal government agency.

“Ransomware has become an increasingly common and significant risk to government, businesses and individuals, and it will almost certainly continue to target large businesses and critical infrastructure providers, including the energy sector [oil and gas],” says Evan Koronewski, spokesperson for the CCCS.

“These large and essential organizations cannot tolerate sustained interruptions to their operations and are often willing to pay substantial ransom amounts to quickly restore their operations.”

The CCCS has knowledge of 235 ransomware incidents against Canadian victims from Jan. 1 to Nov. 16, 2021. More than half of these victims were critical infrastructure providers.

“It is important to note, however, that most ransomware events remain unreported,” says Koronewski.

In the first half of 2021, global ransomware rose 151 per cent when compared with the first half of 2020.

This year has also been marked by the highest ransoms and the highest payouts, says Koronewski. In Canada, the estimated average cost of a data breach, a compromise that includes but is not limited to ransomware, is C$6.35 million.

Ransomware can be delivered through social engineering tactics, such as phishing.

“They have become more sophisticated,” says Carl Fransen, CEO of CTECH Consulting Group, which has clients in the energy sector and energy sector supply chain.

He says phishing scams may use both the recipient’s name and the name of their boss to trick them into transferring money to a location that can be accessed by the criminal.

“They’ll make it look like a legitimate email,” he adds. “They’ll make people do things like transfer money or click on a link.”

Cann says he’s aware of a recent incident at a company in Alberta where cyber criminals captured the voice print of the company’s boss and used it to simulate that executive’s voice.

“It’s not that hard to get if he or she has done a podcast or a video and their voice is out there,” says Cann.

“They used that simulated voice to issue instructions to employees to wire funds,” he adds. “The employees were like ‘it’s a call from the boss, how do you ignore that one?’ So, they followed through.”

Industry responds

The Canadian Gas Association (CGA), with support from the CCCS and Natural Resources Canada, developed a technical information sharing initiative called the Blue Flame Program in 2021.

This program brings together the Canadian natural gas industry and the CCCS to share near real-time threat information and analysis. This two-way sharing increases the cyber centre’s visibility of the Canadian threat landscape, while providing specific actionable guidance to participating member companies, says the CGA.

This is expected to reduce cyber vulnerabilities through more timely action and response to threats.

“Relative to the ongoing geopolitical situation, CGA is taking extra measures to ensure industry members are prepared for any situations that may arise,” says Timothy M. Egan, president and CEO, CGA.

“There is an ongoing flow of information between industry and key government agencies.”

The CGA and its members work with governments in Canada and the U.S. and industry allies, sharing information on threats and best practices. This collaboration is ongoing, as part of the industry’s safety operations.

“Cybersecurity is a priority for all gas industry companies and is part of the industry’s collective commitment to safety and security,” says Egan. “The CGA’s members employ effective cyber security programs to protect systems and collaborate broadly to share knowledge and continuously improve.”

“The industry’s collaborative work with partners ensures the energy system is resilient and can continue through any challenges, including cyber ones,” he adds. “Incidents like last year’s attack on Colonial Pipeline underscore the importance of this work, and of maintaining the critical infrastructure that is at risk.”

Individual energy companies are taking a hard line against digital risk. Jesse Semko, a spokesperson for Enbridge Inc., says the company takes cybersecurity “very seriously.”

“Protecting our customer information and IT systems is as important as protecting our energy infrastructure,” he says.

“As an energy delivery company that people rely on every day to live their lives, we have been investing [in] and increasing our capabilities in cybersecurity through the years. As part of this, we conduct continuous assessments of our cybersecurity standards, performing regular tests of our ability to respond, recover and monitor for potential threats,” adds Semko.

Enbridge has a dedicated team of cybersecurity experts and a substantial cybersecurity program in place.

“To further mitigate threats, we collaborate with governments and regulatory agencies, and take part in external events to learn and share information on how we can improve our defenses,” Semko says.

“At all levels of our company, we have robust systems, policies and processes in place to protect the privacy and data of our customers and stakeholders.”

Protection

Cann believes there are many ways companies can strengthen their cybersecurity. This includes having a team of specialists, either internal or outsourced, who maintain the integrity of their environment.

“Do you run any simulations on what happens if you do get attacked, so you know how you are going to respond and respond quickly?” Cann says. “It’s like life-saving techniques … like a lifeguard, you have to practice it.

“Run a simulation to see how good your security is,” he adds. “It’s very eye-opening.”

Another focus for companies should be education.

“The crooks are very good, they have the latest and greatest technology,” says Cann. “Employees need to be educated constantly on what theft and phishing expeditions look like, so they don’t fall prey.”

After a hack

If a company has been breached, CTECH says it conducts an investigation into how the attackers got in and what happened, followed by remediation.

“Once the bad guys get in, it’s like a tick, it’s so hard to take out,” says Fransen. “We’ll go through the system with a fine-tooth comb to see where the hacker laid their booby traps or their dormant programs that come out after the fact and we’ll scan everything.

“The best way to ensure a hack is mitigated is completely rebuilding the system up from a last backup,” he adds. “Unfortunately, that is the only way. There is absolutely no way anyone can go through every single system, look through every single subsystem against every application and verify that it is completely clean.”

He then suggests rebuilding desktops and applying cybersecurity tools such as log analyzers, behavioral software that detects hacking, and two-factor authentication.

When Sundberg’s team connected with cybersecurity experts and practitioners at oil and gas companies, specifically in Calgary, they asked if these companies call the police after being hacked.

“They will inform the police if it is major enough or if they think that it will impact something outside of their respective sphere, otherwise they don’t,” Sundberg says.

When asked why, he adds that he was told, “the police don’t have the expertise.”

His research group then explored the training and capacity of police departments in the prairies to combat cybercrime.

“The challenge is most of the offenders are not in Canada,” says Sundberg. “If you have an oil and gas company that is hit … we don’t know where [the perpetrator] is.

“We are still moving forward with our research in this area,” he adds. “But our initial findings from research in this area is that the police, the federal, provincial, and municipal levels, fall behind the expertise and capacity that industry has.”

While he makes clear cybercrime is a problem for the industry, Sundberg continues, “Alberta’s oil and gas sector, from our assessment, is very robust and capable of protecting their systems and do a very good job.”

Koronewski says companies hit by a cyberattack should report it to their local police, the Canadian Anti-Fraud Centre, and CSE’s CCCS, using its online portal.

“We can advise the organization on mitigation and recovery efforts,” he adds. “It also helps us protect others from the same strain of ransomware, if it is a cybercrime.”
