Why cyber attack is the biggest risk for energy companies
We’ll send you a myFT Daily Digest email rounding up the latest Cyber Security news every morning.
Energy security is no longer about shortages of supply caused by Opec embargoes or the fear that Russia will cut off gas supplies flowing into Europe. The key issue now is the integrity of the computer systems through which supply, processing and distribution are managed.
Cyber security is what matters, and because the energy business is mainly run by private companies, their systems are prime targets for both criminals and hostile governments.
The old security concerns are less significant because resources are plentiful and shortages can be covered. Over the past year, production in Venezuela — one of the major oil suppliers — has fallen more than 600,000 barrels a day, but other countries have easily made up for it. Worldwide, the supply of oil, gas and energy generally continues to outstrip demand.
The shift to an age of plenty does not, however, remove all risk. The complex energy system is highly vulnerable to both accident and deliberate intervention. The supply chains from one country to another, and the openness of the network at all levels, means that consumers — individuals, businesses and those dependent on continuous supplies of energy such as hospitals, links in the food chain and transport — are all vulnerable in the event of attack.
A new paper from the international insurance company Marsh & McLennan lays out the risks involved, and the way in which they are amplified by the internet-based relationships within the energy industry, and between suppliers and consumers. It offers some basis for the underwriters of corporate insurance to operate.
There is no reliable data on the scale of the problems experienced to date — companies tend not to talk about breaches of their security systems, nor about any payments to buy off hackers. But even those that think they are vigilant and professional in managing their own systems are vulnerable if that of one of their trading partners is penetrated.
Blackmail is one motive for cyber attacks. Another is the theft of information — about market conditions, or corporate plans concerning mergers and acquisitions, or bidding strategies.
Cyber security is often no more than a minor item on a board agenda until something goes wrong, by which time it is too late. Most large companies now employ internet security officers but because of the lack of knowledge of the technical details of the cyber world at board level, their work remains within a black box.
The vulnerability of private companies to assault by hostile states or terrorist groups is understated in much corporate cyber security analysis. Yet the ability to disrupt enemies by breaking down the systems on which they depend has become much more important in conflict than massed armies, pitched battles and heavy artillery.
Companies can become victims because they operate key infrastructure in disputed areas or simply because their systems are linked to networks in a country under political attack.
Energy systems are particularly at risk because of their economic and social importance. Imagine that a hostile country or a terrorist group were able to penetrate or take down power supplies to a major city such as London or Tokyo. Or to disable air-traffic control systems across significant parts of Europe or the US. Or to halt the flow of oil or gas through pipelines in the North Sea.
In every case, the primary attack would be felt by the corporate sector, even if the intended target was a government.
In 2017, the Danish shipping company AP Moller-Maersk was the accidental victim of a cyber attack because its operation in Odessa in Ukraine had downloaded an accounting package. The attack spread through the Maersk system across the world, with a cost running into hundreds of millions of dollars. According to Bloomberg, hackers may also have caused a 2008 explosion on the Baku-Tbilisi-Ceyhan oil pipeline in Turkey by breaking into computers along the line.
The US has already used cyber force in the dispute with Iran: in 2010 it and Israel deployed the Stuxnet virus to damage Tehran’s nuclear programme.
Both China and Russia have developed high levels of cyber capability — as last week’s revelations about the activities of the GRU, Russia’s military intelligence service highlighted — and allowed or encouraged hackers to operate from their territory. And conflicts over control of the South China Sea or over Ukraine could escalate.
Beijing may crack down on broadcasts by the BBC and deny access to Google searches, but it has done less to prevent the growth of an industry of hackers. And Moscow could replace incompetent agents blundering around Salisbury in the UK with bottles of poison with hackers.
Many energy majors may now think they are global entities, no longer identified with a particular home country or government. Some may even believe that working in China or Russia will protect them from assault.
But those wanting to cause disruption may think differently. Energy companies are an obvious target because of the importance of the products and services they provide. The risks are high, but the danger is unlikely to be widely appreciated until a full-scale attack has taken place.
The writer is visiting professor and chair of the King’s Policy Institute at King’s College London
Get alerts on Cyber Security when a new story is published