Cyber-Security Challenges to Australia’s Hydrocarbon Sector

Wednesday, 14 December 2011

Background

The Australian hydrocarbon sector boasts an advanced emergency management capability. Oil and gas facilities, however, are highly vulnerable to deliberate targeting, particularly from cyber-operations. Hydrocarbon has a complex production and supply chain, including exploration; production; refining; storage; and transportation, which creates significant vulnerabilities. Industry commentators suggest that the threat posed to the sector is real and credible. While Australia’s oil and gas sector has been relatively secure, it is not immune to potential challenges. Accordingly, oil and gas stakeholders must recognise the constantly evolving challenge of cyber-security and work together to develop a framework to counter cyber-operations. 

Comment

According to Royal Dutch Shell’s IT Manager, Ludolf Luehmann, cyber-attacks against the hydrocarbon sector are increasing in frequency and sophistication. In early December, Mr Luehmann told delegates attending the 20^th World Petroleum Congress, in Doha, Qatar, that industry use of remote technologies had increased the potential for global supply disruption due to cyber-security vulnerability. In late November, consistent with Mr Luehmann’s assessment, Norway’s National Security Agency, acknowledged in a statement that data from the nation’s hydrocarbon sector had been targeted. The attack, which analysts have suggested was the most extensive data espionage event in the nation’s history, has an added importance given Norway’s status as the world’s third-largest oil and gas producer.

As Australia rises to become a global liquefied natural gas supplier, it is imperative that the government and private sectors critically assess their cyber-capabilities.

For several reasons, cyber-attacks represent an attractive option for perpetrators, be they state, semi-state^[1] or non-state actors. The asymmetrical nature of cyber-capability magnifies an individual’s or a party’s power. Barriers to entry into cyber-operations are minimal, with cyber-materiel simply consisting of a personal computer with internet capability. Technical barriers, a significant inhibitor in early cyber-activity, have been eroded over the last decade; downloadable and graphic-interface tools have become available as freeware on a host of hacker sites. 

Agents of cyber-criminality further benefit from the anonymity that cyber-space affords. States or non-state actors may advance their agenda, without the aggressive action a physical security breach implies. Technical and international legislative deficiencies further complicate security or police investigations.

Analysts contend that recent cyber-security incidents provide some insight into the potential security challenges that the Australian hydrocarbon sector may face.

The increased availability, sophistication and affordability of cyber-weapons have resulted in a formidable risk management challenge. As has been the case over the last two decades, cyber-operations are likely to become more daring, suggesting scope for potential action against high-value economic targets, such as the gas sector in Australia’s north-west. Equally, the nation’s economic credentials may increasingly be threatened by non-state activists, or even potentially, competitor-state operations.

The hydrocarbon sector will potentially be the victim of increased corporate espionage. The oil and gas sector relies upon internal computer networks, to provide company and technical information to employees and vendors. Running parallel to this data access, increased global competition within the sector and developments in information technologies, have dramatically increased the potential for cyber-espionage dangers.

Small to medium enterprises (SME), particularly those with direct or semi-direct contact with hydrocarbon operations, may in future become increasingly exposed to cyber-operations. The reduced budget and profile of SMEs may mean cyber-security is given a lower emphasis when compared to major energy companies. Recognising this, perpetrators of cyber-operations may use SME as a “chink” in the armour of large organisations.

Despite the information technology sector’s inherent sophistication, the industry’s security doctrine is overly simplistic and reactionary. Cyber-security management relies on addressing an issue, if and when it occurs, reminiscent of plugging a hole in a leaking dam.

To enhance cyber-security, and ensure the long-term prosperity of the Australian hydrocarbon sector, the public and private sectors must combine resources and capabilities to extend Australia’s reputation in physical security to cyber-security.

Similarly, hydrocarbon organisations and complementary enterprises should ensure technical and, importantly, managerial strategies, to develop resilience against potential security threats. Firewalls, prevention systems and intrusion detection systems, must complement, not replace, a culture in which workers apply and understand best practice. The State and Federal Governments must also make a concerted effort to establish greater legislative and technical capability to deal with potential cyber-security challenges. Failure to do so may result in the Australian hydrocarbon sector becoming a high-risk, low return industry.

Liam McHugh

Manager

Northern Australia & Energy Security Research Programmes

This e-mail address is being protected from spambots. You need JavaScript enabled to view it.

*****