DOHA (Reuters) - Hackers are bombarding the world’s computer-controlled energy sector, conducting industrial espionage and threatening potential global havoc through oil supply disruption.
Oil company executives warned that attacks were becoming more frequent and more carefully planned.
“If anybody gets into the area where you can control opening and closing of valves, or release valves, you can imagine what happens,” said Ludolf Luehmann, an IT manager at Shell (RDSa.L), Europe’s biggest company.
“It will cost lives and it will cost production, it will cost money, cause fires and cause loss of containment, environmental damage - huge, huge damage,” he told the World Petroleum Congress in Doha.
Computers control nearly all the world’s energy production and distribution in systems that are increasingly vulnerable to cyber attacks that could put cutting-edge fuel production technology in rival company hands.
“We see an increasing number of attacks on our IT systems and information and there are various motivations behind it - criminal and commercial,” said Luehmann. “We see an increasing number of attacks with clear commercial interests, focusing on research and development, to gain the competitive advantage.”
He said the Stuxnet computer worm discovered in 2010, the first found that was specifically designed to subvert industrial systems, changed the world of international oil companies because it was the first visible attack to have a significant impact on process control.
But the determination and stamina shown by hackers when they attack industrial systems and companies has now stepped up a gear, and there has been a surge in multi-pronged attacks to break into specific operation systems within producers, he said.
“Cyber crime is a huge issue. It’s not restricted to one company or another it’s really broad and it is ongoing,” said Dennis Painchaud, director of International Government Relations at Canada’s Nexen Inc (NXY.TO). “It is a very significant risk to our business.”
“It’s something that we have to stay on top of every day. It is a risk that is only going to grow and is probably one of the preeminent risks that we face today and will continue to face for some time.”
Luehmann said hackers were increasingly staging attacks over long periods, silently collecting information over weeks or months before using it to attack specific targets within company operations.
“It’s a new dimension of attacks that we see in Shell,” he said.
In October, security software maker Symantec Corp (SYMC.O) published a report on a mysterious virus, discovered and named Duqu by Hungary’s Laboratory of Cryptography and System Security, that contained code similar to Stuxnet.
Experts said it appeared to be designed to gather data to make it easier to launch future cyber attacks.
Other businesses can shut down their information technology (IT) systems to regularly install rapidly breached software security patches and update vulnerable operating systems.
But energy companies cannot keep taking down plants to patch up security holes.
“Oil needs to keep on flowing,” said Riemer Brouwer, head of IT security at Abu Dhabi Company for Onshore Oil Operations.
“We have a very strategic position in the global oil and gas market,” he added. “If they could bring down one of the big players in the oil and gas market you can imagine what this will do for the oil price - it would blow the market.”
Hackers could finance their operations by using options markets to bet on the price movements caused by disruptions, Brouwer said.
“So far we haven’t had any major incidents,” he said. “But are we really in control? The answer has to be ‘no’.”
But the threat of a coordinated attack on energy installations across the world is also real, experts say, and unlike a blockade of the Gulf can be launched from anywhere, with no U.S. military might in sight and little chance of finding the perpetrator.
“We know that the Straits of Hormuz are of strategic importance to the world,” said Stephan Klein of business application software developer SAP.
“What about the approximately 80 million barrels that are processed through IT systems?” said Klein, SAP vice president of oil and gas operations in the Middle East and North Africa.
Attacks like Stuxnet are so complex that very few organizations in the world are able to set them up, said Gordon Muehl, chief security officer at Germany’s SAP, but it was still too simple to attack industries over the internet.
Only a few years ago hacking was confined to skilled computer programmers, but thanks to online video tutorials, breaking into corporate operating systems is now a free-for-all.
“Everyone can hack today,” Shell’s Luehmann said. “The number of potential hackers is not a few very skilled people — it’s everyone.”
(This version corrects discovery of Duqu virus paragraph 13)
Editing by William Hardy