By Jasmine Shaheen & Reham Gamal
As the world moves forward towards a paperless society, privacy issues and cyberattacks remain a threat to our lives and businesses. Cyberattacks are more likely to happen than not to. With COVID-19, cybercrime has since increased by a whopping 300%. And despite the obvious impending doom, more than 77% of organizations do not have a cybersecurity incident response plan. The oil and gas industry is no stranger to such incidents and whether the industry manages to overcome them or not, the fact remains that these incidents can shift the balance of the market.
Since almost every aspect of the energy industry is digitalized, oil companies are vulnerable to threats such as hydrocarbon installation terrorism, utility interruption, production disruption, and undetected spills to name a few. Maintaining this critical infrastructure has never been more important and the industry cannot afford to dismiss the consequences of cyberattacks.
A Tug War
The most recent ransomware attack fell on May 7 and cost Colonial Pipeline $4.4 million worth of bitcoin. The attack struck the largest pipeline system which carries 2.5 million barrels per day (bbl/d) of gasoline, diesel, heating oil, and jet fuel from Texas to New Jersey and provides around 45% of fuel needs to the US East Coast. The hack led to a system shutdown which resulted in thousands of gas stations across the US southeast running out of fuel. The masses, unsurprisingly, acting out of fear of prolonged shortages, raced to fill up their cars.
The pipeline restarted its operations after almost a week of shutdown, which prompted gas prices to surge and gas stations in multiple states to experience shortages. Prices for all four products of West Texas Intermediate (WIT), Brent crude, natural gas, and gasoline increased by 1.8%, 1.5%, 0.37%, and 1.5% respectively. On top of that, as of May 18, over 10,400 supply stations remained without fuel, and in North Carolina, South Carolina, Virginia, and Georgia, gas outages dropped below 50%.
Anna Scherbina, Senior Economist on the Council of Economic Advisers, the executive agency that provides the US president with objective advice on economic policy, stated in an interview published by Brandeis Business School that “any given hack can reverberate throughout the economy, way beyond the company that was attacked. When one company is compromised, other businesses feel the impact too because everybody is so connected through different supply chain connections, and through similarities in the technology they use.”
This may have been the latest cyberattack on the energy sector, however, it is not something new. No one can forget what is now dubbed ‘the biggest hack in history’ when Saudi Aramco, the oil supplier for 10% of the world, got hacked and stepped into the dark ages. In 2012, about 35,000 of Aramco’s computers were partially wiped or destroyed with the aim to stop production. To prevent the virus from spreading, Aramco was forced to shut down the company’s internal corporate network, disabling employees’ e-mail and internet access.
For Aramco, the world had gone silent. Any sort of contracts or agreements had to be done on literal paper. Gasoline tank trucks seeking refills had to be turned away. The company temporarily stopped selling oil to domestic gas tank trucks. After 17 days, Aramco yielded and started giving oil away for free to keep it flowing within Saudi Arabia. Luckily, the damage did not impact the company’s production as it was run on isolated network systems. The then US Secretary of Defense, Leon E. Panetta, stated that the Aramco infiltration was “a significant escalation of the cyberthreat.”
As one of the biggest oil companies in the world, Aramco has since been upping its game to counter cyberterrorism. This was an essential step since Saudi Arabia’s economy is massively reliant on oil. Taking into consideration that the country’s oil export revenues account for 80-90% of total Saudi revenues and above 40% of the country’s gross domestic product (GDP), the attack is severely linked to the country’s economy and shows that investing in cybersecurity outweighs the damage of cyberattacks.
Better Safe Than Sorry
Cybersecurity spending has been increasing every year with increased remote working, the cybersecurity market was valued at around $132 billion in 2020. Adding COVID-19 into the mix, forecasts suggest that the market will exceed $200 billion a year in 2024. At times where sensitive data is on the cloud, spending on cybersecurity is an important priority in order to ensure its protection.
According to IBM, in 2019, the global data breach could cost an industry something along the lines of $3.9 million and a 207-day average time to identify and contain a breach. Of course, based on the industry, the cost of a breach varies significantly. For the energy industry in 2020, that cost was valued at $6.4 million, up by 106% since 2015.
Deloitte’s report on cybersecurity for upstream oil and gas estimates the average energy company’s annualized cost of cybercrime at only around $15 million. However, a major incident could easily incur costs running into hundreds of millions of dollars and could significantly impact the business – like in the case of Aramco.
To overcome the myriad threats facing the energy industry, one has to assess where the vulnerability lies to prioritize cyber investments. In the upstream industry, production and drilling operations are the most vulnerable and most damaging to a company’s finances. If not taken care of, if not invested in, it could lead to disruption, legal and regulatory costs among other things. Eric Cole, Founder and CEO at Secure Anchor, and a World-Renowned Cybersecurity Expert, noted that “with the increase of cyberattacks occurring, organizations continue to spend more money on security; however, they often spend it in the wrong areas.”
Cyberattacks should not be taken lightly, it impacts trade, competitiveness, economic growth, and GDP. It will turn to losses that can be significant, causing business disruption, loss of time and cash, and reputational damage. On a financial level, the effects will be downtime and productivity loss. Despite that, a 2018 Bloomberg report estimated that energy companies invest less than 0.2% of their revenue in cybersecurity, meanwhile, the number of hacker groups targeting the energy sector is soaring.
Since the major challenging economic consequences of cyberattacks are budget constraints and resource limitations, it is advised that the IT infrastructure should be a core asset to the company’s budgets and money need to be invested in cybersecurity to mitigate risks.