While fears that terrorists could intentionally set off a major oil or chemical leak have grabbed headlines, there’s another cyber security threat emerging: criminals who hack the system to steal from companies.
It’s the major downside of new capabilities like digital monitoring and IoT, which have allowed companies to remotely control the flow of products like oil and gas.
Here’s one way it could work: A pipeline business buys oil from a drilling and extracting company. The pipeline company has to pay for every drop of the goods it transports. But if it pays hackers to manipulate the system and make it look like less oil is being shipped, and then the pipeline company pays less for the oil.
Of course, drilling companies could also pull the same scheme on a pipeline business. And even with volume changes as small as 1 percent, the hack can still add up to lots of money.
“It is essentially like putting your finger on a scale when going to the grocery store,” explained Barak Perelman, the CEO of Indegy, a cyber security company.
A similar scenario has unfolded with petrol shipping on tankers. In one instance, gangs hacked into a system that controlled the temperature of the tanks—by decreasing the temperature, the gangs were able to fit more petrol into the tank without adjusting the documented amount. After making petrol deliveries, they were left with extra to sell off.
According to Perelman, most of the hackers are from Russian-speaking countries. When the amounts diverted are relatively small, it makes it more difficult to find the culprit because companies can blame the discrepancies on programming errors.
If the company opts to report the incident, it gets tracked by US Computer Emergency Readiness Team (CERT). Last year, the number of incidents related to critical manufacturing infrastructure reported to CERT jumped to 295, compared to 245 in 2014. The energy sector accounted for 46 of the incidents in 2015. The other major industries that reported incidents included water (25), transportation systems (23) and government facilities (18).
But Perelman says the numbers could be higher because unlike the financial industry, manufacturers are not obligated to report hacks.
“It’s something that almost never gets reported,” Perelman said. “The companies don’t want to release the fact that they are hacked, because it hurts their brand.”
Companies like Indegy supply security devices that Perelman said are effective at detecting about 99 percent of hacks. New threats continue to emerge.
In addition to stealing, companies that manufacture chemicals and pharmaceuticals are also at risk for being hacked for intellectual property like formulations, which criminals can then hold for ransom.
And the threats of security breaches are always present. In 2014, hackers used booby-trapped emails to steal logins and get into the system of a steel mill in Germany. The cyber attack led to parts of the plant being shut down and caused “massive damage” to a blast furnace. It wasn’t known what motivated the attack.