The Guy Fawkes-masked hacktivist group called Anonymous has threatened to strike the oil and gas industry with a cyber attack June 20, citing among its reasons displeasure with how oil is priced in US dollars.

Telling oil companies to “expect us,” the group announced in a video that it would target the US, Canada, England, Israel, China, Italy, France, Germany, Russia, and the governments of Saudi Arabia, Kuwait, and Qatar. However, details on Operation Petrol and what technological harm would be inflicted were not revealed. That, experts say, is typical of the group.

“But based on previous attacks this could mean anything from releasing sensitive information that private companies or publicly traded companies have,” said Justin Seitz, a security researcher with Immunity Inc., a cyber security firm. “This could be related to anything from the Keystone XL pipeline to private conversations between producers. This could also go all the way up to full-blown attacks where they could be knocking some of these services or their websites offline or potentially compromising these organizations.”

The Aug. 15, 2012, attack on Saudi Aramco illustrates the ability of hackers to infiltrate systems. In this cyber attack a virus was launched that affected 30,000 workstations. Saudi Aramco CEO Khalid A. Al-Falih said in a news release that its precautionary procedures helped mitigate the cyber threats from spiraling. Normal operations resumed 10 days after the attack, following the Eid holidays.

Saudi Aramco officials have said the attack was aimed at the kingdom’s economy with the objective – which failed – being to stop oil flow to local and international markets.

Saudi Arabia was singled out again in the latest Anonymous threat.

“While most in the security industry are assuming that these threats will mostly only impact the Internet-facing and corporate IT [information technology] environments, it is never a good idea to underestimate the threat,” Jonathan Pollet, founder of Red Tiger Security, said. “Systems that are Internet-facing could go under denial of service and be shut down or disabled. We have to assume that systems connected to the corporate IT network may also be targeted, especially if they are related to market systems. Trading and marketing systems should be protected to a greater level.”

Experts give advice

Although cyber attacks on the oil and gas industry is not new, the Independent Petroleum Association of America (IPAA) still took a step to warn its members. IPAA published a warning in its June 6 newsletter about the planned cyber attack.

Julia Bell, the association’s manager of public and industry affairs, said IPAA learned about the possible threat after reading a newspaper article and decided to alert its members. “We just want them to make sure that their IT or security teams are aware of these activities,” Bell said.

Although it is difficult to determine whether Anonymous has the skills necessary to penetrate multiple layers of firewalls intended to guard companies against such attacks, there are still steps to take just in case.

To prepare companies, Pollet said Red Tiger has advised its clients to:

• Ensure operational control systems are segmented from the corporate network and know what types of communications are allowed between the corporate network and the operational networks. If the risk is great, consider temporarily disconnecting and isolating these two systems to create a temporary air gap. In case the corporate IT network is compromised, the operational systems will continue to function and support the production, refining, and transportation of crude products;

• Implement network monitoring solutions to monitor the corporate IT and the operational side of firewalls. Develop a baseline identifying types of network traffic that are usually seen, and be able to detect and respond to an abnormal incident; and

• Have up-to-date backups of all critical systems that you can restore quickly if your operational systems are compromised.

He added that some companies also may want to implement a plan for how to operate manually in case electronic SCADA and ICS devices are compromised.

Also, it never hurts to have a friendly person applying these attacks to companies’ systems so they can assess their exposure, Immunity CEO Dave Aitel said.

“That’s probably the reason that you will hear us say that any level of professional security management is good,” Aitel said. “In this particular case, the way you’re going to know how to respond is through a penetration test.” Such testing can model attacks carried out by hacker groups, helping to create offensive plans.

Threats grow, motivation varies

In the last three to four years Pollet said the number of cyber attacks against the industry has grown and several of Red Tiger’s upstream, midstream, and downstream clients have reported multiple breaches. The company believes, based on its work, that the highly publicized events represent only about 5% to 10% of the actual cyber attacks being carried out.

“In fact, we are telling our clients that it is no longer a question of if an attack will take place, but more realistically, when,” Pollet said.

The timing of such attacks is unpredictable. Speaking specifically about Anonymous, Seitz said there is no pattern or uptick in frequency of threats.

And, the reasons behind such attacks vary.

“The prior motivation seemed to be to steal corporate intellectual property surrounding how to run and operate an oil and gas business. Corporate emails, financial records, plant blueprints, control schemes, and batching processes were the targets in the past,” Pollet said, noting that many US-targeted cyber attacks do not make it into the news. “This latest threat from Anonymous… appears to be motivated out of a political desire to hurt the oil industry and the global oil markets. Their main grievance seems to be centered around how the global oil market system works, and the games that are played to keep the oil prices artificially high.

“From what I can tell, they are particularly upset about how oil is priced in US dollars instead of the local currency of where the oil is produced, and they seem to lump Saudia Arabia, Qatar, and a few other Middle Eastern countries in with the US by claiming that these countries are cooperating with the greedy US-based oil companies, exploiting the oil from the local countries, and thus creating a hardship for the typical local families.”

But the point of view fails to take into account that most Middle Eastern countries subsidize the price of oil and gas to locals, Pollet said, adding that families in the US and other western countries pay at least five times the price for a gallon of gas than those in the Middle East.

“They also may not recognize that the oil markets are very skiddish and based on speculation. This means that if the oil markets suspect that this potential cyber attack will impact the global market, they may decide to raise the price of oil ahead of time for no other reason than to prepare for this potential threat,” he added. “So therefore, while their cause may have been noble to begin with, it may backfire and actually cause the oil and gas prices to increase even higher and place an even higher burden on local families in their region.”

However, Aitel hesitates to think price fixing is the reason for the planned attack despite what was said in the video. “Historically, Anonymous has not really been able to fix its target. It sorts of picks a method of attack, and then whoever in the industry it happens to be able to get into that’s who it gets into,” Aitel said.

Seitz added that he thinks the Keystone XL issue – although there was no mention of it in the Anonymous video – is the real reason. “I think it’s easier for them to wave the environmental banner than it is to take on something that’s economic.”

Collaboration is needed

Regardless of why hackers are planning the cyber attack, experts believe now is the time for companies in the oil and gas industry to work together and start sharing information to try to mitigate potential problems.

“If they have identified that their website is on the hit list, now would be a good time for them to all put their heads together and work with one another,” Seitz said. “It’s a lofty goal but a worthy one.”

Aitel added that major oil companies also should have someone paying attention to Twitter accounts like the AnonGhost account to gather information about such attacks.

“The oil and gas industry is not regulated like the electric power industry, so each oil and gas company can decide what type of security controls they believe are adequate. This has created kind of a wild west where each oil company has a different type of cyber security program in place,” Pollet said. “At some point, I can see how some common minimum set of baseline cyber controls would benefit the oil and gas industry.”

Contact the author, Velda Addison, at