Canadian takeaways from the oil and gas DDoS attack that bombed

Deloitte analysts say awareness of IT security threats varies considerably among Canadian energy companies


Given its track record, when the Anonymous hacking collective threatens DDoS attacks, we tend to take them seriously.

But recently, weeks after its announcement that the worldwide oil and gas sector was about to get a bloody nose, their threats appeared almost comical. No oil and gas operation suffered a major disruption, and it was business as usual the next day.

Unfortunately, as one of the most targeted sectors, for oil and gas companies, the prospect of future, better-planned attacks is no laughing matter. So-called activist hackers reserve particular disdain for energy companies, and are seeking big name trophies.

An increased motivation to conduct attacks could be the result of a more general public interest in the energy sector, says Geoff Hill, a partner and national oil and gas leader at Deloitte.

“If you look at the oil and gas industry historically, there’s been a very large gap between the producers and the end-consumers,” says Hill. “In other words, the end-consumer typically doesn’t know where their gas is produced from. That’s changed a lot in recent years.”

Clearly, some people aren’t happy about what they see, and in Canada, we’ve had physical security breaches—explosions at pipelines, for example. There haven’t, however, been any publicized cases of  successful DDoS attacks.

Still, there are forces at play that could change that. One of them, says Justin Fong, a partner in the enterprise risk division at Deloitte, is the the weak link of the “human element.”

There may indeed be DDoS attacks occurring in the energy sector that simply aren’t being reported, he says. And certainly, there’s a potpourri of potential hackers out there, ranging from the merely curious to the absolutely determined, who represent a persistent danger to the integrity of the companies’ IT systems.

A good security strategy should therefore recognize that hackers have different goals, whether it’s using DDoS for some mean-spirited laughs or trying to increase profits by spying on the competition, he says.

In terms of how well companies cope with the threat by developing good IT security practices, Fong says there are “different levels of maturity for different organizations. And we’ve seen a wide range of that.”

One mark of a mature company is that it knows the enemy: in other words, it’s able to get into the minds of hackers, some of whom are very skilled at their trade. By reverse-engineering the attacks, oil and gas companies can get a clearer picture of what they’re up against, he says.

Oil and gas is a very competitive business, and a lot of what keeps business leaders up at night is the potential theft of trade secrets, adds Fong. But he isn’t personally aware of a Canadian energy company knocking down a competitor’s site via a denial-of-service attack. The probability of such a thing happening remains quite low, in his estimation.

But there are other, higher probabilities, such as activist hackers stepping up their game. And aside from maturity level, it’s a focus on risk, stemming from an awareness of security threats, that will make a company in the sector more likely to set IT security as a top priority, he adds.

So, the remaining question is one that isn’t unique to the oil and gas sector: do you handle your security in-house, or contract it out to a service provider? Right now, Deloitte hasn’t seen a major shift either way. But if a firm does decide to trust another party with its security, it should understand the scope of the protection being offered very clearly, says Fong.

With all the initial excitement around cloud services in general, many companies failed to read their contracts carefully enough. This led to misunderstandings about when technical support was available (some companies assumed 24/7 coverage when their contract spelled out a nine-to-five arrangement, for instance). When it comes to contracted-out IT security, the old adage about reading things before you sign them cannot be repeated enough. If technical glitches are a nuisance, a botnet attack against an oil and gas company’s network could be catastrophic. If you rely on others to protect against that eventuality, make sure to read the fine print.

Protect yourself from anything with The Internet Security eBook: A Self-Assessment Guide.

Comments are closed.