Late last year, the New South Wales Department of Industry, Resources and Energy was considering the approval of several significant projects, including the AU$1.2 billion Shenhua Watermark coal mine. It was at this time that the IT systems of the Department's regional office in Maitland registered a marked increase in virus activity.1 It soon became apparent that hackers were coordinating a malware-based attack to break into the Department's network. Steps were immediately taken in response and no data was accessed at this time.
Although the Department's confidential commercial information was unscathed, the Department, and the energy industry more broadly, were shaken. Australia's energy networks were attacked at least 60 times in 2014-2015.2 CERT Australia, Australia's computer emergency response team, reported that 29 percent of cyber incidents occur in this sector.3 This is more than in the banking and financial services industry and the communications industry.4 Indeed, Australia is far from immune and it is crucial for the energy industry to understand and respond to the evident risk of cyber attack.
The Effects of a Cyber Attack in the Energy Sector
A cyber attack may disrupt general functionality or cause specific damage to intellectual property, critical infrastructure, or physical property. Below are some examples which highlight how broad and varied a cyber attack can be.
Operational technology (OT) and supervisory control and data acquisition (SCADA) systems are particularly at risk of cyber attacks. SCADA controls complex industrial processes, including production, centralized monitoring, and control of dispersed meters and sensors. OT and SCADA are generally connected to the internet, which makes them more vulnerable. However, there have been examples of these systems being compromised even when they are not connected to the internet. A cyber attack on such systems can cause business disruption, information loss, revenue loss, and damage to assets and shareholder wealth.5 For example, in 2012, Saudi Aramco was hit by a computer virus, later named Shamoon, which disabled over 30,000 of the company's workstations and caused disruption for months.6
Attackers can gain unauthorized access to confidential information and subsequently use or release it. This can result in a loss of future opportunity, reputation, and financial gain that is difficult to quantify but can have a material impact on a business and its competitive standing. In December 2014, South Korea reported a cyber attack against the operator of its nuclear power plants.7 The attackers released sensitive and confidential information online, including the plant equipment's designs and manuals.
Governments and their regulatory bodies around the world are particularly concerned about cyber risks to systems of national interest and critical infrastructure: those systems that, if rendered unavailable or otherwise compromised, could result in significant impacts on a country's economic prosperity, international competitiveness, public safety, social wellbeing, or national defense and security. Critical infrastructure owned and operated by private companies, as is the case in Australia, is especially vulnerable to cyber attacks.
Damage to Physical Plant
Attackers can also use remote access to disrupt operations and cause physical damage to a plant and/or equipment. Motorola Solutions reported that wherever there is digitally enabled technology or an intelligent device, even a simple device that controls a valve on a pipeline, there is a risk of it being used as a portal and taken over without authorization.8 Such cyber attacks have the potential to cause equipment damage, a safety incident, or loss of production.