Middle East Oil, Carmakers Face Very High Cybersecurity Risk

The threat of hackers on human lives, breached data, and system shutdowns, are being taken very seriously by automakers and oil and gas companies.

Security and energy experts have been warning carmakers, oil and gas companies, and utilities, about the devastating impact computer system and network hackers could have at any given moment. Automakers are strengthening their ties to "white hat" hackers who specialize in discovering vulnerabilities to help organizations. Security firm Dragos has warned oil and gas companies about how a new hacking group is targeting telecommunications and oil and gas companies.

Automakers are strengthening their ties to "white hat" hackers who offer real solutions to the menacing problem. Automakers and suppliers sponsored the DEF CON security convention in Las Vegas this past weekend. Most participants were males who were not registered for the conference to protect their privacy and encourage them to play games and hack vehicle security systems.

Volkswagen, Fiat Chrysler Automobiles, autonomous vehicle suppler Aptiv PLC, and NXP Semiconductors NV, were among the sponsors at this year’s event. These companies have serious concerns about “black hat” hackers who are able to find computer security vulnerabilities and exploit them for personal financial gain or other malicious reasons. Automakers and tech partners want to forge alliances with white hat hackers who understand the game, but are willing to be paid well for stopping black hats from winning the game.

“A big part of it is redefining the term ‘hacker’ away from that of a criminal to make automakers understand that we’re here to make their systems more secure,” said Sam Houston, senior community manager at Bugcrowd, which recruits researchers for so called “bug bounty programs” at Tesla, Fiat Chrysler Automobiles, and other automakers.

Oil and gas companies have been watching for security breaches in recent years that could devastate production and shipping. One expert firm has discovered a well organized hacker group preparing to go this route.

Industrial security company Dragos recently issued a warning on what it calls “Hexane,” a new hacking group on the radar targeting telecommunications and oil and gas companies across Africa and the Middle East. Dragos has seen the group’s activity ramp up in recent months amid heightened tensions since the group first emerged a year ago.

The security firm sees Hexane targeting telecommunication companies and their cell phones as a potential “stepping stone” to gain access to the network of oil and gas companies.

“Targeting telecommunications firms can potentially enable third-party access to downstream refining or upstream production operations via cellular networks,” said Casey Brooks, a senior adversary hunter at Dragos.

Dragos said it couldn’t reveal sensitive details but hinted that Hexane targets and compromises “devices, firmware, or telecommunications networks” in the supply chain, which could be used to breach a targeted company’s network from within. The security firm has “moderate confidence” that the hacker group doesn’t yet have the capability to disrupt industrial control networks, but the group could use its leverage on telecommunications networks as a “precursor.”

Dragos said Hexane is expected to increase targeting oil and gas companies in the Africa and the Middle East region.

The stakes are quite high as governments and corporations see repeated examples of how hackers can infiltrate their cybersecurity systems to steal data and to throw a switch that could cost lives and billions of dollars to recover from.

Credit reporting agency Equifax is still trying to clean up the mess caused two years ago when hackers stole the personal information of 147.7 million Americans from its servers. Hackers stole customer names, Social Security numbers, birthdates and addresses, affecting more than half the country’s population. The company settled with the Federal Trade Commission to pay up to $575 to $700 million in settlements to consumers, depending on how many file a claim.

Autonomous, robot-driven cars of the near future raise the issues further, with Washington being pressured to release a clear national standard. One such effort has stalled in the capitol but may be revived.

Lawmakers on the U.S. House Energy and Commerce Committee and the U.S. Senate Commerce, Science and Transportation Committee announced in a recent statement they are "shifting into high gear on self-driving car legislation."

But Congress has recessed for a month, and the earliest any potential legislation could be approved is September. Details have yet to be released on safety standards and how they would fall under the U.S. National Highway Traffic Safety Administration, and how much say state lawmakers will have in the matter.

Companies like Tesla, Waymo, Apply, Ford, Uber, and Lyft, are pressuring regulators to move forward on the legal issues so that they can make the technology a reality.

Sam Abuelsamid, a senior analyst at Navigant Research, a market research firm, said that most automakers have been taking a more cautious approach.

These core questions have been floating for the past half decade over which party would be legally responsible in fatal car crashes involving autonomous vehicles. Concerns have also been expressed about what hackers might be able to do when taking over control of a vehicle — and some of the essential safety systems such as traffic lights that govern roads.

The Navigant Research analyst said that it’s going to take a while for these issues to be resolved. The biggest barrier for mass-market deployment of autonomous vehicles is that the technology is not yet ready for moving beyond the limited testing pilot programs in place now within several states.

"If you go back three or four years, everybody thought they would be further along than they are," Abuelsamid said.

By Jon LeSage for Oilprice.com