Reports released last week by U.S. security officials and private cybersecurity researchers suggest hacking of energy facility computers is on the rise, and happens far more often than the public assumes.
The Department of Homeland Security said it received reports of 59 cyber incidents at energy facilities last year, up nearly a third from the year before.
The agency responsible for protecting the nation from cybercrime said it worked to mitigate 290 incidents last year across more than a dozen industries that rely on computer controls to run industrial sites, including manufacturing sites, power generation facilities, refineries, chemical plants and nuclear facilities.
It found more than a quarter of these intrusions originated from so-called spear phishing emails that hackers use to trick people into downloading infected attachments or clicking on virus-laden links. More than one in 10 came from network probing and scanning.
"Every year, adversaries develop increasingly sophisticated attacks against control system networks," Homeland Security's Industrial Control Systems Cyber Emergency Response Team said.
The increased number of intrusions into energy computer controls last year brings the number of such incidents in the industry to more than 400 since 2011, Homeland Security data show. Security specialists say that's likely a conservative number because energy companies aren't required to report cyberattacks to the U.S. government.
In another report, cybersecurity researchers believe computer controls at industrial facilities, including in the oil business, get infected by non-targeted malware at least 3,000 times a year.
Dragos Security, a cybersecurity firm in San Antonio, arrived at what it believes is a conservative estimate of worldwide industrial cyberattacks after studying 30,000 samples of infected control system files submitted over the past decade and a half to a publicly available database called VirusTotal, a web service owned by Google.
The findings show that malware that isn't even tailored to industrial controls finds its way into critical technology far more often than the public assumes. Some of it can spread through these systems with ease, and some of it was designed many years ago.
"If you have really bad cyber hygiene and you're not paying attention to basic things, you're more likely to get impacted by a virus that was written nine years ago," said Ben Miller of Dragos.
For example, Miller found thousands of industrial files compromised by Sinowal, a Trojan horse first discovered in 2006. Even more common, though, were strains of malware that spread from computer to computer, created at least five years ago.
It's not clear how many of these industrial facilities were tied to the energy industry, because the VirusTotal data provided only the country of origin of the independently uploaded files. But it's yet another grim revelation for oil companies that rely on automated computer controls to run refineries, pipelines and offshore platforms.
Miller said these breaches could begin during the equipment upgrades that happen when power plants, refineries and other energy facilities are taken offline for repairs.
Crews of engineers, equipment contractors and information technology specialists flowing in and out of the facilities could, for example, fail to follow security protocols and accidentally plug infected USB drives into facility systems. And they might only discover they've infected operational computers after they use the same thumb drives in corporate computers outfitted with antivirus alert systems, Miller said.