US Army must be prepared for cybersecurity threats to energy sector, study says

Feb 06, 2014 by Jeff Falk

Cybersecurity threats to the United States' energy industry and infrastructure are rising and require increased preparedness by the U.S. Army and Department of Defense, according to a new paper from Rice University's Baker Institute for Public Policy.

The paper, "Hacks on Gas: Energy, Cybersecurity and U.S. Defense," was authored by Chris Bronk, a fellow in at the Baker Institute and a former U.S. State Department diplomat who specializes in cybersecurity issues. Produced for the U.S. Army War College's Strategic Studies Institute, the paper considers potential cyberthreats relevant to the Army and Department of Defense's needs and purview, including the electrical grid, oil and gas security and the military's fuel supply chain, and proposes a range of policy and strategic recommendations the nation's military should undertake to address these threats.

"We should be concerned with cybersecurity in energy because, as with other areas of the global economy, computing has been widely adopted in the ," Bronk said. "The Department of Defense is incredibly reliant on private sources of energy, and the level of preparedness for cyberattack among those sources likely varies greatly."

Bronk counts the 2012 "Shamoon" computer virus attack against national petroleum producer Saudi Arabian Oil Co. (also known as Saudi Aramco) as an example of the devastation that such attacks can cause. Shamoon reportedly spread across as many as 30,000 Windows-based personal computers operating on the company's network. It may have taken Saudi Aramco almost two weeks to fully restore its network and recover from the disruption of its daily business operations caused by data loss and disabled workstations resulting from the incident.

Bronk said there are likely three major areas of energy-related cyber vulnerability that are relevant to the Army: the provision of electricity to bases and facilities by the electrical grid, both in the U.S. and abroad; the distribution of fuels to forces often operating some distance from major logistical hubs; and major cyberattacks against suppliers of fuels that would result in a significant disruption of supply or a rise in price.

"Other scenarios of attack are no doubt possible and are limited only by vulnerability, technical know-how and imagination," Bronk said. "Cyberattacks against Army logistics should be taken as a given, and a massive cyberattack against the oil and gas industry would be of great concern far beyond the Department of Defense."

Bronk proposed five immediate policy and strategic interventions the U.S. military should pursue to prepare for and manage cyberthreats to energy security:

Recognize that cyber incidents like safety or disruption events are not just organizational issues, but also issues of potential concern across an extensive, interconnected energy supply chain.

Develop trusted third-party and clearinghouse relationships aimed at developing better cyber intelligence and analysis.

Produce and constantly refine models of cyber risk intelligence, merging the valuation of assets/processes, threats and reasons for potential compromise.

Consider the cybersecurity ramifications as the Internet expands to cover more infrastructure, including hundreds of millions of energy-related computing devices.

Connect the spheres of geopolitics and the technical aspects of cybersecurity to develop holistic models for coping with the problem.

"These recommendations represent an initial thrust of activity, but instituting them will require difficult shifts in behavior for government and industry," Bronk concluded. "Deep analysis not only of vulnerability but also of the resiliency of the energy supply chain to a cyberattack is necessary."

Explore further: Tech firms vie to secure energy sector against cyberattacks

More information: Read the full paper here:

add to favorites email to friend print save as pdf

Related Stories

Baker Institute policy report looks at cybersecurity

Feb 24, 2011

A new article written by a fellow at Rice University's Baker Institute for Public Policy calls on the intelligence community to jointly create a policy on cybersecurity and determine the degree to which the U.S. should protect ...

Recommended for you

Should you be worried about paid editors on Wikipedia?

3 hours ago

Whether you trust it or ignore it, Wikipedia is one of the most popular websites in the world and accessed by millions of people every day. So would you trust it any more (or even less) if you knew people ...

How much do we really know about privacy on Facebook?

4 hours ago

The recent furore about the Facebook Messenger app has unearthed an interesting question: how far are we willing to allow our privacy to be pushed for our social connections? In the case of the Facebook ...

Philippines makes arrests in online extortion ring

4 hours ago

Philippine police have arrested eight suspected members of an online syndicate accused of blackmailing more than 1,000 Hong Kong and Singapore residents after luring them into exposing themselves in front of webcam, an official ...

Google to help boost Greece's tourism industry

17 hours ago

Internet giant Google will offer management courses to 3,000 tourism businesses on the island of Crete as part of an initiative to promote the sector in Greece, industry union Sete said on Thursday.

Music site SoundCloud to start paying artists

23 hours ago

SoundCloud said Thursday that it will start paying artists and record companies whose music is played on the popular streaming site, a move that will bring it in line with competitors such as YouTube and Spotify.

Facebook awards 'Internet Defense Prize'

Aug 21, 2014

Facebook awarded a $50,000 Internet Defense Prize to a pair of German researchers with a seemingly viable approach to detecting vulnerabilities in Web applications.

User comments : 1

Adjust slider to filter visible comments by rank

Display comments: newest first

not rated yet Mar 04, 2014
Jeff, this is a worthy addition to the ongoing discussion. Readers can / should additionally take a look at the just-released publication from the Bipartisan Policy center, "Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an Evolving Threat", http://bipartisan...ic-grid, which provides some findings and recommendations relevant to this discussion.

I have summarized the report in the IDC Energy Insights Blog: https://idc-commu...w_report

Robert Eastman
Research Manager
IDC Energy Insights