US Army must be prepared for cybersecurity threats to energy sector, study says

February 6, 2014 by Jeff Falk, Rice University

Cybersecurity threats to the United States' energy industry and infrastructure are rising and require increased preparedness by the U.S. Army and Department of Defense, according to a new paper from Rice University's Baker Institute for Public Policy.

The paper, "Hacks on Gas: Energy, Cybersecurity and U.S. Defense," was authored by Chris Bronk, a fellow in at the Baker Institute and a former U.S. State Department diplomat who specializes in cybersecurity issues. Produced for the U.S. Army War College's Strategic Studies Institute, the paper considers potential cyberthreats relevant to the Army and Department of Defense's needs and purview, including the electrical grid, oil and gas security and the military's fuel supply chain, and proposes a range of policy and strategic recommendations the nation's military should undertake to address these threats.

"We should be concerned with cybersecurity in energy because, as with other areas of the global economy, computing has been widely adopted in the ," Bronk said. "The Department of Defense is incredibly reliant on private sources of energy, and the level of preparedness for cyberattack among those sources likely varies greatly."

Bronk counts the 2012 "Shamoon" computer virus attack against national petroleum producer Saudi Arabian Oil Co. (also known as Saudi Aramco) as an example of the devastation that such attacks can cause. Shamoon reportedly spread across as many as 30,000 Windows-based personal computers operating on the company's network. It may have taken Saudi Aramco almost two weeks to fully restore its network and recover from the disruption of its daily business operations caused by data loss and disabled workstations resulting from the incident.

Bronk said there are likely three major areas of energy-related cyber vulnerability that are relevant to the Army: the provision of electricity to bases and facilities by the electrical grid, both in the U.S. and abroad; the distribution of fuels to forces often operating some distance from major logistical hubs; and major cyberattacks against suppliers of fuels that would result in a significant disruption of supply or a rise in price.

"Other scenarios of attack are no doubt possible and are limited only by vulnerability, technical know-how and imagination," Bronk said. "Cyberattacks against Army logistics should be taken as a given, and a massive cyberattack against the oil and gas industry would be of great concern far beyond the Department of Defense."

Bronk proposed five immediate policy and strategic interventions the U.S. military should pursue to prepare for and manage cyberthreats to energy security:

Recognize that cyber incidents like safety or disruption events are not just organizational issues, but also issues of potential concern across an extensive, interconnected energy supply chain.

Develop trusted third-party and clearinghouse relationships aimed at developing better cyber intelligence and analysis.

Produce and constantly refine models of cyber risk intelligence, merging the valuation of assets/processes, threats and reasons for potential compromise.

Consider the cybersecurity ramifications as the Internet expands to cover more infrastructure, including hundreds of millions of energy-related computing devices.

Connect the spheres of geopolitics and the technical aspects of cybersecurity to develop holistic models for coping with the problem.

"These recommendations represent an initial thrust of activity, but instituting them will require difficult shifts in behavior for government and industry," Bronk concluded. "Deep analysis not only of vulnerability but also of the resiliency of the energy supply chain to a cyberattack is necessary."

Explore further: 'Shamoon' computer virus attack marked new height in international cyber conflict

More information: Read the full paper here:

Related Stories

Baker Institute policy report looks at cybersecurity

February 24, 2011

A new article written by a fellow at Rice University's Baker Institute for Public Policy calls on the intelligence community to jointly create a policy on cybersecurity and determine the degree to which the U.S. should protect ...

Recommended for you

1 comment

Adjust slider to filter visible comments by rank

Display comments: newest first

not rated yet Mar 04, 2014
Jeff, this is a worthy addition to the ongoing discussion. Readers can / should additionally take a look at the just-released publication from the Bipartisan Policy center, "Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an Evolving Threat", http://bipartisan...ic-grid, which provides some findings and recommendations relevant to this discussion.

I have summarized the report in the IDC Energy Insights Blog: https://idc-commu...w_report

Robert Eastman
Research Manager
IDC Energy Insights

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.