Data theft from high profile hacks against companies like Uber and Equifax can cost consumers thousands of dollars but source businesses worry about countless damage, together with possible injuries and death, if their technology is compromised.
The notion of a multi-tonne piece of equipment running amok or shutting down at a vital period in the resource gathering process is a nightmare situation for chief information and security officers in the oilpatch and other resource-rich areas of Canada.
Cybercriminals are betting the company whose equipment no longer obeys instructions will be prepared to pay dearly to avoid this type of circumstance.
“It is no longer a lot a pimple-faced children in mommy and daddy’s basement — it is organized crime,” stated Daniel Tobok, CEO and co-owner of Toronto-based Cytelligence, who says his firm investigates 40 data breach attacks on private Canadian companies each month, often tracing the strikes to foreign hackers.
“It is theft of intellectual property, it is espionage, but it all comes down to money as a motivation.”
He estimates that the attacks cost Canada $3 billion to $5 billion each year in profits to offenders, including one Calgary energy company was forced to pay $200,000 in ransom three years ago to regain control of its corrupt digital production systems.
The growth of the so-called “Internet of Things” — where machines communicate autonomously with each other — means businesses are increasingly employing automation and remote management to drive bulldozers, diggers and heavy trucks, or control processing and drilling equipment. Such automation produces labour savings but also presents more targets for hackers, making the entire system more vulnerable to cyberattacks.
“Somebody may actually die,” said Tobok.
In a recent report, accounting company EY stated the cybersecurity risk to mining companies had jumped to third in 2017-18, from ninth the year earlier, on a top-10 worst threat list since the “attack surface” is becoming larger as linked IT and operational apparatus in a standard mine or ore transportation system grow into the thousands.
Experts agree that the threat is real but insist that they could keep hackers at bay with numerous manual and automatic shut-down systems, firewalls, strictly restricted internet connections and ongoing employee training.
Kevin Neveu, CEO of Precision Drilling Corp., the biggest Canadian driller that also operates in the USA, said the company hasn’t had a successful “intrusion” although it finds unsuccessful efforts “almost daily.”
“We are definitely concerned that someone could hack into a drilling rig,” he said.
“We are running 20 rigs that have automation systems on those who really control the rigs via software and let it go up and down, let it go to greater pressure or lower strain. That software possibly could be hacked.”
He said the company has “intrusion-sensing systems” which are intended to activate a fail-safe shutdown. The drilling crew may also shut the rig off and it is possible to override the automatic system and keep working without it, he said.
Steve Laut, CEO of Canadian Natural Resources Ltd., stated he does not need to “advertise” what the organization is performing in cybersecurity but noted it’s a strong plan with “four or five levels of security,” adding its major heavy oil production plants are not on the web.
“We are like any other company on the market, we get attacked all the time,” he said. “Most of it bounces off our firewalls.”
Potash Corporation of Saskatchewan Inc. uses constant boring machines which could mine up to 900 tonnes of ore per hour.
It would not comment for this guide but warns in its yearly report that cyberattacks could lead to “personal injury” to employees, contractors or the public in addition to computer viruses, property damage, disruptions to operations and reduction of information or confidentiality.
Michael Murphy, country manager for Citrix Canada, which offers remote access for clients to data and applications, said data protection is more challenging to guarantee these days because the amount of access points is multiplying.
Employees, third party partners and builders wish to use their own devices to access business systems and data, each presenting a potential entry point for a cyberattack.
“I am certain what keeps the chief information and security officers up at night is, ‘How do I ensure the software-defined perimeter is still quite secure but also available?”‘ he said.
“You can make something quite stable but it does not necessarily make it quite productive. It has to be simple to use and very secure at exactly the exact same time. The complexity of what a business must handle today is mind-boggling.”