CALGARY – Data theft from high-profile hacks against companies like Uber and Equifax can cost consumers thousands of dollars but resource companies worry about millions in damage, along with potential injuries and death, if their technology is compromised.
The thought of a multi-tonne piece of equipment running amok or shutting down at a critical time in the resource gathering process is a nightmare scenario for chief information and security officers in the oilpatch and other resource-rich regions of Canada. Cybercriminals are betting the company whose gear no longer obeys instructions would be willing to pay dearly to avoid such a situation.
“It’s no longer a bunch a pimple-faced kids in mommy and daddy’s basement – it’s organized crime,” said Daniel Tobok, CEO and co-owner of Toronto-based Cytelligence, who says his company investigates 40 data breach attacks on private Canadian companies every month, often tracing the attacks to foreign hackers. “It’s theft of intellectual property, it’s espionage, but it all comes down to money as a motivation.”
He estimates the attacks cost Canada $3 billion to $5 billion per year in proceeds to criminals, adding one Calgary energy company was forced to pay $200,000 in ransom three years ago to regain control of its corrupted digital production systems.
The rise of the so-called “Internet of Things”, in which machines communicate autonomously with each other, means companies are increasingly employing automation and remote control to drive bulldozers, diggers and heavy trucks, or control drilling and processing equipment. Such automation delivers labour savings but also presents more targets for hackers, making the overall system more vulnerable to cyberattacks. “Somebody could actually die,” said Tobok.
In a recent report, accounting firm EY said the cybersecurity risk to mining companies had jumped to third in 2017-18, from ninth the year before, on a top-10 worst risk list because the “attack surface” is getting larger as connected IT and operational devices in a typical mine or ore transport system grow into the thousands.
Executives agree the threat is real but insist they can keep hackers at bay with multiple automatic and manual shut-down systems, firewalls, strictly limited internet connections and ongoing employee training.
Kevin Neveu, CEO of Precision Drilling Corp., the largest Canadian driller which also operates in the United States, said the company has never had a successful “intrusion” although it detects unsuccessful attempts “almost daily.”
“We’re certainly concerned that someone could hack into a drilling rig,” he said. “We’re running 20 rigs that have automation systems on them that actually control the rigs through software and tell it to go up and down, tell it to go to higher pressure or lower pressure. That software potentially could be hacked.”
He said the company has “intrusion-sensing systems” that are designed to trigger a fail-safe shutdown. The drilling crew can also shut off the rig manually and it’s possible to override the automated system and continue working without it, he said.
Steve Laut, CEO of Canadian Natural Resources Ltd., said he doesn’t want to “advertise” what the company is doing in cybersecurity but noted it has a robust plan with “four or five levels of security,” adding its major heavy oil production plants aren’t connected to the internet.
“We’re like any other corporation out there, we get attacked all the time,” he said. “Most of it bounces off our firewalls.”
Potash Corporation of Saskatchewan Inc. uses continuous boring machines that can mine up to 900 tonnes of ore per hour.
It wouldn’t comment for this article but warns in its annual report that cyberattacks could result in “personal injury” to employees, contractors or the public as well as computer viruses, property damage, disruptions to operations and loss of data or confidentiality.
Michael Murphy, country manager for Citrix Canada, which provides remote access for customers to applications and data, said data security is more difficult to ensure these days because the number of access points is multiplying.
Employees, third-party partners and contractors want to use their own devices to access company systems and data, each presenting a possible entry point for a cyberattack.
“I’m sure what keeps the chief information and security officers up at night is, ‘How do I make sure that the software-defined perimeter continues to be very secure but also accessible?”’ he said.
“You can make something very secure but it doesn’t necessarily make it very productive. It has to be easy to use and very secure at the same time. The complexity of what a company has to manage today is mind-boggling.”