Cybersecurity experts aren’t surprised by the revelation contained within a package of leaked U.S. intelligence documents suggesting Russian-backed hackers successfully gained access to Canada’s natural gas distribution network.
But they say there’s a huge difference between gaining access to a company’s network or servers, and actually disrupting Canada’s energy supply or causing injury or property damage.
“There’s a big disconnect between gaining access to a computer, in the industrial world, and knowing how to make it do physical things,” said Lesley Carhart, director of incident response for North America at the industrial cybersecurity company Dragos Inc.
“Criminal groups gain access to industrial facilities all the time. But just hitting buttons isn’t necessarily going to cause anything meaningful to happen.”
An apparent release of Pentagon documents onto social media sites recently appeared not only to detail U.S. and NATO operations in Ukraine, but also contained a claim by Russian-backed hackers that they successfully accessed Canada’s natural gas infrastructure.
The leaked documents don’t name a specific company. The Canadian Press has not independently verified the claims.
The news has thrust the issue of cybersecurity in North America’s oil and gas sector back into the spotlight. The Communications Security Establishment (CSE), which oversees Canadian foreign intelligence gathering and cybersecurity, said in a statement it does not comment on specific incidents, but added it was “concerned about the opportunities for critical infrastructure disruption” on internet-connected technology “that underpins industrial processes.”
Geoffrey Cann, a B.C.-based author and speaker who specializes in digital issues affecting the oil and gas industry, said Canada’s energy sector is routinely targeted by cybercriminals for financial gain as well as by state-sponsored hackers hoping to create mayhem.
“It would be a shock if they weren’t targeting Canadian infrastructure, because they’re targeting energy infrastructure worldwide as a matter of routine,” he said.
“And industry is highly aware of this. This is a board-level topic.”
In 2021, a ransomware attack successfully targeted the Colonial Pipeline, the largest pipeline system for refined oil products in the U.S. It was the largest cyberattack on oil infrastructure in the history of the United States, and forced the company to temporarily halt pipeline operations.
Carhart said it’s not a secret that state-sanctioned actors are also attempting to gain entry into oil and gas companies’ systems for the purpose of corporate espionage, sabotage or terrorism. But she pointed out that industrial sites have layers upon layers of safety protocols and equipment in place, and just gaining access to a computer server isn’t necessarily enough to really cause an impact.
“Industrial facilities are made to be very safe. They’re made to survive human error, and devices failing,” she said, adding it could take years for a cybercriminal to learn enough about a company’s internal processes and equipment to actually cause an incident.
“Yes, there are states with resources spending a lot of time and money to learn about these facilities so they can do something in the future. But does just getting access to these facilities mean they can? No.”
Cann agreed that while oil and gas companies themselves should be concerned about the financial and operational risk of a cyberattack, the risk that a hacker could significantly disrupt energy supply for Canadians for any significant period of time remains extremely low.
“For a hack to be successful in Canada, it would have to bring down enormous amounts of our infrastructure at the same time. And that’s possible, but the probability is infinitesimally small,” Cann said.
“Oil and gas infrastructure is being attacked constantly, and yet there are very few public incidents that we hear of. So we have that in our favour.”