Oil and gas drillers developing the country's hottest shale plays are hesitant to talk about cybersecurity risks to their booming business, but financial disclosures from those same operators show they are universally concerned about hacks.
S&P Global Market Intelligence contacted a dozen exploration and production companies active in the Permian Basin to gauge their concern about cyberrisks and discern what steps they are taking to secure their assets. The companies offered few details, but many in the industry have answered the questions before in annual filings with the SEC. In those 10-K filings, producers show cybersecurity has become a grave concern. Companies are not only concerned about the threat of having information stolen, but losing control of a rig or producing wells.
In its latest 10-K for instance, Chesapeake Energy Corp. said it was "increasingly dependent" on digital technologies in its exploration and production activities and it has already been subject to hacking attempts.
"We have been the subject of cyber-attacks on our internal systems and through those of third parties, but these incidents did not have a material adverse impact on our results of operations. Nevertheless, unauthorized access to our seismic data, reserves information or other proprietary or commercially sensitive information could lead to data corruption, communication interruption … any of which could have a material adverse impact on our results of operations," the company said. Chesapeake added that it would likely have to expend "significant additional resources" in order to enhance its protective measures against cyberattacks.
The threat to producers through the internet is diverse and awareness is becoming widespread, said Deloitte Principal for Cyber Risk Services Kevin Oswald.
"We've had a lot of clients where the executives have asked, how resilient is their infrastructure? If you go talk to a board of directors, cybersecurity is one of their top three concerns," said Oswald, who has nearly 20 years of experience working with companies on security strategy. "We've seen a lot of activity with non-super majors that are looking at cybersecurity. We're seeing it from internal audits and people in operations in the field. They're all trying to figure out their roles in protecting their companies and their assets."
While Apache Corp. declined comment for this article, their annual filing showed how widespread the company's concern is when it comes to malicious cyber activity. "A cyberattack directed at oil and gas distribution systems could damage critical distribution and storage assets or the environment, delay or prevent delivery of production to markets, and make it difficult or impossible to accurately account for production and settle transactions," Apache said.
Hackers are becoming an increasing concern for exploration and production companies.
Pioneer Natural Resources Co., one of the larger producers in the Permian Basin, mentioned the threat to its confidential information as a result of potential hacking attacks, but also brought up another issue: the threat of "terrorist acts."
"The potential for such security threats has subjected the company's operations to increased risks that could have a material adverse effect on the company's business," Pioneer said.
Even with producers pouring money into cybersecurity, dealmaking in places such as the Permian could make it tougher to defend against hackers while making it easier for malicious users to gain access. Not having a uniform security setup in place could leave companies vulnerable.
"With all the joint ventures and the M&A activity, those assets have changed hands between a lot of companies," Deloitte's Oswald said. "At the end of the day, it's important to realize who's controlling these upstream assets. I see a lot of focus on just the process and procedures related to all the [deals]. … You've got to know what all your assets are. Without that, you don't know what all you're protecting."
Oswald said many companies have outsourced their cyber support to third parties. After a deal, the new owner's IT group may have a tricky integration process ahead. For instance, Pioneer in its annual filing said it had outsourced at least some of its assets, including data hosting facilities, to third parties.
"When those assets change hands, those legacy relationships come with them," Oswald said. "We have to make sure we're connecting or de-connecting things in a safe and secure matter."
In its description of the threat posed by hackers, Anadarko Petroleum Corp. said cyberattacks against the company have become more sophisticated and have included attempts to access data, systems and facilities. The company said no attacks to date have been successful, but "there is no assurance we will not suffer [material losses] in the future."
In an effort to reduce the risk, producers are not just spending money on new software or firewalls. They are also training their employees to prepare for a cyberattack as "when," not an "if," scenario. Oswald said companies are drilling their employees to realize they all have a key role to play in making sure systems remain safe. "Addressing the risk isn't an overnight, one and done activity," he said.
In its discussion of cyber threats, EOG Resources Inc. said it had plans to implement new defenses "to monitor and mitigate … security threats", but it would increase capital and operating costs. Those drillers who don't spend on cybersecurity may be the ones facing the next big attack.
"It's always the weakest link, the low-lying fruit," Oswald said. "Stopping them is about doing the blocking and tackling right."