The future of energy insecurity has arrived. In August, a devastating cyber attack rocked one of the world’s most powerful oil companies, Saudi Aramco, Riyadh’s state-owned giant, rendering thirty thousand of its computers useless. This was no garden-variety breach. In the eyes of U.S. defense secretary Leon Panetta, it was “probably the most destructive attack that the private sector has seen to date.”
What makes this kind of attack so worrying is the risk it poses to energy prices and hence the U.S. economy. Stopping oil production in Saudi Arabia could turn into a catastrophic loss of oil supplies. Even a short outage could cause prices to fly off the handle, setting off a scramble as market participants rushed to buy oil in case the shortage dragged on. Because the oil market is global in nature, a production outage anywhere can cause oil prices the world over to soar. U.S. officials should take note: A cyber threat to a company so central to the world energy market as Saudi Aramco poses a significant risk to the economic well-being of the United States.
The August attack on Saudi Aramco was only the most recent volley in what Washington has described as “low-grade cyberwar” in the Middle East, in this case likely involving Iran. The Shamoon virus the hackers deployed, judging by its sophistication and signature, was the handiwork of a state-supported effort, according to Secretary Panetta, though some U.S. investigators have disputed that assessment. Security experts surmise that the attack may have involved someone with privileged access to the company’s computer network.
Saudi Aramco was not the only casualty. RasGas, a Qatari natural gas company and the second-biggest producer of liquefied natural gas in the world, fell victim to an identical virus a short time after the Saudis. Like Aramco, RasGas announced that despite the attack, which left some of its computers “completely dead,” its energy production was not affected. Experts surmise that the Iranian attacks were likely payback for the apparently Western-backed Stuxnet virus, which struck the country’s Natanz nuclear plant.
Oil, gas and petrochemical companies are popular targets for hackers, who have ramped up their assault on these firms over the last two years. McAfee, an Internet-security firm, described in a recent study a barrage of “coordinated covert and targeted cyberattacks,” coming mostly from China, targeting energy companies around the world. The aim of these operations was to get ahold of proprietary data such as oil reserves, bidding strategies and critical infrastructure. The trade secrets that this string of attacks, dubbed Night Dragon by McAfee, sought to capture are big business. Stewart Baker, a former assistant secretary of homeland security, called information about “what oil exploration companies have found and not found” the “most valuable intelligence in the commercial world.”
But this summer’s attack on Saudi Aramco differs from these more traditional cyber espionage cases in a critical way: It wasn’t about the data. It was about disabling the company’s operations. Both are serious, but the former poses a systemic risk that, if successful, could make waves far beyond the health (or even survival) of a single company. American consumers could suffer because of an incident involving an oil company that they know little about and is located thousands of miles away.
The United States may have narrowly averted a disaster when Aramco was hit. The global oil market responds to any news about Saudi Arabia’s oil production practically instantaneously. Word from Riyadh about a future production increase or preferred trading range for crude oil can cause markets to swoon. Little surprise, considering that the company accounts for around 12 percent of global oil supply. Fortunately, Saudi oil operations were unaffected by the computer outage, at least as far as is known. Had the Shamoon virus prevented the flow of oil to market somewhere along the supply chain, though, the effect on prices would have been much less benign.
Virtual warfare against energy companies will not end anytime soon. Hackers are well aware that crippling oil operations offers significant leverage, strategically speaking, as acts of terror: a single successful act has the potential to hurt oil-consuming nations far beyond the Middle East. Small wonder that oil-industry assets around the world—oilfields, loading platforms, pump stations and so on—were long ago identified by Osama bin Laden as targets. Saudi Aramco’s CEO, Khalid al-Falih, reiterated after the August 15 attack that “this was not the first time nor will it be the last illegal attempt to intrude into our systems.” It is conceivable that a future one, if successful, could amount to the “cyber-Pearl Harbor” of which Secretary Panetta has long warned U.S. policy makers.
Defending the world’s major energy suppliers against debilitating cyber threats will not be easy, but it is essential. The risk cannot be eliminated; Washington’s ability to protect the corporate infrastructure of a foreign organization like Saudi Aramco is inherently imperfect. But if the United States is serious about its own economic security, this is one battle it cannot afford to sit out.
Blake Clayton is a fellow for energy and national security at the Council on Foreign Relations.