Understanding the International Ramifications of Cyber Insecurity in Energy

(english.alarabiya.net) The interconnection of computer systems that run critical infrastructure is an increasingly significant policy problem. These networks are tremendously important, but the private sector’s assurances of network security often do not match actual conditions. In the energy industry, cyber attacks against private networks have occurred and will no doubt continue. One important issue to consider is that energy production has historically been a wartime target, and it will likely be a target again in future conflicts. Even without the outbreak of war, the vulnerabilities that cyber interconnectivity creates will allow adversaries to target energy infrastructure in acts of economic brinksmanship or during international crises.

 

Targeting of Energy in Warfare

With the mechanization of warfare, hydrocarbon resources became a critical resource for militaries in the 20th century. Without significant domestic oil production, both Germany and Japan made strategic plays at capturing oil-producing areas in the Caucasus and Dutch East Indies, respectively. The United States’ refusal to continue supplying oil to Japan following its invasion of French Indochina was a significant factor in Japan’s decision to attack the United Kingdom and the United States.

With the entry of the United States into the war, the Allies attempted to leverage Germany’s heavy reliance on Romanian oil production by launching costly raids against the refineries at Ploesti. The loss of Romanian supplies necessitated reliance on Fischer-Tropsch unconventional fuel production, but Fischer-Tropsch was no tonic. Germany’s loss of Romania and the interdiction of Japanese maritime supply by US aircraft and submarines starved the Axis of fuel. The forays of the Wehrmacht into the Ardennes and the Japanese fleet into Leyte Gulf in 1944 were one-way trips due to fuel shortages.

Energy targets have often shown great resiliency. During the Iran-Iraq War, both Iran and Iraq made extensive attempts to curb each other’s energy exports with limited success. The Gulf War provides another case study. Even after Iraq’s scorched earth retreat from Kuwait, the emirate was able to return to exporting crude seven months after the cessation of hostilities. Physical attacks can be successful against certain types of energy targets, as Israel’s air strikes on uncompleted Iraqi and Syrian nuclear reactors attest. Because other kinds of energy targets are distributed, repairable, and resilient by design, a great deal of sustained force is often needed to take them out. Can cyber be more effective against energy targets?

 

Cyber and Less-Than-War

Western military interventions since the end of the Cold War have reshaped how the United States applies force. As James Stavridis outlined in 2013, a “New Triad” of capabilities, “special operations forces, unmanned vehicles, and cybercapabilities,” are the chief instruments of power for the United States.

Over the last several years, significant consideration has been given to the topic of jus ad bellum in cyber conflict. In the context of cyber conflict, jus ad bellum is the set of cyber activities that may prompt one state to respond in kind or with the other tools of warfare available in the kinetic space of conflict. Cyberspace, though, presents new challenges in attributing these activities to specific actors. The difficulties of attribution may invite adversaries to use cyber capabilities more liberally than they otherwise would conventional capabilities.

When we consider the methods the Russian military employed in its operations in Ukraine, particularly Crimea, units applied force without clear identification. Well-armed and equipped soldiers erased Crimea’s Ukrainian status in hours. This covert-to-overt application of force is part of the risk equation for special operations, where successful operations are acknowledged and failed ones are easily written off.

Cyber operations are very similar because they represent a form of deniable covert action. There is also the possibility, as Duncan Hollis has raised, that because of the absence of directly applicable international law, “the Lotus principle—i.e., what international law does not prohibit, it permits,” information or cyber operations may be legally accepted. This vacant space has prompted much discussion on regime formation, but produced nothing in the way of formal accord. All the while cyber vulnerability has continued to grow with visible results.

 

The Technological Landscape of Vulnerability

A recent USENIX security paper employed a term that international security thinkers should better understand if they are to keep pace with the change in cyber conflict: phases of security. Studying the security of computers driving traffic signals in a Michigan municipality, the authors observed the security phases for these systems over decades of evolution. When first emplaced, stoplights were electro-mechanical devices that ran on timers. Computers were later added to dynamically adjust light timing based on input from sensors. Now “smart” cities have lights that coordinate activity to manage traffic flows across signals, connecting them to one another and centralized locations in an effort to reduce congestion.

This technological advance, from electrical to computerized and ultimately to interdependent network operations, carries with it three distinct security phases. Subverting the electrical stoplight would have involved rewiring its circuitry, while the computerized one could be manipulated, but only after breaking open a locked metal box in plain view. But the lights in the Michigan study pass information via Wi-Fi, which is open to intercept and enables remote manipulation of each signal and potentially the system of signals. Worse, after being networked, the traffic lights’ computers remained in a security configuration for a device accessible only by opening a locked box, not one able to send and receive messages by radio. The bottom line: traffic lights today are eminently hackable.

Although attention in cybersecurity is growing in computer science and related fields, the market for computing innovation advances today under the banners of an “Internet of Things” (IoT) and “Big Data.” The IoT refers to the addition of computers in all manner of important devices, from household appliances to industrial plants. There is an amazing growth in the number of computers on the planet communicating via the Internet Protocol (IP). According to Cisco Systems, the number of IP-connected computing devices on the planet exceeded the number of people sometime around 2008 or 2009. That ratio of networked devices to people will be more than six-to-one by 2020.

The business driver for all of this networked computerization is to wring out inefficiency, reduce costs, and apply the savings to balance sheets. This is where “Big Data” comes in. In oil and gas, computerized modeling of geological data has enabled computer-aided horizontal drilling and hydraulic fracturing production. While small and medium-sized firms drove the “fracking” boom, we can assume it will be consolidated under a smaller number of big players. With that consolidation will come calls for efficiency met by computerization.

Other drivers will influence the deployment of information technologies in electricity, especially if production becomes widely distributed across micro-grids, interconnected via computer-mediated “smart grids.” That enlarges the energy sector’s attack surface for cyber attack. The more computers are interconnected to drive energy production, processing, and distribution systems, the more avenues for disruption will emerge. The same sort of interconnection seen in stoplights is underway in energy, with similar security phase issues at wellheads, pipeline pumps, and electrical substations.

 

Employing the Cyber Weapon in Energy

Stuxnet was the first major, well-documented cyber attack with serious kinetic ramifications ostensibly launched by a state against another. It was also an attack against an energy target. The cyber attack on Iran’s nuclear enrichment facility at Natanz, which could be considered a dual-use or military facility, was an aggressive act of covert action against one of the world’s most unpredictable regimes.

After Stuxnet came Shamoon, far less sophisticated but damaging, deleting the data contents of more than 35,000 personal computers at Saudi Aramco and other companies in the oil and gas industry. Together, Stuxnet and Shamoon demonstrate what is likely a new reality in international affairs: that cyber attacks may be employed well below the threshold of international conflict on energy targets.

As energy resources are a critical input for most of the world’s economic activity and are the near entirety of exports for several nations, they invite attention. Recent oil price declines threaten the viability of exchequers in Russia, Venezuela, and Iran. Putin’s Russia, a nation with significant cyber capability, may be considering what options exist for cyber action to push prices in a favorable direction for Moscow. That said, the chance for a massively debilitating attack on an entire supermajor or national oil company’s production remains a long shot. But can a cyber attack, launched at an especially opportune time, have outsized impact? Perhaps.

The United States should consider how cyber will play a part during international crises. Consider this. Following the August 2013 Médecins Sans Frontières report of chemical weapons use by the Assad regime, the US announced that it was considering cruise missile attacks in retaliation. A day later, the Syrian Electronic Army brought down the websites of the New York Times and other media outlets. To the best of my knowledge, never before has one power been able to effectively censor the leading newspaper most widely read by officialdom of the party holding power in another half a world away.

For us to assume that cyber attacks won’t be aimed at economic infrastructure in future crises is foolhardy. It is a dial that can be turned up to express displeasure or influence decisions. Iran’s purported campaign of denial of service attacks against US banks is one example. Russia’s continued acceptance of sophisticated and well-organized cybercrime activities conducted from its soil is another. Will there be more Shamoons? Most definitely, and with increased computerization and interconnection of energy production and distribution, cyber attacks may well be very effective for short periods of time. How leaders handle the rise of the cyber component in such crises will be profoundly important.

 

Disclaimer: This paper was prepared and written in the author's personal capacity. The opinions expressed herein are the author's own.