Exxon Mobil Corp. bans its employees from using personal email and USB flash drives. It sends them simulated phishing emails, with alluring links, to see whether its workers would fall for tricks that would leave the computer networks of the nation’s biggest oil company vulnerable to attack.
These defensive measures are a response to the threat from hackers who increasingly target oil companies in efforts to steal money and intellectual property, or cause physical damage by taking over controls that adjust valves or regulate pressure pumps at refineries and pipelines. Online attacks against oil companies, whether by thieves, radical environmental activists or saboteurs, are on the rise. In a global survey last year, one third of oil companies said they’ve been hit more than twice by online attackers who penetrated their defenses, according to the SANS Institute, a nonprofit that conducts cybersecurity training.
“Any attacker with enough resources and enough determination will likely discover ways to breach a single layer of defense,” said Scott Robichaux, a cybersecurity manager at Exxon Mobil. For that reason, he added, oil companies should add several layers of security to keep hackers out of their networks.