Oil and gas companies, including some of the most celebrated industry names in the Houston area, are facing increasingly sophisticated hackers seeking to steal trade secrets and disrupt operations, according to a newspaper investigation.
A stretch of the Gulf Coast near Houston features one of the largest concentrations of refineries, pipelines and chemical plants in the country, and cybersecurity experts say it's an alluring target for espionage and other cyberattacks.
"There are actors that are scanning for these vulnerable systems and taking advantage of those weaknesses when they find them," said Marty Edwards, director of U.S. Homeland Security's Cyber Emergency Response Team for industrial systems.
Homeland Security, which is responsible for protecting the nation from cybercrime, received reports of some 350 incidents at energy companies from 2011 to 2015, an investigation by the Houston Chronicle has found. Over that period, the agency found nearly 900 security flaws within U.S. energy companies, more than any other industry.
Steps are being taken to thwart attacks. For instance, the Coast Guard in a joint operation with Houston police patrolled the waters southeast of Houston last year conducting sweeps for unprotected wireless signals that hackers could use to gain access to facilities. The operation was one of the first of its kind in the U.S. concentrating on cyberattacks by sea.
But the vast network of oil and gas operations makes it difficult to secure. Thousands of interconnected sensors and controls that run oil and gas facilities remain rife with weak spots.
Many companies the technology and personnel to detect hackers. Equipment was designed decades ago without security features, and efforts over the years to link computer networks to devices that monitor pressure or control valves have exposed operations to online threats.
"You could mess with a refinery or cause a vessel to explode," Richard Garcia, a former FBI agent who became a cybersecurity specialist, told the Chronicle.
Power, chemical and nuclear facilities must adhere to strict cybersecurity measures, but federal law doesn't impose such standards on the oil and gas sector. And when oil and gas companies have been infiltrated by a hacker, they're not required to report the incident.
More than 20 of the nation's largest oil companies — including Exxon Mobil Corp. and ConocoPhillips, refiner Phillips 66 and pipeline operator Kinder Morgan — declined to comment or did not respond to multiple requests for comment. The American Petroleum Institute, the national trade association for oil and gas, also declined to comment.
Charles McConnell, executive director of Rice University's Energy and Environment Initiative, said oil companies tend to rush to deploy new computer technologies that make operations more productive, but only afterward considering ways to defuse online threats.
"The pace of change of the technology we've adopted is every step of the way more and more vulnerable to cyberattack," McConnell said.