A reader recently brought to my attention an upcoming conference in London in the UK—The Oil and Gas Cyber Security Forum. Here’s a little blurb:

Despite investments into state of the art technology, a majority of the oil and gas industry remain blissfully unaware of the vulnerabilities, threats and capability of a malicious cyber attack on control systems.

The consequences of a cyber attack on the oil and gas industry’s critical infrastructure would be disastrous, causing major disruption to the supply chain which emphasizes the need for the implementation of effective security measures mitigate the risk.

SMi Group’s inaugural Oil and Gas Cyber Security Forum, taking place on 21-22 November 2011 in London, will bring together information security professionals from across the world to investigate the unique security challenges that the energy sector faces and methods of constructing effective security strategies.

The conference will include presentations from leading global oil and gas companies, hackers, consultants and other experts and will arm delegates with the knowledge to combat cyber threats global and national energy infrastructures.

I bring this up because it is relevant to the trends in cyber security that we see this year—that of the Advanced Persistent Threat. It is also relevant to my Son of Stuxnet post that I wrote yesterday.

The biggest fear from the APT is industrial sabotage. That’s what happened with Stuxnet. But my own analysis reveals that APTs also are about cyber espionage—sitting in a computer network and stealing information, sending it back to the writer of the malware in order to give them a competitive advantage. Indeed, we have seen multiple types of cyber attacks in the past 12 months:

1. Stuxnet showed us that some malware threats are designed to disrupt an industrial service.
2. Companies like Lockheed Martin, RSA, other government military contractors and Google were victims where the goal was to steal information.
3. Other APTs are designed to sit and remain idle awaiting instructions to launch distributed DOS attacks (particularly Chinese malware).
4. Still other threats (that are not APTs) are around simply to cause service disruptions such as the attacks against Sony and the US federal government by hacking groups.

The fear in large industrial control systems is that what might be a case (2) could turn out to be case (1). If something is lurking in your network somewhere (like a Cylon) and at first is “merely” stealing information, what happens if it turns hostile and starts sabotaging its hosts?

The oil and gas industry is one of the cornerstones of our economy today. We depend on energy and if a foreign state ever attacked energy infrastructure, it would cause serious pain to the developed world. On the other hand, you would think that attacking the energy infrastructure would hurt the attacker as well unless they were looking to drive competitors offline and increase their own profitability and importance (wasn’t that the plot of 24, season 2? Or maybe season 5? Where’s Jack Bauer when you need him!).

Anyhow, the conference looks interesting. Notice that it is the first Oil and Gas Security Summit. I’d bet that the scope will increase in the coming years.