Halliburton, one of the world's leading oilfield service companies, has confirmed that its corporate networks have been impacted by an unspecified issue following reports of a cyberattack. The incident has raised concerns within the energy sector, as Halliburton plays a crucial role in global oilfield operations, and any disruption to its networks could have far-reaching implications.
According to Halliburton, the company is currently investigating the issue, though specific details about the nature of the disruption or the extent of the impact have not been disclosed. The company has not yet confirmed whether the incident was the result of a cyberattack, but sources familiar with the situation have indicated that a cyber incident is being considered as a potential cause.
Halliburton has stated that it is working with cybersecurity experts to assess and mitigate the issue. The company has not provided a timeline for when its systems will be fully operational again, but it has assured stakeholders that efforts are being made to restore normal operations as swiftly as possible.
The potential cyberattack on Halliburton underscores the growing threat to critical infrastructure and companies within the energy sector. As oil and gas service providers like Halliburton rely heavily on sophisticated IT and OT (Operational Technology) systems to manage complex operations, any compromise to these systems could disrupt services and even impact global oil supply chains.
"This is a horrendous situation, but it is not unforeseeable. The lesson of the Colonial Pipeline attack was that a successful attack on one major service provider in an industry sector could shut down all organizations relying on its services," said Shawn Tuma, Co-Chair, Data Privacy & Cybersecurity Practice, at Spencer Fane LLP. "In the game of extortion, that's a lot of pressure. We just saw this recently with the attack on Change Healthcare which impacted all of the organizations relying on its services. Then we saw it again with CDK. Halliburton is a huge target in this energy sector and the impact will be substantial. Industry critical service providers have become a very valuable target to threat actors, and we can expect to see these types of attacks impacting similar industry providers in the future. Companies must be asking themselves about what service providers they depend on and how they will continue to operate if something were to happen to them."
Cybersecurity experts have long warned that energy companies are prime targets for cyberattacks due to the critical nature of their operations. A successful attack on a company like Halliburton could have cascading effects, potentially leading to operational delays, financial losses, and increased risk of environmental incidents if systems controlling safety mechanisms are affected.
"Since 2019, FBI and various defense agencies have continued to warn that nation-states, state-sponsored actors, and cybercriminals have taken a hybrid approach to their efforts to destabilize U.S. critical infrastructure services involving cyberattacks, counterintelligence, and crime," said VJ Viswanathan, Founding Partner, CYFORIX (former CISO and senior executive at Keurig Dr Pepper, Comcast, HD Supply, and GE). "Cybercriminals, on the other hand, are constantly profiling critical infrastructure services, as the attack surface of these services continue to expand with various digital transformation initiatives."
Halliburton's response to the incident is being closely watched by both the cybersecurity community and the energy sector. The company's swift acknowledgment of the issue and its engagement with security experts is a positive sign, indicating that Halliburton is taking the threat seriously.
However, the lack of detailed information has led to speculation about the severity of the incident. It remains unclear whether sensitive data was compromised or if the disruption has affected the company's ability to deliver services to its clients.
"Following this incident and depending on the scope of the attack, Halliburton and its many divisions could be expected to experience severe business interruption with internal staff productivity degraded, access to information and networks revoked out of caution, and large portions of both internal and external facing staff idled," said Donovan Tindill, Senior Director of OT Security at DeNexus. "In contrast, cyber incident response teams contain and eradicate the threat. Idled or severely degraded employee and subcontractor productivity during the cyber incident is potentially the best-case loss scenario."
The incident highlights the urgent need for robust cybersecurity measures within the energy sector. Companies like Halliburton must ensure that their networks are protected against increasingly sophisticated cyber threats. This includes not only securing IT systems but also ensuring that OT systems, which control critical infrastructure, are equally well-protected.
"Nation-state actors have already demonstrated their ability to penetrate and attack critical infrastructure systems in the U.S.," said Venky Raju, Field CTO at ColorTokens. "So far, it has been restricted to small utilities like the water supply system in Muleshoe, Texas, etc. We will soon know if the Halliburton attack is an escalation by one of these groups, or an attack on their IT networks by a different actor."
"Regardless, utilities and other critical infrastructure organizations should take immediate steps to prevent unauthorized remote access to IT and OT networks, and implement micro-segmentation controls inside networks to limit lateral movement," Raju said. "The latter is even more urgent, as the adversaries may have already planted backdoors by using undetected Zero-Day exploits."
In the wake of this incident, it is likely that Halliburton and other companies in the sector will reevaluate their cybersecurity strategies, focusing on enhancing threat detection, response capabilities, and incident management processes.
"Critical infrastructure providers and manufacturing companies are increasingly pursuing IT and OT convergence, as the data collection and analysis benefits can dramatically improve production efficiency, maintenance, and scaling," said Marcus Fowler, CEO of Darktrace Federal. "However, as OT security struggles between legacy systems and the expanding wave of IT and OT interconnectivity within their environments, the risk of cyber-physical attacks continues to grow."
"With IT/OT convergence expanding attack surfaces, security personnel have increased workloads that make it difficult to keep pace with threats and vulnerabilities," Fowler said. "Many organizations rely on Indicator of Compromises (IOCs) for threat detection, which often miss insider threats and novel attacks because the tactics, techniques, and procedures (TTPs) and attack toolkits have never been seen in practice."
"Anomaly-based detection is best suited to combat these types of threats," Fowler continued. "Thus, the adoption of AI-powered solutions that focus on anomalous behaviors to identify novel threats, can respond at machine speed, and help to guide recovery from cyber incidents in industrial systems is paramount for keeping critical infrastructure safe."
Al Lindseth is Principal at CI5O Advisory Services LLC, and he spent 23 years at Plains All American Pipeline, most recently as SVP of Technology, Process, and Risk Management. So, he is familiar with the risks, concerns, and opportunities for keeping the oil and gas sector secure.
"I used to treat other incidents that related to us in any way, even if they didn't directly affect us, as an opportunity. I'd do a one-pager for the management team and board as the incident was unfolding, with the intention to include in my next quarterly status update," Lindseth said. "I'd include a description of any activities we were taking, for example ISAC meetings or discussions with threat intel providers or other CISOs to gather whatever information we could, and internal assessments like scanning for indicators of compromise."
"In addition to results from those exercises, we would identify areas of improvement or gaps. It essentially was a drill," Lindseth said. "For example, I would have done those during the Clorox and MGM Resorts incidents and disclosures, and highlighted our own uplifts to the program due to the new SEC requirements, e.g., inclusion of materiality definition in internal notification levels to escalate/trigger the crisis management plan. You might as well be proactive about these headline-grabbers, as management and the board are going to ask you questions anyway; this organizes it and puts you in the driver's seat."
"I don't know the specifics other than what's publicly out there, but it's creating some healthy discussion around OT cyber, so I'll pounce on that, as well," Lindseth continued. "Make sure with your board/management team that OT cyber is framed as a problem, not just another ongoing element of your cyber program. These are critical systems which weren't designed with cybersecurity in mind, so now that we have increasing convergence and they're a huge target, it's a real dilemma."
"Segmentation and isolation was really the core strategy until our government saw BlackEnergy taking place in Ukraine and started asking if that could happen here," Lindseth said. "That's really when visibility into those systems became a priority across the board. Now, OT programs should directionally have the same Defense in Depth goals of any cyber program. Risk mitigation options are more difficult with OT."
"Also, regarding being able to assess well, if you haven't developed a full asset inventory, then you really don't have a good profile of what you need to protect. We are catching up from decades of not addressing cyber in these systems. It's going to take money, resources, effort, the right mindset, and a major team effort at all levels to get to where we need to be. AI has only increased the need to move on this."
"Energy sector is undergoing at scale transformation driven by increased investments in renewables, which also garners attention from cyberattacks," Viswanathan said. "Risk profile typically expands during transformation. Control Systems and Operational Technology vulnerabilities are a critical concern due to endemic security issues at the product and service layers; this coupled with constant profiling for vulnerable attack surface inevitably leads to disruptive attacks that has broader supply chain manifestation. It's crucial to continuously drive strategic risk assessments across the product and service stack."
"While the Colonial Pipeline ransomware attack caused significant fuel disruptions in 2021, Halliburton's cybersecurity incident is not anticipated to trigger similar supply chain issues," Viswanathan added.
SecureWorld News recently reported on the concern over increasing cyberattacks on railway systems and the OT security implications.
Al Lindseth will present on "Integrate Transformative OT Cybersecurity Programs to Increase Effectiveness" at the SecureWorld Manufacturing & Retail virtual conference on August 28th, and at the SecureWorld Dallas in-person event on October 3rd.
VJ Viswanathan will co-present with Col. Cedric Leighton, CNN Military Analyst; USAF (Ret.), Chairman, Cedric Leighton Associates, LLC, on "When Enterprise and World Events Collide: Driving Outcome-Based Cybersecurity Transformation" at SecureWorld Dallas on October 3rd.
Shawn Tuma will moderate the opening keynote panel at SecureWorld Dallas on Oct. 3rd, titled "The Hidden Costs of Cybersecurity: Unveiling the True Price of Protection."