Take a tour of 1366 Technologies, a startup near Boston that is developing a cheaper way to make solar cells, and you will see open spaces with low cubicles, engineers at their desks, a machine shop, and testing equipment running silicon wafers through their paces.
But the tour is a bluff: it’s what you don’t see that’s really interesting. In another part of the building—one with no obvious way in—sit the engineers working on the core technology, machines that could cut the cost of silicon wafers for solar cells in half. Perhaps most important, computers used for the real work are entirely cut off from the Internet.
“We are paranoid,” 1366 CEO Frank van Mierlo says. “We’ve taken our entire engineering server offline and air-gapped it, like the Department of Defense.”
There has recently been much talk in Washington about the need to guard critical infrastructure, such as power plants, against possible enemy cyberattacks. But energy companies say that their key inventions and business data are already the target of increasingly sophisticated cyper-espionage.
“[It] quietly kept getting worse and worse,” Dana Deasy, the former chief information officer of BP, said last November during a meeting of information technology executives in Barcelona, Spain. “You finally wake up one day and you’re sitting in a world where this is a serious threat to the industry as a whole.”
Attacks can go unnoticed for years, or are never reported. As a result, estimates of stolen intellectual property vary “so widely as to be meaningless,” according to a 2011 report on foreign cyberspying by the U.S. Director of National Intelligence, which cited calculations of between $2 billion and $400 billion a year.
Companies say they worry most about state-sponsored attacks, which tend to be “incredibly well organized, incredibly sophisticated,” according to BP’s Deasy.
Some of the hackers are looking for proprietary data about oil fields, painstakingly gathered using costly seismic surveys, which underpins a business worth $3 trillion a year. Adam Segal, a fellow for China studies at the Council on Foreign Relations, says stolen survey data is believed to have influenced bidding on Iraqi oil fields.
Attackers leave clues but are rarely caught. In 2011, the security firm McAfee described “operation Night Dragon,” a series of computer intrusions at oil and gas companies that they traced to China. Researchers at CrowdStrike have been tracking an “adversary group” they call Energetic Bear, based in the Russian Federation, which strikes western energy firms by installing malware that collects passwords. The United States allegedly spied on the Brazilian state oil giant Petrobras.
Few companies will admit they’ve been the victims of espionage. One that did is American Superconductor. In 2011, the Massachusetts company sued its largest customer, the Chinese wind-turbine maker Sinovel, saying it had stolen its key technology, a way of making it easier for wind turbines to integrate with the electricity grid.
In August, a federal grand jury indicted Sinovel, alleging that it had offered money and an apartment in Beijing to induce an American Semiconductor employee to e-mail the source code for the technology to China. American Superconductor says it lost $800 million in revenues and its stock cratered, falling more than 75 percent.
The case points to how intellectual-property theft often relies not only on sophisticated computer attacks but also on insiders. But it justifies the care that 1366 takes, says CEO van Mierlo: “You only have to listen to the horrible stories of American Superconductor to know how damaging this stuff can be.”