Oil & Gas executives may be fully aware of the risks that their facilities face in the cyber-sphere, but investments in cyber-security are still lacking. Cyber attacks can be more damaging to an operation than current levels of investment suggest.
Cyber security has become a major concern throughout all industries over the past decade. Oil and gas companies have not been spared from the threat and consequences of malicious attacks on infrastructure and assets.
Between 2009 and 2011, oil, gas and petrochemical companies around the world were struck by a global cyber espionage campaign called Night Dragon.
The campaign involved a wide variety of tools, from social engineering and spear phishing attacks to exploitation of Microsoft Windows operating system vulnerabilities and the use of remote administration tools.
Night Dragon was designed to harvest sensitive competitive information about operations and project financing.
Then there was the Shamoon virus, which attacked Saudi Aramco in September 2012, and a similar virus which hit Qatar’s RasGas facility.
The attacks were designed to disrupt hydrocarbon production by infecting not just the corporate networks, but also the industrial control systems (ICS).
In this instance, Saudi Aramco’s ICS was not affected because the virus was detected before it breached the air-gap between the corporate networks and the ICS, but 30,000 workstations were affected in the process and the virus was still highly disruptive to the company.
“The reality of cyber threats targeting the oil and gas industry is already here and unfortunately the security of these companies, including their industrial installations, is not ready to meet them,” says Michela Menting, cyber security senior analyst at ABI Research, a technology market intelligence firm.
The perpetrators of these oil and gas infrastructure cyber attacks can generally be categorized into four groups: hostile insiders, terrorists, nation-states and hackers. “The assumed objectives range from political sabotage to economic espionage, including hacker demonstration and hacktivism.”
The oil and gas sector is underpinned by complex industrial environments running legacy control systems, explains Menting. Legacy control systems have traditionally been isolated, using proprietary standards and essentially relying on the rationale of security through obscurity.
Currently, these systems are becoming more digitized, connecting to corporate information technology systems and external networks, taking advantage of open standards and commercial off-the-shelf software such as Ethernet, Microsoft Windows, HTTP, SNMP, XMP, cellular and other wireless technologies.
“These technological upgrades allow improved flexibility and efficiency, but integration has been accompanied by migration of existing cyber threats already present on the internet,” she says. “These systems are vulnerable however, and can be highly susceptible to cyber tampering.”
Oil and gas facilities’ vulnerabilities lie in the ICS’ supervisory control and data acquisition (SCADA) technology. SCADA enables the delivery and production of essential services in oil and gas: drilling, extraction and refining. SCADA systems use legacy technology and transmission protocols that have long life cycles (10 to 30 years) and are not easily replaced or upgraded.
According to Menting, security audits on existing SCADA systems are not routinely performed. “Penetration testing and even patching can be disruptive and large delays or down-times are not always tolerated,” she says.
At the same time, data is sent unencrypted through ICS because delay is often unacceptable. “Further, there is low security awareness and IT training of SCADA operators. Consequently, existing vulnerabilities are not easily patched and applying existing IT security solutions to the ICS landscape is difficult at best.”
Menting believes that there is a serious lack of drive in tackling the problem of ICS vulnerabilities in any comprehensive or thorough way.
“Despite the obvious shortcomings and repeated publications of CIS, little real effort seems to have been made over the past decade to address the problem comprehensively,” she says. “At the very best, vendors of vulnerable ICS components have a patch rate of about 70%, with most vendors taking over 30 days to issue patches for critical vulnerabilities,” she adds.
Despite the knowledge of vulnerable ICS, the efforts made to address these issues are unnervingly slow, according to Menting. While governments in the United States and the EU have shown some promising support, the industry has massively delayed taking significant action.
This is due, in part, to stronger concerns with most power grids and electricity generation in the energy sector. “Oil and gas is not yet a real priority for most governments, although they have acknowledged it as a vital sector,” muses Menting. “The industry perception is that cyber risks are low because few and limited attacks have actually occurred,” she adds.
ABI Research has found that cyber security spending in the oil and gas sector reached US$810 million globally in 2012 and expects that it will double by 2018, totalling a forecasted $1.87 billion.
“While the private sector may be the primary driver of cyber security spending, governments will make some dedicated efforts to invest heavily in securing the oil and gas sector,” says Menting. But she also believes that such spending is practically insignificant compared to the estimated $17 billion that the financial sector will spend on cyber security in 2017.
“The security of the oil and gas critical infrastructure will be entirely dependent on the type of actions the industry is willing to invest in presently,” says Menting.
There are a number of tools which currently exist to counter cyber-attacks. Risk mitigation should be envisioned on the corporate network level and at the ICS level.
Threats can be minimized by reducing the likelihood of occurrence; this is done by patching vulnerabilities and strengthening security mechanisms, including securing the air-gap between IT systems and ICS. Response mechanisms need to be resilient and robust, able to ensure business continuity and reduce the impact of downtime, she advises.
Cyber security requires not just the use of preventive and reactive security tools but also the deployment of proactive countermeasures. Prevention mechanisms include penetration testing using exploit kits such as Metasploit, Nessus, IMPACT and Canvas.
These kits allow the discovery of vulnerabilities in SCADA systems, enabling penetration testers to know the type of attacks that could affect the ICS. This can enable better preparation for future attacks.