As the Middle East’s oil and gas sector picks itself up from another round of targeted cyber attacks against its main players, the region’s CEOs should be grateful that, so far, the worst-case scenario has not materialised.
Recent attacks by cyber criminal groups such as Anonymous have highlighted the fact that the region may not be as well prepared as it ought to be for dealing with the online threat.
Fortunately, the recent attacks have led to little more than the loss of data, network downtime and crashed PCs. However, oil and gas companies in the Middle East need to face up to a far darker prospect – the threat of more drastic scenarios, such as loss of production, or potentially catastrophic attacks on physical production assets themselves.
Groups such as ISIL and Al Qaeda have already demonstrated their desire and ability to attack the region’s oil and gas infrastructure in the most brutal ways. The internet-enabled world offers terrorist groups an entirely new frontier through which to unleash chaos, destruction and even potentially death.
With the Middle East NOCs looking to digital oilfields to increase productivity and monitor performance, human involvement is giving way to automated processes across a range of oil and gas applications.
The ability to remotely monitor and alter well pressure, temperature and flow extraction rates offers oil and gas companies the opportunity to streamline their operations and maximise production and profitability, but these newer systems create new areas of vulnerability.
“The worst case scenario for any cyber attack would be a kinetic cyber attack, in which you have physical outcomes from a cyber event. In the case of oil and gas, that could be disruption of exploration or production capabilities, resulting in explosions and fires. That is a very real outcome,” said Atif Kureishy, principal at Booz Allen Hamilton.
The Middle East’s oil and gas industry is the lifeblood of the region and is crucial to the provision of a reliable global energy supply. In reality, an attack on the region’s oil and gas sector is an attack on the country itself, especially in a region where such an industry is so integral to the national economy.
By introducing Trojans and malware into a company’s IT network, cyber criminals are able to wrest control of an oil field’s critical operations and wreak havoc.
Disruption of a country’s oil supply has already proved a hugely effective tactic for militant organisations in Algeria, Yemen and Iraq in recent years. By cutting off a government’s revenue stream, rebel groups have been able to strangle the life out of incumbent governments with startling ease.
In Libya, where the government relies on oil exports for 80% of its revenue, rebel groups have successfully tipped the scales in their favour by depriving the government of sufficient quantities of cash to invest in military solutions. In short, the government cannot afford to effectively engage the enemy.
Until now, these tactics have focused on manpower and manual sabotage of a country’s oil and gas infrastructure – be that the occupation of export ports, bombing pipelines or the killing of oil and gas maintenance personnel.
However, the region’s move towards fully automated digital oilfields potentially opens the door for cyber criminals to exploit and manipulate the region’s oil and gas infrastructure in an alarmingly effective way.
The evolution of Middle Eastern oilfields towards wireless, remote technology is changing the way oil and gas companies operate. However, it presents a significant number of challenges for ICT teams, especially at older brownfield sites.
“Older fields are more at risk from cyber attacks because the newer sites have been designed with ICT security in mind. This is often not the case at the older, brownfield sites,” says Kureishy.
The problem lies in the fact that many of these systems were not designed to be connected. They are therefore unprepared to receive information they should not be receiving.
For example, a cyber attack on a SCADA system running processes on a digital oilfield could cause the systems to operate outside of safe parameters. This in turn could cause mechanical or electrical failures, which could include safety guard failures and potentially lead to operational shutdowns, injuries and explosions.
“Thanks to the publicity that attacks like Stuxnet have gained, hackers and criminals have started discovering that SCADA/ICSS products could be attractive targets. The ability to modify control parameters could, in a cyber-attack, create havoc, with implications anywhere between loss of data to compromising operations of a field as an example. The positive news is that this would be possible only if malware gets in. Developing malware for such highly targeted attacks and planning them requires in-depth knowledge about the SCADA/ICSS systems and very specific skill sets,” said Feroz Qureshi, Middle East business development manager, Honeywell Process Solutions.
One of the main problems facing the oil and gas sector in fighting cyber attacks is the breadth and diversity of the cyber criminals themselves. Cyber criminals come in a myriad of different forms, from small-time operators to high-level government affiliates. The first step for oil and gas companies is to try to understand the profiles or personas of the people who are attacking them.
‘Hacktivist’ groups like Anonymous run campaigns purely to disrupt oil and gas production in the region. “They are doing that for the perceived betterment of the world and to apply their own perverse sense of justice,” says Kureishy.
There are also sophisticated nation state actors who are looking at the oil and gas industry from an espionage perspective, with a view to acquiring intellectual capital. For example, there is a huge movement towards unconventionals where the US is now an exporter of oil and gas for the first time in its history.
This is based largely on the unconventional retrieval of tar sands and other innovative techniques. Such techniques are extremely valuable to nations that haven’t yet developed ways to apply that same knowledge.
“Getting access to that kind of information via a cyber attack could create a monumental shift in the geopolitical context, because energy is a national security issue,” says Kureishy.
Recent events in Iraq have seen US security firm CrowdStrike accuse hacking group “Deep Panda” of spying for the Chinese government, a claim which the Chinese government strenuously denies.
Arthur Melet, senior research analyst for oil and gas at IDC, also believes that the diversity of the cyber criminal profile is causing the industry difficulties. There are several profiles of hackers, and hence several types of motivation for their attacks.
“In other cases, hackers are simply motivated by financial gain, for example, hackers interested in stealing intellectual property, or hackers using DDoS to get ransoms,” he says.
“There is also the case of the ‘script kiddies’ who are just trying to get fame or have fun by breaching large corporations, but they tend to be replaced by more professional attackers with a clear motivation: ideological, financial, or commercial,” he adds.
Once the range of potential hackers is identified, solutions then have to be designed to counter the threat. One of the main challenges in implementing these solutions for oil and gas companies is overcoming a culture of IT security complacency that is endemic across the sector. “The first challenge to overcome is culture,” says Kureishy.
Typically, workers at oil and gas companies are divided into two distinct groups. The first group is the enterprise side – finance and HR professionals with a traditional corporate IT understanding. The second group is the industrial side – the people who take care of the processes and the operations.
“The operational guys are classic in their way of thinking. They have been working on these industrial control systems for a long time. Their requirements and concerns are very different to a corporate environment,” explains Kureishy.
“They are more focussed on uptime and availability rather than confidentiality and integrity. They know their jobs, they understand the science behind it and the automation behind it. Then someone comes along and tries to tell them that they have to change the way that they do business. It is natural that there is going to be a lot of pushback on that,” he adds.
What exacerbates the problem is that the personas and temperaments of people on the corporate side and the industrial side tend to be quite different. It requires a lot of good leadership and vision to bring those two groups together and ensure that cyber security is given the importance that it deserves.
Traditionally these two areas of oil and gas were distinct and kept separate. However, the move towards digital oilfields means that a holistic, all-encompassing approach is needed to adequately secure a company’s network infrastructure.
Many energy companies use extremely sensitive and bespoke technology, particularly with their SCADA systems. Companies need to be sure that the technology they are introducing to the network cannot interfere with these systems; otherwise it can be extremely expensive in terms of lost output.
According to John Spoor, director of emerging markets at Secunia, a critical factor for operating, monitoring and maintaining the physical infrastructures – and the security posture – of systems such as SCADA, is ensuring that operational technology (OT) and information technology (IT) successfully converge and integrate, and are aligned at all times, in order to avoid disruption to operations, productivity and output.
Oil and gas IT systems were traditionally designed to operate in isolation with separate networks. In the industry, there was comfort in the fact that there was an air gap of security between these systems and IT, other local networks and the internet.
This made it near impossible for attackers to reach important operational systems.
“The balance between adhering to OT security and safety guidelines versus the need for availability and achieving reliable outputs is, in general, skewed towards the latter – the all-encompassing prerequisite of accessibility and (perceived) productivity. As with other global sectors, the industry’s increasing reliance on cloud computing and the internet, and widespread deployments of networking technologies has resulted in greater levels of interconnectivity between control systems,” says Spoor.
In the past, OT systems were isolated from networks and the internet, which placed them out of reach of cyber criminals. In recent years, however, we see more and more integration between IT and OT.
“Many of the OT systems operating these days were designed 20, 30 years ago and therefore do not include security considerations against cyber attacks. Oil and gas companies are faced with the challenge to identify the real need for integration and ensure that security is built around such connections to reduce risk and be prepared to respond to attacks. The consequence, otherwise, can be costly breaches and long term damages to brand and reputation,” he says.