The oil and gas sector is an industry with a continuous operational cycle. Any break in production, however brief, can mean an enterprise suffers huge losses. Any computer-related incident, be it an attack by an unscrupulous competitor or an attempt at industrial fraud, can result in a loss of continuity. This is even more relevant in the GCC region, where the oil and gas industry holds a prominent position as the sector that extracts and processes the region's abundant natural resources and acts as the custodian of key national assets.
Only a few years ago, the main concerns keeping company management awake at night were the cost of oil or gas, and the political situation in a particular country or region. In other words, traditional macroeconomic indicators that were easy to understand and follow. At best, cyber incidents might make it into the lower half of the top 20 risks.
Today, the situation has changed drastically. Cyber threats now rank as the third biggest concern for top managers, behind only business downtime and legislative changes affecting company operations.
Any cyber incident that occurs inside a company can interrupt production processes because, in this context, it’s a question of a cyber-physical system rather than a conventional computer attack. In other words, the computing resources are integrated into the technological processes and come into contact with physical assets.
For years, Kaspersky Lab has been providing users with antivirus solutions, a kind of 'pill' that treats the diseases of their systems. A cyber incident inside the secure perimeter of an industrial enterprise, however, is more like traumatology, and fractures cannot be treated with pills.
The comparison is figurative, but if an attacker sitting at an anonymous computer can disrupt or even break a cracking unit or a pump on a trestle used for unloading oil products, the consequences are comparable to a fracture of the human body. The physical integrity of the enterprise is violated: a cyberattack can result in the very real breakdown of equipment or a production line.
The cost of daily downtime at an oil refinery, according to our estimates, can be upwards of $1mn. An incident may require the urgent shutdown of technology systems that will then have to be rebooted and may not resume normal operations for a couple of days.
To understand how best to deal with cyber incidents, we need to identify the principal areas where they occur.
The first area concerns incidents caused by human error. In one case that Kaspersky Lab specialists encountered at an enterprise the company supports, an employee launched the wrong version of an engineering application by mistake. This could have changed data formats and had other serious repercussions for the specific controllers driving physical processes. With the help of Kaspersky Lab's specialised solutions, however, the situation was caught in time and potentially catastrophic damage was prevented.
The second area, which is especially relevant for the oil and gas sector, is industrial fraud. A group of people, sometimes including company insiders, who are well-versed in the technological processes realise that they can make certain adjustments to technological information and use them for financial gain.
For example, it is possible to change the recorded density of a shipped product and end up with a substantial surplus of real product that the fraudsters can then dispose of at their own discretion. It is almost impossible to track this sort of interference using business applications alone, because the business record is exactly what has been altered. At our most recent annual conference dedicated to industrial control systems (ICS) cyber security, there were two reports of how vulnerabilities in infrastructure were leveraged to steal light oil products.
But today a much more serious threat than human error or fraud has emerged: targeted computer attacks performed without any physical interference. Intruders can gain control over equipment while the attack remains invisible to operators and to conventional security controls. In one of our projects, we demonstrated how attackers could gain access to a vacuum gas oil unloading system within 14 hours, and how the intrusion would go unnoticed. Another example was the Shamoon wiper attack on Saudi Aramco in 2012, which destroyed data on some 30,000 of the company's corporate computers; the company's business operations, including product shipments, were disrupted for around two weeks.
Another recent disturbing trend in modern cyber crime, which also affects the ICS field, is that of ransomware programmes. One of the first cases of cyber extortion involving an industrial enterprise was registered last year at a company that supplies water in the US state of Michigan. The attackers got access to the company management system, blocked its operation, and demanded a huge ransom. According to public sources, the losses amounted to US $1.9mn, including the cost of recovering from the incident.
The logical question is: what can be done to protect against these threats? After all, it is impossible to ensure the safety of industrial facilities using traditional corporate security solutions alone. We have thoroughly investigated all these cases and, based on the results, developed our own solution to prevent similar incidents. Kaspersky Lab's work in this sphere consists of several aspects.
The first thing to do is to train employees. Engineers may know all the nuances of production automation, but often they know nothing about cyber security. Even many developers of controllers and their software are unfamiliar with the term ‘zero-day vulnerability’. In the last six months alone, Kaspersky Lab has detected more than 80 zero-day vulnerabilities in industrial equipment. Each of those vulnerabilities could lead to a situation where control of the equipment could be seized by ‘dark forces’ and the company management and the head of ICS would be none the wiser.
The next step is monitoring abnormal activity in production processes and equipment, using data taken from the field rather than only from business systems. Today, there are practically no isolated ICSs, so any connection can become a 'hole in the fence' that attackers will use to move from the corporate network into the industrial one.
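As an added illustration of the density fraud described earlier and of why monitoring needs field measurements rather than business records alone, the following Python cross-checks each shipping document's density against the loading rack's densitometer reading and the product's physical spec range. This is example code written for this page, not a Kaspersky Lab product or any real terminal's system; the product ranges, the 0.5% tolerance and the sample transfers are assumed values constructed for the example.

```python
"""
Added example: cross-check custody-transfer documents against field
measurements to catch manipulation of the recorded product density.

The records, product specs and tolerance below are constructed for this
example; they are not taken from any real terminal.
"""
from dataclasses import dataclass

# Rough density ranges at 15 C in kg/m3 for common light products. These are
# assumptions for the example, not a standard; a site would use its own specs.
PRODUCT_SPEC = {
    "gasoline": (720.0, 775.0),
    "diesel": (820.0, 845.0),
    "kerosene": (775.0, 840.0),
}

# Relative mismatch between document and meter density that raises an alert (assumed).
DENSITY_TOLERANCE = 0.005


@dataclass(frozen=True)
class Transfer:
    transfer_id: str
    product: str
    volume_m3: float      # volume from the flow meter, corrected to 15 C
    doc_density: float    # density entered on the shipping document (business system)
    meter_density: float  # density from the online densitometer at the loading rack


def mass_kg(volume_m3: float, density_kg_m3: float) -> float:
    return volume_m3 * density_kg_m3


def unbooked_mass(t: Transfer) -> float:
    """Mass actually loaded minus mass the document accounts for, in kg.

    Positive means product left the site that the ledger never recorded."""
    return mass_kg(t.volume_m3, t.meter_density) - mass_kg(t.volume_m3, t.doc_density)


def check_transfer(t: Transfer) -> list:
    """Return (code, detail) findings for one transfer; empty list if it looks clean."""
    findings = []
    lo, hi = PRODUCT_SPEC[t.product]
    # A document density outside the product's physical range is wrong whatever the meter says.
    if not lo <= t.doc_density <= hi:
        findings.append(("DENSITY_OUT_OF_SPEC",
                         f"{t.doc_density} kg/m3 outside {lo}-{hi} for {t.product}"))
    # Document vs meter: small drift is normal, a large gap is tampering or a broken meter.
    rel = abs(t.doc_density - t.meter_density) / t.meter_density
    if rel > DENSITY_TOLERANCE:
        findings.append(("DOC_METER_MISMATCH",
                         f"document {t.doc_density} vs meter {t.meter_density} kg/m3 "
                         f"({rel:.2%}); {unbooked_mass(t):+.0f} kg not in the ledger"))
    return findings


def audit(transfers) -> dict:
    """Map transfer_id -> findings for every transfer that raised at least one."""
    flagged = {}
    for t in transfers:
        findings = check_transfer(t)
        if findings:
            flagged[t.transfer_id] = findings
    return flagged


def total_unbooked_mass_kg(transfers) -> float:
    """Batch-wide gap between metered mass and documented mass."""
    return sum(unbooked_mass(t) for t in transfers)


# Constructed sample batch: two honest loads, one diesel document with an
# "adjusted" density, and one gasoline document with a physically impossible one.
SAMPLE = [
    Transfer("T-1001", "diesel",   120.0, 835.0, 835.4),
    Transfer("T-1002", "diesel",   120.0, 822.0, 836.0),
    Transfer("T-1003", "gasoline",  80.0, 700.0, 742.0),
    Transfer("T-1004", "kerosene",  60.0, 800.0, 801.0),
]

if __name__ == "__main__":
    for tid, findings in audit(SAMPLE).items():
        for code, detail in findings:
            print(f"{tid}: {code}: {detail}")
    print(f"unbooked mass across batch: {total_unbooked_mass_kg(SAMPLE):.0f} kg")
```

Run stand-alone, it reports the two flagged transfers and the batch-wide mass gap. The check only works because the meter reading is independent of the document the fraudster controls: in practice the densitometer values would be pulled from the flow computer or historian over a path that business users cannot write to, which is the monitoring step described above.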
However, successfully combating cyber threats requires more than just the efforts of individual enterprises; measures are needed at the regulatory and industry level as well. Regulatory authorities around the world understand the urgency of the industrial protection problem, which is why we are already seeing laws dedicated to the security of critical information infrastructure. Notable in the region is the Dubai Cyber Security Strategy, which brings together government, industry, and technology solutions with a view to providing a safe cyberspace to individuals and organisations, and making Dubai the safest electronic city in the world.
In addition, many state agencies and organisations concerned about cyber security have special structures that analyse computer incidents – so-called computer emergency response teams, or CERTs. There is also an industrial CERT at Kaspersky Lab that performs investigations and analytical activities that help to evaluate changes in the cyber-threat landscape.
Attacks on industrial enterprises are becoming an increasingly frequent occurrence, and it is more and more evident that we have entered a new phase of cyber warfare and cyber aggression. We must be ready for it.