New systems, new cyber threats
Threat actors constantly remain one step ahead of those seeking to prevent malicious attacks
As the oil and gas industry migrates sensitive business data to the cloud and increasingly adopts digital platforms in industrial processes—such as internet of things devices, smart grids and autonomous rigs—cyber threat actors are also exploring new ways to target such systems.
While these technologies have helped companies increase their competitiveness, connectivity and flexibility, they have also multiplied the entry points available to attackers. The security flaws that accompany rapid changes in technology allow attackers to exploit vulnerabilities in emerging technologies as well as in legacy systems that were never designed to be exposed to a network. A broader lack of cyber security maturity in the industry also means that social engineering techniques, such as phishing emails, remain highly effective.
A successful cyber attack can spread from an initial computer in an office to operational technology (OT) facilities in other countries, disrupting operations and halting production and distribution as well as causing financial and reputational harm to organisations. An oil and gas company can face a plant shutdown, damage to its equipment, interruption to utilities, undetected spills, violations of safety controls, and potentially a loss of life, as flammable materials in refinery processes could ultimately lead to explosions.
The cyber security of industrial control systems (ICS) has also lagged behind the pace at which such systems are digitised as internet-connected machines increasingly replace manual workflows. For example, industrial facilities in the upstream, midstream and downstream oil and gas sectors now face a high threat from ransomware attacks on ICS and supervisory control and data acquisition (Scada) systems. Such attacks bank on companies paying significant ransoms to restore business operations rather than shutting down systems or reverting to manual methods, and on companies having the resources to pay.
Regional tensions drive disruptive activity
As well as criminals pursuing ransomware attacks and fraud through social engineering, state-linked threats to the industry have also grown over the past decade. In 2010, the Stuxnet computer worm, widely attributed to the US and Israel, was found to have destroyed a reported fifth of Iran's uranium enrichment centrifuges. The worm targeted Siemens programmable logic controllers (PLCs) in Scada systems, which automate a range of industrial processes.
Rapid changes in technology allow attackers to explore vulnerabilities
Exploiting four previously unknown (so-called zero-day) Windows vulnerabilities to spread, Stuxnet modified the code on the PLCs driving the centrifuges, repeatedly altering their rotation speed while feeding normal readings back to operators, until the fast-spinning centrifuges tore themselves apart. Because the worm targeted the Siemens engineering and Scada software (Step7 and WinCC) rather than anything specific to enrichment, the same design could have been used against computers in non-nuclear facilities, including oil refineries, gas pipelines and power plants.
Two years later, the Iran-linked Shamoon malware was used to wipe data from tens of thousands of workstations at Saudi Arabia's state-owned Saudi Aramco and at Qatar's RasGas, forcing both companies to shut down their internal networks. In December 2015, attackers attributed to Russia remotely took control of Scada human machine interfaces (HMI) at three Ukrainian distribution utilities to de-energise substations, cutting power to around 230,000 customers for several hours. A year later, in December 2016, a second attack caused an hour-long outage at a transmission substation near Kyiv using the CrashOverride (also known as Industroyer) malware, which was designed to disrupt power grid operations by issuing commands in industrial protocols such as IEC 60870-5-104 and IEC 61850 directly, without needing an operator's HMI.
In 2017, a zero-day vulnerability in the firmware of Schneider Electric's Triconex safety instrumented system (SIS) controllers was exploited at a petrochemical plant in Saudi Arabia to install a remote access Trojan (RAT), known as Triton (or Trisis), on the safety controllers themselves. A SIS exists to bring a process to a safe state when it detects a hazard, so a RAT on it suggests the attackers intended to remotely manipulate the controller so that it would not respond to a dangerous condition, allowing a separate attack on the process to cause physical damage. The intrusion was discovered only because the controllers failed safe and tripped the plant into a shutdown. In 2018, Italian oil services company Saipem was also hit by a variant of the Shamoon data-wiping malware.
These incidents demonstrate how geopolitical developments can have a significant impact on oil and gas companies, and how cyber threats to the sector tend to follow conflict between states. States with high cyber capabilities often conduct reconnaissance operations against critical national infrastructure to pre-position for more disruptive operations and demonstrate their ability to cause damage, or to retaliate for economic sanctions by disrupting adversaries’ own oil and gas production.
Although highly disruptive operations have so far been largely confined to geopolitical hotspots such as the Middle East and Eastern Europe, oil and gas companies' close integration with the shipping, logistics and energy sectors in complex, long-term and multinational projects means their impact is likely to be felt globally and across supply chains. The increased availability of toolsets on the deep and dark web has also lowered the entry barriers for cybercriminals with lower capabilities than state actors, and the proliferation of capabilities to compromise ICS raises the likelihood of significant physical damage to companies' assets.
States with high cyber capabilities often conduct reconnaissance operations against critical national infrastructure
Threat actors typically look for the lowest-hanging fruit, which often includes contractors with privileged access to data and systems they do not need. Cyber security is only as strong as the weakest link, and a risk-based approach to security and data protection makes it critical to conduct due diligence across a company's supply chain of contractors, vendors and third-party suppliers, including the remote access those parties hold into operational environments. The growing prevalence of remote monitoring, analytics and automation systems to control drilling, production, storage, transport, processing and refining makes it essential to understand the risks of integrating 'smart' devices into operational processes. Many OT systems continue to run on legacy operating systems that cannot be patched, and remain unsegregated from corporate networks or reachable through dual-homed hosts and shared credentials, which allows attackers who gain a foothold in IT to pivot into OT systems.
A range of states also continue to conduct information-gathering operations against organisations’ commercial and OT environments. These are typically carried out by states that rely on oil and gas exports, seeking to disrupt a rival or to perform reconnaissance for a potential future attack. Such operations are also often carried out for commercial espionage, typically to benefit domestic competitors, obtain new technologies for generating efficiencies in production and refinement, and collect intellectual property data related to exploration and extraction.
Threat actors typically look for the lowest hanging fruit, which often includes contractors with privileged access to data they do not need
Broader economic and political developments continue to drive cyber espionage campaigns by states seeking strategic insight into adversary governments, organisations such as Opec as well as competitors of state-owned companies. Economic sanctions on oil and gas-producing states, growing LNG supplies, expanding military and energy co-operation in the Middle East, physical attacks on oil facilities and vessels, and developments around state-backed gas pipeline projects increasingly shape the sector’s cyber threat landscape.
Companies should have an incident response plan in place that includes decision-making processes and procedures, first-responder contact details, rehearsed attack scenarios, and security and compliance requirements for third-party providers. Companies should also implement a comprehensive data backup and retention plan, including offline copies of PLC programs and HMI configurations, and maintain regular and secure audit logs in ICS environments. Companies should further segment their networks, for example by placing a demilitarised zone between corporate IT and OT systems and permitting only specific, monitored flows (such as a historian or jump host) across the boundary, so that malware cannot spread from one part of the network to another. A true physical air gap is rarely sustainable once remote monitoring and vendor access are in place, so the working assumption should be that IT and OT are connected and that the boundary must be policed and audited.
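The segmentation advice above, and the IT-to-OT pivot risk described earlier, can be turned into a concrete check. The following is an added example, not code from the original article or from Control Risks: it audits flow records (NetFlow-style, one line per connection) against an allow list of permitted cross-zone flows and reports corporate-IT hosts that reach the OT control network directly, as well as ICS protocol traffic the policy does not expect. The subnets, zone names, allowed flows and sample records are all constructed assumptions for illustration; the well-known ICS ports are real.

```python
"""Audit cross-zone network flows against an IT/OT segmentation allow list.

Added example (not the article's code). Zones loosely follow the Purdue model:
corporate IT, an OT DMZ (historian, jump host) and the OT control network
(PLCs, HMIs). All addressing and sample flows below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Assumed zones (hypothetical addressing)
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot_control": ipaddress.ip_network("192.168.100.0/24"),
}

# Well-known ICS/Scada TCP ports; a flow to one of these is interesting anywhere
ICS_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
    44818: "EtherNet/IP",
    4840: "OPC UA",
}

# Allow list of (source zone, destination zone, destination port). Any other
# flow that crosses a zone boundary is reported. Assumed policy for this example.
ALLOWED = {
    ("ot_dmz", "ot_control", 502),    # historian polls PLC registers
    ("ot_dmz", "ot_control", 102),    # engineering host in the DMZ reaches S7 PLCs
    ("corporate_it", "ot_dmz", 443),  # staff reach the jump host over TLS
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text: str) -> list[Flow]:
    """Parse 'ts src dst dport proto' records; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto))
    return flows


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'external' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def classify(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason). Verdicts: ok, allowed, violation, review."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "ok", f"intra-zone traffic within {src_zone}"
    if (src_zone, dst_zone, flow.dport) in ALLOWED:
        return "allowed", f"{src_zone} -> {dst_zone}:{flow.dport} is on the allow list"
    if src_zone == "corporate_it" and dst_zone == "ot_control":
        return "violation", "corporate IT reached the OT control network directly (IT-to-OT pivot path)"
    if flow.dport in ICS_PORTS:
        return "violation", f"unexpected {ICS_PORTS[flow.dport]} from {src_zone} to {dst_zone}"
    return "review", f"cross-zone flow {src_zone} -> {dst_zone}:{flow.dport} is not on the allow list"


def audit(text: str) -> list[dict]:
    """Classify every flow in the text and return one result dict per record."""
    results = []
    for flow in parse_flows(text):
        verdict, reason = classify(flow)
        results.append({"ts": flow.ts, "src": flow.src, "dst": flow.dst,
                        "dport": flow.dport, "verdict": verdict, "reason": reason})
    return results


# Constructed sample records: timestamp, source, destination, destination port, protocol
SAMPLE_FLOWS = """
# ts                   src             dst              dport  proto
2024-03-01T08:00:01Z   10.20.0.5       192.168.100.10   502    tcp
2024-03-01T08:00:04Z   10.10.5.23      10.20.0.9        443    tcp
2024-03-01T08:02:17Z   10.10.5.23      192.168.100.10   502    tcp
2024-03-01T08:02:40Z   10.10.5.23      10.20.0.9        445    tcp
2024-03-01T08:03:05Z   10.20.0.9       192.168.100.20   44818  tcp
2024-03-01T08:03:30Z   192.168.100.10  192.168.100.11   502    tcp
"""

if __name__ == "__main__":
    for r in audit(SAMPLE_FLOWS):
        print(f"{r['ts']} {r['src']:>15} -> {r['dst']:>15}:{r['dport']:<5} {r['verdict']:9} {r['reason']}")
```

In the sample data the third record is the classic pivot (a corporate workstation speaking Modbus directly to a PLC) and the fifth shows the DMZ jump host opening an EtherNet/IP session the policy never anticipated; the SMB connection from IT into the DMZ is flagged for review rather than as a violation because it is not an ICS protocol, but it is exactly the kind of lateral movement that precedes a pivot. In practice the records would come from a firewall or flow collector on the IT/OT boundary, and the allow list would be derived from the documented data flows in the site's segmentation design.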
To ensure the confidentiality, integrity and availability of business operations and sensitive data, companies should adopt a defence-in-depth strategy that considers the interconnected network of supply chains and the effect that geopolitical developments can have on the cyber threat landscape. As attackers are often a step ahead of their victims, cyber threat intelligence solutions are a growing part of companies’ security frameworks, allowing them to identify cyber threats before an attack takes place.
Adlan Chaykin is a cyber threat intelligence analyst at Control Risks, a specialist global risk consultancy.