Ensuring Oil and Gas Critical Infrastructure Security
from Aleksander Gorkowienko, Managing Consultant at Spirent SecurityLabs
The oil and gas sector has never been so vulnerable to cyberattack. Every part of the oil and gas value chain is currently exposed, and conventional static defences no longer suffice.
Particularly vulnerable are the industrial control systems (ICSs) that underpin every link in the oil and gas value chain—from exploration submersibles and oil production platforms to refineries, depots, and transportation pipelines. The truth is that not all of the control systems that currently hold the oil and gas critical infrastructure together were designed to resist cyberattacks In addition, expanded Internet and IoT connectivity make matters worse, exposing these control systems to a range of increasingly sophisticated malware designed specifically to attack them.”
In recent months, the pace and number of such attacks has accelerated. In April, it was reported that the Russian government-linked malware, Triton, was used in a second attack on a Saudi oil facility. (The previous Triton attack, in August 2017, was an attempt to cause a series of explosions to destroy an oil facility.) Triton is designed to infiltrate a target's networks and sabotage their ICSs.
The natural gas pipeline infrastructure in the United States has also been the target of repeated attacks over a number of years. One of the most recent was a coordinated attack on four of the country’s biggest gas pipeline companies.
In December, a Chennai-based hacker group attacked the computer infrastructure of the Italian oil and gas company Saipem. The hackers deployed the Shamoon virus, which had been used in repeated attacks on Saudi Aramco systems.
Every sector is vulnerable
Cyberattacks can be directed at operators in any of the three major oil sectors: upstream, midstream, or downstream. In a truly nightmare scenario, an oil producer might experience attacks against operations in all three sectors simultaneously.
Each sector includes vulnerable IT and operational technology (OT) systems—in exploration platforms and production rigs, pipeline systems, trucks and oil tankers, and refineries and depots. The goal of the attack could depend on the origin of the attack and include sabotaging plants, damaging equipment, disrupting utilities or production, harming product quality, preventing the discovery of spills, accommodating illegal pipeline tapping, violating compliance requirements, and causing safety violations.
While attacks against computing systems can halt operations, resulting in lost revenue and increased costs, attacks on oil and gas SCADA and ICSs, especially burner management systems, can actually kill personnel while seriously damaging oil and gas production, processing, and storage equipment.
Obstacles to cybersecurity
The programmable logic controllers (PLCs) and ICSs that form the backbone of SCADA systems were not designed with cybersecurity in mind. Making SCADA systems accidentally accessible through the Internet inevitably exposes them to the risk of exploitation by hackers. And significant obstacles impede SCADA system component protection.
For one thing, individual SCADA devices are designed to perform specific tasks and produce particular results. (For example, the top priority for an ICS is availability.) As long as a SCADA device is performing the intended task, there is no incentive to change it.
In addition, oil and gas installations can rely on a mixture of technologies from a variety of vendors. Devices engineered in the 1970s and 1980s coexist peacefully with the newest IoT sensors and other more modern technologies, and protecting devices engineered before the Internet Age can prove to be difficult, at best.
And finally, even if a device vendor can provide a security patch, applying that patch can be problematic. A production line or oil refinery is not like a web server—you cannot just shut it down, apply the patch, and start it up again. The maintenance downtime can cost millions of dollars a day, and every change in configuration must be tested ten times before being put into production.
SCADA threats are real
At Spirent, we recently had an opportunity to assess the security of a subsea drilling management system prior to field deployment. The system was designed and built by a team of exceptionally knowledgeable engineers. However, our security specialists managed to find a variety of flaws in the operation control system. As is crucial for drilling operations, all electronics were located in a highly secured environment, in heavy metal cabinets with limited remote access. Despite this, it was still possible to establish a remote connection, compromise the system, and basically shut it down.
Although hacking ICSs requires above average technical knowledge, the fragments of the source code for many exploits, including state-sponsored Stuxnet and various tools leaked from the NSA, is freely available on the web. In addition, attackers are energetic, working around the clock, playing with existing code, and devising innovative ways to infiltrate and exploit SCADA systems.
Reducing risk and protecting SCADA systems
It is simply not feasible to replace every PLC and ICS device with a new version that has been designed with cybersecurity in mind. But thankfully, even without such extreme measures, risk can be managed and reduced. Risk management and reduction requires understanding your IT and OT systems and adopting a holistic approach to security.
The first step is to map the network used by the SCADA system. Create an accurate picture of your entire environment, and identify how your networks, both IT and OT, are connected or segmented.
Second, you cannot protect things of which you are not aware. Develop and maintain a complete inventory of every device connected to your networks, and make sure new devices are protected and the inventory is up to date.
A third step is to identify critical systems and prioritize your industrial assets. When considering which assets are more critical, consider the intrinsic value of the asset, the potential costs if the asset is compromised, the relative security of the asset, any mitigating factors protecting it, and whether it is one of the assets most likely to be targeted by attackers. It is also a good idea to hire an outside company to conduct both a security audit and a network penetration test, to help identify security gaps.
The fourth step is to reduce the potential attack surface. Review all assets and services on the network to identify any that are unused or unnecessary. Devices and services that are not needed should be removed or disabled to minimize potential attack vectors and reduce the overall attack surface. Always think twice before making services available remotely, even through VPN.
Finally, patch and update dutifully, even though many devices in SCADA systems can’t be patched or updated easily. But, insofar as possible, identify any available patches or updates for your devices and applications and deploy them.
Protect your SCADA systems
SCADA is a backbone of the oil and gas industry’s critical infrastructure. The Internet Age has enhanced and expanded the functionality of SCADA systems, but it has also exposed them to new and unique risks. In the event of a cyberattack, it may not be possible to react quickly enough to stop the attack, and the resulting damage can be immense. The key to defending SCADA systems effectively is to be aware of potential issues and plan ahead. Investing in effective defence is no longer simply “nice to have”— it is a business imperative.
About the author
Aleksander is a cybersecurity expert with more than 20 years of experience in the U.S., U.K. and Europe. He and his team of security consultants at Spirent SecurityLabs work with global companies, states, and local municipalities and agencies to protect their critical data, intellectual property, and reputation.