Cyberattacks are on the rise in the oil and gas industry. 68% of US oil and gas firms have experienced a cyberattack, according to a 2017 report from the Ponemon Institute. Successful attacks can lead to disastrous consequences.
In 2012, Saudi Arabia’s national oil company, Saudi Aramco, was hit by the Shamoon virus which destroyed files, erased data, and shut down critical equipment. Around 35,000 computers were impacted, and it took the company five months to fully recover. The attack started when an employee opened a phishing email and clicked on an infected link which triggered the virus.
In December 2018, a variant of the same virus hit Italian subsea engineering company Saipem even though it was a known cyberthreat. This time, the Shamoon virus affected more than 300 servers and disabled approximately 100 workstations.
Oil and gas companies are increasingly vulnerable to cybercriminals, nation state adversaries, and hackers and the sector’s drawing more of their attention.
But why’s this industry so attractive to cybercriminals?
Expansion of Attack Surface
Oil and gas companies build their process architecture around industrial control systems (ICS) which utilize both operational technology (OT) and information technology (IT). Interconnected systems run the oil rigs and monitor their safety systems, and the complexity of these environments create a large attack surface.
The safety, reliability, and stability of ICS are critical to a company’s success, but the systems often have the following weaknesses:
- Use of aging infrastructure and older legacy systems like Windows XP
- Nonstandardized equipment and software
- Single-use or function devices introducing Internet of Things (IoT)-based threats
- Inability to quickly deactivate a system for applying an update or patch
Additionally, cyberdefenses used for IT systems aren’t always well suited for OT, and there’s a general absence of laws and regulations around cybersecurity which result in the lack of strong security policies, procedures, and technologies. If they’re not required, companies are compelled to skip implementation.
Internet of Things (IoT)
The intersection of OT and IT has blurred as more data is exchanged between systems.
Companies now allow their OT systems to be managed remotely. Digital monitoring systems track data and production operations through Internet of Things (IoT) devices; this includes single function devices like smart temperature and pressure monitoring and safety systems, as well as for heating, ventilation, and air conditioning (HVAC) environments.
A lot of IoT technology are devices that monitor safety equipment and safety environment— nontraditional computing devices that people don’t view as computers despite their functionality. Oftentimes, they operate on the same corporate networks as the servers and—for a cybercriminal—provide another entrance point for attack.
Rather than go after a server or a workstation, a cybercriminal will attack a remote monitoring device and see if it can be compromised.
Another question remains—who’s behind these attacks?
A company’s biggest cybersecurity risks come from the inside.
Here are two examples:
- Inadvertent insider. This is an uninformed, uneducated employee who inadvertently commits an act that puts the company at risk, like unknowingly opening a phishing email that triggers a ransomware attack. The incident could also be as simple as sending confidential survey plans for an oil rig through email as opposed to a secure server.
- Malicious insider. This could be an employee who’s willing to commit sabotage and has just enough access to do so; potentially an IT or OT person who understands the company’s software and systems and either has an issue with the company or is being paid for their deception.
Whether or not the insider commits fraud knowingly, the potential for inside attacks is a good reminder that cyber defenses need to be strong and flexible.
For more detailed information about how to prevent insider threats at your organization, please read Take a Solutions-Based Approach to Fraud Prevention.
While insider threats represent the greatest opportunity to invite attacks, the industry still faces a plethora of external threats as well.
Nation State Attacks
These are the top external threat to oil and gas companies, particularly those serving the upstream market.
Nation state attacks try to disrupt the supply of oil and natural gas and cause a ripple effect in the target country’s economy. They occur over geopolitical tensions stemming from natural resources, foreign policy, and leadership and usually target companies within Saudi Arabia and the United States.
They tend to rely on tactics like phishing to gain an initial foothold into the IT environment. The primary interest appears to be intelligence gathering, but some have been destructive and disabled systems as well. The attack mentioned earlier on Saudi Aramco is believed to be a nation state attack.
Additional external threat actors to consider include the following:
- Terrorist. Their goal is to undermine the economic value of a country and potentially create a global impact. The attacks tend more toward violence and bodily harm than other threats.
- Activist. These attacks are often perpetrated to promote social change and the group will try and retain the anonymity of individual members.
- Hacker. This individual’s prime motivator is street credit or bragging rights; they’ll post about their exploits in the various hacker forums on the dark web and surface web.
- Criminal. Their primary motive is money and they’ll use various techniques at extortion.
Another important consideration is whether or not federal governments provide proactive defenses against outside attackers. In most cases, the onus is on individual companies to ensure operations are protected.
Here are the most commonly known attack types and what could happen if the attackers are successful.
Examples include drone spying or airstrikes. They could result in oil spills, loss of an entire rig, or even physical injuries to employees.
Publicly Exposed Systems
This could make a company susceptible to malware and ransomware attacks. Data could be modified and result in false reports and supply chain disruption.
This is where a lot of the IoT devices are vulnerable because they’re not always protected by firewalls or consistent and regular software patching and updating.
Lack of Network Segmentation
There should be distinct subnets or zones within an oil and gas company’s network to segment the OT and IT systems. Segmentation should help to isolate systems and stem the propagation of an attack resulting in a virus or ransomware infection.
A company needs to understand the data flow of critical or sensitive information during its lifecycle to understand the network segments the data traverses and where the data ultimately ends up. It should then implement the necessary controls, such as a firewall, to limit or restrict all other types of data into the subnet.
If too many of its servers or devices are connected without segmentation, the attack surface increases, and one entry point could allow a hacker to access many different parts of the network.
Social Engineering Techniques
This includes phishing, phone pretexting attacks, or even instances of physical site penetration in which attackers impersonate someone like a repair person. These attacks result in unauthorized access to data, the release of network login credentials, and the authorization of monetary payments through deceptive means. It could also result in attackers gaining access to the control center system.
The use of older software that doesn’t get patched or regularly updated with security fixes could make the company susceptible to malware and ransomware attacks and result in the network being commanded by a botnet without the company’s knowledge.
The range of vulnerabilities is broad and their potential consequences are just as vast.
Here’s a brief outline of the initial steps a company could take to protect themselves:
- Inventory all assets and identify which areas need priority protection
- Monitor data flows to understand where vulnerabilities may exist
- Create protected zones within OT and IT environments to isolate data flows
- Implement robust security monitoring controls such as a security incident and event monitoring (SEIM) system
- Create a continuous response model to test protections and plans on a regular basis
- Train employees to recognize cyberthreats and attacks
Cyberattacks are a constant risk of doing business. There are always new avenues for hackers to try and steal data, plunder resources, or be a nuisance.
Don’t let an attack be the trigger that makes you pay attention to cybersecurity and spurs action.
We’re Here to Help
To learn more about combatting cyberthreats in the oil and gas industry or to help strengthen your cybersecurity posture, contact your Moss Adams professional.