Understanding and preventing cyber-attacks against the petroleum industry
ED CABRERA, TREND MICRO, WASHINGTON, DC
SUCCESSFUL CYBERATTACKS against the petroleum industry have been steadily increasing in frequency and complexity throughout the past decade. A recent ICS-CERT report for the US Department of Homeland Security indicates the energy sector had 46 cyber-incidents in 2015, making it the second-largest target for critical infrastructure attacks. Spear phishing, a method cyber-criminals use to retrieve personal information, and network scanning are the most common methods of attack.
In 2012, the Shamoon malware attack on Saudi Aramco overwrote the hard drives of as many as 30,000 workstations at Saudi Aramco and RasGas. Although unsuccessful in that aim, the attack was intended to stop oil and gas production in Saudi Arabia and prevent the flow of resources to international markets. While an attack this notable has not hit the US to date, industry professionals should be aware of the very real cyber-threats that could bring down the more than 2.3 million miles of pipeline in the US, along with their business operations and livelihood.
IMPACT OF PHYSICAL AND VIRTUAL SUPPLY CHAINS
These attacks, and many more, compromise both IT networks and operational technology (OT) systems, making petroleum the second most targeted industry for cyber-attacks against CI. Petroleum companies face a variety of serious threats, such as plant sabotage and/or shutdown, terrorism against hydrocarbon installations or facilities, undetected spills and production disruption. While a vulnerability in an OT system is rare and might not affect the IT network, the opposite is not true: as IT network vulnerabilities become more common, OT systems become significantly more exposed.
As businesses across all industries, including oil and gas, turn to highly networked and outsourced supply chain models to deliver information, products or services, the "attack surface" (the set of points through which an attacker could gain entry) expands dramatically. Physical and information-based supply chains are interdependent, with inherent complexities that traditional supply chain risk management (SCRM) strategies often fall short of addressing.
With this level of exposure in play, cyber-criminals are finding new ways to target larger organizations by infiltrating third-party vendors that have access to the information supply chain and are often less security-minded. This technique allows threat actors to island-hop, also known as "leapfrogging," from one technology system to the next to collect sensitive information and manipulate operational data flow. Attackers typically use this method to reach their primary targets through third parties, or through a separate, less secure portion of the business, and then move laterally within the network.
As of 2015, information and operational supply chain attacks had increased significantly across all industries and sectors. This rise illustrates how cyber-criminals are evolving techniques such as island-hopping and improving their odds of executing a successful attack where organizations are most vulnerable.
PROTECTING INDUSTRIAL AND CORPORATE SYSTEMS
Industrial control systems (ICS) networks have historically enjoyed a level of "security through obscurity" with limited dependencies and complexity. Untrusted network communications in ICS systems have been extremely limited, and thus, most data communications required limited authorization or cybersecurity oversight. Unauthorized physical access has historically been the greatest risk to production networks and facilities.
However, CISOs today are challenged and, for the most part, unprepared for the increasing convergence of once-isolated ICS and corporate networks. According to a 2015 SANS report, "The State of Security of Control Systems Today," only 47% of critical infrastructure CISOs surveyed actually have a strategy for IT-ICS convergence. Business operations, now more than ever, demand real-time metrics for billing and remote access that require ICS networks to connect to external corporate networks and even the Internet.
By doing so, corporate networks that insecurely connect to ICS domains open themselves to cyber and destructive attacks where advanced cyber threat actors can island hop from one insecure corporate asset to another before landing onto the most vulnerable of ICS assets and databases. Wiping or encrypting critical files and/or processes within these assets could disrupt or halt ICS operations - elevating the risk of cascading effects.
Critical infrastructure dependencies and complexities are not limited to its security architecture. These systems do not operate in a silo. Rather, they are highly dependent on one another. The most critical of critical infrastructure, also known as "Lifeline Systems," such as transportation, communication, water, and energy are especially vulnerable.
Taken individually, or in the aggregate, all of these systems are intimately linked. Oil, for example, is responsible for power generation, transmission, and distribution, and if attacked in the types of situations that occurred in Turkey and Saudi Arabia, could lead to severe power outages - critically impacting the public's means of transportation and safety.
Interdependent and complex systems present a challenge for all risk managers. Only by containing and reducing both can you more effectively manage risk and ensure resiliency. The prospect of destructive attacks in today's rapidly evolving cyber-threat landscape requires comprehensive resilience across corporate and ICS networks. Resiliency depends on the ability to identify threats and vulnerabilities in real time; protect vulnerable corporate and ICS infrastructure; quickly detect targeted attacks; and respond swiftly to contain damage, then recover and restore operations.
SECURITY BEST PRACTICES
Critical infrastructure CISOs must maintain and routinely test comprehensive business continuity plans and procedures. Although major attacks on the petroleum industry have not been detected in the US, CISOs should know how to proactively prevent a cyberattack. Action items to achieve this include:
- Segregate corporate and ICS networks to reduce island-hopping attacks;
- Reduce and protect privileged users to detect and prevent lateral movement;
- Employ application whitelisting and file integrity monitoring to prevent execution of malicious code;
- Reduce the attack surface by limiting workstation-to-workstation communication;
- Deploy robust network IPS, application-layer firewalls, forward proxies, and breach detection with sandboxing or other dynamic traffic and code analyses;
- Use and monitor host and network logging;
- Implement pass-the-hash mitigations;
- Deploy anti-malware reputation services to augment traditional, signature-based anti-virus;
- Run host intrusion-prevention systems; and
- Quickly shield and patch known operating system and software vulnerabilities.
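Several of the items above (segregating corporate and ICS networks, limiting workstation-to-workstation communication, and monitoring network logging) can be checked against flow logs. The following example is added here and is not from the article or from Trend Micro; it assumes a hypothetical zone layout and a constructed log format, and flags flows that cross from the corporate side into ICS or that use admin protocols between workstations, which is what island-hopping and lateral movement look like in traffic records.

```python
import ipaddress
# Hypothetical zone layout (an assumption, not from the article): corporate
# workstations and servers, a DMZ holding the historian/jump host, and the
# ICS network, which should be reachable only from the DMZ.
ZONES = {
    "corp_ws": ipaddress.ip_network("10.10.0.0/16"),
    "corp_srv": ipaddress.ip_network("10.20.0.0/16"),
    "dmz": ipaddress.ip_network("10.30.0.0/24"),
    "ics": ipaddress.ip_network("192.168.100.0/24"),
}
# Admin/file-sharing ports that workstations have no business using with each other
LATERAL_PORTS = {22, 135, 139, 445, 3389, 5985, 5986}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def check_flow(src, dst, dport):
    """Return (rule, src, dst, dport) if the flow breaks the segmentation policy, else None."""
    sz, dz = zone_of(src), zone_of(dst)
    # Rule 1: anything outside the DMZ reaching into ICS is an island-hop candidate
    if dz == "ics" and sz not in ("ics", "dmz"):
        return ("corp_to_ics", src, dst, dport)
    # Rule 2: workstation-to-workstation admin protocols look like lateral movement
    if sz == dz == "corp_ws" and dport in LATERAL_PORTS:
        return ("ws_to_ws_lateral", src, dst, dport)
    return None

def scan_log(lines):
    """Parse flow-log lines of the form 'src dst dport action' and collect violations."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport, _action = line.split()
        hit = check_flow(src, dst, int(dport))
        if hit:
            findings.append(hit)
    return findings

# Constructed sample flow log (not real traffic); every flow was ALLOWed by the
# firewall, which is exactly why log monitoring must catch what segmentation missed.
SAMPLE_LOG = """\
10.10.4.21 10.20.1.5 443 ALLOW
10.10.4.21 10.10.7.33 445 ALLOW
10.30.0.10 192.168.100.5 502 ALLOW
10.10.7.33 192.168.100.5 502 ALLOW
10.10.4.21 10.10.7.33 80 ALLOW
""".splitlines()
```

Running `scan_log(SAMPLE_LOG)` reports the SMB connection between two workstations and the Modbus (port 502) connection from a workstation straight into the ICS network, while the historian's own Modbus traffic from the DMZ passes.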
ABOUT THE AUTHOR
Ed Cabrera is vice president of cybersecurity strategy for Trend Micro, a global provider of security software for corporations and consumers, established in 1988. He was previously the chief information security officer of the United States Secret Service with experience leading information security, cyber investigative, and protective programs.