10/14/2013 04:42 PM
The Long Shadow Of Saudi Aramco

New threats, realities of targeted attacks forcing oil and gas companies to rethink and drill down on security

Second installment in a series on cyberthreats to the oil and gas industry

A mind-set shift is slowly permeating the oil and gas industry that it's no longer immune to hackers.

"Before, we had insecure systems, and it didn't really matter because we didn't think of ourselves as a target. No one really knew about it," says an engineer for a U.S. oil and gas company, who spoke on the condition of anonymity. "Now that we are a hot spot, it necessitates a closer look."

Big changes in the threat landscape for the energy industry -- think Stuxnet and Saudi Aramco -- have changed the game, especially for the oil and gas industry, which increasingly finds itself a target of nation-state threats as well as plain-old malware attacks.

The data-destruction attack last year on Saudi Aramco's internal corporate network, which left the oil and natural gas giant having to replace hard drives on some 30,000 Windows machines, continues to haunt an industry that watched a major player get hit in a big way.

"If it can happen to Saudi Aramco, it can happen to everyone," says Nate Kube, CTO of Wurldtech.

[Cyberattacks on oil and gas companies could have real-world economic consequences, even at the pump. See Destructive Attacks On Oil And Gas Industry A Wake-Up Call.]

The Stuxnet and Saudi Aramco incidents, the attack on Qatar's RasGas, and other lower-profile attacks have forced some of these firms to face how to balance their signature productivity and availability priorities with security. Taking an oil production plant system offline to better lock it down means lost productivity and possibly lost revenue, so security typically gets back-burnered. But oil and gas companies are receiving some pushback from their techies, who are getting security religion. "You have to identify the risk and explain this to people who don't always see the threat; they see it as very remote, and, in a lot of cases, it is very remote," the U.S. oil company engineer says.

"A lot of times, I wait for a [planned] shutdown ... when the [system] is out of service, I can put passwords or [other types of security] protection [on it]," he says.

He says so far he has seen mostly nontargeted worms or ransomware malware spreading to plants in the oil and gas industry and resulting in temporary shutdowns for cleanup. "They are mostly ancillary, accidental attacks," he says.

Although an oil and gas company's enterprise IT network is technically separate from its plant and oil rig production systems, there is always the risk of an infected laptop getting plugged into the plant, or a malware-ridden USB stick polluting the control systems.

Meanwhile, a gap exists between the control systems group and IT security that's like the corporate rift between IT security and IT proper -- on steroids. Control systems engineers in the oil and gas industry aren't trained in IT security. "A lot of the control systems guys I know wholeheartedly understand the threat of cyberwarfare. It scares them because of the potential impact ... But their training and everyday job is not cyberwarfare," says Jim Butterworth, CSO at HBGary.

The control systems engineering process includes very little on cybersecurity, he says. "Even if you look at the controls systems engineering process, 15 percent of the course material is security. All the rest is how to control a valve, fix an HMI [human machine interface]. It's just [a] part of their job," Butterworth says. "They're just not looking at malware every day."

The reverse, of course, is that oil and gas industry IT security teams are not conversant in programmable logic controllers (PLCs) and HMIs. "Largely, the problem is there is a different language," he says. That leaves a dangerous air gap in security strategy and controls.

Physical safety, such as production system availability, traditionally trumps cybersecurity as well. Andrew Ginter, vice president of technology at Waterfall Security, says his recent visit to an oil firm site illustrates just where these firms' priorities are. Ginter says he had to scan in and out with his badge, which was also manually inspected by security. "There were three layers of security. They weren't worried whether we were going to damage or steal [information]. They need to be airtight on who is where in the facility if there's an innocent" physical emergency, Ginter says.

"Security looks the same as a government building or military installation, but it's focused on safety," he says.

Partner Problems
The Saudi Aramco attack also raised another concern for the industry: partners as the weak link in the security chain. Oil and gas relies heavily on joint ventures and supply-chain arrangements for oil fields, for instance. While these organizations struggle to catch up with their own security weaknesses, they have little control over their partners'.

Saudi Aramco's breach was a reality check on the vulnerability of a global and interconnected industry. "There are a significant number of joint ventures in oil and gas; most oil fields are [joint ventures]," Wurldtech's Kube says. "One of the key concerns with Saudi Aramco was, will these infections make their way into other oil and gas companies through the connection of other joint ventures? That's definitely top-of-mind."

There were no reports of collateral damage to other oil and gas companies as a result of the Saudi Aramco attacks, but the risk of such a ripple effect in such cases is very real, experts say. "That's definitely a possibility," says Giovanni Vigna, co-founder of Lastline. "One thing I know for sure is there is a lot of cross-pollination across those companies in [the Middle East]. I was especially surprised how much ... they talk to each other and even exchange IT resources with each other. This, of course, creates a vulnerable ecosystem."

Experts say oil and gas companies in the Middle East are even more vulnerable than their counterparts in the U.S. Most have not employed basic security measures, such as system patching or least-privilege controls, says Marc Maiffret, CTO at BeyondTrust.

"I think what is different about the application of security technology [in the oil and gas industry in the Middle East] is that some organizations are going from not having much of a basis in security to trying to jump immediately to advanced threat protection without even having a fundamental, such as system patching or least privilege, in place," Maiffret says. "And that makes things difficult ... without the basics, the amount of noise you will deal with is enormous and makes it harder to find the targeted attacks."

Maiffret says it's not that advanced threat protection tools won't work for oil and gas firms. It's just that without basic security measures in place as well, companies could waste time and energy chasing fake AV attacks rather than nation-state attacks, for instance.

"If you do not have something as basic as a patching process, then you're going to be exploited [with] 2-year-old Java or Adobe bugs by any random hacker, and it will be harder to find that person leveraging a zero-day or something more advanced, [who] is really targeting you versus the run-of-the-mill hacker."
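The triage problem Maiffret describes, commodity exploits against unpatched software drowning out the few alerts that point at a targeted intrusion, can be made concrete with a small script. The following is an added example, not code from the article or from BeyondTrust: it takes a constructed host inventory, a constructed patch baseline (the version numbers are hypothetical, not vendor advisories), and a handful of constructed alerts, and separates the alerts that a missing patch fully explains from the residue that still needs an analyst. The host names, product keys and alert text are all invented for the example.

```python
"""Alert triage against a patch baseline: how much of the alert volume is
"noise" that a patching process would remove, and what is left to investigate.
All data below is constructed for illustration."""
from dataclasses import dataclass, field

# Hypothetical minimum patched versions. Anything below these is the
# "2-year-old Java or Adobe bug" class of exposure Maiffret refers to.
BASELINE = {"java": (7, 45), "adobe_reader": (11, 0, 4)}

# Constructed inventory: host -> {product: installed version tuple}.
INVENTORY = {
    "ws-eng-01": {"java": (6, 26), "adobe_reader": (9, 5, 0)},
    "ws-eng-02": {"java": (7, 51), "adobe_reader": (11, 0, 6)},
    "hmi-plant-03": {"java": (6, 31), "adobe_reader": (10, 1, 4)},
    "srv-hist-01": {"java": (7, 51), "adobe_reader": (11, 0, 6)},
}

# Constructed alerts: (host, product the alert targets or None, description).
ALERTS = [
    ("ws-eng-01", "java", "exploit kit landing page, Java applet drive-by"),
    ("ws-eng-01", "adobe_reader", "malicious PDF, JavaScript heap spray"),
    ("hmi-plant-03", "java", "exploit kit landing page, Java applet drive-by"),
    ("ws-eng-01", "java", "fake AV installer dropped after Java exploit"),
    ("hmi-plant-03", "adobe_reader", "malicious PDF attachment"),
    ("srv-hist-01", None, "outbound beacon to unknown host on non-standard port"),
    ("ws-eng-02", "java", "Java applet sandbox escape attempt (blocked)"),
    ("ws-eng-02", None, "new local admin account created outside change window"),
]


@dataclass
class TriageResult:
    commodity: list = field(default_factory=list)  # explained by a missing patch
    residual: list = field(default_factory=list)   # not explained: investigate


def is_unpatched(host, product, inventory=INVENTORY, baseline=BASELINE):
    """True when the host runs a version of product below the baseline."""
    installed = inventory.get(host, {}).get(product)
    if installed is None or product not in baseline:
        return False
    return installed < baseline[product]


def triage(alerts=ALERTS, inventory=INVENTORY, baseline=BASELINE):
    """Split alerts: a product-specific alert on an unpatched host is
    commodity noise; everything else (no product, or a patched host that
    was still attacked) goes to the residual pile for analysts."""
    result = TriageResult()
    for host, product, desc in alerts:
        if product is not None and is_unpatched(host, product, inventory, baseline):
            result.commodity.append((host, product, desc))
        else:
            result.residual.append((host, product, desc))
    return result


def noise_ratio(result):
    """Fraction of alert volume a patching process would have removed."""
    total = len(result.commodity) + len(result.residual)
    return len(result.commodity) / total if total else 0.0


def unpatched_hosts(inventory=INVENTORY, baseline=BASELINE):
    """The patch backlog: hosts with any product below the baseline."""
    return sorted(
        host for host, software in inventory.items()
        if any(ver < baseline.get(prod, ver) for prod, ver in software.items())
    )


if __name__ == "__main__":
    res = triage()
    print(f"noise ratio: {noise_ratio(res):.0%}  backlog: {unpatched_hosts()}")
    for host, product, desc in res.residual:
        print(f"INVESTIGATE {host}: {desc}")
```

Run as written, the constructed data gives a noise ratio of 62% and a two-host patch backlog; the three residual alerts include an exploit attempt against a host that is already patched, which is exactly the kind of event that is worth an analyst's attention and that disappears in the noise when every host is behind on updates.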

But the worst-case scenario would be a combined physical and cyberattack, which would wreak the most devastation, experts say. "If a coordinated physical and cyberattack took out computers and [oil] terminals at the same time ... then it [would be] absolutely chaos. This really is a big danger," says Eyal Aronoff, co-founder of the Fuel Freedom Foundation.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
