A mind-set shift is slowly permeating the oil and gas industry that it's no longer immune to hackers.
"Before, we had insecure systems, and it didn't really matter because we didn't think of ourselves as a target. No one really knew about it," says an engineer for a U.S. oil and gas company, who spoke on the condition of anonymity. "Now that we are a hot spot, it necessitates a closer look."
Big changes in the threat landscape for the energy industry -- think Stuxnet and Saudi Aramco -- have changed the game, especially for the oil and gas industry, which increasingly is finding itself a target by nation-state threats as well as plain-old malware attacks.
The data-destruction attack last year on Saudi Aramco's internal corporate network that left the oil and natural gas giant having to replace hard drives on some 30,000 or so Windows machines continues to haunt the industry, which witnessed a major player getting hit in a big way.
"If it can happen to Saudi Aramco, it can happen to everyone," says Nate Kube, CTO of Wurldtech.
[Cyberattacks on oil and gas companies could have real-world economic consequences, even at the pump. See Destructive Attacks On Oil And Gas Industry A Wake-Up Call.]
The Stuxnet and Saudi Aramco incidents, the attack on Qatar's RasGas, and other lower-profile attacks have forced some of these firms to face how to balance their signature productivity and availability priorities with security. Taking an oil production plant system offline to better lock it down means lost productivity and possibly lost revenue, so security typically gets back-burnered. But oil and gas companies are receiving some pushback from their techies, who are getting security religion. "You have to identify the risk and explain this to people who don't always see the threat; they see it as very remote, and, in a lot of cases, it is very remote," the U.S. oil company engineer says.
"A lot of times, I wait for a [planned] shutdown ... when the [system] is out of service, I can put passwords or [other types of security] protection [on it]," he says.
He says so far he has seen mostly nontargeted worms or ransomware malware spreading to plants in the oil and gas industry and resulting in temporary shutdowns for cleanup. "They are mostly ancillary, accidental attacks," he says.
Although the enterprise IT network of an oil and gas company is technically separate from the plants and oil rig production systems, for example, there is always the risk of an infected laptop getting plugged into the plant, or a malware-ridden USB stick polluting the control systems.
Meanwhile, a gap exists between the control systems group and IT security that's like the corporate rift between IT security and IT proper -- on steroids. Control systems engineers in the oil and gas industry aren't trained in IT security. "A lot of the control systems guys I know wholeheartedly understand the threat of cyberwarfare. It scares them because of the potential impact ... But their training and everyday job is not cyberwarfare," says Jim Butterworth, CSO at HBGary.
The control systems engineering process includes very little on cybersecurity, he says. "Even if you look at the controls systems engineering process, 15 percent of the course material is security. All the rest is how to control a valve, fix an HMI [human machine interface]. It's just [a] part of their job," Butterworth says. "They're just not looking at malware every day."
The reverse, of course, is that oil and gas industry IT security teams are not conversant in programmable logic controllers (PLCs) and HMIs. "Largely, the problem is there is a different language," he says. That leaves a dangerous air gap in security strategy and controls.
Physical safety, such as production system availability, traditionally trumps cybersecurity as well. Andrew Ginter, vice president of technology at Waterfall Security, says his recent visit to an oil firm site illustrates just where these firms' priorities are. Ginter says he had to scan in and out with his badge, which was also manually inspected by security. "There were three layers of security. They weren't worried whether we were going to damage or steal [information]. They need to be airtight on who is where in the facility if there's an innocent" physical emergency, Ginter says.
"Security looks the same as a government building or military installation, but it's focused on safety," he says.
The Saudi Aramco attack also raised another concern for the industry: partners as the weak link in the security chain. Oil and gas relies heavily on joint ventures and supply-chain arrangements for oil fields, for instance. While these organizations struggle to catch up with their own security weaknesses, they have little control over their partners'.
Saudi Aramco's breach was a reality check of the vulnerability of the global and interconnected industry. "There are significant number of joint ventures in oil and gas; most oil fields are [joint ventures]," Wurldtech's Kube says. "One of the key concerns with Saudi Aramco was, will these infections make their way into other oil and gas companies through the connection of other joint ventures? That's definitely top-of-mind."
There were no reports of collateral damage to other oil and gas companies as a result of the Saudi Aramco attacks, but the risk of such a ripple effect in such cases is very real, experts say. "That's definitely a possibility," says Giovanni Vigna, co-founder of Lastline. "One thing I know for sure is there is a lot of cross-pollination across those companies in [the Middle East]. I was especially surprised how much ... they talk to each other and even exchange IT resources with each other. This, of course, creates a vulnerable ecosystem."
Experts say oil and gas companies in the Middle East are even more vulnerable than their counterparts in the U.S. Most have not employed basic security measures, such as system patching or least-privilege controls, says Marc Maiffret, CTO at BeyondTrust.
"I think what is different is about the application of security technology [in the oil and gas industry in the Middle East] is some organizations are going from not having much of a basis in security to trying to jump immediately to advanced threat protection without even having a fundamental, such as system patching or least privilege in place," Maiffret says. "And that makes things difficult ... without the basics, the amount of noise you will deal with is enormous and makes it harder to find the targeted attacks."
Maiffret says it's not that advanced threat protection tools won't work for oil and gas firms. It's just that without basic security measures as well, companies could be wasting time and energy chasing fake AV attacks rather than nation-state attacks, for instance.
"If you do not have something as basic as a patching process, then you're going to be exploited [with] 2-year-old Java or Adobe bugs by any random hacker, and it will be harder to find that person leveraging a zero-day or something more advanced, [who] is really targeting you versus the run-of-the-mill hacker."
But the worst nightmare scenario would be a combination physical and cyberattack, which would wreak the most devastation, experts say. "If a coordinated physical and cyberattack took out computers and [oil] terminals at the same time ... then it [would be] absolutely chaos. This really is a big danger," says Eyal Aronoff, co-founder of the Fuel Freedom Foundation.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.