Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/28/2015
03:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

How Hackers Can Hack The Oil & Gas Industry Via ERP Systems

Researchers at Black Hat Europe next month will demonstrate how SAP applications can be used as a stepping-stone to sabotage oil & gas processes.

Hackers can exploit weaknesses in enterprise resource planning (ERP) systems on oil & gas firms' corporate networks in order to sabotage pipeline pressure or hide oil spills, researchers have discovered.

Researchers at Black Hat Europe next month in Amsterdam will demonstrate these and other attacks on oil & gas networks by abusing holes in SAP ERP applications used in the industrial sector. Oil & gas industrial networks rely on ERP software to help manage and oversee the oil & gas production and delivery processes.

"We want to show that not only Stuxnet-type attacks using USB are possible," says Alexander Polyakov, CTO and founder of ERPScan, who with Mathieu Geli, a researcher with ERPScan, will demonstrate several proof-of-concept attacks at Black Hat in Amsterdam. An attacker could hack the systems remotely over the Internet, he says, or from the oil & gas firm's corporate network.

"SAP is a key to this kingdom because it has a lot of products specifically designed to manage some processes such as operational integrity or hydrocarbon supply chain. Since SAP systems are implemented in, if I’m not mistaken, about 90% of oil and gas companies, this key can open many doors," he said. "SAP is connected with some critical processes which, in their turn, are connected with other processes, and so on."

The researchers, who declined to give details on the actual SAP vulnerabilities prior to their presentation, say the bugs are software and configuration flaws in SAP xMII (Manufacturing Integration and Intelligence) and in SAP Pco software. SAP's MII supports the manufacturing side and includes real-time information for production performance, while the Pco manufacturing module software supports those production-floor operations.

"For those vulnerabilities we can disclose, we will provide details" in the talk, Polyakov said in an email interview.

Polyakov says there's no simple way to separate ERP applications from the industrial operations network. "If you have some plant devices such as wellheads, which pump oil and collect some data from them, you should somehow transfer this data to the corporate network to show managers who want to see all the information on their tablets on nice dashboards. That’s why even if you have a firewall between IT and OT [operations technology], there are some applications which are connected," he said. "What we want to show is that it’s possible to conduct such attack and pivot from IT network or even the Internet into OT network up to OPC servers, SCADA systems, field devices, meters, and dozens of other modules."

Among the processes with ties to ERP are pump control, blow-out prevention, flaring and venting, gas compression, peak-load gas storage, separators and burners, he said. He says he and Geli probably know about just 10% of the overall attack surface:  "The attack surface is huge."

The oil & gas industry already has been targeted by cyberattacks. One of the biggest and infamous attacks was that of oil giant Saudi Aramco, where malware wiped or destroyed the hard drives of some 35,000 computers. A group called the Cutting Sword of Justice claimed responsibility for the massive attack.

While the attack didn't directly affect Saudi Aramco's oil production and exploration systems, it raised concerns of market fallout in the industry, as well as market manipulation. The oil & gas industry is made up of many joint ventures, namely in the oil fields. So if one partner was attacked, another could be affected as well.

"Oil and gas cybersecurity is a small universe which is almost undeveloped, but extremely critical," Polyakov said. "Any changes made during the upstream, midstream, or downstream processes may have a significant impact." 

The ERPScan researchers previously have uncovered flaws in SAP that attackers could use to get to those systems: "Just to name a few, some issues such as SAP Router or SAP Portal or recent SAP Afaria or SAP HANA vulnerabilities, can be used to get access to the SAP infrastructure from the Internet," he said.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015. Click here for more information and to register.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BarakPerelman
50%
50%
BarakPerelman,
User Rank: Author
11/13/2015 | 6:37:09 AM
Vulns in ICS networks
Will be interesting to see what the exploits look like, and in any case higher awareness about the risks in ICS networks is always good.

That being said, there's always going to be an exploitable software piece in the network. If not Windows then SAP, is not SAP then OSISoft. The inherent problem in these networks is the total lack of protection and logging in the controllers themselves. This creates a situation where any type of access to the network (malware, employees...) immediately poses a potentially devestating non-tracable threat.

My two cents anyway..
Helpthepeeps724
0%
100%
Helpthepeeps724,
User Rank: Apprentice
10/30/2015 | 2:57:17 PM
Electronic Speed Traps
Please people work on hacking the legal scamming companies that take the picture of a car and send a ticket in the mail.

https://www.onlinecitationpayment.com/auth/login.do

 

Hack their PII so that the municipalities complicit in this scam get sued along with them....hence no more electronic speeding cams!
MartinL703
50%
50%
MartinL703,
User Rank: Apprentice
10/30/2015 | 9:48:19 AM
Really?
Well I'll be interested to see this.  BOPs connected to ERP?  There may be some weaknesses in deployment of the integration of PCN and Enterprise Networks that would expose weaknesses but it is a fundamental principle of Process Control that you cannot penetrate the control elements of the system.  Looking forward to being proven wrong!
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3622
PUBLISHED: 2020-01-22
A Cross-Site Scripting (XSS) vulnerability exists in the admin login screen in Phorum before 5.2.18.
CVE-2020-5221
PUBLISHED: 2020-01-22
In uftpd before 2.11, it is possible for an unauthenticated user to perform a directory traversal attack using multiple different FTP commands and read and write to arbitrary locations on the filesystem due to the lack of a well-written chroot jail in compose_abspath(). This has been fixed in versio...
CVE-2019-19834
PUBLISHED: 2020-01-22
Directory Traversal in ruckus_cli2 in Ruckus Wireless Unleashed through 200.7.10.102.64 allows a remote attacker to jailbreak the CLI via enable->debug->script->exec with ../../../bin/sh as the parameter.
CVE-2019-19836
PUBLISHED: 2020-01-22
AjaxRestrictedCmdStat in zap in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote code execution via a POST request that uses tools/_rcmdstat.jsp to write to a specified filename.
CVE-2019-19843
PUBLISHED: 2020-01-22
Incorrect access control in the web interface in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote credential fetch via an unauthenticated HTTP request involving a symlink with /tmp and web/user/wps_tool_cache.