Recently I published a post in the form of an interview about Oil and Gas cybersecurity, and it received a lot of attention.
It seems that nowadays researchers are really interested in learning more about the industries they analyze. Some years ago it used to be much simpler. A company hired a specialist with pentesting skills who could examine whether its systems were vulnerable. Those specialists ran some pentesting tools; then, if they were good specialists, they checked for vulnerabilities manually, escalated privileges and, as a result, wrote a report about the vulnerabilities they had discovered. It looked like “we found vulnerability X on server Y”. It was enough to know that hackers could penetrate the system the same way the pentesters did, and providing just a list of vulnerabilities was very impressive.
Now the situation is changing. It is known that almost every system is vulnerable, so now the impact and the ease of exploitation matter. The main question is what can happen after exploitation and what real risks it poses to an organization. Besides, it turned out that the risks depend on the system type. The hazards vary depending on whether one can hack a workstation, a domain controller, a backup server or the company’s ERP system. Moreover, different types of organizations face different risks. Some of them are afraid of espionage, like manufacturers that specialize in unique products. Others worry about fraud; I suppose this threat is relevant for every firm, but for financial organizations especially. Oil and Gas companies may not care about espionage, but they are anxious about sabotage, because if somebody stops their daily operations or breaks some equipment they will face a real problem.
Because of that, my idea is to focus on industry-specific cybersecurity and its associated risks. This post is the first part of an article series describing the specific features of cybersecurity for Oil and Gas organizations. It is the first in-depth public Oil and Gas cybersecurity research. There are still more questions than answers; a more detailed analysis requires more practice and equipment. However, many of the software and hardware devices involved are relatively easy to find if you really want to. Anyway, my goal was not to write a comprehensive guide on Oil and Gas cybersecurity (though I haven’t given up the idea) but to lay the basis for further research. I also want to show that the Operational Technology networks of Oil and Gas companies are now tied together with the traditional business applications located on the corporate network. It means that vulnerabilities in either part can affect the security of the whole landscape.
Why have we decided to talk about Oil and Gas? First of all, this industry is one of the most important nowadays, as it makes up a great part of some countries’ economies. Secondly, we have experience with and an understanding of the processes, as we saw them in the real environments of our clients from Upstream, Downstream, and Midstream organizations. Finally, entities that deal with oil, gas, and other natural resources provide uncommon examples of industry-specific attacks. Natural resources are not easy to measure. Frankly speaking, they are not measurable at all, and it’s possible to spoof this data in a way that nobody will be able to investigate. Let’s compare it with the retail industry. You know how many Nike boots are stored in your warehouse, and even if somebody gains access to it, steals shoes and then changes their quantity in the ERP system, in some time you will find that something is wrong. If you deal with natural resources, nobody knows the real quantity. It’s basically calculated from a number of metrics such as pressure, temperature, etc. According to the description of some of the popular technologies aimed at optimizing the hydrocarbon supply chain, hydrocarbon volumes fluctuate depending on environmental temperature and pressure conditions. As product valuation needs quantity and mass, and simple weighing is not possible, one should derive them from volumes at ambient temperature and pressure conditions, requiring complex conversion calculations of the observed volumes at each custody transfer point. Imagine what can happen if an attacker accesses and modifies this data.
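The following is an added example (not code from the original post or from any product it mentions) showing how a custody-transfer quantity is derived from an observed volume and a measured temperature, how a small change to one reported value shifts the invoiced mass, and a defender-side plausibility check that reconciles two independent measurements so the shift is flagged. It assumes a simplified linear volume-correction model with a constant expansion coefficient in place of the real API MPMS correction tables, and all readings are constructed.

```python
from dataclasses import dataclass

BASE_TEMP_C = 15.0
# Assumed thermal-expansion coefficient (1/°C) for a crude-like liquid; the real
# correction comes from API MPMS tables, which this linear model only approximates.
ALPHA_PER_C = 0.00085


@dataclass
class Reading:
    """One measurement at a custody transfer point (constructed sample data)."""
    observed_volume_m3: float
    temperature_c: float
    density_at_15_kg_m3: float


def volume_correction_factor(temp_c: float) -> float:
    """Fraction of the observed volume that remains when brought back to 15 °C."""
    return 1.0 - ALPHA_PER_C * (temp_c - BASE_TEMP_C)


def standard_volume_m3(r: Reading) -> float:
    """Observed volume converted to standard conditions (15 °C)."""
    return r.observed_volume_m3 * volume_correction_factor(r.temperature_c)


def mass_tonnes(r: Reading) -> float:
    """Mass is what gets invoiced: standard volume times reference density."""
    return standard_volume_m3(r) * r.density_at_15_kg_m3 / 1000.0


def reconcile(tank_gauge: Reading, flow_meter: Reading, tolerance: float = 0.005) -> dict:
    """Plausibility check: two independent measurements of the same transfer
    should agree on mass within a tolerance; a larger gap is flagged for review."""
    m_tank = mass_tonnes(tank_gauge)
    m_flow = mass_tonnes(flow_meter)
    gap = abs(m_tank - m_flow) / max(m_tank, m_flow)
    return {
        "mass_tank_t": round(m_tank, 3),
        "mass_flow_t": round(m_flow, 3),
        "relative_gap": round(gap, 4),
        "suspicious": gap > tolerance,
    }


# Constructed readings: tank gauge and flow meter both see 10,000 m3 at 25 °C.
TANK = Reading(10_000.0, 25.0, 850.0)
FLOW = Reading(10_000.0, 25.0, 850.0)
# Constructed tampering: the tank gauge's reported temperature is lowered by 10 °C,
# which inflates the standard volume and therefore the invoiced mass.
TANK_TAMPERED = Reading(10_000.0, 15.0, 850.0)

if __name__ == "__main__":
    print(reconcile(TANK, FLOW))           # agrees, not suspicious
    print(reconcile(TANK_TAMPERED, FLOW))  # ~0.85 % gap, flagged
```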
Who will benefit from this article series?
- Researchers – Oil and Gas cybersecurity is a small universe which is almost unexplored. After reading the series, you will certainly know how to carry out your own research.
- Pentesters – you will learn how to break into the most critical network and how to impress decision makers during your pentests. Instead of “Hey, we have access to your domain controller”, you will be able to say something like: “Hey, I can change the gas pressure in your storage. Isn’t it critical enough?”
- CISOs – There is bad news, unfortunately. Now you will learn that there is no air gap between your enterprise network and your oil refinery. The truth is that hackers can pivot into your production systems from the corporate network or even from the Internet. This series will help you understand how to prevent it.
- Admins – You, guys, are partly in charge of the cybersecurity of very important OT processes. Enterprise business systems such as ERP, MES, LIMS, etc. are connected with most of these systems in one way or another. These articles will highlight what exactly can go wrong.
As mentioned, our aim is to show that mission-critical business applications are often connected to each other using different types of integration technologies. What’s more important, enterprise applications deployed in the corporate network are usually connected with devices in the OT network, and there is no easy way to separate them. If you have some plant devices which collect data about oil volumes, for example, you have to transfer this data to the corporate network somehow in order to display it on nice dashboards for management. That’s why, even if you have a firewall between IT and OT, there are some applications which are connected. That is why it’s possible to conduct such an attack and pivot from the IT network (or even the Internet) into the OT network, down to field devices and smart meters, and vice versa.
Oil and Gas Cybersecurity
Oil and Gas cybersecurity is tightly connected with ICS (industrial control systems) cybersecurity. Industrial control systems play a vital role in every Oil and Gas company, and actually the biggest part of automation in the Oil and Gas industry is provided by the Operational Technology network, which consists of industrial automation and control systems such as SCADA (supervisory control and data acquisition), DCS (Distributed Control Systems), PLCs (Programmable Logic Controllers), OPC servers, field devices, and other critical components which are often referred to collectively as Operational Technology (OT).
OT is used to monitor and control physical processes in the Oil and Gas industry. The role of OT is to acquire data coming from processes (temperatures, pressures, valve positions, tank levels, human operators) and to directly control electric, mechanical, hydraulic or pneumatic actuators.
In the good old days, most OT networks were air-gapped from the business network (office network) and the Internet and operated independently using proprietary hardware, software and communication protocols. But in recent years, demand for business insight, requirements for remote network access, and the spread of hardware and software from traditional IT (e.g., TCP/IP networking, Windows-based platforms) caused many Oil and Gas companies to integrate control systems with their enterprise IT systems, and some of them even allow access to the OT network from the cloud.
So, today when we speak about Oil and Gas cybersecurity we should bear in mind 3 different things:
Consequently, the next 3 articles will focus on the listed topics, but before that we should look at the most notorious incidents that have happened in the Oil and Gas industry and learn the essentials of Oil and Gas cybersecurity.
Oil and Gas Cybersecurity history
The Oil and Gas industry is one of the “most plagued” by cyberattacks.
Cybercrime costs Oil and Gas, energy and utility companies an average of $13.2 million each year in lost business and damaged equipment, higher than in any other industry, according to Ponemon’s survey of 257 businesses. Why does it cost so much, and how did these incidents happen? The answers can be found in the history of incidents.
December 2002 – Venezuela’s state oil company became embroiled in a bitter strike. At the same time, there were cases of computer hacking which caused significant damage, since many operations are centrally controlled by computers. Someone, probably an employee involved in the strike, remotely accessed a programming terminal to erase all PLC programs in a port facility. This and other physical sabotage cut Venezuela’s national production down to 370,000 barrels per day, compared with 3 million barrels before the strike.
2008 – Hackers interfered with alarms and communications for the Baku-Tbilisi-Ceyhan pipeline in Turkey, super-pressurizing crude oil to cause an explosion that resulted in the spilling of more than 30,000 barrels of oil.
23 October 2009 – An explosion happened in Bayamon, Puerto Rico. The fire blazed for three days, forcing residents to flee their homes. Investigators said it was a glitch in the facility’s computerized monitoring system. A storage tank was being refilled with gasoline from a fuel ship docked in San Juan harbor. Since the tank’s meter malfunctioned, the petrol kept overflowing until it met an ignition source.
2010 – Stuxnet, a malicious computer worm, was used to hijack industrial control systems around the globe, including computers used to manage oil refineries, gas pipelines, and power plants. Although Stuxnet was not designed for Oil and Gas specifically, it seriously affected these companies as well.
2012 – As a result of a cyber attack on Aramco, the Saudi Arabian national petroleum and natural gas company, 30,000 computers were damaged by the Shamoon malware. The intrusion, for which a group called Cutting Sword of Justice took responsibility, either partially or fully wiped files.
The attack was aimed at stopping gas and oil production in Saudi Arabia and preventing resource flow to international markets.
10 September 2012 – Telvent, a supplier of remote administration and monitoring tools to the energy sector, became a victim of a sophisticated advanced persistent threat. Its Canadian branch discovered on September 10 that its internal firewall and security systems had been breached and notified its customers of the incident.
As stated by Telvent, every energy company in the Fortune 100 relies on its systems to manage their business. The systems now manage more than 60 percent of the total hydrocarbon movements in North American and Latin American pipelines.
The probable attacker appeared to be a Chinese hacking group. The malware names and network components used in the attack had been used in the past by a Chinese cyber-group called “Comment Group,” according to Dell SecureWorks. Comment Group targeted a variety of organizations, including chemical and electric companies as well as other industrial sectors.
After breaching the network and installing malware, the attackers stole project files related to the OASyS SCADA product, a remote administration tool that allows companies to combine older IT equipment with modern “smart grid” technologies.
The attackers may have wanted the code in order to find vulnerabilities in the software and launch future attacks against other energy companies directly.
2014 – Dozens of oil companies in Norway were victims of cyber attacks, including Statoil. The attackers have not been identified, and it remains unclear what exactly their motives were.
January 2015 – A device used to monitor gasoline levels at refueling stations across the United States, known as an automated tank gauge (ATG), could be remotely accessed by online attackers, manipulated to cause alerts, and even set to shut down the flow of fuel. Several Guardian AST gas-tank-monitoring systems have suffered electronic attacks possibly instigated by hacktivist groups. Successful attacks can affect inventory control, data gathering, and delivery tracking, in turn impacting the availability of gasoline at local stations.
One thing we should be aware of is that sometimes the hackers’ intention was not to destroy a company’s production. But because the systems they hack are so complex and unique, an attack may have a dire effect if they do something wrong, simply because they are not so smart or lucky.
Oil and Gas 101
Before we can talk about Oil and Gas security in particular, we should learn some basics. Don’t worry, it’s not as boring as you may think. The Oil and Gas industry consists of 3 distinct areas: Upstream, Midstream, and Downstream. Each of them includes its own processes, systems, and even risks.
Upstream – The upstream sector includes the searching for potential underground or underwater crude oil and natural gas fields, drilling of exploratory wells, and subsequently drilling and operating the wells that recover and bring the crude oil and/or raw natural gas to the surface. The upstream oil sector is also commonly known as the exploration and production (E&P) sector.
Midstream – The midstream sector involves the transportation (by pipeline, rail, barge, oil tanker or truck), storage, and wholesale marketing of crude or refined petroleum products. Pipelines and other transport systems can be used to move crude oil from production sites to refineries and deliver the various refined products to downstream distributors.
Downstream – The downstream sector commonly refers to the refining of petroleum crude oil and the processing and purifying of raw natural gas, as well as the marketing and distribution of products derived from crude oil and natural gas. The downstream sector touches consumers through products such as gasoline or petrol, kerosene, jet fuel, diesel oil, heating oil, fuel oils, lubricants, waxes, asphalt, natural gas, and liquefied petroleum gas (LPG) as well as hundreds of petrochemicals.
You can find more Oil and Gas basics in this guide.
The upstream segment is also known as the exploration and production (E&P) sector, which encompasses activities related to searching for, recovering and producing crude oil and natural gas.
The upstream sector consists of the following main business processes:
- Extraction, or Drilling, is the first process in the upstream chain. This process can include the use of systems such as drilling control systems, blow-out prevention systems, flare and vent disposal systems, etc.
- Gathering. Transfer crude oil from the earth to separators using wells and manifolds.
- Separation. Here multiple two-phase and three-phase separators separate oil, gas and water.
- Gas compression. Here gas is prepared for storage and transport.
- Temporary Oil Storage. Sometimes companies have small temporary oil storage facilities in Upstream to hold product before loading.
- Water disposal system. Needed to dispose of the water which was separated from oil in the previous stages.
- Metering. This stage is needed to calculate quantity before loading. It includes fiscal metering, liquid flow metering, gas flow metering, and other metering systems.
The midstream sector involves the transportation (by pipeline, rail, barge, oil tanker or truck), storage, and wholesale marketing.
Midstream consists of the following main business processes:
- Terminal management. Obtain oil delivered by trucks, pipelines, barges and trains from Upstream companies.
- Gas processing. Here natural gas and NGL are separated.
- Gas transportation. Transfer gas to storage via pipelines.
- Oil transportation. Transfer oil to storage via pipelines.
- Gas storage. Temporary and long-term storage, including peak load gas storage, base load gas storage and LNG storage.
- Oil storage. Long-term oil storage in tanks.
The downstream sector commonly refers to the refining of petroleum crude oil and the processing and purifying of raw natural gas, as well as the marketing and distribution of products derived from crude oil and natural gas.
Downstream consists of the following main business processes:
- Refining. Processing of crude oil.
- Oil petrochemicals. Fabrication of base chemicals and plastics. This area is like a small business in itself and can include dozens of specific systems.
- Gas distribution. Deliver gas to utilities.
- Oil wholesale. Deliver petrol to 3rd parties.
- Oil retail. Deliver petrol to end-users at gas stations.
Top 10 cybersecurity threats for oil and gas industry
According to an article published several months ago, with the use of digital technologies connected to the corporate network and the increased dependence on cyber infrastructure, the Oil and Gas industry is exposed to new vulnerabilities and threats. These are the same things I mentioned in the beginning.
The article also lists the top 10 cyber security threats to Oil and Gas companies:
- Lack of cybersecurity awareness and training among employees
- Remote work during operations and maintenance
- Using standard IT products with known vulnerabilities in the production environment
- A limited cybersecurity culture among vendors, suppliers, and contractors
- Insufficient separation of data networks
- The use of mobile devices and storage units including smartphones
- Data networks between on- and offshore facilities
- Insufficient physical security of data rooms, cabinets, etc.
- Vulnerable software
- Outdated and ageing control systems in facilities
I would like to focus on number 5, insufficient separation of data networks, together with the use of standard IT products in the production environment. I absolutely agree that those are among the main technical risks, and the next articles will focus on them in detail.
So, as I said, this was a short introduction to Oil and Gas cybersecurity. You have learned why you should be aware, what kind of incidents have happened and, of course, the basics of Oil and Gas. As you saw, there are more than 20 different business processes in the Oil and Gas industry; each can be managed by 5 or even 10 different ICS systems, which may be developed by different vendors. The next 3 articles will describe in detail what those areas look like and what the main risks are for Oil and Gas ICS systems.