Talk at BlackHat Europe 2015 “Cybersecurity for Oil and Gas industries: how hackers can manipulate oil stocks”

The Oil and Gas sector is an attractive target for cyber threats, and cyber-attacks against companies in the industry continue to grow in number and sophistication, experts agree.

SAP and Oracle systems are widely used in the Oil and Gas industry, and there are even specific modules for Oil and Gas such as SAP Upstream Operations Management (UOM), SAP PRA (Production and Revenue Accounting), Oracle Field Service, and Oracle Enterprise Asset Management. Cyber-attacks on SAP and Oracle systems in the Oil and Gas industry can be critical in themselves; however, they are even more lethal because of trust connections to systems responsible for asset management (such as SAP xMII and SAP Plant Connectivity) and OT (such as ICS, SCADA and Field Devices). SAP and Oracle systems that manage business processes like Digital Oilfield Operations, Hydrocarbon Supply Chain, and Operational Integrity are also vulnerable to hacking.

Here is an example. Hydrocarbon volumes fluctuate depending on environmental temperature and pressure conditions. As product valuation needs quantity and mass, and simple weighing is not possible, one should derive them from volumes at ambient temperature and pressure conditions, which requires complex conversion calculations of the observed volumes at each custody transfer point. Imagine what can happen if an attacker accesses and modifies this data. Does it sound like a bad movie plot? The talk will prove that this scenario could actually happen in real life.

Alexander and Mathieu’s talk is based on several case studies conducted during professional services (SAP Penetration testing, SAP Vulnerability Assessment, SAP Security Assessment, SAP Custom code security review). The presentation will shed light on this highly critical and very dark area. They will discuss specific attack vectors and vulnerabilities affecting oil and gas companies, as well as practical tips to prevent them.