Amsterdam, Netherlands - November 12, 2015. Researchers at ERPScan, a company specializing in SAP security, Oracle security and industry-specific enterprise business application issues, revealed a number of vulnerabilities in business applications and industrial processes in the oil and gas sector that can lead to highly critical cyber attacks. In the case of a successful attack, cyber criminals could manipulate stock data covering about 75% of total world oil production. The attack vectors identified during the research were presented at the recent BlackHat Amsterdam conference.
Alexander Polyakov and Mathieu Geli delivered the first public talk describing the cyber security aspects of a typical oil and gas organization in detail. The research revealed multiple ways in which an attacker can gain unauthorized access to the OT (operational technology) network by exploiting vulnerabilities in ERP systems, Enterprise Asset Management (EAM) systems, Manufacturing Integration systems, Project Portfolio Planning systems, LIMS and other enterprise applications.
The idea is simple. We want to show that mission-critical business applications are often connected to each other using different types of integration technologies. More importantly, enterprise applications located in the corporate network, or even on the Internet, are usually connected with devices in the OT network, and the number of such connections is growing as the integration between OT and IT systems becomes deeper.
For example, if you have plant devices that collect data about oil volumes, you somehow have to transfer this data to the corporate network to show it on nice dashboards, so that managers can develop a long-term financial strategy and make decisions. That's why, even if you have a firewall between IT and OT, there are still applications that are connected, and these connections are often insecure. So it is possible to conduct such an attack and jump from the IT network (or even the Internet) into the OT network, up to SCADA systems, OPC servers, field devices and smart meters.
commented Alexander Polyakov, ERPScan’s CTO
In particular, the researchers discovered vulnerabilities in SAP xMII, SAP Plant Connectivity (PCo), SAP HANA, the Oracle E-Business Suite platform and some widely used OPC servers such as Matrikon OPC. These vulnerabilities, combined with configuration issues, can be used to conduct a multi-stage attack and gain access to the connected systems that act as a bridge between the corporate and industrial networks.
The oil and gas industry is one of the most complex in terms of the number of different critical processes and their interconnections. We can name at least 20 key technological processes in the upstream, midstream and downstream sectors, such as pump control, blow-out prevention, flaring and venting, oil and gas separation, burner management, gas compression, peak-load gas storage and, of course, refining. The risks associated with cyber attacks on oil and gas are plant sabotage or shutdown, equipment damage, utility interruption, production disruption (stopping or pausing manufacturing processes), product quality changes, fraud, undetected spills, illegal tapping and, of course, compliance and safety violations.
The aim of the talk was to show that Stuxnet-style attacks via USB are not the only option: these systems can also be attacked remotely, from the Internet or from the corporate network.
SAP applications are the keys to the kingdom in oil and gas cybersecurity, since SAP has many products designed specifically to manage processes such as operational integrity or the hydrocarbon supply chain. SAP systems are implemented in 85% of Fortune 2000 oil and gas companies, so this key opens many doors. We are aware of numerous security issues in SAP systems: more than 3500 vulnerabilities have been closed in SAP products in total, and most of them give an attacker unauthorized access to business-critical applications.
SAP applications are responsible for critical processes that are in turn connected with other processes, and so on. This is what makes SAP an important part of every oil and gas organization's security. SAP business applications collect data about critical processes via SAP xMII (Manufacturing Integration and Intelligence). SAP xMII systems are connected with SAP PCo systems, which exchange information with OPC servers, which in turn have direct access to ICS systems and the PLC devices that manage critical processes. One of the attacks highlighted at the conference allows cybercriminals to obtain access to devices that control processes such as oil and gas separation, burner management, fiscal metering and tank inventory management.
Even if there are no vulnerabilities in the components of the industrial systems themselves, insecure configurations and unpatched business applications expose a company to the following risks:
Oil market fraud
Hackers can send fake information about oil quantities to the managers who make decisions based on this data.
Assume that every day someone reports that there is much more oil in stock than the company really has. One day the company will have sold all of its oil and will be unable to deliver it to customers. Failure to meet its obligations could lead to a global scandal, oil price swings and losses large enough to bankrupt the company.
Imagine what would happen if a cyber criminal deployed malware that dynamically changes oil stock information in every oil and gas company where SAP is implemented. According to SAP's own statement, companies using SAP solutions produce more than 70 million barrels of oil per day. The Oil Market Report puts total oil production at over 94 million barrels per day. If such an attack succeeded, cyber criminals could manipulate the stock data behind about 75% of total oil production: they could deliberately understate the oil in stock at affected companies to drive prices up, or vice versa.
The described attacks can be conducted by exploiting SAP xMII and SAP Plant Connectivity, which transfer data from tank management systems to SAP systems such as SAP IS-Oil. With this multi-stage attack, cyber criminals can modify the parameters describing oil quantities in stock. More importantly, SAP systems are connected with tank inventory management solutions, and some of these, such as Emerson Rosemount TankMaster, allow commands to be sent to PLC devices to change values like the maximum filling limit of a tank. In that case, by gaining access to the tank management system, hackers can send such commands and carry out an attack that overfills a tank, with the risk of an explosion.
Burner Management Systems (BMS) and other critical systems are used in numerous processes, including separation and refining. Some of these systems not only report information but can also be managed remotely from third-party systems such as ERP, EAM and LIMS via the intermediate systems SAP PCo and SAP xMII, and some solutions allow specific commands to be sent to PLCs from ERP/MES systems. PCo provides a framework for creating custom agents that can be used to send commands to PLCs. This is one way to attack ICS even when there are no vulnerabilities in the PLC/SCADA/DCS systems themselves.
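The two controls a practitioner would want at the bridge described above are a write allow-list on the IT-to-OT path and an independent sanity check on the OT-to-IT path. The following is an added example, not ERPScan's code and not the SAP xMII/PCo API: it models a hypothetical gateway in the position of PCo that refuses writes to safety-relevant PLC tags (such as a tank's maximum filling limit) unless they come from an engineering source inside the OT zone, flags reported tank levels that violate the tank's capacity or exceed what any pump could move in the interval, and reconciles the stock figure the ERP shows managers against gauge readings collected over a separate path. All zone names, tag names, limits and sample readings are constructed for illustration.

```python
"""Policy and plausibility checks for an IT/OT integration bridge.

Added example; not ERPScan's code and not the SAP xMII/PCo API. Every
zone, tag, limit and reading below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Message:
    source: str                  # zone/system the message came from (assumed names)
    op: str                      # "read" or "write"
    tag: str                     # OPC item / PLC tag (assumed names)
    value: Optional[float] = None


# Tags whose values change physical limits or actuate equipment (assumed).
PROTECTED_TAGS = {"TK101.MaxFillLimit", "BMS1.BurnerEnable"}
# Only these sources may write protected tags; the ERP side never can.
OT_WRITERS = {"eng_ws"}


def authorize(msg: Message) -> tuple[bool, str]:
    """Return (allowed, reason). Reads pass; writes to protected tags are allow-listed by source."""
    if msg.op == "read":
        return True, "read"
    if msg.op != "write":
        return False, f"unknown op {msg.op!r}"
    if msg.tag in PROTECTED_TAGS and msg.source not in OT_WRITERS:
        return False, f"write to {msg.tag} from zone {msg.source!r} denied"
    return True, "write"


@dataclass(frozen=True)
class TankSpec:
    capacity_bbl: float            # a gauge reading cannot exceed this
    max_flow_bbl_per_min: float    # largest pump rate into or out of the tank


def check_levels(spec: TankSpec, samples: list[tuple[float, float]]) -> list[str]:
    """samples are (minute, level_bbl) as reported towards the ERP.
    Flags readings outside the tank and changes faster than any pump allows."""
    findings: list[str] = []
    for i, (t, level) in enumerate(samples):
        if not 0.0 <= level <= spec.capacity_bbl:
            findings.append(f"t={t:g}: level {level:g} outside 0..{spec.capacity_bbl:g}")
        if i == 0:
            continue
        t_prev, prev = samples[i - 1]
        if t <= t_prev:
            findings.append(f"t={t:g}: timestamp not increasing")
            continue
        rate = abs(level - prev) / (t - t_prev)
        if rate > spec.max_flow_bbl_per_min:
            findings.append(f"t={t:g}: {rate:g} bbl/min exceeds pump limit {spec.max_flow_bbl_per_min:g}")
    return findings


def reconcile(erp_stock_bbl: float, gauge_levels_bbl: dict[str, float], tolerance: float) -> Optional[str]:
    """Compare the stock figure the ERP shows managers with the sum of gauge
    readings obtained over an independent path (e.g. the plant historian).
    Returns a finding when they differ by more than `tolerance` (a fraction)."""
    physical = sum(gauge_levels_bbl.values())
    if physical == 0:
        return "no physical inventory to reconcile against" if erp_stock_bbl else None
    drift = abs(erp_stock_bbl - physical) / physical
    if drift > tolerance:
        return f"ERP stock {erp_stock_bbl:g} vs gauges {physical:g}: {drift:.1%} drift"
    return None


def demo() -> dict:
    """Constructed scenario: an ERP-side write to a fill limit, a level trace
    with a physically impossible jump, and an ERP stock figure that overstates inventory."""
    write_from_erp = authorize(Message("erp", "write", "TK101.MaxFillLimit", 98000.0))
    write_from_eng = authorize(Message("eng_ws", "write", "TK101.MaxFillLimit", 95000.0))
    read_from_erp = authorize(Message("erp", "read", "TK101.Level"))

    tank = TankSpec(capacity_bbl=100000.0, max_flow_bbl_per_min=200.0)
    # 1500 bbl per 10 min is a legitimate fill; 27000 bbl in 10 min is not.
    trace = [(0, 40000.0), (10, 41500.0), (20, 43000.0), (30, 70000.0), (40, 71500.0)]
    level_findings = check_levels(tank, trace)

    recon = reconcile(150000.0, {"TK101": 71500.0, "TK102": 30000.0}, tolerance=0.02)
    return {
        "erp_write": write_from_erp,
        "eng_write": write_from_eng,
        "erp_read": read_from_erp,
        "level_findings": level_findings,
        "reconcile": recon,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Running the block prints the denied ERP-side write, the single rate-of-change finding at t=30 and the reconciliation drift. The value of the reconciliation step is that it does not trust the xMII/PCo path at all: the gauge readings come from a second source, so an attacker who controls the integration layer has to falsify both paths consistently to go unnoticed.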
Plant equipment sabotage
Hackers can fake data about temperature, pressure and other conditions. For example, they can spoof a report about an equipment problem at a remote facility; if that facility is in the middle of the ocean, the company will spend a lot of time and money investigating the incident. This can be done by exploiting the vulnerabilities described in the talk, and the easiest route is to compromise an SAP or Oracle asset management solution. Another system that can be targeted is Rolta OneView, an OT-IT integration and analytics product that is widely used in the oil and gas industry to gather and analyze operational data for decision-making. This solution uses an SAP HANA database as its backend, so the remote buffer overflow vulnerability recently found in SAP HANA can be used to gain access to the database behind it.
The attack vectors presented at the conference are only a small sample of the possible issues. Reaching the OT network through enterprise applications opens hundreds of new doors into the most critical processes. Finding a vulnerability in critical infrastructure devices has always been easy, as they were developed without security measures (the growing number of ICS vulnerabilities proves that); the hard part was not finding vulnerabilities in ICS systems but finding a way to reach those devices, since they sit in a protected network. Now, using the method described in the talk, attackers can readily exploit any SCADA/PLC vulnerability they discover or buy on the black market. This makes attacks on critical processes in oil and gas companies as easy as hacking a website.