Critical infrastructure

Oil and Gas Cyber Security 101

Alexander Polyakov
March 7, 2016 by
Alexander Polyakov

Recently, I've published a post in the form of Interview about Oil and Gas Cyber Security, and it received a lot of attention.

It seems that nowadays researchers are interested in learning more about industries which product they analyze. You know, in the beginning, it was much simpler. A company hired a specialist who is familiar with pen testing and who can examine if their systems are vulnerable. Those specialists used some pen testing tools, and then, if they are good specialists, they checked for vulnerabilities manually, escalated privileges and, as a result, wrote a report about vulnerabilities they discovered. It looked like "we found an X vulnerability on the server Y". It was enough to know that hackers could penetrate into the system as pen testers could, and it was very impressive to provide just a list of vulnerabilities.

Learn ICS/SCADA Security

Learn ICS/SCADA Security

Explore realistic critical infrastructure scenarios and build your security skills with hands-on labs, on-demand courses and live boot camps.

Now the situation is changing. Everybody knows that there are vulnerabilities in almost every system, so the problem lies in their impact and ease of exploit, and the main question is what can happen after the exploitation and what kind of real risks to an organization it provides.

Besides, it turned out that the risks depend on the system type. The risks vary if one can hack a workstation, domain controller, backup server or company's ERP system. Moreover, different types of organizations suffer different risk. Some of those organizations are afraid of espionage risks, like Manufacturers that specialize in unique products. Others worry about Fraud. I suppose it is relevant for every firm but financial organizations especially. Oil and Gas companies may not care about espionage, but they are anxious about sabotage, because if somebody stops their daily operations or breaks some equipment, they will face a real problem.

Because of that, my idea is to focus on industry-specific cyber security and associated risks. This post is the first part of the article series describing specific nuances of Cyber Security for Oil and Gas organizations. It is the first in-depth public Oil and Gas Cybersecurity research ever so far. There are still more questions than answers. A more detailed analysis requires more practice and equipment. However, there are many software and hardware devices which are relatively easy to find if you want. Anyway, my goal was not to write a comprehensive encyclopedia on Oil and Gas cybersecurity (but I don't give up the idea to do it later) but to lay the basis for further research. I also want to show that Operation Technology networks of Oil and Gas companies are now tied together with traditional business applications located on a corporate network. It means that vulnerabilities in one or another part can affect the security of the whole landscape.

Why have we decided to talk about Oil and Gas? First of all, this industry is one of the most important nowadays as it is responsible for some countries' economy. Secondly, we have an experience and understanding of processes as we saw them in a real environment of our clients from Upstream, Downstream, and Midstream organizations. Finally, entities that deal with Oil, Gas, and other natural resources provide very good examples of Industry-specific attacks. All those natural resources are not easy to be measured. To be honest, they are not measurable at all, and it's possible to spoof this data in a way that nobody will be able to investigate. Let's compare it with the retail industry. You know how many Nike boots are stored in your warehouse and even if somebody gains access to it, steals shoes and then changes their quantity in ERP system, in some time you will find that something is wrong. If you deal with natural resources, nobody knows the real quantity. It's calculated on a number of metrics such as pressure, temperature, etc. According to the description of some of the popular technologies aiming to optimize Hydrocarbon Supply Chain, hydrocarbon volumes fluctuate depending on environmental temperature and pressure conditions. As product valuation needs quantity and mass, and simple weighing is not possible, one should derive them from volumes at ambient temperature and pressure conditions, requiring complex conversion calculations of the observed volumes at each custody transfer point. Imagine what can happen if an attacker accesses and modifies this data.

Who should read this and why?

  • Researchers – Oil and Gas Cybersecurity is a small universe which is almost unexplored. After reading this paper, you will certainly know how to carry out your own research.
  • Pen testers - you will learn how to break into the most critical network and how to impress decision makers during your pen tests. Instead of "Hey, we have access to your domain controller", you will be able to say something like: "Hey, I can change the gas pressure in your storage. Isn't it critical enough?"
  • CISOs – There is bad news, unfortunately. Now you will learn that there is no Air Gap between your enterprise network and Oil Refinery, sorry. The truth is that hackers can pivot into your production systems from the corporate network or even from the Internet. This series will help you to understand how to prevent it
  • Admins – You, guys, are partly responsible for the security of very important OT processes. Enterprise business systems such as ERP, MES, LIMS, etc. have connections with most of these systems by one or another way. These articles will highlight what exactly can be wrong.

As mentioned, our aim is to show that mission-critical business applications are often connected to each other using different types of integration technologies. What's more important, enterprise applications which are implemented in the corporate network are usually connected with devices in OT network, and there is no easy way to separate them. If you have some plant devices which collect data about oil volumes, for example, you should somehow transfer this data to the corporate network to display it on nice dashboards to management. That's why even if you have a firewall between IT and OT there are some applications which are connected. That is why it's possible to conduct such attack and pivot from IT network (or even the Internet) into OT network up to field devices and smart meter and vice versa.

Oil and Gas Cybersecurity

Oil and Gas Cyber Security is tightly connected with ICS (industrial control systems) Cyber Security. It's not a secret that industrial control systems play a vital role in every Oil and Gas company, and actually the biggest part of automatization in the Oil and Gas industry is provided by Operational Technology Network which consists of Industrial automation and control systems such as SCADA (supervisory control and data acquisition), DCS (Distributed Control System), PLC (Programmable Logical Controllers), OPC servers, Field Devices, and other critical components which are often referred to as Operational Technology (OT).

OT is used to monitor and control physical processes in the oil and gas industry. The role of OT is the gaining of data coming from processes (temperatures, pressures, valve positions, tank levels, human operators) and the direct control of electric, mechanical, hydraulic or pneumatic actuators.

In the good old days, most OT networks were air-gapped from the business network (office network) and the Internet and operated independently using proprietary hardware, software and communications protocols. But in recent years, demand for business insight, requirements for remote network access, and spreading of hardware and software from traditional IT (e.g., TCP/ IP networking, Windows-based platforms) caused many oil and gas companies to integrate control systems and their enterprise IT systems, and some of them can even allow an access to OT network from the cloud.

So, today when we speak about Oil and Gas Cyber Security we should bear in mind the security of 3 different things

  • Operational Technology security
  • Enterprise application security
  • Security of connections between them

Consequently, the next three articles will be focused on the listed topics, but before we should look at the most popular Incidents happened in the Oil and Gas industry and learn some basics of Oil and Gas Cyber Security.

Oil and Gas Cybersecurity history

Oil and Gas Industry is one "most plagued" by cyber attacks.

Cyber crimes cost Oil and Gas, energy and utility companies an average of $13.2 million each a year for lost business and damaged equipment, higher than in any other industry, Ponemon's survey of 257 businesses states. Why does it cost so much and how did these incidents happen? The answers to those questions can be found in the history of incidents.

December 2002 - Venezuela's state oil company became embroiled in a bitter strike. There were also instances of computer hacking which caused a significant damage since many operations are centrally controlled by computers. Someone, possibly an employee involved in the general strike, remotely accessed a program terminal to erase all PLC programs in port facility. This and other physical sabotage cut Venezuela's national production down to 370,000 barrels per day, compared with 3 million barrels before the strike.

2008 - Hackers interfered with alarms and communications for Baku-Tbilisi-Ceyhan pipeline in Turkey, super-pressurizing crude oil to cause an explosion that resulted in the spilling of more than 30,000 barrels of oil.

23 October 2009 - An explosion happened in Bayamon, Puerto Rico. The fire blazed for three days, forcing residents to flee their homes. Investigators said it was a glitch in the facility's computerized monitoring system. A storage tank was getting refilled with gasoline from a fuel ship docked along the San Juan harbor. Since the tank's meter malfunctioned, the petrol kept overflowing until it met an ignition source.

2010 - STUXNET was used to hijack industrial control systems around the globe, including computers used to manage oil refineries, gas pipelines, and power plants. Although Stuxnet was not designed for Oil and Gas, it seriously affected these companies as well.

2012 – As a result of a cyber attack on Aramco, Saudi Arabian national petroleum and natural gas company, 30000 computers were damaged by a Shamoon malware. An intrusion, for which a group called Cutting Sword of Justice took credited, either partially or fully wiped files.

The attack was aimed to stop gas and oil production in Saudi Arabia and prevent resource flow to international markets.

10 September 2012 - Telvent is a supplier of remote administration and monitoring tools to the energy sector became a victim of sophisticated advanced persistent threat. Its Canadian branch discovered on September, ten that its internal firewall and security systems had been breached and notified its customers of the incident.

As stated by Telvent, every energy company in the Fortune 100 relies on their systems and information to manage their business. Telvent systems now manage more than 60 percent of the total hydrocarbon movements in North American and Latin American pipelines.

The probable attacker appeared to be a Chinese hacking group. The malware names and network components used in the attack have been used in the past by a Chinese cyber-group called the "Comment Group," according to Dell SecureWorks. Comment Group has targeted a variety of organizations, including chemical and electric companies as well as other industrial sectors.

After breaching the network and installing malware, the attackers stole project files related to the OASyS SCADA product, a remote administration tool. OASyS allows companies to combine older IT equipment with modern "smart grid" technologies.

The attackers may have wanted the code in order to find vulnerabilities in the software to launch future attacks against other energy companies directly.

2014 - Dozens of oil companies in Norway were targeted by cyber attacks, including Statoil.The attackers have not been identified. It remains unclear what exactly the attackers' motives were.

January 2015 - A device used to monitor the gasoline levels at refueling stations across the United States—known as an automated tank gauge or ATG—could be remotely accessed by online attackers, manipulated to cause alerts, and even set to shut down the flow of fuel. Several Guardian AST gas-tank-monitoring systems have suffered electronic attacks possibly instigated by hacktivist groups. Successful attacks can affect inventory control, data gathering, and delivery tracking, in turn impacting the availability of gasoline in local stations.

One of the things we should be aware of is that sometimes hackers' intentions were not to destroy a company's production. But because the systems they hack are so complex and unique, an attack may have a dire effect if they do something wrong just because they are not so smart or lucky.

Oil and Gas 101

Before we can talk about Oil and Gas Security, in particular, we should learn some basics. Don't worry it's not as boring as you may think. The Oil and Gas industry consists of three separate areas: Upstream, Midstream, and Downstream with their processes, systems, and even risks.

Upstream - The upstream sector includes the searching for potential underground or underwater crude oil and natural gas fields, drilling of exploratory wells, and subsequently drilling and operating the wells that recover and bring the crude oil and raw natural gas to the surface. The upstream oil sector is also commonly known as the exploration and production (E&P) sector.

Midstream- The midstream sector involves the transportation (by pipeline, rail, barge, oil tanker or truck), storage, and wholesale marketing of crude or refined petroleum products. Pipelines and other transport systems can be used to move crude oil from production sites to refineries and deliver the various refined products to downstream distributors.

Downstream - The downstream sector commonly refers to the refining of petroleum crude oil and the processing and purifying of raw natural gas, as well as the marketing and distribution of products derived from crude oil and natural gas. The downstream sector touches consumers through products such as gasoline or petrol, kerosene, jet fuel, diesel oil, heating oil, fuel oils, lubricants, waxes, asphalt, natural gas, and liquefied petroleum gas (LPG) as well as hundreds of petrochemicals.

You can find more Oil and Gas basics here


Upstream

The upstream segment is also known as the exploration and production (E&P) sector which encompasses activities related to searching for, recovering and producing crude oil and natural gas.

The upstream sector consists of the following main business processes:

  • Extraction, or Drilling, is the first process in Upstream Chain. This process can include the usage of systems such as Drilling Control Systems, blow-out prevention system, flare and vent disposal systems, etc.
  • Gathering - Transfer crude oil from the earth to separators using wells and manifolds.
  • Separation. Here multiple 2/phase 3/phase separators separate oil, gas and water.
  • Gas compression. Here gas is prepared for storage and transport.
  • Temporary Oil Storage. Sometimes companies have small temporary Oil storage in Upstream to store temporarily before loading.
  • Water Disposal System. Needed to dispose of water which was separated from the oil in the previous stages.
  • Metering. This stage is needed to calculate quantity before loading. And it includes Fiscal Metering, Liquid Flow Metering, Gas Flow Metering and other Metering Systems.

Midstream

The midstream sector involves the transportation (by pipeline, rail, barge, oil tanker or truck), storage, and wholesale marketing.

Midstream consists of the following main business processes:

  • Terminal management. Obtain Oil delivered by Trucks, Pipelines, Barges and Trains from Upstream companies.
  • Gas Processing. Here natural gas and NGL are separated.
  • Gas Transportation. Transfer gas to storage via pipelines.
  • Oil transportation. Transfer Oil to storage via pipelines.
  • Gas storage. Temporary and long-term storage, including Peak Load Gas Storage, Base Load Gas storage, and LNG Storage
  • Oil Storage. Long-term oil storage in Tanks.

Downstream

The downstream sector commonly refers to the refining of petroleum crude oil and the processing and purifying of raw natural gas, as well as the marketing and distribution of products derived from crude oil and natural gas.

Downstream consists of the following main business processes:

  • Refining. Processing of Crude Oil.
  • Oil Petrochemicals. Fabrication of base chemicals and plastics. This area itself is like a small business inside and can consist of dozens of specific systems.
  • Gas Distribution. Deliver Gas to utilities.
  • Oil Wholesale. Deliver petrol to a 3rd party.
  • Oil Retail. Deliver petrol to end-users on Gas Stations.

Top 10 Cyber Security threats for oil and gas industry

Oil and Gas Cyber Security is changing.

According to the article published several months ago, with the use of digital technologies connected to the corporate network and increased dependence on cyber structures, the oil and gas industry is exposed to new vulnerabilities and threats. The same things which I've mentioned in the beginning.

The article also lists the top 10 cyber security threats to Oil and Gas Companies:

  1. Lack of cyber security awareness and training among employees
  2. Remote work during operations and maintenance
  3. Using standard IT products with known vulnerabilities in the production environment
  4. A limited cyber security culture among vendors, suppliers, and contractors
  5. Insufficient separation of data networks
  6. The use of mobile devices and storage units including smartphones
  7. Data networks between on- and offshore facilities
  8. Insufficient physical security of data rooms, cabinets, etc.
  9. Vulnerable software
  10. Outdated and aging control systems in facilities

I would like to point on number 5 – Insufficient separation of Data networks and Standard IT Products in Production environment. I absolutely agree those are among the main technical risks and in next articles will be focused on them in detail.

Learn ICS/SCADA Security

Learn ICS/SCADA Security

Explore realistic critical infrastructure scenarios and build your security skills with hands-on labs, on-demand courses and live boot camps.

Conclusion

So, as I said it was a short introduction to Oil and Gas Cyber Security. You have learned why you should be aware, what kind of incidents happened and, of course, the basics of Oil and Gas. As you saw, there are more than 20 different business processes in Oil and Gas industry and each can be managed by 5 or even ten different ICS systems, which may be developed by different vendors. The next three articles will describe in detail how those areas work and what the main risks are for Oil and Gas ICS Systems.

Links

Alexander Polyakov
Alexander Polyakov

Alexander Polyakov is the founder of ERPScan and President of the EAS-SEC.org project. Recognized as an R&D professional and Entrepreneur of the year, his expertise covers the security of enterprise business-critical software like ERP, CRM, SRM and industry specific solutions for Oil and Gas, Manufacturing, Retail and Banking; as well as other verticals developed by enterprise software companies such as SAP and Oracle. He has received numerous accolades and published over 100 vulnerabilities.

Alexander has also published a book about Oracle Database security, numerous white papers, such the award winning annual "SAP Security in Figures”; plus surveys devoted to information security research in SAP.

Alexander has presented his research on SAP and ERP security at more than 50 conferences and trainings in 20+ countries in all continents. He has also held trainings for the CISOs of Fortune 2000 companies, and for SAP SE itself.

He is the author of numerous whitepapers and surveys devoted to information security research in SAP like "SAP Security in figures." Alexander was invited to speak and train at international conferences such as BlackHat, RSA, HITB and 30 others around globe as well as in internal workshops for SAP and Fortune 500 companies.