Protecting operations in the energy sector against cyber attacks

Motorola Solutions

Tuesday, 06 June, 2017

The development of the digital oilfield promises new and more efficient ways of doing business for oil and gas companies, but at the same time exposes them to serious risk of cyber attack.

Driven by rising costs in exploration and production as well as by increasing competitive intensity and regulatory pressures, oil and gas companies are looking for new ways to increase production capacity and operational efficiencies. This has led to the rapid adoption of digital technologies to help run their organisations.

As these technologies are implemented across oil and gas operations, they are creating what is now called the digital oilfield. It is the result of a convergence between IT and operational technology (OT), and represents a new way of doing business that is helping oil and gas companies reduce operational costs, improve efficiency and production, and comply with regulations.

At the same time, this transition to the digital oilfield is exposing companies to serious risks from cyber attacks, putting worker safety, production, reputation and, ultimately, profits at risk. Today, more than ever before, a successful attack can lead to devastating consequences for infrastructure, intellectual property and corporate profitability.

The energy sector’s vulnerability to cybercrime

Security threats are expected to grow in the future. In the past four years alone, the financial impact of cybercrime has increased by nearly 78% and the time it takes to resolve a cyber attack has more than doubled. Across all industries and geographies, it has been estimated that cybercrime costs some US$400 billion in lost time and assets.¹

The oil and gas industry is certainly not immune to this threat. In fact, research shows the energy industry is unusually highly targeted. In 2014, the energy industry topped the list of all Australian private sector industries requiring the assistance of CERT Australia in relation to cybersecurity incidents, ahead of banking and finance, and even the defence industries.² According to IDC Energy Insights, security concerns are already ranked number nine among its “top 10 [global] oil and gas industry issues” in 2012.³

And the costs are high and rising. The average annual cost of cybercrime incurred by a benchmark sample of 30 organisations in Australia was AU$4.3 million, representing a 33% increase from when the study was conducted three years earlier.⁴ Moreover, an ABI Research study predicted that globally, cyber attacks against oil and gas infrastructure will cost companies US$1.87 billion by 2018.⁵ Oil and gas companies are high-risk targets for many reasons. Malicious actors seek to accomplish political or economic goals. Disgruntled employees want revenge. Others want financial gain or access to valuable proprietary data on reserves and discoveries. Whatever the motivation, high downtime costs and attack frequency rates necessitate strong cybersecurity protocols.

Migrating to the digital oilfield

The digital oilfield fuses two different technologies together using open IT protocols: operational technology (OT) with supervisory control and data acquisition (SCADA) and back office enterprise IT systems.

As a result, companies are realising vast gains from insights and actions as data is integrated and analysed in real time. For example, digital oilfield instrumentation is enabling horizontal drilling and multilateral wells. Sensors allow superior surveillance of pipelines. And real-time visibility into operations allows companies to better control costs and optimise the performance of employees, assets and facilities.

Modern two-way radio technologies are IP based and are enabling greater workforce efficiency and safer work practices by offering integrated field voice and data communication services. Advanced radio systems such as P25 and TETRA can be integrated with SCADA and back office IT systems to promote efficient work processes and enhanced management of critical assets.

But the combination of open standard-based IP protocols and integration into back office systems also puts companies at considerable risk of cyber attack.

Cyber threats are growing in new ways and places

The convergence of SCADA and IT environments is not the only security issue causing concern. Successful attacks in the form of viruses and worms have demonstrated that companies often underestimate the vulnerability of diverse systems.

Newer technologies such as those controlling drilling rigs and cloud-based services are subject to probes or attacks. So too are once-isolated plant control systems that are now integrated with corporate networks or vendors. Even private smartphones and devices used by company employees potentially open up a network to an increasing number of threats and malicious behaviour. It is estimated that 96% of such mobile devices do not utilise encryption protection.⁶ Such threats can target data at rest on the device and can be introduced through online web surfing.

In short, wherever there is digitally enabled technology or an intelligent device, even a simple device that controls a valve on the pipeline, there is a risk of it being used as a portal and taken over without authorisation. Cybercriminals are targeting the entire spectrum of potentially valuable data: data at rest, data in transit and data in use.

While IT and OT share many similarities, it is important to highlight some unique characteristics of OT systems. OT comprises SCADA systems that monitor and control critical infrastructure — threats to which, if realised, have real consequences such as personal injury, catastrophic equipment damage, lost production capacity, environmental impact or violation of legal and regulatory requirements.

Threats against IT and SCADA systems

Threats against IT and SCADA systems can come from a wide range of sources, some of which are adversarial such as hostile governments, while others arise from natural sources such as human errors and accidents. Data breaches committed by these sources can come from a variety of threat actions, some of which are discussed below.

TABLE 1 HERE: Caption: Table 1: Top 10 most critical SCADA vulnerabilities. Source: Idaho National Laboratory.

Malware

Malware is any malicious software that has been developed for the purpose of compromising or harming information assets without the owner’s consent. Cybercriminals often target IT data assets such as those stored on servers, data sent by emails and stored on mobile devices and even information backed up on USB memory sticks. Even two-way radio systems that are considered ‘isolated’ from the enterprise IT network are vulnerable to malware attacks. If a competitor steals blueprints to a company’s power grid or key pipelines, it could disable operations and cause serious economic damage.

Watering holes

Instead of directly inviting users to visit a website, this attack gathers information on targeted users and compromises a legitimate website they are likely to visit. Malicious software covertly added to the site then infects the viewers’ computers. By taking advantage of the user’s trust in a website, the watering-hole technique is an effective method and its use against Australian networks continues to grow. In fact, in October 2014, CERT Australia issued an advisory warning of watering-hole activity specifically targeting organisations in the energy sector.⁷

Spear phishing

Humans are notoriously susceptible to social tactics such as deception, manipulation and intimidation. A spear phishing attack exploits this weak point by using an email that appears to be from an individual or business known to the target. Data breaches based on social tactics have had a devastating impact on businesses, accounting for 37% of data stolen during cyber incidents in 2012.⁸

Advanced persistent threats

Advanced persistent threats (APTs) use targeted attacks as part of a longer-term campaign of espionage and sabotage, typically targeting high-value assets such as critical infrastructure. APTs are sophisticated and adapt to defenders’ efforts to resist their attacks.

Oil and gas companies depend on the transmission of data to apprise management of new oil field discoveries, productivity levels and other mission-critical data. Imagine the damage that could be done if a competitor accesses an oil company’s system and finds out where it has discovered vast oil or natural gas reserves.

Insider threats

A US Central Intelligence Agency analyst recently told an international group of government officials and engineers, as well as US security managers from electric, water, oil and gas and other critical industry asset owners, that “we have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge.”⁹

This is not surprising. The Global Ponemon Institute report on cybersecurity found that the most costly cybercrimes are those caused by malicious insiders, denial of service (DoS) and web-based accounts. These account for 44% of all cybercrime costs per organisation on an annual basis.¹⁰

Denial of service

Oil and gas control system operation can be disrupted by delaying or blocking the flow of information through communication networks, thereby denying availability of networks to control system operators. This form of DoS can be caused by IT-resident services such as domain name system (DNS) — for example, using spoofed DNS requests. Clearly, where control systems are involved, DoS can have physical manifestations such as plant shutdowns.

These are just a few examples of how much can go wrong if an oil and gas company’s systems are hacked or compromised. But there are solutions, providing security measures are tailored to meet the unique real and present dangers of individual companies.

The NIST framework

A 2013 study by the CSIS found that 96% of successful breaches could be avoided if the organisations put simple or intermediate controls in place.¹¹ In February 2013, The NIST Framework for Improving Critical Infrastructure Cybersecurity was created as the result of a US Executive Order, in response to the growing security, economy, public safety and health risks caused by cybersecurity threats.

The NIST Cybersecurity Framework provides a common mechanism on which organisations can:

describe their current cybersecurity posture;
describe their target state for cybersecurity;
identify and prioritise opportunities for improvement;
assess progress towards the target state;
communicate among internal and external stakeholders about cybersecurity risk.

Cybersecurity involves much more than protection and prevention. It also involves the ability to quickly detect breaches and thoroughly research the extent and impact of those breaches.

New ways of doing business demands smarter cybersecurity

So what are the best practices to improve the security posture of the industrial control and IT systems supporting critical infrastructure? What actions need to be taken to secure legacy systems? The cybersecurity strategy below is consistent with the NIST Framework and highlights a set of processes which, when executed concurrently and continuously, serve to improve an organisation’s cybersecurity posture.

Know your critical assets: Identify your organisation’s business objectives and high-value assets, then conduct risk assessments to find any vulnerabilities.
Protect your IT, radio network and OT environments: Establish defences to block intruders before they reach your critical business assets, and educate your employees to recognise and avoid cyber attacks such as spear phishing and watering holes.
Detect potential threats before they occur: Use the right tools to gain a comprehensive view of your security environment and monitor potential threats both externally and internally.
Respond and recover: With the speed and intelligence of many of today’s cyber attacks, cyber breaches may still occur, even in the most secure infrastructure. Having a contingency plan in place can help you respond immediately if a breach should occur.

The digital oilfield brings huge advantages but also tremendous issues should a company’s systems be hacked or compromised. However, there are solutions for protecting SCADA systems, mobile communication networks, smart sensors or other physical assets. Where oil and gas companies can stumble is when they fail to address vulnerable interfaces between their diverse systems or consider how their security infrastructure functions as a whole.

Best practices can improve the security posture of the OT and IT systems that make up the digital oilfield, greatly reducing the risk and potential cost of cyber attack. With the speed and intelligence of many of today’s cyber attacks, breaches may still occur, even in the most secure infrastructure, but having a contingency plan in place can help ensure an immediate response if a breach should occur.

In short, the mantra for a healthy digital oilfield is to know your critical assets, protect the IT radio network and OT environments, detect potential threats before they occur and be able to quickly respond and recover.

References

Ponemon Institute 2013, 2013 Cost of Cyber Crime Study: Global Report.
Connolly B 2015, Government security breaches decrease: report, CIO, 29 July 2015, <https://www.cio.com.au/article/580697/government-security-breaches-decrease-report/>
IDC 2011, 2012 Worldwide Oil and Gas Top Predictions, IDC Energy Insights 2011.
ASM 2014, 'HP Reveals Cost of Cybercrime in Australia Escalates 33 percent to $4.3 Million', Australian Security Magazine, 19 Dec 2014, <https://australiansecuritymagazine.com.au/hp-reveals-cost-cybercrime-australia-escalates-33-percent-4-3-million/>.
ABI Research 2013, Cyber-attacks against oil and gas infrastructure to drive $1.87 billion in cybersecurity spending by 2018, 29 Jan 2013, <https://www.abiresearch.com/press/cyber-attacks-against-oil-gas-infrastructure-to-dr/>.
McClain C 2012, Cybercrime: Mobile Changes Everything — And No One’s Safe, WIRED, 25 Oct 2012, <https://www.wired.com/2012/10/from-spyware-to-mobile-malware/>.
Australian Government 2015, 2015 Threat Report, Australia Cyber Security Centre, Jul 2015, <https://www.acsc.gov.au/publications/ACSC_Threat_Report_2015.pdf>.
Verizon 2012, 2012 Data Breach Investigations Report, <http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf>.
Espiner T 2008, CIA: Cyberattack caused multiple-city blackout, CNET, 22 Jan 2008, <https://www.cnet.com/news/cia-cyberattack-caused-multiple-city-blackout/>.
Ponemon Institute 2013, 2013 Cost of Data Breach Study: Global Analysis.
Lewis JA 2013, Raising the Bar for Cybersecurity, Centre for Strategic and Studies, 12 Feb 2013,<https://csis-prod.s3.amazonaws.com/s3fs-public/legacy_files/files/publication/130212_Lewis_RaisingBarCybersecurity.pdf>.