Oil and Gas

Published on 01 Jul 2019

Updated on 08 Oct 2019

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.


OVERVIEW

The oil and gas vertical in the Energy sector faces more disruptive and potentially destructive cyber-attacks than before. On one hand, increasingly connected systems provide a growing threat surface; on the other, threat actors are constantly on the lookout for targets against which to achieve a wider range of effects. These actors, often guided by geopolitical or commercial objectives, are targeting oil and gas companies to conduct espionage, disruptive attacks, or even outright destruction.

Cyber threats to the oil and gas industry have grown on two counts. One, the threat surface has increased. In recent years, operational technology (OT) used in the industry has been increasingly connected to the Internet for various reasons, including to enable remote monitoring for efficiency. In so doing, OT is inadvertently exposed to the same cyber threats that Internet-facing devices face. Two, determined attackers have improved their ability – their tactics, techniques, and procedures (TTPs) – to target OT. A successful strike against OT can cause operational disruption or even destruction, making it a high-impact and valuable target type.

In 2017, reports of malicious cyber activity against energy and related companies emerged. Of concern was the discovery of the TRITON malware, which had targeted safety systems in an energy company. The same safety system is also used in other sectors. The discovery of TRITON suggests that malicious actors have the intent, willingness, and now the capability to inflict serious physical damage that could impact human safety.

[Figure: Timeline of known malicious cyber activity reported in the oil and gas industry since 2011]


REPORTS

SUPPLY CHAIN ATTACKS

On-going hacking attempts on oil & gas companies and third-party service providers reflect attackers’ persistent interest in the industry. In April 2018, five American gas pipeline operators experienced service disruptions to their customer communications systems after the service provider for those systems was hacked. The incident highlights the importance for the sector to consider all parts of the supply chain when it comes to cybersecurity.



MORE DESTRUCTIVE CYBER-ATTACKS

A watershed cyber-attack was attempted on the oil and gas industry: A petrochemical company with a plant in Saudi Arabia was hit in August 2017 by a remote cyber-attack meant to sabotage operations and trigger an explosion. It was the first time that the affected Schneider Electric Triconex systems were known to be remotely sabotaged. The malware, dubbed TRITON or Trisis, was custom-built to evade detection and affect specific valves to trigger an explosion. The only thing that prevented significant damage was a mistake in the malware code.

Attempts on industrial control systems (a subset of OT) have been relatively rare, given they have been typically harder to penetrate and navigate within. Notable – and successful – attacks in recent times have been few, but significant. These include the 2010 Stuxnet worm infection and the 2012 Shamoon wiper virus attack.

For TRITON, industry observers have highlighted three key concerns: First, the attack can be replicated in other industries and countries where Triconex systems are in use. Second, attackers could have corrected the coding error, meaning that the next attack may successfully cause the intended explosion. Third, the attack may have been a proof of concept or a precursor to even more destructive attacks.



BETTER CYBERSECURITY NEEDED

Recent media reports suggest that the oil and gas industry globally may not be spending enough on cybersecurity. One reason for this could be that “lower-for-longer” oil prices in 2015 and 2016 led to cutbacks in “less essential” areas like cybersecurity investment. Another might be that the C-suite may not yet see cyber risk as a major concern, and companies do not pay enough attention to cybersecurity protection and awareness training.



WHAT’S BEING DONE

The US government proposed legislation in April 2018 to improve physical and cybersecurity for pipelines and liquefied natural gas facilities. In addition, it is also offering a US$25 million (SG$33 million) grant to enhance cybersecurity in the nation’s energy sector. The areas of focus include improving resilience in the oil and gas industry, and secure communications.

In October 2017, Saudi Arabia set up a new authority for cybersecurity to “protect its vital interests, national security and sensitive infrastructure”, foremost of which is oil, its main export and economic lifeline.



Increasing cybersecurity spending is just part of the solution. Other considerations include appreciating the cyber threat landscape specific to the oil & gas industry, establishing robust cybersecurity governance and practices, and conducting a holistic assessment of cyber risk to IT and OT environments.

The World Economic Forum’s knowledge platform may be a starting point to get strategic perspectives on oil and gas security. The US Congressional Research Service also offers some reports on oil and gas cybersecurity, and the US Industrial Control Systems (ICS)-CERT is a reliable source for technical alerts and information on malware and vulnerabilities potentially affecting oil and gas OT.



QUICK BYTES

ART IMITATING LIFE OR LIFE IMITATING ART?

In Live Free or Die Hard a.k.a. Die Hard 4, a hacker seizes control of a natural gas distribution system and redirects all the natural gas into a utility station, causing a massive explosion.

This may be art imitating life: in 1982, there was a large blast on a Soviet pipeline. There are claims that the blast resulted from a logic bomb planted by the US’s Central Intelligence Agency (CIA). Opposing claims explain the blast as a result of poorly constructed infrastructure.

Even if it did not happen before, such an attack may yet occur in real life, as malicious actors develop cyber-attack capabilities with more severe physical consequences.



SOURCES INCLUDE: Bloomberg, FireEye, OilPrice.com, The Houston Chronicle, Reuters, the US Central Intelligence Agency, the US Congressional Research Service, the US Department of Energy, US ICS-CERT, Utility Dive, Wired, World Economic Forum.