This month, researchers at Black Hat Europe will show how vulnerabilities in SAP applications can be exploited to hurt oil and gas industry processes. Many professionals are under the impression that the threat of a hacking attack is low—they’re wrong. Today oil and gas companies are more of a target than ever before. System vulnerabilities coupled with society’s dependence on oil and gas make the industry particularly attractive. Here, we’ll discuss in depth what makes the industry a target for hackers, and what can be done to protect your systems and equipment.
Real vulnerabilities
If high-profile attacks like the one on Saudi Aramco have shown us anything, it’s that all companies need to understand the threat of a cyberattack in the industry. Cybersecurity firm Symantec Corp found that computer-system invaders attacked 43% of global firms within the industry at least once last year.
According to an article from Planet Engineering, the perception of lowered risk in the industry stems from the belief that standalone systems have no outside connectivity and therefore aren’t susceptible to attacks. This logic is flawed for two reasons: most control systems are often connected to the Internet, and true standalone systems are still vulnerable to attacks.
The industry is a target in part due to its role in society. Energy is used for everything from running our vehicles to serving manufacturing plants. The United States relies on a vital pipeline network to transport oil and gas. The threat isn’t limited to data: equipment that runs on computer-based systems is vulnerable to takeovers, too. Computer science professor Alvaro Cardenas explains in the Bloomberg article, “Nowadays you have computers running everything…. You can create blackouts or oil spills and hurt a lot of people.”
Attacks on the oil and gas industry are also attractive from an economic standpoint. Hackers can access company systems to gain a competitive edge. Hacking on a larger scale can potentially impact oil prices and disrupt the market. Black Hat Europe explains that SAP and Oracle systems also serve processes including Hydrocarbon Supply Chain management. Black Hat Europe notes that hydrocarbon volumes are dependent on environmental conditions such as temperature and pressure. Excise duties, pricing and transportation fees are dependent on these volumes, and a hacker changing the recorded conditions could severely disrupt pricing calculations, putting the entire system at risk.
Prevention
According to an OilPrice article, cyberthreats to the oil and gas industry can be divided into two categories. The first is the threat toward information technology (IT) systems. These include the most publicized attacks on office computers and the stealing of business information. Protection against IT threats is well understood, as firms like Palantir and Symantec specialize in cyber security and have solutions available for firms.
The second threat is toward Operational Technology (OT), which includes systems and controls that operate pipelines, power plants and transmission/distribution grids. Given that these attacks weren’t recognized as serious threats until 2007 by the United States government, the measures in place to protect them are still up in the air. The challenge comes with implementing updated OT systems that don’t interfere with or disrupt their functionality. Nevertheless, steps are being taken. The Department of Energy, for example, unveiled in 2011 its “Roadmap to achieve Energy Delivery Systems Security.” The goal is to put energy systems in place that can withstand a cyber attack by 2020.
On a company level, steps can be taken to help protect against IT and OT attacks. Among the most important is proper training. Dark Reading explains the gap that exists between control systems groups and IT security. Though control systems engineers recognize cybersecurity threats, they aren’t trained in IT security. The same holds true in the reverse.
It’s also important that companies have basic security measures in place before moving on to more advanced solutions. BeyondTrust CTO Marc Maiffret says that some companies jump right into these in-depth solutions without the basics, such as system patching or privilege. The lack of these measures means a lot of noise coming through the advanced solutions, making it harder to identify legitimate threats.