Cybersecurity Pro: Oil and Gas Supply Chain Can Be Weak Link

Oil and gas companies employ various measures to protect their increasingly sophisticated operational infrastructure. Nevertheless, cyber-criminals are adept at finding vulnerabilities to gain access to these critical systems – and their efforts appear to be paying off. As a 2016 white paper from Underwriters Laboratories (UL) observes, cyberattacks against critical energy infrastructure systems have been on the rise in recent years.

A key vulnerability that cyber-criminals exploit is the oil and gas supply chain, says UL Cybersecurity Lead Ken Modeste.

A Cybersecurity Benchmark

Organizations such as UL provide cybersecurity standards that oil and gas facilities can use to assess – and overcome – vulnerabilities in their operational equipment.

“Support of these standards and their use in procurement, as well as the testing of vendors and their equipment, helps provide oil and gas facilities with a benchmark of what they should expect from every piece of equipment, or software that may be used in the OT or connected into a system such as HVAC, cameras or building automation,” UL’s Ken Modeste told Rigzone.

“Oil and gas facilities can use these standards to vet equipment to industry best practices to ensure that systems have security designed into them and can start addressing weaknesses that are being exploited.”

“Attackers are using techniques to infiltrate oil and gas with the intent to disrupt service, and these techniques are being understood as finding a weaker link in a less secure environment to then pivot to the oil and gas infrastructure,” Modeste said. “A foundation for working on a solution is to drive the supply chain into best practices that are adopted by the organization.”

To learn more about the oil and gas supply chain’s susceptibility to cyberattacks, along with approaches to mitigate them, read on for excerpts from Rigzone’s recent conversation with Modeste.

Rigzone: What are some of the key trends you’re seeing regarding cyberattacks against energy infrastructure, particularly in oil and gas?

Modeste: Since the Ukraine power grid attacks occurred in the last two years, trends focusing on energy and oil and gas tend to be increasing. The U.S. Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) recently alerted in October that “DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign.” This alert is identifying a trend where multi stage attacks are being performed. Lower-level targets like third party suppliers are being used as staging grounds for the true intended primary target. Going after a third party to get to the intended victim involves different levels of engagements as the softer, less-secure target is infiltrated and then pivoted to the real asset.

Rigzone: Which types of oil and gas facilities are most vulnerable to cyberattacks?

Modeste: At the beginning of the decade, there was more of a surveillance around oil and gas which was based on the reports of American utility companies as primary targets. Therefore, oil and gas producers and liquid distributors could be a step to focusing on utilities. National energy infrastructure organizations and oil production facilities may become primary targets when the ultimate goal is to disrupt the utility supply to the broader economy. The most vulnerable would be those that are least prepared in terms of risk assessment and management, who may have flawed supply chain partner practices and improperly trained staff. As an example, if employees can download a menu from the nearby favorite food delivery company, then all you need to attack is a small family-owned restaurant website which is based on reconnaissance of targeted employees’ eating habits.

Rigzone: How do these attacks typically occur, and what are some potential effects?

Modeste: These attacks begin with reconnaissance of regular public data. For example, knowing from which restaurants targeted company staff tend to have food delivered or picked up. This means that current employees’ public habits are easily discovered. Then either a phishing email campaign, or “watering hole attack” malware, can be utilized to infiltrate either the primary target or a less-secure target. A phishing email is one that is meant to hide its true intent and source, and a watering hole attack can consist of embedding malware in a popular website destination. A lesser (less secure) target could be a supply chain vendor, like a law firm, consulting firm, facility contracting firm or similar. Once this target is compromised, the attack can pivot to the true intended target. One of the tried and true methods also includes acquiring credentials for secondary systems by focusing on victims with some weaker security practices.

 

Rigzone: What are the unique cybersecurity challenges in oil and gas?

Modeste: Asset owners in the oil and gas space have the unique challenge that their operational technology (OT) networks are large and operational and doesn’t lend itself to massive upgrades. With some of these OT networks either having public internet connections, old legacy systems that are either not supported by the vendor or are unpatched, non-secure OT protocols that communicate authentication and authorization means in easily circumvented means, and the typical use of remote connectivity for either support, troubleshooting or remote administration. Adding to this, slow industry adoption of either malware detections and anomaly detection systems, oil and gas could potentially be a rich target. Standards and specifications that guide to secure use of OT systems that understand the risks and mitigate for events need to be more widely debated and adopted.

Rigzone: What’s the industry doing right regarding preventing cyberattacks?

Modeste: Education of users is probably the number one thing that is moving in the right direction. Industry is recognizing the potential for disruption and is beginning to heed some of the public information. DHS and FBI continuous monitoring and notification, especially with the latest alert, can start providing guidance for an operator to begin to build practices that can shore up defenses. Being aware of the methods of attack are the first key steps.

Rigzone: Where is there room for improvement?

Modeste: Securing the supply chain and third-party partners needs to be improved. As can be seen by the trends, they are both being used as a pivot into organizations. Defining standards and best practices that are required within an organization doesn’t help if it is not expected of an organizations’ partners. These methodologies should be promoted – in a connected way – through to all entities with which oil and gas is doing business.