Beating an Advanced Persistent Threat

Richard Sale
Thursday, June 6, 2013

Oil companies are consistently underestimating the hacking risks they face. Richard Sale explains how underestimating the threat can be fatal to a company’s future.

Globally-interconnected digital information and communications infrastructure – better known as “cyberspace” – underpins almost every facet of modern society and provides critical support for the US economy, its civil infrastructure, public safety, and national security. Security in cyberspace relies on interdependent networks of information technology, national infrastructure, the Internet, telecommunications networks, computer systems, and embedded processors and controllers. Each of these plays a critical part in maintaining intellectual property, the efficient function of the banking and energy industries, and protection of key corporate and national assets.

Yet, it is abundantly clear that the activities of hackers or other spreaders of outlaw malware can severely impair industrial or government systems and their assets. There is a trend in the oil industry that aims at integrated management of control and safety systems resulting in improved use, efficiency, reduction in personnel, training costs, and cost savings. But industrial systems for the oil industry and offshore platforms remain extremely vulnerable to attacks by hackers. Such breaches, often called Advanced Persistent Threats (APT), can have a devastating effect on national economic security and public safety, and sophisticated hacker attacks can result in huge thefts of intellectual property, financial data, damaged integrity, as well as system disruption or even physical damage. The blunt fact is these APTs live and learn while remaining undetected on systems sometimes for years, and once they get the attack code, they could cause hardware malfunctions that may prove catastrophic to the asset and/or the onboard personnel.

A congressional source with intimate knowledge of the subject said of APTs, “what used to be called an unlikely event should now be probably thought of as a persistent threat with potential systematic implications.” The increasing menace of hacker attacks “leapt to prominence as networks moved to the center of business operations,” said James Lewis, cyber expert at the Center for Strategic and International Studies (CSIS). The persistent threat facing the offshore oil industry is the continued plundering of value from systems and government agencies by hackers and other hostile actors, including state proxies. Lewis added that such breaches “have become big business.” The blunt fact is such attacks have resulted in “a very risky environment…Cyber Space is the Wild West,” he said.

Hacking the easy way

According to serving U.S. intelligence officials, the newest oil rigs, some of which cost upward of $1 billion, employ cutting-edge robotics technology, but the software that controls a rig’s basic functions is often antique. Most rely on decades-old supervisory control and data acquisition (SCADA) software, written in an era before security was even thought of, said Jeff Vail, a former counterterrorism and intelligence analyst with the US Interior Department, in a news report. “It’s underappreciated how vulnerable some of these systems are,” he said. “It is possible, if you really understood them, to cause catastrophic damage by causing safety systems to fail.”

A study of threats to oil and gas companies by Rice University noted, “Clearly by any means, the operator will be prepared to consent to any demands however bizarre, in order to avoid a catastrophic failure of the offshore asset, which is usually a multi-billion dollar investment. If the cyber criminal wishes to impose disastrous damage to the platform this is a very elaborate task requiring specialized coding intended to fool the automatic shut-down mechanisms.”

Another congressional source said, “Security is not simply a matter of funding or planning,” pointing out “the security systems for offshore oil platforms were not designed with security in mind. They simply had a layer of IP (intellectual property) thrown over them like a blanket. They are legacy systems and are all over the place, and they remain extremely vulnerable.” The cost of making improvements argues against industry making them. “Ultimately, it is the wallet that pushes the move to integration,” said Steve Elliott, director of Triconex product management for Invensys Operations Management. “If integration is cheaper, people will buy it.”

Ingenious attacks on offshore oil installations and energy facilities exploit default settings on computer and network devices.

A default setting is one in which the system vendor ships a device with a preset username such as “admin” and a preset password, and once the system is installed, users forget to change them. Cyber criminals then use these default settings to gain entrance. An ordinary password is completely useless as a defense against hacking. Hackers lock in on known or publicly unknown (Zero Day) software vulnerabilities, misconfigurations, weak passwords and systems that leak information. Lewis said a clever 12-year-old can cause a serious breach. In addition, a professional hacker relies on the black market, where automated malware kits are available that can steal personal data, credit card information and passwords, along with tools and other attacking techniques. Some hacker tools can even be downloaded via the Internet.

“Cyber attack and terrorism have now moved into the automation and process safety stage,” Elliott said. Digital technologies are being deployed from the ground up in the form of smart field devices that send plant health diagnostics data into the plant-wide network. He pointed out that because digital communication technology is at the heart of these advances, the threat will only get greater, especially as digital communication “extends into the field.”

Open systems are open to all

The offshore oil world has been severely shaken by the development of Internet connectivity and terrorism, Elliott said. He pointed out these two entities “draw attention to a frightening reality: There are bad people across the water who would love to do great damage to the upstream asset and its surrounding environment.”

Oil companies are warning the worst case scenario would be one in which valves were accessed, which could set offshore rigs on fire, kill personnel, and halt production. The cost of down time on an offshore rig is $6.3 million a day, experts said. The financial loss could be huge. Stuxnet, which crippled Iran’s nuclear centrifuges, shows the potential devastation of a worm created to cause damage. Experts believe this kind of attack could be replicated on oil producing offshore rigs, and many think it has already.

The list of oil company cyber victims is growing all the time. In August 2011, a McAfee white paper exposed “Operation Shady Rat,” a five-year operation that targeted natural gas distribution, oil platforms, federal, state, and county governments, plus defense and construction industries. Then in October of 2011, the U.S. Department of Homeland Security warned of attacks on gas, oil, waste and sewage systems. In November 2011, hackers attacked Norway’s oil, gas and defense businesses, thanks to targeted emails that appeared to come from legitimate sources. The attackers pilfered drawings, contracts, current negotiation documents and others. In April 2012, DHS said attacks on oil and natural gas facilities had begun five months earlier, the attackers using tightly focused “spear-phishing” email attacks.

The recent discovery of malware like Flame (2012) and Stuxnet (2010), which for the first time targeted industrial control systems, has highlighted the susceptibility of critical infrastructures to cyber threats. In other words, offshore oil rigs, like any major organization or company, have a target on their backs and need to develop an in-depth defense program that employs strategies like whitelisting, effective patch management, and intrusion detection, among others, which can ward off or isolate attacks that could injure the network.

U.S. congressional officials said any industrial component is liable to be an attack target. While oil companies try to keep it quiet, malware infections have occurred at several offshore rigs and platforms, knocking some offline. A congressional source said a tailored attack, directed to target a facility through widely distributed malware, could have dangerous repercussions. When infected devices have been connected to isolated networks, malware can spread like wildfire and create serious problems. In one instance, malware on a facility in the Gulf of Mexico caused a system to lock up, said Misha Govshteyn, co-founder of Alert Logic, a network security company. “They literally had a worm that was flooding their network, and they’re out in the middle of the ocean.”

A congressional source said if companies understood how Stuxnet propagated throughout the industrial control system at the Natanz nuclear enrichment facility in Iran, then it would be very easy to understand how an attacker could get into a system to control an offshore platform. With enough knowledge of a facility like an oil platform, refinery, or pipeline network, a cyber attack that used distributed malware, could lead to real physical damage. Lewis pointed to the case of the Iranian centrifuges at Natanz in Iran where acute damage was inflicted.

SCADA attacks

In the past, infrastructure networks were locally isolated and disconnected from the outside world. It was “security via obscurity.” However, the Stuxnet virus was the trigger that laid bare the weaknesses and vulnerabilities of the industrial control systems. Elliott said a major trend in process safety and prevention continues to be integration of control and safety systems. He added there is also a trend toward open standards and networked solutions, not just at the automation level but also at the business and IT levels. Yet, he said, more and more digital communication technology remains at the heart of these advances; the threats will only get greater, “especially considering that digital communication extends into the field.” 

“Stuxnet is an interesting weapons design,” Lewis said. “You need to introduce the virus and then you need to trigger it. It only works against a specific configuration.” The first stage of the virus uses a “beacon” that performs surveillance of the target, mapping an electrical blueprint of Iran’s centrifuges, with the data sent back to the controller. The second stage, a trigger, added “Zero Day exploits” that can cause physical damage. The virus was only configured for Iranian nuclear facilities. It wasn’t designed to spread. But it did.

It provides some mild comfort that “thousands of places around the world were infected but only one was damaged,” the Iranian facility at Natanz, Lewis said. While past attacks focused on swiping terabytes of sensitive corporate data to gain a competitive edge for nation state corporations, the latest attacks – representing a serious escalation – have tried to gain the ability to manipulate American critical infrastructure: power grids and other utilities. And this all leads back to the digitally weaponized world of Stuxnet, SCADA infiltration, destroyed machinery and networks – in other words, literal warfare, Cannistraro said.

The nightmare that many fear is that some critical piece of infrastructure on an offshore installation like the Master Control Station (MSC), which acts as the interface between the operator and the subsea equipment, could become infected by a virus brought on board by unsuspecting platform workers who simply downloaded some music or video. The virus would then attack the electronic messages from a human/machine interface to the subsea unit, sending false readings to the Subsea Control Model, the main brain of the system. Another case feared by many entails hackers, state-sponsored agents, or terrorists using malicious code that could send false on-screen readings to the subsea well operators, similar to the Stuxnet attack where the virus seized control of Iran’s centrifuges and continued to give Iranian operators readings that belied the fact the machines were running wildly out of control and damaging themselves.

Like any other computerized system, offshore oil and gas floater systems are not immune to malicious cyber attacks. Another congressional source said oil companies have to take all the steps necessary to remove malware from the oil rigs’ system and protect them from any future attacks. Users could prevent quite a few of these malware attacks with anti-virus systems and updated system software, the source said.

Fighting back

Oil rig operators and strategists have done good analyses of the breaching techniques used by hackers, and they are learning steps to counter or forestall them, yet company owners have not used that information to prevent attacks. Lewis said oil companies consistently make the grave mistake of underestimating the risks of hacking they face, especially as dependence on computer systems continues to grow. 

The New York Times reported only one of 45 types of malware ended up being detected by companies’ anti-virus defense. Lewis said that while companies are spending more money on cyber defense, it is used in many cases on measures and activities that are ineffective. 

Shawn Henry, former head of the FBI counterintelligence unit and president of CrowdStrike Services, agrees that addressing vulnerabilities just does not work.

“Instead of addressing vulnerabilities, you have to know who your adversaries are. Our digital DNA is all stored or transmitted electronically and it is riding on an inherently insecure network,” said Henry during his keynote address at ABB Automation and Power World in Orlando, FL, in March.

One bright spot in this clouded sky rests on devising an effective strategy and tactics to block cyber attacks. Keeping a close account of hacking incidents is a start. Instead of seeing cyber security as central to a company’s welfare and growth, company leadership too often sees it as an IT problem best left to specialists, techies and information officers. 

In this view, persistent threats are not a “board room” problem but sit on the margins of company operations. But as Lewis noted, such an attitude is dreadfully obsolete. One PricewaterhouseCoopers survey, entitled “Global State of Information Security Survey 2013,” made clear that while companies believed they were securing their networks, most were not. The old strategy centered on identifying a pattern of code and then blocking it. But if the malware has not been identified, then blocking can’t occur.

Meeting the threat: Mitigation Strategies

Meeting cyber threats requires much more corporate energy than is apparent today. The combination of weak defense and easy hacking is an extremely dangerous one for a company’s future. Perhaps the most promising program is a joint effort between Australia’s Defence Signals Directorate and the National Security Agency (NSA) of Ft. Meade, MD, which worked with private companies and government agencies like the FBI to analyze cyber breaches on the basis of their frequency and effectiveness. The study was based on measurable, repeatable data.

The result was a list of 35 mitigation steps, with four of them viewed as especially successful. Since most dangerous cyber attacks are carried out using steps that allow an attacker to infiltrate a system and steal data, the new approach allows companies to attack those steps one at a time. Using four mitigation strategies was effective in stopping 85% of intrusions, according to the five-year study.

Perhaps the most attractive aspect of this approach is that it saves companies big money by not having to mitigate a cyber incident and recover from the unplanned downtime. But, it also allows a company to become more productive, which allows for greater profitability. If users carry out the steps with vigilance, cyber attacks can, for the most part, be successfully managed.

It goes to show cyber security is a business decision about profit and risk, and underestimating the threat can be fatal to a company’s future. The promise of these steps is that cyber risks can be drastically reduced if the steps are followed. Companies have a better idea of what is going on and what works if they combine computer networks and computer power.

OE Review

Categories: Automation Safety & Security
