Make no mistake, APTs are watching, learning, and poised to attack
Globally-interconnected digital information and communications infrastructure—better known as “cyberspace”—underpins almost every facet of modern society and provides critical support for the US economy, its civil infrastructure, public safety, and national security. Security in cyberspace relies on interdependent networks of information technology, national infrastructure, the internet, telecommunications networks, computer systems and embedded processors and controllers. Each of these plays a critical part in maintaining intellectual property, the efficient function of the banking and energy industries, and protection of key corporate and national assets.
Yet, it is abundantly clear the activities of hackers or malware can severely impair industrial or government systems and their assets. There is a trend in the oil industry that aims at integrated management of control and safety systems resulting in improved use, efficiency, reduction in personnel, training costs and cost savings. But industrial systems for the oil industry and offshore platforms remain extremely vulnerable to attacks by hackers.
Such breaches, often called advanced persistent threats (APT), can have a devastating effect on national economic security and public safety, and sophisticated hacker attacks can result in huge thefts of intellectual property, financial data, damaged integrity, as well as system disruption or even physical damage. The blunt fact is these APTs live and learn, while remaining undetected on systems, sometimes for years. If they get a coded command to attack, they can cause hardware malfunctions that could prove catastrophic to the asset and onboard personnel.
A congressional source with intimate knowledge of the subject says of APTs: “What used to be called an ‘unlikely’ event should now probably be thought of as a persistent threat with potential systematic implications.” The increasing menace of hacker attacks “leapt to prominence as networks moved to the center of business operations,” says James Lewis, cyber expert at the Center for Strategic and International Studies (CSIS). A persistent threat facing the offshore oil industry is the continued plundering of value from systems and government agencies by hackers and other hostile actors, including state-proxies. Lewis added such breaches “have become big business.” Such attacks have resulted in “a very risky environment…cyberspace is the wild west.”
Hacking the easy way
According to serving U.S. intelligence officials, the newest oil rigs, some of which approach US$1 billion in cost, employ cutting-edge robotics technology, but the software that controls a rig’s basic functions is often antique. Most rely on decades-old supervisory control and data acquisition (SCADA) software, written in an era before security was even thought of, says Jeff Vail, a former counterterrorism and intelligence analyst with the US Interior Department, in a news report. “It’s underappreciated how vulnerable some of these systems are,” he says. “It is possible, if you really understood them, to cause catastrophic damage by causing safety systems to fail.”
A study of threats to oil and gas companies by Rice University noted: “Clearly by any means, the operator will be prepared to consent to any demands, however bizarre, in order to avoid a catastrophic failure of the offshore asset which is usually a multibillion dollar investment. If the cyber criminal wishes to impose disastrous damage to the platform, this is a very elaborate task requiring specialized coding intended to fool the automatic shut-down mechanisms.”
Another congressional source says, “Security is not simply a matter of funding or planning,” pointing out “the security systems for offshore oil platforms were not designed with security in mind. They simply had a layer of IP thrown over them like a blanket. They are legacy systems and are all over the place, and they remain extremely vulnerable.”
The cost of making improvements argues against industry making them. “Ultimately, it is the wallet that pushes the move to integration,” says Steve Elliott, director of Triconex product management for Invensys Operations Management. “If integration is cheaper, people will buy it.”
Ingenious attacks on offshore oil installations can lead one to believe hackers are evil geniuses operating with deft, breathtaking skill in outwitting company security procedures. The truth is extremely deflating. In 2011 and 2012, surveys showed more than 90% of successful penetrations of company networks required only the most basic techniques.
More worrying is the fact breaches went undetected for weeks, sometimes even years, according to the Verizon 2012 Data Breach Investigations Report. The report states, “Most victims fell prey because they were found to possess an (often easily) exploitable weakness,” and 96% of the successful breaches could have been avoided if the victim had put in place simple or intermediate controls. In addition, 85% of the penetrations took five months to discover; the discovery in most cases made by a third party.
IP makes up most of a company’s value, but its accurate value is not known until it is put on the market. It usually takes time for a hacker to turn intellectual property thefts into a commercial product, but not always. China severely penetrated the design and the avionics of the new US F-35 fighter, says Vince Cannistraro, former head of CIA Counterterrorism. He says it is abundantly clear some of the stolen US data is already seeing the light of day on the latest Chinese fighter designs.
The sad fact is that losses from cyber intrusions can cost companies big money. When Saudi Aramco, Saudi Arabia’s national oil and gas company, suffered an attack last August, by Iran, at least 30,000 computers were infected (not damaged) and had data permanently erased, while hackers stole IP, military and commercial technology, marketing plans, plans for new products, plus confidential business information, according to US intelligence officials who say “other companies were affected.” These sources say the dollar loss “was extremely significant.”
Yet, the ability to inflict such losses actually doesn’t require much talent.
“Hacking shouldn’t be as easy as it is,” Lewis says; 75% of the breaches of oil platforms exploited publicly known vulnerabilities found in commercial software, congressional sources say. Surveys, in 2011 and 2012, show only basic techniques are required to cause breaches and one of the easiest paths to invade an offshore energy facility is using default settings on computer and network devices.
A default setting is when a system provider presets the password and the username. After the system is installed, users sometimes forget to reset the default setting. Cyber criminals can use default settings to gain entrance. The use of the ordinary password is completely useless as a defense against hacking. The hackers lock in on known or publicly unknown (Zero Day) software vulnerabilities, misconfigurations, weak passwords and systems that leak information. Lewis says a clever 12-year-old can cause a serious breach.
Professional hackers also rely on the black market for automated malware kits that can be used to steal personal data, credit card information, and passwords. Some hacker devices can even be downloaded via the Internet.
“Cyber attack and terrorism have now moved into the automation and process safety stage,” Elliott says. Digital technologies are being deployed from the ground up in the form of smart field devices that send plant health diagnostics data into the plant-wide network. He pointed out because digital communication technology is at the heart of these advances, the threat will only get greater, especially as digital communication “extends into the field.”
The offshore oil world has been severely shaken by the development of internet connectivity and terrorism, Elliott says. He pointed out these two entities “draw attention to a frightening reality: there are bad people across the water who would love to do great damage to the upstream asset and its surrounding environment.”
Oil companies warn that the worst case scenario would be one in which valves were accessed, which could set offshore rigs on fire, kill personnel and halt production. The average cost of down time on an offshore rig is $6.3 million/day, experts say. The financial loss could be huge. Stuxnet, which crippled Iran’s nuclear centrifuges, shows the potential devastation of a worm created to cause damage. Experts believe this kind of attack could be replicated on oil producing offshore rigs, and many think it has already.
The list of oil company cyber victims is growing all the time. In August 2011, a McAfee white paper exposed “Operation Shady Rat,” a five-year operation that targeted natural gas distribution, oil platforms, federal, state and county governments, plus defense and construction industries.
Then in October 2011, the US Department of Homeland Security warned of attacks on gas, oil, waste and sewage systems.
Norway’s oil, gas, and defense businesses, thanks to targeted emails that appeared to come from legitimate sources. The attackers pilfered drawings, contracts, current negotiation documents and others.
In April 2012, DHS said attacks on oil and natural gas facilities had begun five months earlier, the attackers using tightly focused “spear-phishing” email attacks.
The recent discovery of malware such as Flame (2012) and Stuxnet (2010) that targeted, for the first time, industrial control systems has highlighted the susceptibility of critical infrastructure to cyber threats. In other words, offshore oil rigs and facilities, like any major organization or company, require defensive programs that employ strategies like whitelisting, effective patch management, and intrusion detection, that can ward off or isolate attacks that could injure the network.
US congressional officials said any industrial component is liable to be an attack target. While oil companies try to keep it quiet, malware infections have occurred at several offshore rigs and platforms, knocking some offline. A congressional source says a tailored attack, directed to target a facility through widely distributed malware, could have dangerous repercussions. When infected devices have been connected to isolated networks, malware can spread like wildfire and create serious problems. In one instance, malware on a facility in the Gulf of Mexico caused a system to lock up, says Misha Govshteyn, co-founder of Alert Logic, a network security company. “They literally had a worm that was flooding their network, and they’re out in the middle of the ocean.”
A congressional source says if companies understood how Stuxnet propagated throughout the industrial control system at the Natanz nuclear enrichment facility in Iran, then it would be very easy to understand how an attacker could get into a system to control an offshore platform. With enough knowledge of a facility like an oil platform, refinery, or pipeline network, a cyber attack that used distributed malware could lead to real physical damage.
In the past, infrastructure networks were locally isolated and disconnected from the outside world. It was “security via obscurity.” However, the Stuxnet virus was the trigger that laid bare the weaknesses and vulnerabilities of the industrial control systems. Elliott says a major trend in process safety and prevention continues to be integration of control and safety systems. He added there is also a trend toward open standards and networked solutions, not just at the automation level but also at the business and IT levels. Yet, he says, as more and more digital communication technology remains at the heart of these advances, the threats will only get greater, “especially considering that digital communication extends into the field.”
“Stuxnet is an interesting weapons design,” Lewis says. “You need to introduce the virus and then you need to trigger it. It only works against a specific configuration.” The first stage of the virus uses a “beacon” that performs surveillance of the target, mapping an electrical blueprint of Iran’s centrifuges, with the data sent back to the National Security Agency in Maryland. The second stage, a trigger, added “Zero Day exploits” that can cause physical damage. The virus was only configured for Iranian nuclear facilities. It wasn’t designed to spread, US officials say. But it did. It provides scant comfort to know that in spite of the fact “thousands of places around the world were infected but only one was damaged,” the Iranian facility at Natanz, Lewis says. While past attacks focused on swiping terabytes of sensitive corporate data to gain a competitive edge for nation state corporations, the latest attacks—representing a serious escalation—have tried to gain the ability to manipulate America’s critical infrastructure: power grids and other utilities. This all leads back to the digitally-weaponized world of Stuxnet, SCADA infiltration, destroyed machinery and networks—in other words, literal warfare, Cannistraro says.
The nightmare that many fear is that a critical piece of infrastructure on an offshore installation like the master control station (MCS), which acts as the interface between the operator and the subsea equipment, could become infected by a virus brought on board by unsuspecting platform workers who simply downloaded some music or video. The virus would then attack the electronic messages from a human/machine interface to the subsea unit, sending false readings to the subsea control module, the main brain of the system.
Another case feared by many would involve hackers, state-sponsored agents, or terrorists using a malicious code that could send false on-screen readings to operators of subsea wells. This could be similar to the Stuxnet attack, where the virus seized control of Iran’s centrifuges at Natanz and yet continued to give Iranian operators false readings that masked the fact the machines were running wildly out of control.
Offshore oil and gas systems are not immune to malicious cyber attacks. Another congressional source says oil companies have to take all the steps necessary to remove malware from offshore facilities and protect them from any future attacks. Users could prevent quite a few of these malware attacks with anti-virus systems and updated system software, the source says.
Oil rig operators and strategists have done good analyses of the breaching techniques used by hackers, and they are learning steps to counter or forestall them. Yet, company owners have not used that information to prevent attacks. Lewis says oil companies consistently make the grave mistake of underestimating the risks of hacking they face, especially as dependence on computer systems continues to grow.
The New York Times reported only one of 45 types of malware ended up detected by companies’ anti-virus defense. Lewis says while companies are spending more money on cyber defense, it is used in many cases on measures and activities that are ineffective.
Shawn Henry agrees addressing vulnerabilities just does not work. “Instead of addressing vulnerabilities, you have to know who your adversaries are,” says the former head of the FBI Counterintelligence Division and president of CrowdStrike Services. “Our digital DNA is all stored or transmitted electronically and it is riding on an inherently insecure network,” Henry said during his keynote address at the ABB Automation and Power World conference in Orlando, Florida, this past March.
One bright spot rests on devising an effective strategy and tactics to block cyber attacks. Keeping a close account of hacking incidents is a start. Instead of seeing cyber security as central to a company’s welfare and growth, company leadership too often sees it as an IT problem best left to specialists, techies, and information officers. Persistent threats are seen not as a “board room” problem but as something on the margins of company operations. But as Lewis pointed out, such an attitude is dreadfully obsolete. A PricewaterhouseCoopers survey, entitled “Global State of Information Security Survey 2013,” made clear that while companies believed they were securing their networks, most were not. The old strategy centered on identifying a pattern of code and then blocking it. But if the malware has not been identified, then blocking can’t occur.
Meeting cyber threats requires much more corporate energy than is apparent today. The combination of weak defense and easy hacking is an extremely dangerous one to a company’s future. Perhaps the most promising program is a joint effort between Australia’s Defense Signals Directorate and the US National Security Agency (NSA) of Ft. Meade, Maryland, which worked with private companies and government agencies like the FBI to analyze cyber breaches on the basis of their frequency and effectiveness. The study was based on measurable, repeatable data.
The result was a list of 35 mitigation steps, with four of them viewed as especially successful. Since most dangerous cyber attacks are carried out using steps that allow an attacker to infiltrate a system and steal data, the new approach allows companies to attack those steps one at a time. Using four mitigation strategies was effective in stopping 85% of the intrusions, according to the five-year study.
Perhaps the most attractive aspect of this approach is that it saves companies money by not having to mitigate a cyber incident and recover from the unplanned downtime. If users carry out the steps with vigilance, cyber attacks can be successfully managed.
Cyber security is a business decision about profit and risk, and underestimating the threat can be fatal to a company’s future. Cyber risks can be drastically reduced if they combine computer networks and computer power.
Richard T. Sale was United Press International’s intelligence correspondent for 10 years, and at the Middle East Times, a publication of UPI. He is the author of Clinton’s Secret Wars (2009) and Traitors (2003).