Apr-2019

Countering cyber attack

The oil and gas sector is consistently among the most vulnerable to cyber attack. Can a security programme reduce the risks?

CHRIS CUNNINGHAM
PTQ

Article Summary

Cyber criminality is never far from the headlines, with constant attacks reported at state level, on banking and IT databases, or directed at the particularly vulnerable oil and gas industry. Towards the end of 2018, a malware attack directed at Middle East petroleum concerns hammered the PC fleet of Italian oil and gas contractor Saipem, whose operations are chiefly centred on the Gulf, with further related infections in India, Italy, and Scotland.

According to Rockwell Auto-mation, safety related security breaches can occur when employees or contractors plug an infected machine into the system, connect to an unsecure network or download the wrong program. The principal sources of these attacks generally include: employees, disenchanted with their current or former employer and knowing the ins and outs of a system, who break in and cause damage; individual hackers who attempt to break into an operations system for financial reasons; state-sponsored hackers who target critical infrastructure and production systems to disrupt operations or steal secrets; and cyber criminals with no motivation other than malice, who seek to disrupt, infect or shut down an operation.

Innocent invitation
A point to note, though, is that, for all of their misbegotten talents, cyber criminals find it extremely difficult if not impossible to break through the security systems of anything other than the most naive of corporate database structures. Aside from disgruntled employees, a successful raid on a company’s systems may well be the result of an inadvertent and innocent invitation to enter the building.

For instance, the next time you are about to plug a flash drive into your workstation, pause for a moment. The statistics say that you may be posing a risk to your refinery’s process control network.

The results of research released by Honeywell in November 2018 indicate that removable USB devices, including flash drives, pose a significant cyber security threat to a wide array of industrial process control networks.

The company’s Secure Media Exchange technology was used to scan and control USB devices at 50 locations. At 44% of the sites, the exercise detected and blocked at least one file with a security issue and showed that 26% of the detected threats were capable of significant disruption by causing operators to lose visibility or control of their operations.

The threats targeted a wide variety of industrial sites, including refineries, and the threats ranged in severity. About one in six of the threats targeted industrial control systems or internet of things (IoT) devices.

The threats detected in the scan included well-known intruders such as Triton, Mirai, and variants of Stuxnet which has been used at state level to disrupt industrial operations. In comparative tests, up to 11% of the threats discovered were not reliably detected by other anti-malware technology. The results of the study are in the Honeywell Industrial USB Threat Report which recommends that operators combine people training, process changes, and technical solutions to reduce the risk of USB threats across industrial facilities.

Password threat
Day to day use of corporate passwords is also a major source of risk to data security. In the case of the attack that affected Saipem, it is possible, according to consultant Synopsys, that an employee used the same password in multiple locations which led to the attacker’s ability to compromise the PC network. The attack could also be predicated by a phishing campaign or other compromising event. The attack, says Synopsys, was most likely brought about by cyber criminals who were specifically targeting Saipem. Employers should state in their password policy that employees should not reuse corporate passwords on other systems. Additionally, if an employee receives a suspicious email they should report it to their IT security group immediately.

The Middle Eastern attack involved a variant of the destructive malware Shamoon. According to software security provider Symantec, these Shamoon attacks are doubly destructive, since they involve a new ‘wiper’ that deletes files from infected computers before the malware wipes the master boot record.

Symantec had found evidence of attacks against two other organisations during the same week, in Saudi Arabia and the United Arab Emirates. Both organisations are involved in the oil and gas industry.

More destructive attack
The addition of wiping software makes these attacks more destructive than the use of the malware alone. While a computer infected by Shamoon could be unusable, files on the hard disk may be recoverable. However, if the files are first wiped, recovery becomes impossible.

The wiper is spread across the victim’s network from an initial computer using a list of remote computers. This list is in the form of a text file and is unique to each victim, meaning the attacker may well have gathered this information during an earlier reconnaissance. This list is first copied then passed on to another ‘spreader’ tool. A further component of the attack will then copy the wiper to the remainder of the listed computers, then simultaneously trigger the wiping malware on all infected machines.

Malware such as Shamoon has developed a history of its own. It made its first appearance in 2012 when it was used in a series of attacks against the Saudi Arabian energy sector.

Activity then ceased until it re-emerged in 2016. A modified version of the malware was used in attacks against a range of targets, again in Saudi Arabia, and the attacks were timed to cause maximum destruction, triggered as they were at the end of the Saudi working week. Computers were wiped after most staff had left for the weekend, minimising the chance of discovery before the attack was complete.

Why Shamoon has suddenly been deployed again remains unknown, says Symantec. However, the fact that the malware seems to be taken out of retirement every few years means that organisations need to remain vigilant and ensure that all data is properly backed up and a robust security strategy is in place.

Security strategy
What should a security strategy entail? Speaking at a recent conference, a Rockwell Automation executive said that teams from environment, health and safety, operations and IT should work together to identify safety data requirements for operations systems and develop a risk management strategy for security threats and vulnerabilities, as well as their potential implications for safety.

Basic cyber security hygiene involves knowing your assets and their potential risks. Very few plants have a complete list of all of their PCs, where they came from and how long they have been in operation, according to Rockwell which proposes a cyber safety assessment.