September 2016, Vol. 243, No. 9

Features

Pipeline Cybersecurity Issues from Marcellus and Beyond

By William E. Ebersole, Special Agent, Federal Bureau of Investigation, Philadelphia Division/Williamsport Resident Agency

The Marcellus Shale has had a tremendous effect on several states in the Northeast, including Pennsylvania. The exploration, production, and transportation of billions of cubic feet of natural gas has brought many jobs and an influx of people and cultures previously unseen to north-central Pennsylvania.

In order to maintain the high level of safety demanded by the public, the energy industry relies on the use of supervisory control and data acquisition (SCADA) systems, most notably on the pipelines. These pipelines comprise thousands of miles of transportation infrastructure, moving natural gas throughout the United States and even to ocean-going vessels for shipment overseas.

Natural gas pipelines face a variety of hazards that include acts of nature, physical assaults and cyberattacks by a variety of actors, including subjects in China. Currently, the threat of cyberattack has garnered the most attention and promises the most dire consequences. Human negligence also accounts for a substantial number of network compromises.

This article examines some of the cybersecurity issues associated with SCADA systems and the threats that can undermine their safe operation.

Over the next three years, the Marcellus Shale region can expect to see 17 new pipeline projects, which will ship about 17.3 Bcf/d to end users in various communities. The new pipelines will be expected to transport natural gas throughout the Atlantic and Gulf Coast areas and to new gas-fired generation plants.

In north-central Pennsylvania, several new generation plants have been built to convert natural gas to electricity. Plant construction costs can reach almost $1 billion per plant. These plants will receive natural gas via pipelines and convert it to low-cost electricity. Experts believe this is a “once-in-a-lifetime” construction cycle.

Upon completion of the construction, the pipelines will become operational. Among emergency responders, law enforcement officials and the intelligence community, the long-term focus on the cybersecurity issues associated with these pipelines should begin long before the completion dates.

The Marcellus Shale region is largely rural with vast wooded areas. Although the well pads are mainly in remote areas, the pipelines and compressor stations come close to schools, neighborhoods and shopping malls. The emergency services community covers a vast area and consists mainly of small police departments, supplemented by the Pennsylvania State Police, volunteer firefighters, and emergency medical professionals who maintain employment in other industries. Consequently, there is a need to maintain a high level of pipeline cybersecurity to supplement thinly stretched emergency responders.

Cyber Threats to Pipelines

In 2013, the U.S. Department of Homeland Security’s Computer Emergency Response Team (DHS-CERT) responded to 256 industry-wide cyberattacks, with 59% of those coming in the energy sector.

The oil and gas industry loses about $8.4 million per day due to cyberattacks, and over 50% of these are directed at SCADA systems. In 2012, CERT identified more than 7,200 devices associated with energy sector control systems connected directly to the internet, with many of these devices having “weak, default or nonexistent logon credential requirements.”

In 2014, the Ponemon Institute conducted a survey of 599 security executives at utility, oil and gas, energy, and manufacturing companies. Nearly 80% of these senior security executives responded that a successful attack on their SCADA systems was at least “somewhat likely.”

Security solutions company McAfee identified China as using “spear-phishing” (email that appears to be from an individual or business the recipient knows) and other types of malware to target five major western energy companies from 2008 through 2011 in a series of attacks dubbed Night Dragon. China stole gigabytes of highly sensitive, proprietary information from these companies. McAfee reported new Night Dragon attacks are being identified every day.

The DHS in 2012 announced that the Chinese conducted an extensive spear-phishing campaign and successfully compromised 23 natural gas pipelines. Also in 2012, smart grid technology vendor Telvent advised that APT1, a Chinese military hacker group, installed malicious software and stole project files related to OASyS SCADA. The OASyS SCADA technology helps energy firms mesh old technology with newer, “smart” technology.

More recently, cybersecurity researchers installed a SCADA honeypot and in less than two hours, it experienced automated attack bots originating from China. This attack by China occurred even before the SCADA honeypot was indexed by the Shodan search engine. In total, the cybersecurity researchers logged 4,261 attacks on the honeypot in four days with 75% of the attacks coming from China.

In 2014, Wang Dong, a member of People’s Liberation Army (PLA) Unit 61398 who is also known as Ugly Gorilla, was identified as engaging in suspect activity. Specifically, Dong was identified as hacking into pipelines and stealing schematics of the pipelines, accessing systems that regulate natural gas flow and stealing emails. Dong and other members of Unit 61398 conducted this reconnaissance over at least 14 months in 2012 and 2013.

Dong’s focus on SCADA systems is of concern. Investigators were able to determine he had a folder on his desktop marked “SCADA” in which he placed some of the pilfered files. It is suspected he and others were testing their hacking skills and collecting data, perhaps for a virtual battle that will be waged sometime in the future.

Vulnerability of SCADA

SCADA devices were originally designed to last many years in remote locations with limited physical security. SCADA systems are designed to run 24/7, frequently lack security updates and anti-virus tools, and are often paired with systems from different manufacturers, making patching and updates extremely difficult. In fact, major gas transmission companies can have up to 15 or more different computer systems on a pipeline with each system requiring a different service protocol. Consequently, SCADA systems are designed and deployed in a manner that makes them more susceptible to compromise.

One of the most alarming vulnerabilities associated with SCADA systems is the use of very weak, default passwords by manufacturers and the lax cybersecurity practices by companies that use these systems.

DHS identified thousands of SCADA and related devices used in the energy sector that have weak or default password protection, if indeed the company uses access restrictions at all.

Use of poor password protection on SCADA systems is so well known that cyber-researchers from Russia have published online a list of SCADA systems that have default passwords – along with the actual passwords. The researchers have published this document, called the SCADAPass, in hopes that vendors will change the use of such defaults as “password” or “admin.admin.”

Fortunately, the Russian researchers did not publish a readily available list of devices that have hard-coded passwords, which are identified as passwords that cannot be changed by the user.

The SCADA system manufacturers’ use of weak default passwords is a questionable security practice that is further exacerbated by an industry-wide hands-off approach to SCADA cybersecurity preparedness. Technology journalist Kelly Jackson Higgins noted natural gas operators have an “if it works, don’t touch it principle.” Consequently, operators do not enable built-in security features, which are available at no additional cost on the SCADA units.

Further, operators will typically allow various employees, vendors and consultants to have access to their SCADA systems. In addition, some employees who require access to the SCADA are sometimes given excess permissions. Consequently, operators experience an enhanced vulnerability to spear-phishing attacks that can result in a loss of log-in credentials.

Higgins also observed most operators will patch their SCADA systems on an extremely limited basis due to the industry emphasis on uptime and operations.

In addition, SCADA systems are typically implemented in “wide open” networks that allow the spread of problems rather quickly. Furthermore, there is an industry trend to have the SCADA systems connected to the business system with vulnerabilities in one system leading to an intrusion into the other system.

Cyberattack Vectors

Steven Bjarnason, Cybersecurity and Risk Management manager at Columbia Pipeline Group, characterized advanced persistent threats (APT), facilitated by an element of social engineering, as the most significant threat to cybersecurity in the pipeline arena. Bjarnason further noted hackers have knowledge of SCADA system vulnerabilities and have done pre-operation surveillance of these systems.

Cyber attackers using the Shodan search engine can facilitate the delivery of malware to SCADA systems quite easily. Shodan, unlike traditional search engines, indexes header information. Shodan runs constantly and will collect, on average, information from about 500 million devices connected to the internet every month.

Shodan will identify servers, webcams, printers and other types of devices, such as SCADA, which are connected to the internet. Shodan can identify SCADA devices hooked up directly to the internet and can even harvest results for devices that either require no access credentials or use weak passwords such as “1234.”

The ability of Shodan to identify SCADA devices, which historically have weak passwords, sets the stage for a computer network that can be adversely affected with limited effort.

Attackers are able to gain access to sensitive operating and business networks via simplistic spear-phishing and social engineering techniques, often exploiting the failure to change default passwords or apply patches. Shodan enhances the external hacker’s abilities on an exponential basis in the arena of SCADA systems. The potential consequences for these shortcomings can be devastating.

Potential Consequences

According to security experts, pipelines are the perfect target for a terrorist because the lines are already at capacity, and there are limited options once the pipeline is breached. Preliminarily, a substantial disruption to the pipeline’s safe operation will have a tremendous environmental effect, including defoliation of the area, discharge of natural gas into the surrounding atmosphere and disruption of wildlife. In addition, a successful cyberattack on a natural gas pipeline would cause a significant financial loss to the private sector and some governmental entities.

Further, the private companies operating the natural gas pipelines will have a loss of business data as metering stations in the affected area would most likely be destroyed. In addition, pipeline companies would suffer tremendous reputational harm.

Certain cyberattacks may not result in a catastrophe since the hacker may be interested in things other than sabotage. For example, when the Chinese hacked into the natural gas pipelines a few years ago, it may have been for mapping purposes, and could result in potential future damage in the event a kinetic war between the United States and China breaks out.

Conversely, the attacks could have been to enter the company’s business network via the SCADA system. Once in the company’s business network, the attacker could obtain valuable, proprietary information, including vendor and customer lists or key technologies and gain an unfair competitive advantage.

Conclusion

The United States and other nations are becoming increasingly dependent on natural gas for a variety of reasons. Because of this, there will be an ever-expanding need to transport the natural gas via pipelines that rely on SCADA systems. Private industry security personnel are encouraged to develop current, ongoing relationships with law enforcement officers in order to disrupt potential cyberattacks and cultivate valuable intelligence.

A good first step in the development of these valuable, professional relationships is to join your local Infragard Chapter and attend the periodic meetings. A joint effort will help ensure a safer and more productive future. Membership in Infragard can be initiated by applying online at www.infragard.org.

The opinions expressed in this article are those of the writer and do not necessarily reflect the opinions of the Federal Bureau of Investigation or the United States government.

Author: William Ebersole is a special agent with the Federal Bureau of Investigation and is assigned as coordinator for both the Weapons of Mass Destruction Program and Infragard, a cybersecurity outreach program facilitated by the FBI. He graduated summa cum laude from Marywood University and cum laude from the Pennsylvania State University – Dickinson School of Law. Ebersole recently graduated from LaSalle University in the cybersecurity certificate program and is also a licensed attorney, certified public accountant and certified fraud examiner. This article was submitted in partial fulfillment for the course Cybercrime, Cyber Warfare, and Cyber Espionage. Ebersole is an adjunct instructor of Forensic Accounting at the Pennsylvania College of Technology.

Sources

Aydell, Glenn. “The perfect ICS storm.” (Master’s Thesis). Sans Institute, 2015. Retrieved from: www.sans.org/reading-room/whitepapers/internet/perfect-ics-storm.

Bjarnason, Steven. “Achieving vital security with cloud services.” Pipeline & Gas Journal, February: 49-51.

CNN Money. “Shodan: the scariest search engine on the Internet.” CNN. Last updated April 8, 2013. http://money.cnn.com/2013/04/08/technology/security/shodan/.

Cohn, Mark. “Infographic: 70 Percent of world’s critical utilities breached.” Dark Reading. Last updated Aug. 15, 2014. http://www.darkreading.com/attacks-breaches/infographic-70-percent-of-worlds-critical-utilities-breached/a/d-id/1298006.

Harp, Derek, and Gregory-Brown, Bengt. “The state of security in control systems today.” Sans Institute. Last updated June 2015. https://www.sans.org/reading-room/whitepapers/analyst/state-security-control-systems-today-36042

Hellman, Hillary. “Acknowledging the threat: securing United States pipeline SCADA systems.” Energy Law Journal 36: 157-178.

Higgins, Kelly. “Researchers out default passwords packaged with ICS/SCADA wares.” InformationWeek. Last updated Jan. 4, 2016. http://www.darkreading.com/endpoint/researchers-out-default-passwords-packaged-with-ics-scada-wares/d/d-id/1323755.

Howard, S., and Wallaert, T. “Improving Cybersecurity Defenses in Oil and Gas Applications.” Pipeline & Gas Journal, Feb. 2015: 46-48.

King, Hobart. “Marcellus Shale – Appalachian Basin Natural Gas Play.” Geoscience News and Information. Last updated April 3, 2015. http://geology.com/articles/marcellus-shale.shtml.

Kopan, Tal. “Buzzing: FBI talks JPM, China hacking.” Politico. Last updated Oct. 21, 2014. http://www.politico.com/tipsheets/morning-cybersecurity/2014/10/buzzing-fbi-talks-jpm-china-hacking-another-day-another-breach-staples-scada-honeypot-catches-chinese-flies-212543.

Natgas. “The Transportation of Natural Gas.” NaturalGas.org. Last updated Sept. 20, 2013. http://naturalgas.org/naturalgas/transport/.

NJ Cybersecurity and Communications Integration Cell. “Oil and Gas: Industry Among Sectors with highest cyber-risk.” Last updated Sept. 2, 2015. http://www.cyber.nj.gov/threat-analysis/oil-and-gas-industry-among-sectors-with-highest-cyber-risk

Reitenbach, Gail. “Chinese hackers blamed for breach of Telvent’s SCADA-related network.” Powermag. Last updated Sept. 27, 2012. http://www.powermag.com/chinese-hackeers-blamed-for-breach-of-elvents-scada-related-network.

Riley, Michael and Robertson, Jordan. “UglyGorilla hack of U.S. Utility exposes cyberwar threat.” Bloomberg Business. Last updated June 13, 2014. http://www.bloomberg.com/news/articles/2014-06-13/uglygorilla-hack-of-u-s-utility-exposes-cyberwar-threat.

Ritenbaugh, Stephanie. “Marcellus shale region to see wave of large pipeline projects.” Post Gazette, Last updated June 23, 2015. doi:http:/powersourcce.post-gazette.com/powersource/companies/2015/06/23/Marcellus-Shale.

STI Group. “Compressor stations: What they do, how they work, and why they are important.” Last updated Jan. 21, 2014. http://setxind.com.

Treat, Russell. “SCADA and telemetry in gas transmission systems.” Pipeline & Gas Journal, Feb. 2015, 61-63.
