May 2017, Vol. 244, No. 5
Features
Understanding the Scope: Brief History of Energy Industry Cyberattacks
For years, cybersecurity has been an afterthought relegated to digital bits and bytes with little interest beyond the data center. With high-profile hacks now permeating the headlines, those times are gone forever, but there is hope of turning the tide despite the alarming trends in play.
A different mentality needs to be embraced by corporate decision-makers in order to prepare for this new era in cybersecurity. This is especially true in energy-related industries where the threat is particularly disconcerting.
The nature, scale and severity of cyberattacks against oil- and gas-related concerns have dramatically increased and evolved over the past year. Due to the increase in volume, and the dynamic nature and increased sophistication, the attacks continue to be successful. Veterans in both the energy and cyber-space can attest that oil and gas companies are struggling to keep up with defending their organizations against the more advanced attack methods and next generation malware.
Source: ICS-CERT
Reasons for the cyberattacks are primarily related to profit, espionage, market manipulation or political agendas. The “bad guys” are hunting data that includes business trade secrets and strategic plans, customer lists, bid information, C-level email communications related to acquisitions, and geological data.
A study by Symantec showed that 43% of international energy companies were successfully hacked in 2015. Another study conducted by Trend Micro revealed 47% of energy firms reported attacks. These numbers highlight attack volumes higher than any other industry, with the second-largest group being government agencies. The Department of Homeland Security reports that the energy sector faces more cyberattacks than any other industry with no downturn in sight.
In fact, the Ponemon Institute interviewed 257 energy companies that disclosed alarming financial loss information. The findings showed that cyber-crimes cost energy and utility companies an average of $13.2 million annually due to lost business and damaged assets. This is an amount larger than in any other industry.
Operational technology (OT) is a category of hardware and software that monitors and controls how physical devices work within supervisory control and data acquisition (SCADA) infrastructure. OT is pervasive in the oil and gas industry and completely different than a traditional corporate network that delivers internet, email, cloud applications, etc.
An interesting aspect of OT is that it requires an uncommon approach for defense varying significantly from protecting a traditional corporate network. It requires a specialized skill set and knowledge base to execute security tactics. OT is critical for data protection as it poses a high-value target associated to SCADA systems, programmable logic controllers (PLC), power plant industrial software and controls, and transmission and distribution grids.
Successful attacks on OT infrastructure have the potential to cause massive damage to equipment or more concerning, loss of life, by exploiting oil and gas processes that could trigger an explosion or an offshore oil spill, among other catastrophes. It is always devastating when an energy company is hacked, but if the attack happens to be within its critical SCADA systems, it could become much worse. Both SCADA and corporate environments should be assessed frequently to identify and mitigate risks. Corporate and OT infrastructures should also be segregated as much as possible to reduce the risk of lateral movement from one system to the other.
Attack Examples
Corporate Espionage: One of the most successful known cyberattacks against a U.S. energy firm was the “Night Dragon” cyber-campaign that spanned 2008 to 2011. McAfee confirmed the attack objective was to steal “confidential data from five major Western energy companies which included ExxonMobil, BP PLC and Chevron as well as other large oil companies.” Chevron eventually commented that it was unaware of any successful compromises into the company’s data systems by Night Dragon, but attempts were made.
According to a Council on Foreign Relations (CFR) report, “Night Dragon was able to steal gigabytes of highly sensitive material, including proprietary information about oil- and gas-field operations, financial transactions, and bidding data.”
The campaign took advantage of vulnerabilities discovered by hackers on the firm’s internet facing websites and applications with SQL injection as one of the main exploits.
Power outage: A primary example of energy sector compromises includes a targeted attack on a Ukrainian power grid – believed to be the first example of a power outage deliberately caused by a hack. According to reports, malware was introduced by an infected Excel spreadsheet distributed via a phishing email.
A state-sponsored Russian hacker group took credit for the blackout that caused a large outage in western Ukraine. This incident is noteworthy because of the implications to the United States’ power grid. It is not a stretch to believe that U.S. intelligence and law enforcement agencies are concerned about this exact form of attack. If a bad actor disrupted U.S. power distribution, it could force the stock exchange to shut down, curtail mass transit and cause other widespread, impactful failures. The costs and psychological effects would be significant.
Other high-profile, energy-related attacks include:
- Iran’s Natanz nuclear facility: In 2010, the facility was hit with the now infamous “Stuxnet” worm, which is labeled as the world’s first cyber-weapon. The attack suspended the country’s uranium enrichment program, setting it back for years. After the discovery, several other large energy companies were also targeted. Stuxnet variants such as the “Duqu Trojan” were introduced after it was made public and identified as attacking industrial control facilities to steal highly confidential data.
- The Poison Ivy campaign: In 2011, there was a targeted campaign known as the “Nitro” cyber-espionage that was directed at 48 companies involved in the research, development and manufacture of chemicals and advanced materials. A Trojan horse named “Poison Ivy” was used to search for privileged user accounts with administrator access and offload stolen content to hacker command-and-control systems. Most successful exploits were achieved through email phishing employees.
- Aramco: In August 2012, hackers linked to the Iranian government launched an attack using the “Shamoon” malware that was introduced by an insider via a USB drive that destroyed data, disabled about 30,000 computers and caused millions of dollars in damage.
- Qatar’s Rasgas: The attack in August 2012 took down the company’s internal IT infrastructure including computer systems, email and web applications. It did not affect LNG operations. The type of malware or exploitation that took place was never determined, but due to the close timing of attacks on both Aramco and RasGas, it was highly suspicious. Both were exploited by the same or similar hacker groups and malware, or its corresponding variants.
- Iran’s Oil Ministry and the Middle East: At the time of this attack, the malware used to infiltrate Iran’s Oil Ministry network and a large population of Middle Eastern computers was seen as the most sophisticated, complex and largest – at about 20 megabytes (MB) – to date. The malware called “Flame” then renamed by the Laboratory of Cryptography and System Security (CrySyS) to “SkyWiper” caused data loss within the Ministry and stole data. So far, its main use is spying on Iran’s oil sector. According to cyber-firm Kaspersky, it has also been used to attack specific individuals, specific state-related organizations, other oil and gas interests, and educational institutions.
Current research and recent history reinforce that the energy sector has been, and most likely will continue to be, one of the largest and most frequent targets for cyberattacks. As a result, corporate reputations remain in the balance through data theft or disabling of websites, as well as physical destruction of assets and even worse, casualties.
Cybersecurity must be a top priority for the energy sector to protect personnel and corporate interests from fast-expanding, advanced state-sponsored attacks, as well as attacks from experienced, isolated hacker groups. Prioritization to prevent these instances must start at the executive level and descend to all business units and partners.
Unfortunately, there are no silver bullets offering complete protection against cyber assault, but vigilance, education and investment are essential to improve the odds that can preserve the safety of people and the sanctity of business.
Authors: David Deering is founder and Glenn Sweeney is the director of cybersecurity for LEO Cyber Security. For further information, visit www.leocybersecurity.com.
Comments