With high profile breaches in the financial, healthcare and retail sectors making news almost daily, it’s no secret that those industries are in the adversary’s crosshairs. However, while it may get less press, another sector is also very much a target for hackers and the consequences of breaches could be even more disastrous than stolen personal data. That industry is the oil and gas sector.
The vulnerability of industrial control systems across the energy sector was the topic of a recent event in Washington, DC. Rod Turk, Associate CIO for Cybersecurity & CISO, Dept. of Energy (DOE), shared that DOE has seen a dramatic increase in malware, vulnerabilities and exploits specifically targeted at the energy sector. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) coordinates control systems-related security incidents and information sharing with Federal, State, and local agencies and organizations, the intelligence community, and private sector constituents. The most recent ICS-CERT incident response report shows that in FY14 the energy sector had the highest number of incidents, with almost 40 different attacks making up 42% of all industrial attacks.
In recent years, there have been a number of high-profile, advanced malware threats that targeted or attacked the energy sector such as Dragonfly, Stuxnet, Flame and Shamoon. Oil and gas networks, in particular, can be more susceptible to internal incidents because many devices on the network run 24 hours a day, seven days a week, and often lack the security updates and antivirus tools needed to protect against vulnerabilities. Adversaries are definitely taking advantage of these vulnerabilities: 2013 saw a 179% rise in the number of reported cyber-attacks on oil and gas companies, which reported more than 6,500 breaches. Attacks on the oil and gas sector are increasingly characterized by subtle and persistent attempts to steal valuable information.
Compounding the issue that the oil and gas sector is an attractive target for hackers is the fact that industrial control systems (ICS) across the sector are woefully unprepared to protect themselves against attackers. Another panelist at the event mentioned above shared that over the course of conducting inspections at more than 500 industrial control plants across the energy sector, he asked each time whether there was any connectivity between the industrial control environment (OT) and the enterprise architecture (IT). In every instance the answer was no… and in every one of those instances, that answer proved to be incorrect. Even something as innocuous as a shared printer between IT and OT represents a security vulnerability that can be exploited by hackers. Vulnerabilities like this pose a huge threat to the energy sector—particularly the oil and gas sector.
Anyone working with ICS in the oil and gas industry is aware of the pressure to increase productivity and reduce costs through network integration. For example, sharing real-time data from field operations with management is standard practice for most companies. The demand for remote support has made many pipeline control systems accessible via Internet-based technologies. These new technologies are enabling companies to implement agile, cost-effective business practices. However, these efficiencies come with a price: pipeline control systems are now exposed to cyber-security threats they were never designed for. This increased connectivity of ICS presents a huge vulnerability, and there is an increasing body of information available to adversaries about what to look for in terms of vulnerabilities in the oil and gas sector.
ICS security for the oil and gas sector starts with visibility—you can’t protect what you can’t see. Knowing what devices are connected and what’s happening on them is vitally important, as is the ability to isolate each device in the event of a breach. In order to map the connectivity of devices across both IT and OT, cultural issues must first be resolved so that the IT and OT teams are working together to protect the enterprise and its assets. This starts with understanding where all connections are, then maintaining real-time visibility across the entire system, as well as understanding who is coming after you. In 2012 CrowdStrike identified Energetic Bear, an adversary group out of the Russian Federation that has been conducting broad intelligence collection operations against the energy sector and has demonstrated the ability to interact with OPC (Object Linking and Embedding for Process Control). As looming energy crises and market fluctuation continue to impact international discourse, the oil and gas industry will continue to be in the crosshairs of numerous state-sponsored computer network operations programs. The Chinese 383 “trinity” program for domesticating energy, Russian international diplomacy, and Iranian nuclear research and development are routinely reflected in the most important news stories of the day.
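The inspection anecdote above (the "no connectivity" answer that a shared printer disproves) and the visibility point in this paragraph both come down to the same exercise: take whatever flow records the site already has and find the connections that cross the IT/OT boundary. The following script is an added example, not CrowdStrike's code or any product's; the zone address ranges, port labels and flow records in it are constructed for illustration and would come from the plant's own asset inventory and switch or firewall exports in practice.

```python
"""Added example (not CrowdStrike's code): find IT/OT crossings in flow records.

Each endpoint is classified as IT or OT by address range; the script reports
flows that bridge the two zones and the hosts that touch more than one zone.
Zone ranges, port labels and the sample flows are constructed for the example.
"""
import ipaddress
from collections import defaultdict

# Hypothetical zone definitions: replace with the plant's real address plan.
ZONES = {
    "IT": [ipaddress.ip_network("192.168.0.0/16")],
    "OT": [ipaddress.ip_network("10.10.0.0/16")],
}

# Well-known ports, labelled so the report reads sensibly.
PORT_LABELS = {
    135: "DCOM/OPC Classic",
    445: "SMB",
    502: "Modbus/TCP",
    9100: "raw printing",
    20000: "DNP3",
}

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.5.20", "192.168.1.50", 9100),   # OT HMI prints to the IT printer
    ("192.168.3.7", "10.10.2.15", 135),     # IT workstation talks DCOM to an OT OPC server
    ("10.10.2.15", "10.10.7.3", 502),       # normal OT-internal Modbus polling
    ("192.168.3.7", "192.168.1.50", 9100),  # IT-internal printing, not a crossing
    ("10.10.7.3", "10.10.2.15", 20000),     # OT-internal DNP3
    ("203.0.113.9", "10.10.2.15", 445),     # address outside both zones straight into OT
]


def zone_of(ip: str) -> str:
    """Return 'IT', 'OT' or 'external' for an address."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "external"


def find_crossings(flows):
    """Return the flows whose two endpoints lie in different zones."""
    crossings = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone != dst_zone:
            crossings.append({
                "src": src, "src_zone": src_zone,
                "dst": dst, "dst_zone": dst_zone,
                "port": port, "service": PORT_LABELS.get(port, "unknown"),
            })
    return crossings


def cross_zone_hosts(flows):
    """Map each host that touches more than one zone to the sorted zones it touches.

    A host's own zone counts, so an OT device that only ever talks to IT still
    shows up: it is exactly the kind of connection the inspection question misses.
    """
    touched = defaultdict(set)
    for src, dst, _ in flows:
        touched[src].update({zone_of(src), zone_of(dst)})
        touched[dst].update({zone_of(dst), zone_of(src)})
    return {host: sorted(z) for host, z in touched.items() if len(z) > 1}


if __name__ == "__main__":
    for c in find_crossings(SAMPLE_FLOWS):
        print(f"{c['src_zone']:>8} -> {c['dst_zone']:<8} {c['src']} -> {c['dst']}:{c['port']} ({c['service']})")
    for host, zones in cross_zone_hosts(SAMPLE_FLOWS).items():
        print(f"{host} touches {', '.join(zones)}")
```

Run against real exports, the crossing list is the answer to "is there any connectivity between OT and IT", and the per-host map is the starting point for deciding which of those paths are intended, which need a firewall rule or data diode, and which (like the printer) should simply not exist.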
The CrowdStrike Falcon Intelligence subscription provides organizations with the decisive information needed to protect the enterprise and, more importantly, to translate threat intelligence into sound business decisions. Request a sample report today to gain insight into the tools, tactics, and procedures of the adversary groups targeting the oil and gas industry. Actionable threat intelligence allows you to plan for events in the future, diagnose incidents more efficiently, and monitor changes to your environment to prevent damage from advanced malware and targeted attacks.