Hacking oil and gas control systems: Understanding the cyber risk
In a "60 Minutes" interview that aired on Feb. 8, 2015, Dan Kaufman, a former video game developer, who now works for the U.S. Dept. of Defense to secure the Internet, demonstrated how to take control of an automobile’s computer system to the point that he gained complete control of acceleration, braking—even the horn—via the built-in emergency communication system. This and other recent revelations have made it abundantly clear that modern computer security is about more than protecting your bank account. The current cyber security discussion must address how we can protect everything connected to the Internet, including control systems—those systems that control everything from how almost every single product is manufactured to the Hoover Dam to both commercial and home-based climate control systems.
Understanding the risks
Successful hacks against financial institutions and various commercial entities have been well documented in the press for some time, and, as such, most people are well aware of them. Consequently, even the most technically savvy of us who use the Internet for banking and shopping do so with at least a little trepidation.
Conversely, most of us are only vaguely aware of hacking activity against control systems—those systems that control almost every process in manufacturing and operations today. Control systems such as these are used in the oil and gas industry to monitor and control processes associated with the processing, storage, and movement of oil and gas products. It may surprise you to learn that attacks against control systems have been plentiful in recent years—sometimes with devastating consequences. A recent report released by the German Government: Federal Office of Information Security stated that, "A German steel factory suffered massive damage after hackers managed to access production networks, allowing them to tamper with the controls of a blast furnace, the government said in its annual IT security report."
The fact that hackers were able to successfully gain control of a blast furnace in a manufacturing plant may surprise some of you. I have spoken to quite a few people in the industry over the years who have explained to me that cyber security in control system environments is simply an enormous waste of time and resources. Furthermore, I am often told that cyber security is potentially damaging to control systems because it can negatively affect operational reliability.
This type of thinking rests largely on the fundamentally flawed belief that cyber security is unnecessary in a particular control system environment because the system is "standalone. In other words, the system has no outside connectivity and therefore is not susceptible to outside attack. This mode of thinking is flawed for two reasons:
- Most control systems are connected in some way to the Internet-often indirectly through a business network.
- Even those systems that truly have no outside network connectivity are susceptible to compromise. Stuxnet is an excellent example.
If you have been living under a rock for the past few years, you may not be aware of the attack against Iranian nuclear enrichment plants that first came to light in 2010. This attack caused centrifuges to spin at speeds beyond their tolerances while informing operators that they were spinning at the correct speed. It is commonly believed that Stuxnet set the Iranian nuclear enrichment program back by several years. It is important to note that Stuxnet was introduced into an environment that had no direct connection to any outside network. How then were the perpetrators of Stuxnet able to introduce their malicious code into their target environment? A trusted employee introduced Stuxnet via removable media (a USB drive) brought in from the outside and plugged into internal computing systems.
A particular attack campaign against control systems known as Energetic Bear (aka Crouching Yeti) is relevant because it demonstrates some of the attack mechanisms in common use as well how ubiquitous such attacks have become. Russian security software vendor Kaspersky Lab published an in depth report that claims that Energetic Bear attacks have successfully compromised more than 2,800 victims including some 100 organizations in the U.S., Spain, Japan, Germany, France, Italy, Turkey, Ireland, Portland, and China. While Energetic Bear is broad in scope, researchers at security firm Symantec discovered that as early as March 2014, the group shifted "its focus onto energy firms, with half of the targets in energy and 30 percent in energy control systems."
Symantec went on to say that Energetic Bear attacks against control systems were successful to the extent that they, "…could have caused damage or disruption to energy supplies in affected countries" and that targets included "energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial control system equipment manufacturers."
You may wonder how cyber attackers like those associated with the Energetic Bear campaign manage to successfully take control of computers belonging to so many companies—especially with respect to control systems. Surely, the hackers must be using some very sophisticated techniques that are only manageable by a very elite group of computer geniuses. Alarmingly, nothing could be further from the truth.
Evidence indicates that Energetic Bear attacks were conducted using commonly known and easily executable attack methods against system vulnerabilities that were common knowledge. In many cases, the attackers used variants of the Havex Trojan—a well-known piece of malicious software. Metasploit—a free tool that requires almost no programming skill to operate was in frequent use as well.
Malicious code associated with the Energetic Bear attack campaign was distributed using several primary methodologies including spear-phishing and waterholing attacks as well as compromised SCADA software updates.
Spear-phishing is simply the process of sending an email with a malicious link or attachment to a targeted list of users. At first glance, this may sound synonymous to the spam that you receive every day in your inbox. The important difference to note is that these emails are sent to a very specific set of individuals that the attackers typically know a good deal about. Consequently, they can be constructed in a manner that makes them seem much more legitimate than random spam. For example, if I know that you are going to attend a conference next week I can send a spear-phishing email to you that appears to be about the conference but in fact contains a malicious link. Once you click on the link, you may be directed to a malicious site where software that is designed to infect your computer will be downloaded.
Waterholing attacks involve successfully hacking web sites that you know your intended targets are bound to visit and then placing malicious code on those sites. In the case of Energetic Bear, attackers simply compromised the web sites of control system manufacturers where system updates are maintained. By replacing legitimate updates on these sites with copies that contained malicious software code, hackers were able to ensure that their targets would infect their own systems. Note that this technique can work even if the target control system is standalone—not connected to any external network.
These attack methodologies are in line with the recently published Cisco Annual Security Report that reveals that hackers have increasingly shifted their focus from seeking to compromise servers and operating systems to seeking to exploit computer users at the browser and email level.
Protecting your control system
The rampant success of cyber attacks against control systems is certainly alarming. Something must change if we are to adequately protect control systems in the oil and gas sector. It was once said that "a journey of a thousand miles begins with a single step." The good news is that there are several important steps that organizations can take to begin to properly secure their control systems from cyber attacks like Energetic Bear.
Step 1: Start with the right team
No business endeavor can succeed without the support of senior management. Articles like this one can be used to make your management team aware of cyber risks and to garner the appropriate funding and resources to begin to develop a good cyber defense for your control systems.
Unfortunately, I have been in quite a few meetings where some well-meaning person rambled on about bits and bytes in an attempt to explain cyber security initiatives to senior decision makers. I have noticed that the most successful cyber security programs are spearheaded or at least supported by a knowledgeable business advocate—someone who knows how to explain the benefits of a cyber security program from a business point of view. This individual serves as the liaison between business-focused decision makers and technical personnel.
As a consultant for many years, I have achieved the greatest success gaining support for cyber security initiatives when I observed the following golden rule-always explain cyber security projects in terms of how they enable or protect some critical business function. This vital role is often filled by either a CIO or CISO.
Furthermore, with respect to personnel, do not discount the importance of very knowledgeable and technically-skilled cyber security people. Yes, they are difficult to find and retain. Perhaps that very fact is proof of their importance with respect to protecting your business.
Too often companies place too much importance on a plethora of expensive cyber security equipment—firewalls, intrusion detection/prevention systems and the like—and discount the importance of knowledgeable, experienced technical personnel. I have found that organizations that commit to maintaining a knowledgeable technical cyber security staff are able to provide consistently better protection than those organizations who have expended funding and resources on expensive tools but neglected to maintain knowledgeable staff. Some small businesses may not be able to acquire and retain sufficient cyber security technical staff. In these cases, consider outsourcing some cyber security tasks to augment your existing staff.
Step 2: Use a proven methodology
In July 2014, the Ponemon Institute and Unisys released a report titled, "Critical Infrastructure: Security Preparedness and Maturity," which summarizes responses from 599 IT security executives in 13 countries from the utility, oil and gas, alternative energy, and manufacturing industries. Of those surveyed, 67 percent said they "have had at least one security compromise that led to the loss of confidential information or disruption to operations" in the past year. In startling contrast, cyber security was listed as a top five priority for only 28% of those surveyed.
How can this be? If senior executives are aware of the risk to their intellectual property and even their operational capability, then why is cyber security not higher on the priority list? Based on my many conversations with senior IT business leaders, I believe that the answer is simple. Most senior executives have already committed a great deal of funding and resources to cyber security and often feel that they have not realized a corresponding benefit. Consequently, while they recognize the need for better cyber security they do not see a clear path to success nor are they certain one exists.
Fortunately, there is a wonderful guide to cyber security for control systems that is relevant no matter the maturity level of your current program. The National Institute of Standards and Technology (NIST) provides the "Framework for Improving Critical Infrastructure Cybersecurity" for free. This document provides straightforward practical guidance for organizations that wish to improve their critical infrastructure cyber security programs and can be located at http://nist.gov/cyberframework/upload/roadmap-021214.pdf.
A corresponding voluntary program known as the Critical Infrastructure Cyber Community (or "C Cubed") has also been formed at the U.S. federal government level to "support industry in increasing its cyber resilience."
Step 3: Use a balanced approach
While most organizations in the oil and gas industry have some sort of cyber security capability in place, many have yet to develop a mature program that has senior management capability and operates using a recognized framework like the aforementioned one provided by NIST.
However, even those that do have a mature program often make a serious mistake. They focus almost all of their time, effort, and energies on preventing a successful cyber attack. While at first, this seems like the obvious goal of any cyber security program, the fact that most successful cyber security breaches go undetected for more than 180 days causes us to change our perspective.
The hard fact is that repeated ongoing cyber attacks against the oil and gas industry are here to stay. In such an environment, we must accept that—despite our best efforts—companies will be hacked-again and again. But with respect to hacking, what constitutes success? Surely, hackers will occasionally gain access to some of your computing systems. However, if your cyber security program is built to quickly detect those attacks and remediate them, then damage will most likely be minimal. Therefore, a balanced approach to cyber security means that we must dedicate as much time and effort to detection and response of successful breaches as we do to prevention.
Unfortunately, this is currently not the case. Most companies spend almost all of their cyber budget on prevention (preparation/defense) and very little on detection and response. Consequently, when a cyber attack is successful, it is likely to remain in place long enough to cause significant data loss and perhaps compromise your intellectual property. As successful cyber compromises (hacks) remain in your environment for an extended period of time they often attempt to spread to control system networks. Consequently, your operational capability is typically at greater risk the longer hackers are able to remain undetected within your environment.
In a future article, I will talk more about specific measures that can be used to more quickly and effectively detect and eradicate successful cyber breaches before they can do significant harm.
For now, consider these tips:
- Cyber security program balance is important.
- Accept the fact that, to some extent, your computer systems will be breached—repeatedly.
- Work hard to make that difficult to do.
- Ensure that your cyber security program provides sufficient detection and response capability for when the inevitable occurs.
Call to action
The oil and gas industry is vital to the U.S. economy. Unfortunately, that makes companies working within it targets for cyber security attacks. In many cases, we have been woefully unprepared, have suffered a significant loss of intellectual property, and in some cases, have even lost operational capability.
It is time to fight back. The great basketball coach, Bobby Knight, once said, "The key is not the will to win. Everybody has that. It is the will to prepare to win that is important."
Together we can work to develop, implement, and sustain robust and mature cyber security programs that can adequately defend against, detect, and respond to cyber attacks now, and in the future.
– Chris Shipp is a columnist, speaker, and consultant with more than two decades of experience in the field of information security. He has provided cyber security training and support for many commercial and government entities including the FBI, the U.S. military. Currently, He is working within the cyber security community to develop and implement better information security within industrial control system environments. Edited by Eric R. Eissler, editor-in-chief, Oil & Gas Engineering, firstname.lastname@example.org