How Hackers Can Hack The Oil & Gas Industry Via ERP Systems

Researchers at Black Hat Europe next month will demonstrate how SAP applications can be used as a stepping-stone to sabotage oil & gas processes.

Hackers can exploit weaknesses in enterprise resource planning (ERP) systems on oil & gas firms corporate networks in order to sabotage pipeline pressure or hide oil spills, researchers have discovered.
Researchers at Black Hat Europe next month in Amsterdam
will demonstrate these and other attacks on oil & gas networks
by abusing holes in SAP ERP applications used in the industrial sector. Oil & gas industrial networks rely on ERP software to help manage and oversee the oil & gas production and delivery processes.
We want to show that not only Stuxnet-type attacks using USB are possible, says Alexander Polyakov, CTO and founder of ERPScan, who with Mathieu Geli, a researcher with ERPScan, will demonstrate several proof-of-concept attacks at Black Hat in Amsterdam. An attacker could hack the systems remotely over the Internet, he says, or from the oil & gas firms corporate network.
SAP is a key to this kingdom because it has a lot of products specifically designed to manage some processes such as operational integrity or hydrocarbon supply chain. Since SAP systems are implemented in, if I’m not mistaken, about 90% of oil and gas companies, this key can open many doors, he said. SAP is connected with some critical processes which, in their turn, are connected with other processes, and so on.
The researchers, who declined to give details on the actual SAP vulnerabilities prior to their presentation, say the bugs are software and configuration flaws in SAP xMII (Manufacturing Integration and Intelligence) and in SAP Pco software. SAPs MII supports the manufacturing side and includes real-time information for production performance, while the Pco manufacturing module software supports those production-floor operations.
For those vulnerabilities we can disclose, we will provide details in the talk, Polyakov said in an email interview.
Polyakov says theres no simple way to separate ERP applications from the industrial operations network. If you have some plant devices such as wellheads, which pump oil and collect some data from them, you should somehow transfer this data to the corporate network to show managers who want to see all the information on their tablets on nice dashboards. That’s why even if you have a firewall between IT and OT [operations technology], there are some applications which are connected, he said. What we want to show is that it’s possible to conduct such attack and pivot from IT network or even the Internet into OT network up to OPC servers, SCADA systems, field devices, meters, and dozens of other modules.
Among the processes with ties to ERP are pump control, blow-out prevention, flaring and venting, gas compression, peak-load gas storage, separators and burners, he said. He says he and Geli probably know about just 10% of the overall attack surface: The attack surface is huge.
The oil & gas industry already has been targeted by cyberattacks. One of the biggest and infamous attacks was that of oil giant Saudi Aramco,
where malware wiped or destroyed
the hard drives of some 35,000 computers.
A group called the Cutting Sword of Justice
claimed responsibility for the massive attack.
While the attack didnt directly affect Saudi Aramcos oil production and exploration systems, it
raised concerns of market fallout in the industry, as well as market manipulation
. The oil & gas industry is made up of many joint ventures, namely in the oil fields. So if one partner was attacked, another could be affected as well.
Oil and gas cybersecurity is a small universe which is almost undeveloped, but extremely critical, Polyakov said. Any changes made during the upstream, midstream, or downstream processes may have a significant impact.
The ERPScan researchers previously have uncovered flaws in SAP that attackers could use to get to those systems: Just to name a few, some issues such as
SAP Router or SAP Portal
or recent
SAP Afaria
or
SAP HANA vulnerabilities
, can be used to get access to the SAP infrastructure from the Internet, he said.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015.
Click here
for more information and to register.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
How Hackers Can Hack The Oil & Gas Industry Via ERP Systems