The Long Shadow Of Saudi Aramco

Published: 22/11/2024   Category: security

New threats, realities of targeted attacks forcing oil and gas companies to rethink and drill down on security



Second installment in a series on cyberthreats to the oil and gas industry
A mind-set shift is slowly permeating the oil and gas industry: it's no longer immune to hackers.
"Before, we had insecure systems, and it didn't really matter because we didn't think of ourselves as a target. No one really knew about it," says an engineer for a U.S. oil and gas company, who spoke on the condition of anonymity. "Now that we are a hot spot, it necessitates a closer look."
Big changes in the threat landscape for the energy industry -- think Stuxnet and Saudi Aramco -- have changed the game, especially for the oil and gas industry, which increasingly finds itself a target of nation-state threats as well as plain-old malware attacks.
The data-destruction attack last year on Saudi Aramco's internal corporate network that left the oil and natural gas giant having to replace hard drives on some 30,000 or so Windows machines continues to haunt the industry, which witnessed a major player getting hit in a big way.
"If it can happen to Saudi Aramco, it can happen to everyone," says Nate Kube, CTO of Wurldtech.
[Cyberattacks on oil and gas companies could have real-world economic consequences, even at the pump. See "Destructive Attacks On Oil And Gas Industry A Wake-Up Call."]
The Stuxnet and Saudi Aramco incidents, the attack on Qatar's RasGas, and other lower-profile attacks have forced some of these firms to face how to balance their signature productivity and availability priorities with security. Taking an oil production plant system offline to better lock it down means lost productivity and possibly lost revenue, so security typically gets back-burnered. But oil and gas companies are receiving some pushback from their techies, who are getting security religion. "You have to identify the risk and explain this to people who don't always see the threat; they see it as very remote, and, in a lot of cases, it is very remote," the U.S. oil company engineer says.
"A lot of times, I wait for a [planned] shutdown ... when the [system] is out of service, I can put passwords or [other types of security] protection [on it]," he says.
He says so far he has seen mostly nontargeted worms or ransomware malware spreading to plants in the oil and gas industry and resulting in temporary shutdowns for cleanup. "They are mostly ancillary, accidental attacks," he says.
Although the enterprise IT network of an oil and gas company is technically separate from the plants and oil rig production systems, for example, there is always the risk of an infected laptop getting plugged into the plant, or a malware-ridden USB stick polluting the control systems.
Meanwhile, a gap exists between the control systems group and IT security that's like the corporate rift between IT security and IT proper -- on steroids. Control systems engineers in the oil and gas industry aren't trained in IT security. "A lot of the control systems guys I know wholeheartedly understand the threat of cyberwarfare. It scares them because of the potential impact ... But their training and everyday job is not cyberwarfare," says Jim Butterworth, CSO at HBGary.
The control systems engineering process includes very little on cybersecurity, he says. "Even if you look at the control systems engineering process, 15 percent of the course material is security. All the rest is how to control a valve, fix an HMI [human machine interface]. It's just [a] part of their job," Butterworth says. "They're just not looking at malware every day."
The reverse, of course, is that oil and gas industry IT security teams are not conversant in programmable logic controllers (PLCs) and HMIs. "Largely, the problem is there is a different language," he says. That leaves a dangerous air gap in security strategy and controls.
Physical safety, such as production system availability, traditionally trumps cybersecurity as well. Andrew Ginter, vice president of technology at Waterfall Security, says his recent visit to an oil firm site illustrates just where these firms' priorities are. Ginter says he had to scan in and out with his badge, which was also manually inspected by security. "There were three layers of security. They weren't worried whether we were going to damage or steal [information]. They need to be airtight on who is where in the facility if there's an innocent physical emergency," Ginter says.
"Security looks the same as a government building or military installation, but it's focused on safety," he says.
Partner Problems
The Saudi Aramco attack also raised another concern for the industry: partners as the weak link in the security chain. Oil and gas relies heavily on joint ventures and supply-chain arrangements for oil fields, for instance. While these organizations struggle to catch up with their own security weaknesses, they have little control over their partners.
Saudi Aramco's breach was a reality check of the vulnerability of the global and interconnected industry. "There are a significant number of joint ventures in oil and gas; most oil fields are [joint ventures]," Wurldtech's Kube says. "One of the key concerns with Saudi Aramco was, will these infections make their way into other oil and gas companies through the connection of other joint ventures? That's definitely top-of-mind."
There were no reports of collateral damage to other oil and gas companies as a result of the Saudi Aramco attacks, but the risk of such a ripple effect in such cases is very real, experts say. "That's definitely a possibility," says Giovanni Vigna, co-founder of Lastline. "One thing I know for sure is there is a lot of cross-pollination across those companies in [the Middle East]. I was especially surprised how much ... they talk to each other and even exchange IT resources with each other. This, of course, creates a vulnerable ecosystem."
Experts say oil and gas companies in the Middle East are even more vulnerable than their counterparts in the U.S. Most have not employed basic security measures, such as system patching or least-privilege controls, says Marc Maiffret, CTO at BeyondTrust.
"I think what is different about the application of security technology [in the oil and gas industry in the Middle East] is some organizations are going from not having much of a basis in security to trying to jump immediately to advanced threat protection without even having a fundamental, such as system patching or least privilege, in place," Maiffret says. "And that makes things difficult ... without the basics, the amount of noise you will deal with is enormous and makes it harder to find the targeted attacks."
Maiffret says it's not that advanced threat protection tools won't work for oil and gas firms. It's just that without basic security measures as well, companies could be wasting time and energy chasing fake AV attacks rather than nation-state attacks, for instance.
"If you do not have something as basic as a patching process, then you're going to be exploited [with] 2-year-old Java or Adobe bugs by any random hacker, and it will be harder to find that person leveraging a zero-day or something more advanced, [who] is really targeting you versus the run-of-the-mill hacker."
But the worst nightmare scenario would be a combination physical and cyberattack, which would wreak the most devastation, experts say. "If a coordinated physical and cyberattack took out computers and [oil] terminals at the same time ... then it [would be] absolutely chaos. This really is a big danger," says Eyal Aronoff, co-founder of the Fuel Freedom Foundation.