Cyber Security series: How you are helping the hackers.
02 November 2017
The internet can be a hostile environment at the best of times. As is the case across all industry sectors these days, the oil & gas (O&G) industry is exposed to an increasing level of cyber security risk. Picking up from our last blog, we look at how businesses sometimes make the hacker’s job easier – and some things they can do to try to avoid that. But first it is worth revisiting the topic of convergence and looking at the impacts an attack can have on this sector.
The convergence of Information Technology (IT) and Operational Technology (OT) is driven by a number of things: standardisation of technologies, and a need for greater connectivity to support business optimisation and new ways of working. In turn, this often means working with more third parties.
Convergence is not unique to the O&G industry. But what marks the O&G industry, aside from the risks associated with the handling of hazardous materials, is the scale and distribution of operations alongside a very diverse operating environment in which the impact of an attack can be far reaching.
OT systems are designed to minimise downtime and to work for decades in harsh and often remote environments. Availability and continuous operation are crucial. The risk of lost production time from attacks that deny access to systems or that directly interfere with operations is very real. Increased reliance on process automation increases the risk, with upstream processes such as burner management, pump control, drill control, flaring and venting all relying on OT. Targeting transportation systems and refinery processes could also result in untold damage, environmentally, reputationally and financially.
Other potential outcomes include safety and environmental damage from the discharge of toxic chemicals, and damage to hardware assets. We’ve seen proven attack mechanisms against rotating machinery, pressurised equipment and electrical switchgear and, while in-built engineering protections might be in place, equipment can still be damaged. There is also no fundamental reason why industrial accidents resulting from human error couldn’t be replicated by deliberate mis-control of critical systems during a cyber-attack.
As well as the challenges associated with OT, O&G firms share the same basic information risk challenges as most large companies – including protecting their critical systems, safeguarding employee data and complying with IT-related regulations such as SOX and trade controls. They can also be exposed to payment channel and customer data risks through their retail operations. Concentrations of ‘crown jewel’ information like exploration and production data, business relationship information (joint ventures and acquisitions) and commodity trading strategies and positions are all attractive targets for attackers. An understanding of a company’s trading strategy could let an attacker trade against or ahead of it on commodity markets.
At the start of this blog we posed the question: How are you helping the hackers? Our experience of working across sectors is that many organisations are inadvertently making attackers’ jobs easier. Often we see the same mistakes repeated:
- Flat network architectures that let attackers move unimpeded across the estate (including bridging between IT and OT environments - we’ve seen examples where it has been possible to take over offshore OT remotely through consoles that are visible to the corporate LAN) – or that aid the spread of malware.
- Poorly configured Active Directory domains with large numbers of privileged accounts.
- Critical systems that are unpatched against known (and commonly exploited) vulnerabilities.
- User (and administrator) accounts with easy-to-guess passwords.
- Lack of two-factor authentication for remote access.
- Poorly managed firewalls with overly permissive rules.
- Unmanaged third parties with access to IT and OT assets (…more on them in a later blog…).
Attackers know these are common gaps – so they will go looking for them.
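Two of the gaps above, overly permissive firewall rules and rules that quietly bridge the corporate LAN into OT, can be caught with a simple rule review before an attacker finds them. The script below is an added example, not code from the original post or from any vendor product: it parses a constructed, simplified rule export (the `name action src dst proto ports` line format, the IT/OT address ranges in `ZONES` and the `RISKY_PORTS` table are all assumptions made for the example) and reports any allow rule that is any-to-any, opens every port, or lets a non-OT source reach a management or control service inside the OT zone. A real review would read the export format of whatever firewall is in place, but the two checks are the same.

```python
"""Audit a firewall rule export for two common gaps: overly permissive
rules, and allow rules that bridge from IT (or anywhere) into OT.
The rule format, zone map and sample rules are constructed for this example."""

import ipaddress
from dataclasses import dataclass

# Constructed zone map (assumption): corporate IT vs. plant/offshore OT ranges.
ZONES = {
    "IT": [ipaddress.ip_network("10.0.0.0/16")],
    "OT": [ipaddress.ip_network("10.50.0.0/16"),
           ipaddress.ip_network("192.168.100.0/24")],
}

# Services that hand an attacker control of a host or PLC if reachable
# from the wrong zone (assumed list; extend for your own environment).
RISKY_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 502: "modbus",
               3389: "rdp", 5900: "vnc"}


@dataclass
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    dports: str   # "any", a single port, or "lo-hi"


def parse_rules(text):
    """Parse the constructed 'name action src dst proto ports' format; '#' starts a comment."""
    rules = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, action, src, dst, proto, dports = line.split()
        rules.append(Rule(name, action.lower(), src, dst, proto.lower(), dports))
    return rules


def zone_of(cidr):
    """Return the zone name containing the block, 'ANY' for a wildcard, else 'OTHER'."""
    if cidr == "any":
        return "ANY"
    net = ipaddress.ip_network(cidr, strict=False)
    for zone, nets in ZONES.items():
        if any(net.subnet_of(n) for n in nets):
            return zone
    return "OTHER"


def port_set(dports):
    """Expand the destination-port field; None means every port."""
    if dports == "any":
        return None
    if "-" in dports:
        lo, hi = (int(p) for p in dports.split("-"))
        return set(range(lo, hi + 1))
    return {int(dports)}


def audit(rules):
    """Return (rule name, finding) pairs for allow rules that match either gap."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        ports = port_set(r.dports)
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        # Gap 1: any-to-any, or every port open, is overly permissive wherever it sits.
        if r.src == "any" and r.dst == "any":
            findings.append((r.name, "allows any source to any destination"))
        elif ports is None:
            findings.append((r.name, "allows all destination ports"))
        # Gap 2: a non-OT source reaching a control/management service in OT
        # is the IT-to-OT bridge an attacker on the corporate LAN will look for.
        if dst_zone == "OT" and src_zone != "OT":
            exposed = RISKY_PORTS if ports is None else {
                p: s for p, s in RISKY_PORTS.items() if p in ports}
            if exposed:
                findings.append((r.name, f"{src_zone} -> OT exposes "
                                 + ", ".join(sorted(exposed.values()))))
    return findings


# Constructed sample export, not a real rule set.
SAMPLE_RULES = """
web-out     allow 10.0.0.0/16   any              tcp 443
any-any     allow any           any              any any    # classic 'make it work' rule
eng-to-plc  allow 10.0.20.0/24  10.50.1.0/24     tcp 502    # engineering LAN straight to PLCs
it-rdp-ot   allow 10.0.0.0/16   192.168.100.0/24 tcp 3389   # whole corporate LAN can RDP into OT
hist-out    allow 10.50.1.0/24  10.0.30.5/32     tcp 1433   # OT -> IT historian replication, fine
block-all   deny  any           any              any any
"""

if __name__ == "__main__":
    for name, finding in audit(parse_rules(SAMPLE_RULES)):
        print(f"{name}: {finding}")
```

Running it on the sample flags `any-any`, `eng-to-plc` and `it-rdp-ot` and leaves the outbound web rule and the OT-to-IT historian feed alone: the direction matters, since data leaving OT for a historian is the design intent, while control protocols and remote-desktop entering OT from the corporate LAN are exactly the console exposure described above.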
But it isn’t just the technical ‘stuff’ that can make an attacker’s job easier. As part of our ethical hacking, we profile organisations using publicly available information too. Invariably we find a treasure trove of information that we could use in an attack:
- Personal information, like email addresses, posted on social forums provides an easy starting point for hackers who want to phish your staff.
- Company websites provide plenty of information to help in an attack too, often with confidential documents posted to the internet in error.
- Freely available tools like Shodan provide another easy jump-start for would-be attackers, highlighting internet-visible devices that could provide a starting point for an attack.
There is enough risk drilling and producing flammable materials on a small platform hundreds of kilometres out to sea, without making things more hazardous by leaving oneself open to cyber threat.
And while this could be said of all parts of the value stream, from upstream through to the petrol pump, the potential for an offshore catastrophe born of a lack of preparedness and security strategy should not be underestimated. It is more important than ever to get the basics right and to make attackers’ jobs as hard as possible. So, as well as taking a step back and looking at your technical controls to make sure you have the common ‘gotchas’ covered, it is worth reviewing your internet footprint and thinking about how attackers could use this information too.
In our next post we will look at who is targeting you and your third parties.