April 8, 2019
Stuxnet, a malicious computer worm believed to have been used to disable Iran’s nuclear program in 2010, has been called “a stone thrown by people who live in a glass house” by Marcus Ranum, one of the early innovators of the computer firewall, thus illustrating a new truism that, “The nations … that are most at risk of a destructive digital attack are the ones with the greatest connectivity.”
According to Siemens, “Automation and digitalization are expected to keep oil and gas competitive in the decades ahead.” Additionally, Nabors Industries, the largest onshore driller in the world, expects to cut the number of human workers at wells from 20 to five over the next few years by deploying more automated drilling rigs. An increase in automation, with its associated decrease in human labor, can create or expose vulnerabilities in the infrastructure of an organization, which often leads to catastrophe. With the proliferation of ransomware, both in the US and overseas, it is not hard to imagine a scenario where some critical safety system, such as the computer that controls a blowout preventer on an oil rig, becomes infected and non-functional.
At the same time, fluctuating oil and gas prices and workplace turnover have caused many organizations to carefully evaluate each line of their budgets. As such, companies often consider scaling back their IT infrastructure to reduce costs. Just like automation, this business decision increases the possibility of a cyberattack. In this article, I will explore the unique cybersecurity challenges facing the oil and gas industry. Our goal is to identify and outline best practices, risk mitigation techniques, and provide statistics and case examples that can be used to help organizations justify the actions necessary to strengthen their defenses.
Technology in the Energy Sector
Investors, analysts, business leaders, and governments often use complex systems of classification to organize companies by industry group. Industry classifications rely on common characteristics, which make it easy to use these classifications when assigning levels of risk from various natural occurrences, seasonal influences, and technological changes. The retail and hospitality industries are an example of the seasonal influences that are unique to a specific sector of companies.
“Critical infrastructure” companies are parts of industries that are vital to the daily operation of a society (e.g., hospitals, schools, courts and banks). Most policymakers consider companies within the energy sector to be critical infrastructure. Without electricity, oil and gas, or water, modern society would be severely crippled.
Over the last 20 years, the GDP per unit of energy used, adjusted for currency exchange rates, rose from 3.3 percent in 1990 to 8.3 percent in 2014. According to the United States Department of Homeland Security, “The US electricity segment contains more than 6,413 power plants.” Further, “The reliance of virtually all industries on electric power and fuels means that all sectors have some dependence on the energy sector.”
In a March 2017 article in the Houston Chronicle, the Department of Homeland Security reported that there were 59 cyber incidents at energy facilities last year. This is a nearly one-third increase from the previous year. In more than a quarter of the intrusions, the attack occurred due to spear-phishing emails, (which appear to be from an individual or business that the recipients know, but are not), that tricked employees into downloading infected attachments or clicking on malicious web links. More than 10 percent of attacks came from network probing and scanning.
The article stated that the “increased number of intrusions into energy computer controls last year brings the number of such incidents in the industry to more than 400 since 2011.” That number is likely low because energy sector companies are not required to report incidents to the government. Cybersecurity researchers believe at least 3,000 attacks against computer controls at industrial facilities, including in the oil industry, occur each year.
Cyberattacks in 2015 and 2016 on Ukraine’s power system have exposed a worldwide vulnerability to hacking aimed at crippling infrastructure. In 2016, using malware capable of deleting data and causing physical damage to industrial control systems, attackers successfully blacked out a portion of the capital city of Kiev.
The exposure to the global energy sector is massive. It only takes an attack on a single part of a single system to initiate a domino effect on much larger systems and entire plants/facilities and operations. As Jason Staggs of the University of Tulsa wrote, “Hackers would only have to get access to a single turbine to implant malware that would spread across the wind farm.” Staggs noted that he had hacked into turbines at multiple wind farms with the permission of operators. “When a 250-megawatt wind farm is left idle due to a malicious hack, the downtime can cost an electric utility between $10,000 and $35,000 an hour.”, Complex mathematics is not needed to apply the same calculations to other areas of the energy sector. Further, an attack against the energy producers with larger market share would be orders of magnitude greater.
A 2016 survey administered by the IT security firm Tripwire, of 150 IT professionals employed by companies in the energy sector, found that more than 75 percent of energy companies had suffered at least one attack in the previous 12 months. In each case, the cyberattackers breached a minimum of one firewall, antivirus software, or another safeguard.
Attack Life Cycle
To fully address the topic of preventing cyberattacks in the energy sector, it is important to understand the typical life cycle of an attack.
Initial Reconnaissance — The first stage in any cyberattack involves compiling as much information about the intended target. This includes obtaining personnel lists, understanding the likely network structure, and identifying any known or easily discoverable vulnerabilities that can be exploited. During this first step, the attacker will decide the best method to compromise the target, known as the attack vector.
Initial Compromise — Once the attack vector has been decided, it is “showtime” for the attacker. During the initial compromise, the attacker will obtain access to the most vulnerable system or the one that can be most easily accessed. The attack will almost certainly involve compromising the credentials of one of the system users.
A July 2017 article in The Washington Post revealed that “the FBI and the Department of Homeland Security sent a joint alert to the energy sector stating that ‘advanced, persistent threat actors,’ a euphemism for sophisticated foreign hackers, were stealing network login and password information to gain a foothold in company networks.”
Establish Foothold — Once the initial compromise is successful, the attacker will take steps to ensure continued access to the network. This can be accomplished using malicious software (malware), creating phantom administrator accounts, or opening uncommon ports. This phase would be the equivalent of a thief unlocking the back door so that they can move into, out of, and around the environment without needing to break in again. It is at this point the attacker is “behind the wall” of the company.
Escalate Privileges — A key aspect of achieving the goal of any cyberattack is ensuring that the attacker has the rights necessary to access the areas of the network where the target data resides. To achieve this mission, after ensuring continued access to the environment, an attacker will take steps to escalate access rights to the levels required. This begins the process of entering the inner sanctums of the systems where the primary data resides. This phase is the equivalent of obtaining the “keys to the kingdom.”
Internal Reconnaissance — Having the keys to the kingdom is pointless if an attacker must open every door to find the target. Instead, the attacker will spend time conducting internal reconnaissance through network scans and other internal system mapping. Using these maps, the attacker can find the shortest or easiest path to the target.
Lateral Movement — Once the attacker has a clear plan for moving through the system, they will begin a process of lateral movement, accessing one internal machine from another, until reaching the intended target. Logically, the attacker will attempt to accomplish this task in the fewest number of moves to prevent detection.
Maintain Presences — Like in the establish foothold phase, now the attacker will take steps to ensure forward and backward movement through the environment as needed, while also moving laterally. This is analogous to leaving a specific combination of doors open to ensure the exit from and re-entry into the system.
Target Attainment — Often, an attacker will need to complete multiple iterations of the escalate privileges, internal reconnaissance, and lateral movement steps before completing the mission. After obtaining the desired data, the attacker can exit the system.
Complete Mission — The final stage of the attack is the most dangerous to an organization. At this point, the attacker has obtained the target data and is starting an elaborate exit. Unlike a bank robbery, where the identity or physical features of an attacker may be known, the intruder may still be invisible to the affected company. During this final stage, the attacker may take steps such as deleting logs, encrypting or destroying data, and/or exfiltrating the target data for later use. Identifying an attacker at this point is critical, even if the damage has already been done, because once the tracks are destroyed, the ability to identify the attacker is extremely limited or impossible.
RISK MITIGATION TECHNIQUES
To properly mitigate cyberattacks, organizations must take steps to insert detection and prevention measures in as many places as possible along the attack life cycle. Redundancy is key.
To create a robust cyber defense program, an organization can turn to standards and frameworks created by the National Institute of Standards and Technology, the Information Systems Audit and Control Association, or the Center for Internet Security.
Each framework lays the foundation for a strong defensive posture. Each framework is also built on the same basic tenets:
- Establish least-privilege controls
- Ensure that accounts for network administration do not have email accounts or internet access
- Establish a password policy that requires complex passwords for all users
- Implement appropriate logging and activity tracking
- Use two-factor authentication (g., use security tokens for remote access, privileged access, and access to any sensitive data repositories)
- Implement a change-control process for all privilege escalations and role changes on user accounts
- Conduct regular vulnerability assessments
- Encrypt all sensitive data in transit and at rest
- Establish measures to detect an insider threat
- Complete independent security risk review
- Identify the location (physical and network) of sensitive or mission-critical data, software, and hardware
- Participate in energy sector information-sharing programs
Establish least-privilege controls
One of the easiest and often most overlooked steps in mitigating risk is related to access given to “trusted” insiders. The employees of an organization are more likely to feel ownership of specific data or intellectual property, be more knowledgeable about security measures, and know where the “crown jewels” are kept. The concept of “least-privileged” access states that users should be assigned the least amount of access needed to complete their job. Giving an employee access to ALL data and systems should be avoided, including in the IT department. Access rights to the most sensitive files or areas of the network need to be kept to a bare minimum.
Ensure that accounts for network administration do not have email accounts or internet access
A common method used by attackers to infiltrate a network is through the administrative accounts. These accounts typically have weak passwords, are not often changed, and have access to the most amount of data or systems. Preventing these accounts from having email addresses and access to the internet limits the exposure of those accounts to attack.
Establish a password policy to require complex passwords for all users
Humans are creatures of habit, especially when establishing passwords. People choose letters, numbers, special characters, words, and phrases that are easy to remember. More importantly, people use the same passwords across multiple resources. A 2015 study published in Entrepreneur found that 21 percent of people use passwords that are over 10 years old, 47 percent of people use a password that is over five years old, and 73 percent of online accounts are guarded by duplicated passwords.
A complex password will contain a mix of numbers, upper and lowercase alphabetic characters, and special characters. The recommended length for a complex password is 12 or more characters. Additionally, the policy should require passwords to be changed regularly, and prevent reuse of old passwords.
Implement appropriate logging and activity tracking
It is impossible to catch improper activity if it cannot be identified. To detect malicious activity, firewall, routers, and other entry points must have logging activated. The logs generated by these tools are the first artifacts requested by forensic investigators when a suspected attack has occurred. Without these logs, attackers can move freely though a system with minimal detection.
Use two-factor authentication (e.g., use security tokens for remote access, privileged access, and access to any sensitive data repositories)
A strong defense against many attack vectors is to utilize strong access-based authentication methods, to prevent unauthorized access of private and sensitive information. According to the 2017 Data Breach Investigations Report published by Verizon, 63 percent of data breaches involved weak, default, or stolen passwords. To this end, there are three main categories of authentication factors:
Utilizing any one of these factors, in traditional terms, is a basic concept of security. Utilizing any two of these factors together adds more security. Using three or more of these factors adds exponentially increased security.
Per Symantec’s 2017 Internet Security Threat Report, 80 percent of breaches could be prevented by using multifactor authentication. Eighty percent is not an insignificant number — with basic, two-factor authentication an organization could immediately reduce its threat profile.
Implement a change-control process for all privilege escalations and role changes on user accounts
As previously discussed, one of the steps in the attack life cycle is the “escalation of privileges.” By implementing a system where escalation of privileges or role changes are tracked, an organization can easily determine which user accounts have been compromised. If a change ticket or request is not documented, it can be assumed to be malicious, or at least require further investigation by the IT security team.
Conduct regular vulnerability assessments
The need for a risk assessment related to cybersecurity cannot be overstated. It is impossible to develop a cohesive, forward-focused plan without knowing the organization’s current state of risk. Simply undertaking a one-and-done methodology will prove to be insufficient, in nearly every instance. Cyber threats are changing constantly, and the methods and tools necessary to detect and defend against attacks are being updated just as rapidly. Therefore, a regular reassessment must occur to ensure that new and emerging threats are mitigated or identified before they cause irreparable harm.
With consumers and regulators looking at cybersecurity with more scrutiny than ever before, the global regulatory landscape should position organizations to demonstrate that information security is a priority. By establishing the right leadership, plus strong policies and procedures, organizations can demonstrate to all interested parties that they are serious about protecting personal and confidential information.
Encrypt all sensitive data in transit and at rest
A key method and tenet of information security is the use of encryption. Encryption creates a coded version of data that can be transmitted securely from one point to the other, or prevent exposure while being at rest on a specific computer system. The availability of free tools such as VeraCrypt, and over the-counter tools such as Pretty Good Privacy, make data encryption a free or low-cost method of securing data. As such, encryption must be a minimum acceptable standard for all organizations.
Establish measures to detect an insider threat
One of the most dangerous vulnerabilities that all companies face is the “trusted insider.” Employees of a company have gone through rigorous background checks, vetting, interviews, and screenings. Once they are hired, they are then given access to sensitive information or systems as part of their jobs. It is this same access that can be exploited knowingly and unknowingly as part of a cyberattack.
The biggest challenge in detecting an insider threat is identifying the legitimate activities of the employee from activities that would be indicative of wrongdoing. Copying a file to a USB drive and taking it home to work on it further may be a perfectly legitimate activity for an employee. However, if that person is contemplating resignation, accesses files they don’t normally interact with, or the activity occurs at abnormal hours, this may be an indicator that something is amiss.
Proper training of employees, an appropriate level of audit logging, and management of access rights are the three easiest steps an organization can take to limit exposure of sensitive data. Finally, a system for reporting suspected incidents must exist to ensure that a “see something, say something” culture exists.
Complete independent security risk review
Internal risk and security assessments are a first step in identifying vulnerabilities. However, all internal reviews have some level of inherent bias. The IT team may be reluctant to call out issues they contributed to, users may be hesitant to acknowledge or ignorant of their own security flaws, and the pressures of normal business responsibilities may cause the risk assessment to be prioritized at the wrong level.
An external, independent security review serves many purposes. First, the inherent bias of the organization is removed. Second, organizations can benefit from engaging with service providers that have seen may different types and scales of attack, which can be used as intelligence for conducting a thorough review. Lastly, an independent third party does not face the same prioritization challenges that internal employees would face.
Identify the location (physical and network) of sensitive or mission-critical data software and hardware
Knowing the location of sensitive and mission-critical data is paramount. It is impossible to defend against internal or external cyber incidents if the organization does not know what devices are connecting to the network, where the key data is stored (both physically and virtually), and who has access to that data. In the world of ever-increasing connectivity, where personal devices are increasingly permitted on workplace networks, it is easy to lose track of the inventory of devices. Having an accurate inventory of all devices that can access the network is extremely important.
Participate in energy sector information-sharing programs
A proverb states, “There is nothing new under the sun.” This is no truer than as it relates to information security. With the rate of attacks increasing daily, and the sophistication of the attacks growing exponentially, it is vital for any organization to join forces with other organizations to share information that can be used to prevent or mitigate damage from a cyberattack. A well-rounded information security program will include interaction and membership in key information-sharing programs such as the FBI’s InfraGard, professional organizations, and other governmental information-sharing programs.
With the global proliferation of ransomware and emerging cyberattack strategies, organizations remain vulnerable. A successful cyberattack in the energy sector could have far-reaching implications, beyond those of just the facility or the organization, due to the critical nature of their services to those other organizations that rely on energy to function. However, by acknowledging the threats, performing a comprehensive and recurring risk assessment, and implementing a mitigation strategy, organizations can be in position to mitigate or prevent cyberattacks.
 Marcus Ranum, “Parsing Cyberwar — Part 4: The Best Defense is a Good Defense,” Fabius Maximus blog, Aug. 20, 2012.
 Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, (Crown Publishers, 2014)..
 Andreas Kleinschmidt, “Why We Will Still Need Oil and Gas in the Future,” Siemens, Feb. 22, 2016.
 David Wethe, “Robots Are Taking Over Oil Rigs,” Bloomberg, Jan. 23, 2017.
 “Energy Sector.” Energy Sector | Homeland Security, www.dhs.gov/energy-sector. September 7, 2017.
 Tim Johnson, “Don’t just fear the power-grid hack: Fear how little the US knows about it,” McClatchy, July 27, 2017.
 Andy Greenberg, “Researchers Found They Could Hack Entire Wind Farms,” Wired, June 28, 2017.
 Ellen Nakashima, “US faults Russian government in nuclear plant, energy firm hackings,” The Washington Post, July 8, 2017.
 “How long since you took a hard look at your cybersecurity?” 2017 Data Breach Investigations Report. Verizon.
 2017 Internet Security Threat Report, Symantec, April 2017.