Doug Wylie, director, Industrials & Infrastructure Practice Area, SANS Institute, provides an overview of the current cyber security threats to industrial control systems.
Cyber security breaches have rarely been out of the news in recent years and organisations of all sizes, across all industries and sectors, are falling victim to them. The threat is nowhere more apparent, however, than in sectors such as oil and gas, and critical infrastructure that are reliant on industrial control systems (ICS) to maintain the smooth running of their operations.
A recent SANS Institute report found that four out of ten ICS practitioners lack adequate visibility into their networks to monitor assets and operations and to identify potential threats. This leaves them at risk of being unable to recognise and defend against cyber-attacks, putting critical infrastructure at risk.
Cyber security is a critical area for concern within the oil and gas industry, where the range of potential threats is far wider and carries far more severe consequences than in other key industries. Disruption, damage and destruction from digital attacks have all emerged as real-world consequences the industry must now combat.
While not necessarily seen as a ‘cool high-tech’ industry, oil and gas remain absolutely pivotal to the functioning of the world we live in. This industry enables and supports the very infrastructure of society and the worldwide economy. So, we have to ask the question, why are they so difficult to protect and therefore vulnerable to attack from cyber criminals?
According to the Repository of Industrial Security Incidents (RISI), cyber-attacks against oil and gas organisations in the Middle East make up more than half of the recorded instances, in comparison to under 30% in the US and other Western countries. And the Ponemon Institute reports that almost 68% of oil and gas companies worldwide were affected by at least one significant cyber incident in 2016, with many attacks assumed to be undetected, miscategorised or unpublished.
There is, therefore, no doubt that the oil and gas sector is a target. High-profile attacks in the Middle East include the massive cyber-attack in 2012 against Saudi Aramco, which either partially wiped out or totally destroyed data on 35,000 computers. This was followed three years later by an attack on Sadara Chemical Company.
As recently as June 2017, companies across the industry and around the world, including Russian oil and gas giant Rosneft, were combatting a ransomware outbreak that physically and financially impacted operations – Rosneft’s public statement said the company “avoided ‘serious consequences’ by switching to a backup system”, but others were not as fortunate.
While global spend in the oil and gas industry is expected to continue to decline, Middle East producers are looking to maintain spending in order to meet production targets. Saudi Aramco, for example, plans to spend $334bn across the oil and gas chain by 2025, while Kuwait is expected to spend $115bn on energy projects over the next five years to help boost crude production capacity to four million barrels per day by 2020.
The various control systems that will enable this efficiency and productivity are digital, networked, interconnected and, in most cases, remotely accessible for monitoring, maintenance and even control. It is clear that the sector must therefore keep a close eye on the future to effectively protect itself from cyber-attacks.
Pros and cons of progress
Developments in technology and connectivity have been instrumental in driving greater productivity, efficiency and revenues within industries such as oil and gas. Today, an ICS that uses specialised industrial-grade hardware and software to monitor and control devices and machinery sits at the heart of operations and may be a nearly immutable single point of failure (SPOF) in the complex upstream, midstream and downstream operations.
But such advances have also increased the risk and introduced a myriad of new scenarios that can disrupt production and processes, impact safety and bring financial consequences. The adoption of cloud-based IT solutions, the widespread introduction of insecure connected devices into networks, and the increasing reliance on digital technology for operations and expanded connectivity mean that many systems are far more vulnerable to attack than they once were.
In an ordinary business environment, a cyber breach of business IT systems can compromise data and revenues may be affected as a result. However, the potential damage can be far more severe when an attacker targets an organisation reliant on industrial control systems, such as those in oil and gas, where digital and physical processes must necessarily converge.
Cyber risks and threats
SANS Institute’s Securing Industrial Control Systems 2017 report explored how hundreds of ICS security practitioners worldwide are combatting cyber security risks and threats.
These are the people responsible for identifying risks, protecting control systems and networks from malicious and accidental activity and recovering systems if and when things go wrong.
The report shed light on the concerns of ICS practitioners, as well as their views regarding the most prevalent cyber security threats today.
The SANS report showed that many of the professionals responsible for today’s industrial control systems do at least recognise current cyber security risks. However, they are not always in a position to overcome them since governance is often seen as a lower priority when it comes into conflict with the objectives of the business around efficiency and productivity. Many ICS practitioners are not interested in becoming cyber security experts themselves, but they do realise that their organisation needs to plan to manage the threats.
It is also important to recognise that ICS environments pose unique challenges that do not exist in an ordinary business enterprise system. Automation and control systems frequently run continuously, ceasing only in the event of a loss of power, mechanical failure or an issue with the raw materials.
Decisions to stop systems are not taken lightly, and a patch upgrade, for example – a not-infrequent occurrence that every network administrator must factor in – will disrupt the operation of most ICS designed to run round-the-clock. A plant manager must weigh up the cost of downtime to patch a system as a preventative measure against the impact on system safety, uptime, efficiency and productivity.