According to an end-2017 study by BNC Network, there are 361 active oil and gas plants in the GCC, valued at an estimated $331.4bn. This makes the oil industry an undoubtedly critical regional industry and national asset, and therefore a lucrative target for cyber criminals.
New research conducted by Kaspersky Lab shows that nearly 40% of all industrial control systems (ICS) at customers in the energy sector were attacked by malware at least once during the last six months of 2017.
Companies now have much more to worry about than just the fluctuating prices of oil and gas – cyber-attacks leading to computer-related incidents are now another main concern. Whether through malware, industrial fraud, or ransomware, the outcome can be catastrophic, resulting in significant losses to the organisation.
Internet of Things
The situation is constantly evolving, however, especially in light of emerging technologies such as the Internet of Things (IoT) gaining momentum across the oil and gas industry. Manufacturing and refining facilities, their machinery and their processes are now integrated and online, giving those with malicious intent various potential entry points into the system, which can lead to disrupted operations or diverted resources.
The alignment of IT and operational technology (OT) is helping improve the efficiency and security of industrial processes. However, these trends bring growing risks and break points, leading industrial organisations to feel unsafe. According to the same Kaspersky Lab study mentioned earlier, over three quarters of companies believe that their organisation is most vulnerable through their ICS.
By leaving a gap in the way they approach cybersecurity across their IT and OT/ICS networks, organisations expose themselves to the primary risk of increased digitalisation: not having the right cybersecurity practices in place to protect their operational networks.
For those affected by at least one ICS cybersecurity incident over the past year, a little under a quarter (20%) say their business suffered financial damage, giving further incentive to invest in better cybersecurity. According to our estimates, the cost of daily downtime at an oil refinery in the event of a cyber-attack can be more than $1mn.
It may well be the threat of this level of financial impact on the bottom line that is driving the change, but cyber threats now rank as a major concern for regional management. Research conducted by Kaspersky Lab shows that 77% of companies now rank cybersecurity as a major priority.
However, and worryingly for the guardians of a key national asset, 48% of organisations admit to having no measures in place to detect, or even monitor whether, they have suffered an attack on their industrial control networks, according to the research.
We should not see this as a simple organisational issue. Attacks on such organisations could possibly lead to catastrophic and far-reaching situations, beyond damage to products, loss of customer confidence and business opportunities, to environmental damage and real impact on a national economy.
Key threat sources
Identifying the common routes or causes of cyber-attacks gives organisations and professionals the insight and ammunition to take steps towards prevention. Based on research and our findings from work with the oil and gas sector, the key threat sources are listed below.
First, and especially relevant to the oil and gas sector, is industrial fraud. A multitude of scenarios could play out here. For instance, a group of people, possibly even from within the company, who are adept in technological processes realise that they can alter data around shipment quantities, resulting in a surplus shipment of product that they could later use for their own financial gain.
In second place are incidents caused by human error. A study by Kaspersky Lab – ‘Human Factor in IT security: How employees are making businesses vulnerable from within’ – found that 55% of cybersecurity incidents in 2017 were the result of some form of personnel recklessness.
An example could be launching the wrong version of a piece of software, which results in a chain reaction of changes to data formats and other serious repercussions for the controllers handling physical processes. However, with adequate security measures in place, such a situation would be detected in time and significant damage could be avoided.
Third are targeted computer attacks that occur without any physical interference. These are cases in which cyber-attackers are able to control vital equipment within the organisation’s infrastructure, and the most disconcerting fact about such attacks is that they can affect ordinary controllers within the ICS network.
Our research has concluded that nearly 40% of all ICS in energy organisations were attacked by malware at least once during the first half of 2017. An example is Triton, a malware that gained notoriety for its attack on a Saudi oil and gas refinery in August 2017. This malware directly targeted the critical facility’s safety instrumented system (SIS), resulting in the halting of all operations by triggering a safety procedure shutdown.
Last, but by no means least, is ransomware, which is a trend in modern cyber-crime and is especially distressing to the industrial sector. In 2016, SHAPESHIFT wiper malware targeted as many as half a dozen Saudi Arabian organisations, including a petrochemical company.
Saudi Arabia also had to contend with the SHAMOON virus, which attempted to wipe computers at Saudi Aramco and RasGas in 2012, 2016 and 2017. There was also the WannaCry ransomware, which affected Microsoft Windows operating systems in May. Among the many victims was PetroChina, whose gas station payment systems were effectively forced offline.
Protecting against cyber threats
The question here is: what can be done to protect against cyber threats? It may be impossible to ensure the safety of industrial facilities using traditional corporate security solutions, but our thorough investigation of various cases has enabled us at Kaspersky Lab to develop our own approach to preventing similar incidents. This approach consists of several measures, presented as parallel priorities since it cannot be a step-by-step approach.
A key priority is to ensure that the monitoring of activity in production processes and equipment is up to par, especially around uncovering abnormalities and escalating the information. As no ICS is truly isolated, any connection or endpoint can be an entry point that attackers use to infiltrate a network; each one of these needs constant monitoring and a structured mechanism to act on the insights.
A parallel priority is ensuring that employees are well trained in assessing, identifying, and correctly escalating cybersecurity threats. A study by Kaspersky Lab shows that only 18% of employees in the META region are fully aware of their organisations’ IT security policies. Engineers may be familiar with the nuances of production automation, but often discount cybersecurity.
Many developers may not know the basic technical terms that the industry uses, opening their environment up to threats. This might be a contributing factor in Kaspersky Lab detecting over 80 zero-day vulnerabilities in the past, all within industrial equipment. These vulnerabilities are absolutely critical to monitor and overcome as they could be a reason for the complete loss of control of industrial equipment. If something like this were to occur, the management and head of ICS would definitely be in a tight spot!
Addressing cyber threats
To address cyber threats successfully, the individual efforts of an organisation alone are certainly not sufficient; precautionary measures are needed at both regulatory and industry levels. Regulatory authorities around the globe understand the significance of the potential threats facing the industrial sector, which is why laws on the security of critical information infrastructure are emerging.
In our region, we are witnessing the launch of projects such as the Dubai Cybersecurity Strategy, which brings together entities from the government, industrial and technological sectors to implement the necessary frameworks and solutions.
Several efforts by state agencies and organisations with the same concerns have been noticeable. Setting up structures that focus solely on analysing computer incidents – computer emergency response teams (CERT) – is one of them. For example, at Kaspersky Lab, our CERT not only investigates computer incidents, but also analyses activity, in turn helping to evaluate and track changes and new trends within the cyber threat space.
The increase of attacks on industrial enterprises is certainly alarming, and should serve as an indicator that we are entering a new phase in cyber warfare. The only way to effectively address this is to band together with a clear regulatory and operational vision, which will ensure proper education and constant monitoring, in order to be prepared for the ever-evolving threats around us.