Cyberattacks against companies in every industry are growing more frequent and costly. The oil industry is no exception to that rule. In a recent example, oil-drilling specialist Gyrodata reported suffering a ransomware attack that may have exposed sensitive information – including Social Security numbers, passport numbers, driver’s license numbers and W-2 tax forms – of current and former employees. It’s highly likely such data on staff members could be used to initiate additional attacks on the company.
Attacks on the energy sector tend to involve multiple steps. The process begins with hackers exploiting a software vulnerability. The resulting breach lets them access highly confidential information on the energy company, from emails and financials to drilling sites, ore content and extraction strategies.
In this article, OILMAN examines why cyberattacks against energy sector companies are more dangerous. It also explores the insidious ways many attacks are undertaken and how the energy sector can proactively avoid victimization by today’s cyber attackers.
How Energy Differs
In the last several months, it’s become increasingly evident that cyberattacks on the energy sector affect society much more broadly than do attacks on other industries, says Damon Small, Houston, Texas-based technical director of security consulting at NCC Group North America, one of the world’s largest security consultancies. “Our standard of living is dependent on the availability of electricity, so disruptions will have a much broader impact on people,” he says. “We’ve learned there’s not a lot of extra capacity. When Colonial Pipeline went down due to a cyberattack, there wasn’t another pipeline hanging around. So, the refineries feeding that pipeline didn’t have anywhere else for that gasoline to go. Attacks in the energy sector affect a much broader swath.”
According to Small, certain cyberattack techniques are more effective than others. Phishing attacks get results because they depend on humans making bad decisions, such as clicking on the wrong link. Another common technique involves hackers scanning a network for vulnerable systems. Hackers identify an out-of-date piece of software, exploit its vulnerability to gain unauthorized access and then begin to exploit other systems deeper within the victim network, Small says.
A similar ploy was used in the Colonial Pipeline attack by an affiliate of the Dark Side, says Om Moolchandani, co-founder, chief technology officer and chief information security officer with Naperville, Illinois-based Accurics. The company helps organizations secure their cloud native infrastructure. “It’s interesting to notice the attacks follow the same kind of kill chain we see in the enterprise world,” he says.
“The first stage is compromise, the second is establishing a foothold, the third is maintaining access, the fourth moves laterally within your victim’s infrastructure and the fifth completes the attack. [For the most part], the first phase of initial compromise is used with non-sophisticated, simple methods.”
“The Dark Side used password attacks and also attempted to penetrate using phishing attacks through emails. The interesting difference in this case is the attackers used tools generally used by security testing companies in providing security assessments.”
It’s worth noting that attacks are not becoming more sophisticated. As Moolchandani says, “The attackers do not have to work so hard.” Attacks are being pulled off through simple means, such as cybersecurity loopholes and easily mitigated vulnerabilities.
What’s at stake? Nothing less than the future of the company being targeted, Small asserts. A cyberattack can result in huge cash outlays and loss of reputation. In many cases, malware has locked up systems and forced companies to pay cybercriminals exorbitant sums to free their systems and allow them to again operate normally. But, in the case of Colonial Pipeline and others, criminals were purported to have stolen all of the sensitive data on the systems and threatened to release that information.
“It wasn’t just a matter of holding the data hostage,” Small says. “It was the threat to release sensitive emails, financial information and seismic information about where the company believes the oil is located.”
Given the speed with which technology evolves, software continually needs to be created and upgraded. However, those creating and upgrading the software are human beings who are fallible and, because of that, there will be defects. The criminals are highly motivated to discover those defects, and that’s why organizations are more and more frequently offering “bug bounties,” or cash rewards, to software researchers.
The bounties incentivize researchers to identify bugs so they can be fixed before hackers get to them. “Criminals are in it for the money,” Small says. “It’s organized crime. Bug bounties are one way the open market has responded. It’s worth it for organizations to pay money before the bad guys find
Heading Off Attacks
Moolchandani urges companies to conduct tabletop exercises in which weaknesses are identified and threat modeling exercises are conducted. In this way, companies understand what kind of weaknesses may exist within their infrastructure and are able to work to remedy those weaknesses.
“The threat modeling exercise can tell you what kind of actors will be targeting your company, so you can defend [yourself] accordingly,” he says.
In April of this year, The Dark Side group issued a press release reporting it would target organizations that trade on the NASDAQ Composite Index, Moolchandani says.
“If you are an energy company, and you have similar infrastructure and trade on NASDAQ, you would swing into action, but only if you have done a modeling exercise,” he says. “That will tell you who the potential actors are who will attack you, allowing you to understand their tools and tactics and create your defense accordingly.”
Another approach is enlisting well-trained consultancies, Small says. “A company like NCC Group, and all companies like ours that provide consulting services, can help organizations answer the question of what they can do. Regardless of the industry, you have to be aware of two things: What your critical information assets are, and where they are. I’m not talking about servers, routers and switches. I’m talking about the actual data you consume as a business. Those are the information assets.”
NCC Group works with clients to identify what and where their information assets are. Once those questions have been answered, the organization can use that insight to defend against attack.
“We will use some of the same tools to identify the vulnerabilities the bad guys do, and apply patches where possible,” Small says, “but it’s not always possible with industrial control systems. And not all software vulnerabilities are fixed with patches. It may be an issue of a system not being configured properly and solving that problem.”
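The two weakness classes Small describes above, out-of-date software and systems that are simply configured incorrectly, lend themselves to a routine inventory audit. The script below is an added illustration written for this article, not tooling from NCC Group or Accurics: it walks a constructed host inventory, flags software below a hypothetical minimum version and settings that should never be enabled, and, for industrial control systems that cannot take a vendor patch, recommends a compensating control instead. Every host name, product name, version threshold and setting is a constructed assumption.

```python
"""
Added example (not from the OILMAN article, NCC Group or Accurics):
a defender-side audit over a constructed host inventory that reports
out-of-date software and insecure configuration, and states which
remedy applies: patch, reconfigure, or (for unpatchable ICS gear)
a compensating control. All names, versions and settings are made up.
"""
from dataclasses import dataclass

# Hypothetical minimum acceptable versions (assumption, not vendor data).
MIN_VERSIONS = {
    "remote-access-gw": (4, 2, 1),
    "hmi-server": (7, 0, 0),
    "mail-relay": (2, 9, 5),
}

# Settings that should never be enabled on a production host, with the fix.
BAD_SETTINGS = {
    "default_credentials": "replace vendor default credentials",
    "telnet_enabled": "disable telnet; use SSH with key-based auth",
    "mgmt_exposed_to_internet": "restrict the management interface to the admin network",
}


def parse_version(text):
    """Turn '4.10.2' into (4, 10, 2) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Host:
    name: str
    software: dict            # product name -> installed version string
    settings: dict            # setting name -> enabled (bool)
    patchable: bool = True    # False for control systems that cannot take vendor patches


def audit_host(host):
    """Return (host, issue, remedy) tuples for one host."""
    findings = []
    for product, version in host.software.items():
        minimum = MIN_VERSIONS.get(product)
        if minimum and parse_version(version) < minimum:
            if host.patchable:
                remedy = "apply vendor patch"
            else:
                remedy = "cannot patch: segment from the corporate network and monitor (compensating control)"
            findings.append((host.name, f"{product} {version} below minimum", remedy))
    for setting, enabled in host.settings.items():
        if enabled and setting in BAD_SETTINGS:
            findings.append((host.name, f"misconfiguration: {setting}", BAD_SETTINGS[setting]))
    return findings


def audit(inventory):
    """Audit every host and return all findings in inventory order."""
    results = []
    for host in inventory:
        results.extend(audit_host(host))
    return results


# Constructed sample inventory: one patchable server behind on versions,
# one unpatchable HMI with telnet left on, and one host that is clean.
SAMPLE_INVENTORY = [
    Host("corp-vpn-01", {"remote-access-gw": "4.1.0"}, {"default_credentials": False}),
    Host("plc-hmi-03", {"hmi-server": "6.5.2"}, {"telnet_enabled": True}, patchable=False),
    Host("mail-01", {"mail-relay": "3.0.0"}, {"mgmt_exposed_to_internet": False}),
]

if __name__ == "__main__":
    for host, issue, remedy in audit(SAMPLE_INVENTORY):
        print(f"{host}: {issue} -> {remedy}")
```

On the sample inventory the audit reports three findings: the VPN gateway needs a patch, and the HMI host needs both a compensating control for its old software and telnet disabled. The version comparison is done on integer tuples so that 4.10.0 is correctly treated as newer than 4.2.1.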
As we look ahead, a legitimate question is whether cyberattacks will inevitably grow in frequency and danger, or if they can be mitigated.
Small predicts they’ll grow for two reasons. The first is that industrial control systems will become more interconnected with every passing year. The second is that, as consumer systems become increasingly sophisticated and complex, the opportunity for exploitable defects to creep in will increase as well.
The ability to mitigate the threat will rest on energy firms becoming increasingly aware that information technology is just as important to their organization as is accounting.
“It’s becoming more apparent that companies must have their own staff to support IT, and those staffs have to be sophisticated,” Small says. “At the same time, they will need to engage with third parties like NCC Group.”
Jeff Steele has been an independent writer in Chicago since December 1989. He has more than 1,500 bylined Chicago Tribune articles that have examined a wide array of topics, including real estate, communities, consumer issues, health care, employment, investing and finance, education, transportation and history. Steele has written print and radio advertising, direct mail, brochures and promotional material for such well-known companies and brands as Insignia ESG, Rand-McNally, Sears, Florsheim, the John Hancock Observatory, Dannon Yogurt, Fleer Gum and Hidden Valley Ranch, among others. Prior to becoming an independent writer, Steele worked for six years in the advertising industry as a copywriter with three Chicago advertising agencies.
Oil and gas operations are commonly found in remote locations far from company headquarters. Now, it's possible to monitor pump operations, collate and analyze seismic data, and track employees around the world from almost anywhere. Whether employees are in the office or in the field, the internet and related applications enable a greater multidirectional flow of information – and control – than ever before.