Oil and Gas Cyber Security: Understanding Risks, Consequences, and Proactive Measures

The oil and gas sector is susceptible to security vulnerabilities as it adopts digital communication methods that help power energy production and distribution. For context, there exist approximately 1,793 natural gas-powered electricity plants in the U.S. and they generated 34 percent of the nation’s electricity last year. Much of how we live and work is dependent upon the energy produced from oil and gas production, including everyday cooking, heating/cooling, communication, and use of electronic devices and appliances. Therefore, even the smallest cyber attack on one of the thousands of interconnected and digital systems can yield devastating effects.

A company that goes through an attack can experience a plant shutdown, equipment damage, utilities interruptions, production shutdown, inappropriate product quality, undetected spills, and safety measure violations—to name a few. Recently, 87% of surveyed oil and gas senior executives have reported being affected by cyber incidents in the past 12 months. Further, 46% of attacks in Operational Technology go undetected.

Oil and Gas Cyber Security Breaches throughout History

  • In 2010, Stuxnet, a malicious computer worm, was used to hijack industrial control systems around the globe, including computers used to manage oil refineries, gas pipelines, and power plants. It reportedly destroyed a fifth of Iran’s nuclear centrifuges. The worm was delivered through a worker’s thumb drive.
  • In August 2012, a person with privileged access to one of the world’s leading National Oil Companies’ (NOCs’) computers unleashed a computer virus called Shamoon (disk-wiping malware). This virus erased three quarters (30,000) of the company’s corporate personal computers and resulted in an immediate shutdown of the company’s internal network.
  • National Security Authority Norway said 50 companies in the oil sector were hacked and 250 more were warned to check their systems, in one of the biggest hacks in Norway’s history.
  • Ugly Gorilla, a Chinese attacker who invaded the control systems of utilities in the United States, gained cyber keys necessary to access systems that regulate flow of natural gas. In January 2015, a device used to monitor the gasoline levels at refueling stations across the United States—known as an automated tank gauge or ATG—could be remotely accessed by online attackers, manipulated to cause alerts, and even set to shut down the flow of fuel. Several Guardian AST gas-tank-monitoring systems have suffered electronic attacks possibly instigated by hacktivist groups.
  • In December 2018, Saipem fell victim to a cyber attack that hit servers based in the Middle East, India, Aberdeen and Italy.

These examples show other oil and gas companies the consequences that arise from insecure cyber environments, vulnerable systems, and cyber teams that lack the latest skills to stay ahead of attackers.

How Circadence Can Help

To lessen the attack surface and protect critical infrastructure against cyber threats, teams need to be prepared to address all possible scenarios that can occur on said attack surface in order to effectively protect and defend IT and OT critical infrastructures.

Project Ares® cyber security learning platform can prepare cyber teams with the right skills in immersive environments that emulate their own oil and gas networks to be most effective. It is designed for continuous learning, meaning it is constantly evolving with new missions rapidly added to address the latest threats in the oil and gas industry. Further, targeted training can be achieved from the library of mission scenarios to work on specific skill sets.

Training in cyber ranges is a great way to foster collaboration, accountability, and communication skills among your cyber team as well as cross-departmentally. Persistent and hands-on learning will help take your cyber team to the next level. Benefits of this kind of learning include:

  • Increased engagement – by keeping learners engaged they are able to stay focused on the subject matter at hand
  • Opportunities to close skills gaps immediately – instant feedback, instruction, and critique make it easy for learners to benefit from interaction with the instructor and peers and immediately implement this feedback to improve
  • Risk mitigation and improved problem-solving – hands-on training allows learners to master skills prior to working in real-world environments. People can work through tough scenarios in a safe training environment – developing problem-solving skills without risk.

By placing the power of security in human hands, cybersecurity teams can proactively improve a company’s ability to detect cyber-related security breaches or anomalous behavior, resulting in earlier detection and less impact of such incidents on energy delivery, thereby lowering overall business risk. Users are the last line of defense against threat actors, so prioritizing gamified training for teams will foster the level of collaboration, transparency, and expertise needed to connect the dots for cybersecurity in oil and gas sectors.

This solution coupled with proper collaboration between IT and OT divisions to share real-time threat intelligence information will do wonders for companies looking to stay out of the negative news headlines and stay safe against an attack.

Download our Infographic “oil and gas cybersecurity” for more details on cyber readiness and training.


Penetration Testing Challenges and Solutions

Penetration testing is one of the most direct and proactive cyber security activities organizations can undertake to protect themselves from an attack.

Also known as ethical hacking, it involves legally breaking into computers to test an organization’s defenses. Companies make it a part of their overall security process to know if their systems are strong or not. It’s kind of like preventative maintenance. If a hired penetration tester can get into their system, it’s relatively reassuring because penetration testing teams can take steps to resolve weaknesses in their computer systems before a malicious hacker finds them.

So how does penetration testing work? What roadblocks are professionals in this field facing? How are companies using penetration testing today? What innovations in penetration testing are available today? All these questions will be answered in this article. And if you have questions about any of it, please contact us for more information.

What is Penetration Testing?

Now that we understand why penetration testers exist and how critical they are to companies’ security posture, let’s review how they work. The ethical hacking process usually involves working with the client to establish goals and define what systems can be tested, when, and how often without service interruptions. In addition, penetration testers will need to gather a lot of information about your organization including IP addresses, applications, number of users who access the systems, and patch levels. These things are considered “targets” and are typically vulnerable areas.

Next, the pen tester will perform the “attack” and exploit a vulnerability (or denial of service if that’s the case). Tools like Kali Linux, Metasploit, Nmap, and Wireshark (plus many others) help paid professionals work like hackers. They will move “horizontally or vertically,” depending on whether the attacker moves within the same class of system or outward to non-related systems, CSO Online notes.

Penetration Testing Career and Company Challenges

As you can imagine, being an ethical hacker naturally requires continuous learning of the latest attack methods and breaches to stay ahead of the “black hatters” and other unauthorized users. That alone can be a challenge because it requires a huge time commitment and lots of continual research. In addition, the following penetration testing challenges are keeping organizations up at night:

  • There were more than 9,800 unfilled penetration testing jobs in the U.S. alone. With all these jobs open, businesses are challenged to find these professionals for hire, leaving them without resources to harden their potential security vulnerabilities.
  • High costs prohibit hiring dedicated and skilled CPTs. Not all CPTs are created equal, while some third parties only perform vulnerability analysis as opposed to thorough pen tests.
  • Most tests are conducted via downloaded tools or as one-off engagements focused on known threats and vulnerabilities.
  • Many third-party engagements have to be scheduled well in advance and run sporadically throughout the year.

A New Penetration Testing Training Solution

Recent reports note that 31% of pen testers test anywhere from 24-66% of their client’s apps and operating systems, leaving many untouched by professionals and open to vulnerability. In the face of these penetration testing challenges, government, enterprise, and academic institutions are turning to technology and persistent training methods for current staff to help. Automated penetration testing tools can augment the security testing process from asset discovery to scanning to exploitation, much like today’s malicious hacker would.

Circadence is proud to have developed a solution (available soon) that automates and augments the work of penetration testing security professionals with a platform called StrikeSet™. StrikeSet is designed to increase the efficiency and thoroughness with which pen testing is performed. Specifically, the platform can help professionals perform hacks and simulated attacks on systems while machine learning capabilities provide session analysis and create unique threat playbooks for operators. It also monitors and tracks tool behavior for classification.

In addition, data is gathered from distributed operators who can remotely collaborate on gaining access to a system, exploit development, SQL injections, forensics analysis, phishing campaign orchestration, and much more. That data is used to analyze the Red Team’s TTPs with the aim of mimicking approaches to save on resources and time.

With cyber attacks becoming the norm for enterprises and governments, regular scans and pen testing of application security are key to protecting sensitive data in the real world. Coupled with holistic cyber training for offense, defense, and governing professionals and enterprise-wide cyber hygiene education, enterprises and governments will be better prepared to handle the latest and greatest threats. It’s time for organizations to leverage tools that automate and augment the cyber workforce in the wake of an ever-evolving and complex threat landscape.