Combating Cyber Threats in Oil & Gas Sector
Published on : Wednesday 07-12-2022
Successful cyber-attacks threaten the competitiveness of the Oil & Gas sector, and the cost of the breaches will also be higher, cautions Titli Chatterjee.
With the rising interest in the offshore oil & gas sector to utilise digital technologies, Industrial Internet of Things (IIoT) and Industrial Cyber-Physical Systems (ICPS), there has always been a simultaneous concern of cyber attacks targeted at oil & gas enterprises. Digitalisation in oil & gas involves the adoption of digital technologies, paving for Industry 4.0 in the sector that causes all the more reasons for significant threats which can cause plant shutdowns impacted by sabotage and interruption of utilities.
Before we speculate on the attacks mostly impacted by the digitalisation of the sector, we sure want to delve into the nuances of the various technologies deployed along with all other protocols that could potentially compromise process safety. Since, there is a pressing need among the enterprises to reduce cost and maximise equipment availability, the major concern of the businesses still revolves around the increasing dependence on technology and web-based communication that has paved to such vulnerabilities that could cause significant losses to the company and compromise process safety. In the wake of technological advancements in this sector with the oil & gas relying heavily on the Programmable Logic Controllers (PLC), Distributed Control Systems (DCS), Human Machine Interfaces (HMI), industrial technologies like IIoT and Cyber-Physical Systems, what needs to be protected is the immediate concern of the industry.
Threat implications in Oil & Gas sector
The offshore oil production plants require remote access to and control of large and complex hardware resources that can be achieved by integrating Supervisory, Control and Data Acquisition (SCADA) systems and IIoT technologies; at the same time a cyber attack against the sector could have a major impact on the environment and the safety of personnel. This scenario makes it even more important to protect the industry from increasing cyber threats. It has been quite a while that companies are striving to address the cyber threats and develop a proactive approach to prevent business disruptions. At the same time, the oil & gas sector is increasingly becoming more vulnerable with the hackers targeting the operational domain. The underlying reason being the Operational Technology (OT) and the Industrial Control Systems (ICS) working in silos in a legacy environment and physically isolated from outside networks, with many ICS components not connected to Information Technology (IT) networks. Though this ensured less exposure to other attack prone surfaces and was restricted to their scope of their operations locally, due to the need to make faster business decisions equipment are now being integrated with multiple digital technologies synced with the Industry 4.0 vision and mostly referred to as “Oil & Gas 4.0”. Although the IT/OT convergence and the rapid development of embedded systems, sensors and networks have led to significant efficiency gains and maximise equipment availabilities, this also exposes ICS communication protocols to vulnerabilities/attacks like:
1. Denial of Service (DoS) – The DoS attacker identifies the network traffic to understand the rate of communication in the Modbus protocol and crafts out malicious packets similar to legitimate Modbus protocols with the aim of rupturing the network and disabling the Emergency Shut Down (ESD) systems, which is typically used to prevent unsafe operating conditions.
2. Oil Tank Spoofing Attack–The processed oil that has been stored in tanks, ready for export are usually fitted with level control sensors to transmit information and prevent tank overfills. Such assets are prone to Man-in-the-Middle attacks falsifying sensor readings leading to tank explosions indicating that the tank level is actually lower than it actually is.
3. Production Data Exfiltration – An attacker could easily be privy to sensitive information and exploit readily available information by discretely deploying malicious software on compromised workstations
4. Command Injection– The attacker can tamper the set point limits of PLCs (Programmable Logic Controller) which usually are programmed to control the process and operate within safe operational parameters. These could lead to unsafe operational states and cause explosions due to presence of volatile hydrocarbons in oil & gas, and
5. Data Tampering– Processed data can be tampered by muddling the details of a wider attack by altering operational log and system control-related data, especially for offshore control stations where these log files can be a perfect target by the attackers.
Interestingly, the shift of the attackers varies in the offshore and onshore production. Due to the remote locations and the dire need for real-time monitoring and control, offshore oil & gas companies face a frequent challenge of security disruptions impacted by a larger attack surface as compared to other sub-sectors. This is crucial because offshore production almost bears the weightage of almost 30 percent of global oil & gas production. A classic scenario is how International Oil Companies (IOC) in Nigeria is divesting their onshore producing assets to focus more on offshore production. On the other hand, Equinor, a Norway based petroleum refining company already having a large portfolio of assets in the US Gulf of Mexico, is planning to divest its onshore assets in the Bakken Field. Perhaps, this indicates that enterprises dealing with the offshore oil & gas production are to retain their share of global oil production and more likely to grapple with the cyber exposures. Unfortunately, there is no single adversary and individual threat to the information technology (IT) and operational technology (OT) infrastructures of the industry. Attackers run the gamut each with their advanced skill sets and deployment of technologies to hack their best.
Successful cyber-attacks threaten the competitiveness of this sector, and the cost of the breaches will also be higher. The enterprises will then have to react to the lost production, safety and environmental risk, breach of insurance conditions and loss of licence to operate. Therefore, the onus is on the CIO and CISO of the company responsible for ensuring the security of the enterprise. There is an adequate need to map out the budget for IT and OT network security as well as data security. There is no getting around the fact that managing and protecting both the physical and cyber assets at the same time will always be a challenging proposition for both the security service providers as well as the enterprises.
Titli Chatterjee is Senior Lead, SME – Smart Manufacturing Practice, ISG (Information Services Group). She is closely working with the industry thought leaders, advisors, consultants and other stakeholders in formulating research practices for smart manufacturing, also focusing on other industry challenges/trends and highlighting how technology can be a game changer at the industrial front.
(The views expressed in interviews are personal, not necessarily of the organisations represented)