While the oil and gas industry has suffered fewer major cybersecurity breaches than other industries to date, many minor incidents have occurred and it’s only a matter of time before a major oil and gas company will appear in the headlines along with companies such as Target.
Global consultancy DNV GL released a survey of 1,100 business executives on Nov. 30, which lists the top 10 cybersecurity vulnerabilities. These include:
- Lack of cybersecurity awareness and training among employees
- Remote work on pipelines and infrastructure during operations and maintenance
- Using standard IT products with known vulnerabilities in the production environment
- A limited cybersecurity culture among pipeline and other vendors, suppliers and contractors
- Insufficient separation of data networks
- The use of mobile devices and storage solutions, including smartphones
- Data networks between on- and offshore facilities
- Insufficient physical security of data rooms, cabinets, etc.
- Vulnerable software
- Outdated and ageing control systems in facilities.
“Headline cybersecurity incidents are rare, but many lesser attacks go undetected or unreported as many organizations do not know that someone has broken into their systems. The first line of attack is often the office environment of an oil and gas company, working through to the production network and process control and safety systems,” said Petter Myrvang, head of the Security and Information Risk Section, DNV GL-Oil & Gas.
The implementation of a comprehensive cybersecurity plan to protect critical oil and gas automation and control systems, including supervisory control and data acquisition (SCADA) systems, is a cornerstone of ensuring the availability of infrastructure assets and company information, complying with federal, state and local laws and regulations, and maintaining safe and reliable operations.
A defense-in-depth approach to cybersecurity reduces risk with each effective layer of protection and combines a mix of defensive and offensive measures for maximum protection against a breach. A new frontier in defense in depth is the implementation of dynamic deception solutions, which take a favorite hacker strategy, deception, and use it against the attackers themselves.
Dynamic deception provides the real-time visibility into threats that have bypassed firewalls, intrusion detection and other prevention solutions, and provides the detailed forensics required to block, quarantine and remediate the infected device or network.
The Stuxnet attack on an air-gapped (not connected to the Internet) uranium enrichment facility was an eye-opener for security decision makers in the broader energy industry. A hacker introduced the Stuxnet virus, a zero-day exploit, via a USB device. The virus went unnoticed until its sabotage was already complete.
Cyberattacks are often sophisticated in behavior and are becoming more difficult to detect and stop with standard firewalls and other perimeter defenses.
The realization that U.S. critical infrastructure, such as oil and gas pipelines and facilities, needs better protection from imminent cyberattacks has resulted in heightened awareness, and in many cases, accelerated development and implementation of additional safeguards. Attacks on oil and gas infrastructure have the potential to be not only an inconvenience but also could result in major destruction with ripple effects that could be long lasting.
Securing oil and gas industry automation and control systems presents unique challenges. The myriad of devices such as sensors, wireless transmitters, remote terminal units (RTUs), programmable logic controllers (PLCs) and operator interface terminals (OITs) that are deployed generally have a long life cycle.
There are often thousands of these devices within a given oil and gas company. Hardening them can be a challenge, since component manufacturers designed them with function, not security, as the primary mindset. As a result, these older automation and control devices are often less resistant to denial-of-service attacks.
While newer devices reflect the changed security landscape, there will be a lag time and high cost associated with replacing the large number of industrial automation and control systems (IACS) the typical oil and gas company has deployed. Consequently, many older devices will remain in place for some time.
Because oil and gas automation and control systems often operate 24/7, the time between maintenance projects is generally longer than in other industries, leaving devices without required patches or updates for longer periods of time.
The original developers of SCADA systems had focused on monitoring critical production processes without considering security consequences. Today, however, IT teams are connecting SCADA systems to the corporate IT infrastructure and the Internet, increasing vulnerability to cyberattacks.
Strategies for Oil and Gas
There is no silver bullet solution that is going to protect IACS. The most effective strategy is to apply prevention and detection solutions together, so that multiple layers of security protect the asset and detect infections when prevention solutions fail. The risk of a security breach is reduced with each layer of security that is added to protect the asset.
A complete defense-in-depth approach will include administrative controls – such as policies and procedures – physical controls, such as cabinet locks and badge door access, as well as technical controls, including firewalls, intrusion prevention systems (IPS), intrusion detection systems (IDS), and deception for inside-the-network threat detection.
Deception is the newest “layer” in the defense-in-depth approach. It is a different and highly effective solution for protecting SCADA environments since it does not rely on knowing attack signatures or patterns and it does not need to monitor all traffic to look for suspicious behavior.
Deception also does not require software to be loaded or maintained on the SCADA device. Instead, a deception solution confuses, delays and redirects a cyberattack by incorporating ambiguity and misdirecting its operation.
Drawn to the deception engagement server, attackers are tricked into engaging and assuming they have succeeded in their attack. The deception server contains a “sinkhole” so that once engaged, IT and security teams can study the attack without risk of additional harm.
Once attackers engage, there is no way of hiding. The IT and security team can see the attacker IP addresses and the deception engagement server will collect and analyze attack forensics so that an actionable, substantiated alert can be sent, enabling the prompt blocking, quarantining and remediation of the infected device.
By design, deception will detect both reconnaissance and stolen credential attacks, and will reduce attack detection time by accurately identifying infected clients, including sleeper and time-triggered agents. Regardless of whether the virus is old or new, the deception engagement server can quickly and accurately detect the attack.
Deception can also be used to detect and analyze ransomware attacks, including phishing and CryptoLocker attacks. For example, deception would have been an effective solution to detect the BlackEnergy KillDisk malware prior to the impact it caused to the Ukrainian power grid.
First, the deception engagement server plays a key role in attacker deception and must appear authentic so that it deceives the attacker into believing the network information it provides is real. Ideally, the oil and gas company’s IT team will install its own open platform communications (OPC) software, be able to run popular protocols and use real operating systems for the highest level of authenticity.
Popular protocols include Siemens S7 PLC, Modbus, BACnet, IPMI, SNMP MIB, Veeder-Root tank software emulation, Common Industrial Protocol (CIP) and DNP3.
Substantiated alerts are another critical part of the solution. Many oil and gas company devices run 24/7 and taking them offline could have operational and financial consequences. Alerts must provide irrefutable evidence of an infected device and the detail required to remediate the infection.
Additionally, reporting should be available in PCAP, IOC, STIX, syslog and other formats, so prevention systems can be updated to block future attack attempts. More advanced systems will also provide integrations for automated remediation with popular SE and other firewall prevention solutions.
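As an added example, not code from the article or from any vendor's product, the following Python sketches the two pieces the last few paragraphs describe: a decoy that speaks enough Modbus/TCP (one of the protocols listed above) to answer an attacker's reads and writes the way a real PLC would, and the substantiated alert each interaction produces, rendered both as JSON and as an RFC 5424 syslog line of the kind a SIEM or firewall integration would consume. The decoy name, register contents and sample frames are constructed assumptions; the Modbus framing follows the public specification.

```python
import json
import struct
from datetime import datetime, timezone

# Modbus function codes the decoy understands (subset of the public Modbus spec).
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
# A write against a decoy is an attempt to alter "process" state: highest severity.
WRITE_FUNCTIONS = {5, 6, 15, 16}
# Plausible register contents so a read of the decoy looks like a live PLC
# (constructed values; a real decoy would load site-specific data).
DECOY_REGISTERS = [1234, 0, 5000, 72, 1, 0, 0, 0]
# RFC 5424 numeric severities used for the syslog rendering: critical, warning.
SYSLOG_SEVERITY = {"high": 2, "medium": 4}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function_code, data = frame[7], frame[8:]
    parsed = {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": function_code,
        "function_name": FUNCTION_NAMES.get(function_code, "Unknown/vendor-specific"),
    }
    if function_code in (1, 2, 3, 4, 15, 16) and len(data) >= 4:
        parsed["start_address"], parsed["quantity"] = struct.unpack(">HH", data[:4])
    elif function_code in (5, 6) and len(data) == 4:
        parsed["start_address"], parsed["value"] = struct.unpack(">HH", data)
    return parsed


def build_response(parsed: dict) -> bytes:
    """Reply the way a real PLC would: register reads return decoy data, single
    writes are echoed back, anything else gets exception 0x01 (illegal function)."""
    fc = parsed["function_code"]
    if fc in (3, 4) and 1 <= parsed.get("quantity", 0) <= 125:
        start, qty = parsed["start_address"], parsed["quantity"]
        pool = DECOY_REGISTERS * ((start + qty) // len(DECOY_REGISTERS) + 1)
        payload = bytes([fc, 2 * qty]) + b"".join(struct.pack(">H", r) for r in pool[start:start + qty])
    elif fc in (5, 6) and "value" in parsed:
        payload = struct.pack(">BHH", fc, parsed["start_address"], parsed["value"])
    else:
        payload = bytes([fc | 0x80, 0x01])
    # The MBAP length field counts the unit id byte plus the PDU.
    mbap = struct.pack(">HHHB", parsed["transaction_id"], 0, len(payload) + 1, parsed["unit_id"])
    return mbap + payload


def build_alert(src_ip: str, src_port: int, frame: bytes, decoy_name: str = "decoy-plc-01") -> dict:
    """Turn one decoy interaction into a substantiated alert.  Nothing legitimate
    ever talks to the decoy, so a single parsed frame is already the evidence."""
    parsed = parse_modbus_tcp(frame)
    severity = "high" if parsed["function_code"] in WRITE_FUNCTIONS else "medium"
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "decoy": decoy_name,
        "source_ip": src_ip,
        "source_port": src_port,
        "severity": severity,
        "modbus": parsed,
        "raw_frame_hex": frame.hex(),
    }


def to_syslog(alert: dict, facility: int = 16) -> str:
    """Render the alert as an RFC 5424 line (facility local0) for SIEM or firewall integration."""
    pri = facility * 8 + SYSLOG_SEVERITY[alert["severity"]]
    m = alert["modbus"]
    sd = f'[deception src="{alert["source_ip"]}" fc="{m["function_code"]}" addr="{m.get("start_address", "")}"]'
    return f"<{pri}>1 {alert['timestamp']} {alert['decoy']} deception - modbus {sd} {m['function_name']} from {alert['source_ip']}"


# Constructed sample traffic: a read of two holding registers, then a write of
# 0x00FF to register 10, both addressed to unit 1 of the decoy.
SAMPLE_READ = bytes.fromhex("000100000006010300000002")
SAMPLE_WRITE = bytes.fromhex("0002000000060106000a00ff")

if __name__ == "__main__":
    for frame in (SAMPLE_READ, SAMPLE_WRITE):
        alert = build_alert("10.0.5.23", 51234, frame)
        print("reply to attacker:", build_response(alert["modbus"]).hex())
        print(to_syslog(alert))
        print(json.dumps(alert, indent=2))
```

Because no production system has any reason to address the decoy, the alert needs no signature or behavioral baseline: the parsed frame itself, with its source address and the exact register the attacker tried to read or write, is the irrefutable evidence the text calls for, and the syslog line carries it to prevention systems in a form they can act on.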
The dynamic deception layer bridges the security gap that occurs when an attacker bypasses prevention solutions and mounts an attack inside the network. Deception also provides increased visibility into the potential unknown intrusions on IACS devices that can occur from both internal and external threats. Comprehensive deception solutions can also detect the use of stolen credentials in addition to the reconnaissance and lateral movement of an attacker.
While every oil and gas SCADA facility and SCADA system is different, there are several core features that oil and gas facility IT teams should seek out when exploring dynamic deception solutions as part of their defense-in-depth strategy. Among these:
- Dynamic deception should provide upstream and downstream threat detection for business, process controls and field sensors.
- The solution should detect threats from reconnaissance, stolen credentials, phishing and ransomware attacks, while providing visibility to external, inside and third-party threats as they move laterally through the network.
- It should set traps and provide the visibility required to quickly detect and stop an attack, regardless of whether the malware originates from a USB device, from clicking on a phishing email or other point of access.
- Ideally, the solution should detect zero-day attacks and not depend on signatures or attack pattern lookup.
- The deception solution should run real operating systems, extensive protocol emulations and have the ability to load an oil and gas company’s OPC software, which makes the deception engagement server indistinguishable from production SCADA devices. This is critical as the solution uses server and application deceptions as “bait” to lure attackers to its engagement servers.
- IT and security teams should be able to insert the deception solution’s endpoint credentials on each SCADA device so attackers are deceived into thinking they have stolen valuable user credentials, which in fact lead them to the “sinkhole.”
- Deployment should be simple and straightforward. It should be frictionless and take less than an hour to deploy.
- The engagement server should be self-healing, which provides automatic rebuilding of engagement servers after an attack, eliminating the need for manual rebuilds or maintenance.
- All alerts should occur in real time based on the detection of an attacker and include forensics with the substantiated, actionable detail required to identify the infected device, identify the attacker IP and communicate with the attacker’s command and control to capture attacker methods and tools. Because alerts are based on actual attacks and provide attack detail, IT and security teams can quickly and confidently quarantine a device and remediate the attack.
- The deception solution should include a threat intelligence dashboard that provides the ability to customize settings and gives a centralized view of all alerts. The dashboard should drill down deeply into attack detail and have the option to create multiple report formats, such as IOC, PCAP, STIX and CSV to share attack information detail. It should also integrate with third-party SIEM solutions, such as Splunk, ArcSight, QRadar and Nitro.
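As an added example rather than any product's code, here is how the planted-credential and substantiated-alert items in the list above can be turned into detection logic: each decoy username is mapped to the SCADA device it was placed on, and any authentication attempt that uses one of them produces an alert naming the harvested device and the source address, with a successful login to the decoy rated highest because it confirms the attacker has reached the sinkhole. The usernames, device names and sshd-style log lines are constructed for this example.

```python
import re

# Decoy ("honey") credentials planted on each SCADA endpoint, keyed by username
# and mapped to the device they were placed on.  No legitimate process uses
# them, so ANY authentication attempt with one of these usernames means that
# endpoint has been harvested.  Constructed values for this example.
HONEY_CREDENTIALS = {
    "svc_hist_rtu7": "rtu-07",
    "svc_backup_hmi2": "hmi-ops-02",
}

# sshd-style authentication line as written by the decoy and by real hosts
# (constructed sample format for this example).
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
)


def detect_honey_credential_use(lines):
    """Return one alert per (username, source IP) that tried a planted credential."""
    seen = {}
    for line in lines:
        m = AUTH_LINE.match(line)
        if not m or m["user"] not in HONEY_CREDENTIALS:
            continue  # unparseable line, or a real account: not a deception event
        key = (m["user"], m["ip"])
        alert = seen.setdefault(key, {
            "username": m["user"],
            "planted_on": HONEY_CREDENTIALS[m["user"]],  # the infected device
            "source_ip": m["ip"],                       # where the attacker is now
            "target_host": m["host"],
            "first_seen": m["ts"],
            "attempts": 0,
            "accepted": False,
        })
        alert["attempts"] += 1
        if m["result"] == "Accepted":
            alert["accepted"] = True
    for alert in seen.values():
        # An accepted decoy login means the attacker is engaged with the sinkhole.
        alert["severity"] = "critical" if alert["accepted"] else "high"
    return list(seen.values())


# Constructed sample log: normal operator activity on an HMI, then a host at
# 10.0.5.23 trying the credential that was planted on rtu-07 against the decoy.
SAMPLE_AUTH_LOG = [
    "Jan 12 03:14:07 hmi-ops-02 sshd[2211]: Accepted password for operator from 10.0.1.15 port 50122 ssh2",
    "Jan 12 03:14:52 decoy-plc-01 sshd[918]: Failed password for invalid user svc_hist_rtu7 from 10.0.5.23 port 51234 ssh2",
    "Jan 12 03:15:01 decoy-plc-01 sshd[918]: Accepted password for svc_hist_rtu7 from 10.0.5.23 port 51240 ssh2",
    "Jan 12 03:16:30 hmi-ops-02 sshd[2215]: Failed password for operator from 10.0.1.15 port 50130 ssh2",
]

if __name__ == "__main__":
    for alert in detect_honey_credential_use(SAMPLE_AUTH_LOG):
        print(alert)
```

The operator's failed login on the real HMI never surfaces, while the two attempts with the planted username collapse into a single critical alert that already says which device to quarantine (rtu-07, where the credential was harvested) and which address to block (10.0.5.23).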
Perimeters of networks continue to disappear, and business and process control networks continue to become increasingly more connected. Dynamic deception provides a new and powerful approach for the prompt detection of threats that have bypassed prevention solutions and are inside the network.
It also provides real-time visibility into internal and external threats active inside the network, empowering an organization to go on the offensive and proactively protect automation and control systems from the risk of malicious attacks. Deception systems are not all created equal, though they all offer the benefit of deceiving and detecting an attacker, giving organizations the much-needed time and visibility to derail an attack.
Author: Carolyn Crandall has over 25 years of experience in high-tech marketing and sales management. At Attivo Networks, she is chief marketing officer responsible for overall strategy, company awareness, and creation of customer demand through education programs and technology partnerships.