February 2014, Vol. 241 No. 2


Preventing Network Security Threats At Sub-Contractor Level: A New Approach To Pipeline Security

Stephen Coty, Director Threat Research, Alert Logic

Network security for pipeline systems is one of the top priorities noted by the Interstate Natural Gas Association of America (INGAA). That isn’t surprising when you consider that the energy industry has been a prime target of network attacks and data breaches over the last two years, both from corporate espionage “agents” interested in stealing confidential geophysical data, financial data and credentials, and from hacktivists with political and social motivations to embarrass organizations.

However, hacking directly into a global energy company’s network, or the pipeline controls themselves, is far harder than it used to be because of the robust and expensive network security defenses these large enterprises have in place. Instead, attackers look for the weakest link in network security and concentrate their credential-guessing and malware attacks there. In most cases, that weakest link is the smaller IT network of a sub-contractor or other vendor that has connectivity to client systems through a VPN.

In another emerging scenario, cyber attackers glean business and personal information about sub-contractor employees from social media sites to craft phishing emails that let them infiltrate their clients’ networks and steal valuable data using malware and Trojans. The use of employee-owned devices and applications in the workplace, under BYOD and BYOA policies, increases this exposure.

Regardless of the approach or the motivation, the cyber criminals stalking the networks of energy companies have discovered a convenient and usually unlocked “back door” in industry contractor networks. Oil and gas companies can shut and lock this back door by taking proactive steps to ensure that all network communications with their contractors are as secure as their internal enterprise systems. This article looks at several key areas of technology and best practices for preventing brute force and malware network security threats at the sub-contractor level.

A Critical Security Threat
First, let’s look at the seriousness of security threats against energy companies today. The performance of energy pipelines impacts every sector of the global economy. Loss of energy services, especially during peak temperature seasons, would have a devastating effect on both businesses and individual households. Moreover, the danger of explosion or gas leaks due to tampering with SCADA PLCs presents an enormous physical threat to both energy workers and the public at large.

Despite these significant domestic security concerns, the fact remains that the industry’s highly valuable geophysical data and critical SCADA industrial control systems make energy a tantalizing target for cyber criminals. Around 60% of Alert Logic’s customers in the energy sector have experienced brute force attacks, in which an attacker, often using a botnet, repeatedly guesses user names and passwords against exposed services such as VPN gateways, remote desktop and SSH until a valid credential is found. SCADA is the most attractive and, unfortunately, often the most vulnerable target, as three malware programs that struck industrial and energy targets over the past three years show:

• 2010 – The Stuxnet worm had industrial control systems as its main target, with the goal of modifying the code running in Programmable Logic Controllers (PLCs) so that they deviated from their expected behavior while reporting normal operation to the operators.

• 2012 – Shamoon was reportedly introduced into the Saudi Aramco computer network by an insider with access to the system. Once inside, it spread through the internal network over file shares, which is how it also reached workstations that were not connected to the Internet. Its payload overwrote the master boot record and files on roughly 30,000 workstations, rendering them unbootable.

• 2012 – Flame is a carefully crafted attack toolkit built for the sole purpose of industrial and political espionage. This is not just a typical worm. It can replicate across a network like a worm, but it also creates backdoors and gives the operator complete remote access to the infected workstation, including the webcam, microphone, storage devices, USB, Wi-Fi and keystroke logging.

The bad news is that malware aimed at SCADA environments continues to grow in sophistication and will soon exceed even remote access toolkits such as Flame. That means energy companies must implement more robust security and cyber threat defense strategies to protect their SCADA systems and confidential data from prying eyes. It also requires collaboration with sub-contractors to ensure security improvements on their side as well.

The Anatomy Of A Phishing Attack
Access to critical geophysical data is the other key motivation for network attacks, and cunning hackers are making it an inside job. About 51% of Alert Logic’s energy customers have been exposed to malware attacks that enter the network through employee emails tainted with malware. Clicking a link in a carefully crafted phishing email can lead an employee to unknowingly launch malware that gives an espionage attacker access to confidential geophysical data, or cause corporate embarrassment, as the hacktivist group Anonymous did in 2012 with a phishing campaign that made it appear that global oil executives had signed up as Greenpeace supporters.

The following scenario shows how easily attackers can gather readily available information about a contractor’s employees from the sub-contractor’s website and social media sites and use it in an email phishing campaign. By infiltrating the contractor’s network disguised as an employee, attackers can eventually find and steal the data of their primary target, the large energy company served by the contractor. Here is how they do it:

• Researching the sub-contractor – Attackers simply visit the website of a sub-contractor, such as a small drilling contractor, and open the page listing the contractor’s oil and gas clients. They pick a victim to reach through the contractor’s employees. Next, they mine corporate email addresses, areas of specialty, technology in use and other details about the contractor’s employees with a search on LinkedIn or another business networking site, then search the same names on Facebook or another social media site to learn their personal interests. In a few simple searches, the attackers know what technologies the contractor is using and what topics would entice employees to click a link in a phishing email.

• Start phishing – The attackers craft and send phishing emails that appear to come from someone the employee knows, such as his boss, with an offer he can’t resist, such as free tickets to a major league sports game. The email instructs the recipient to click a link to download the tickets; instead, the click launches a credential-stealing Trojan or other malware that gives the attacker control of the employee’s workstation.

• Find the valuable data – With full control of the workstation and knowledge of the technologies the contractor uses, attackers begin to explore the contractor’s network and look for weak links. They collect user names and passwords and look for accounts with administrator rights. They also observe when the employee normally uses the network, and therefore when he or she is likely to be away from the workstation. During those times, the attackers log on through the VPN with the stolen credentials and search for access to the valuable geophysical data or SCADA systems belonging to the energy company, the main target.

• Breach the data – Finally, when the attackers find the valuable data, they note where it is. They do not move it right away, so as not to trigger any network alarms. Meanwhile, they take over the workstations of users with higher privileges until they can at last quietly copy the data to an offsite storage location. Mission accomplished: the data is breached, and the attackers are often gone before anyone notices.

Build A Strong Network Security Defense Strategy
Regardless of size or global standing, all energy companies are vulnerable to network security threats. Nearly all of the largest global brands have been breached at some point over the last three years by the hacktivist group Anonymous or by splinter groups that split from it. Other cyber criminals breached a leading software developer and stole data related to its SCADA software project for a major energy client. Even the U.S. Department of Energy suffered two breaches of personal data in 2013, including the Social Security numbers of 53,000 employees and contractors. The lesson for the energy sector is that it cannot rely on the government to provide pipeline security.

Oil and gas companies then must be proactive in establishing a new paradigm of network security that takes the vulnerabilities of contractor networks into account and remedies them with a comprehensive network defense strategy:

Practice Good Network Management
SCADA systems are easy targets because many of them still run on older operating systems with known, unpatched vulnerabilities. Be vigilant about configuration management and patch management to reduce this risk, and where a legacy system cannot be patched, isolate it from the business network and from contractor VPN access so that a compromised workstation cannot reach it directly. Stay current with new developments in malware sophistication and continually upgrade your network monitoring and detection devices and/or services to alert on new attack signatures.

Leverage Log Data Analysis With Network Monitoring And Defense Technologies
Consistently track data flow and monitor for anomalies. In addition to deploying traditional network security tools, such as intrusion detection systems (IDS), Security Information and Event Management (SIEM) software and application security monitoring, use your log management system to monitor and analyze the health of your network. Log analysis can serve as an early warning system and can tell you whether a SCADA system or data server may have been tainted with malware, or whether the confidentiality, integrity or availability of geophysical data has been compromised.

Configure log management to alert on anomalies involving network access control servers, IDS sensors, firewalls, operating systems, VPNs, web proxies and other inroads to your network. Two patterns in the scenario above are straightforward to catch in VPN gateway logs: a burst of failed logins from one source address (credential guessing), and a successful login for a user at an hour or from an address that user has never used before (a stolen credential in use). Regular log analysis with today’s automated log management systems, combined with the expertise of live security analysts in a Security-as-a-Service environment, provides valuable network information to support a strong network security defense strategy.
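The following is an added example, not code from the article or from Alert Logic, of the two VPN log checks described above: a sliding-window count of failed logins per source address, and a comparison of each successful login against a per-user baseline of usual hours and source addresses. The log line format, the thresholds, the user names and the addresses are all assumptions constructed for illustration; a real deployment would read the gateway's own format and build the baseline from weeks of known-good history rather than a handful of lines.

```python
"""Anomaly checks over VPN gateway authentication logs.

Added example (not from the article or Alert Logic). The log format,
thresholds, users and addresses below are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
#   <ISO-8601 UTC timestamp> <host> auth result=<OK|FAIL> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed known-good history: jsmith works US business hours (13-17 UTC)
# from the contractor's office address; aperez likewise from a second address.
HISTORY = """
2014-01-27T13:02:11Z vpn01 auth result=OK user=jsmith src=198.51.100.7
2014-01-27T16:45:09Z vpn01 auth result=OK user=jsmith src=198.51.100.7
2014-01-28T14:10:33Z vpn01 auth result=OK user=jsmith src=198.51.100.7
2014-01-28T15:20:41Z vpn01 auth result=OK user=aperez src=198.51.100.22
2014-01-29T13:55:02Z vpn01 auth result=OK user=jsmith src=198.51.100.7
"""

# Constructed day under analysis: password guessing from one address at night,
# then a successful login for jsmith from that same address at 02:14 UTC.
TODAY = """
2014-02-03T02:10:07Z vpn01 auth result=FAIL user=jsmith src=203.0.113.45
2014-02-03T02:10:31Z vpn01 auth result=FAIL user=aperez src=203.0.113.45
2014-02-03T02:11:02Z vpn01 auth result=FAIL user=admin src=203.0.113.45
2014-02-03T02:11:40Z vpn01 auth result=FAIL user=jsmith src=203.0.113.45
2014-02-03T02:12:15Z vpn01 auth result=FAIL user=jsmith src=203.0.113.45
2014-02-03T02:14:07Z vpn01 auth result=OK user=jsmith src=203.0.113.45
2014-02-03T15:03:50Z vpn01 auth result=OK user=aperez src=198.51.100.22
"""


def parse_lines(text):
    """Parse log text into event dicts, skipping lines that do not match."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per-user set of login hours (UTC) and source addresses seen in good history."""
    baseline = defaultdict(lambda: {"hours": set(), "srcs": set()})
    for e in events:
        if e["result"] == "OK":
            baseline[e["user"]]["hours"].add(e["ts"].hour)
            baseline[e["user"]]["srcs"].add(e["src"])
    return dict(baseline)


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per source address that reaches `threshold` failures inside `window`."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerted, alerts = set(), []
    for e in events:
        if e["result"] != "FAIL":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append((e["src"], e["ts"]))
    return alerts


def detect_offhours(events, baseline):
    """Alert on successful logins outside a user's usual hours or from an unseen address."""
    alerts = []
    for e in events:
        if e["result"] != "OK":
            continue
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("unknown user")
        else:
            if e["ts"].hour not in b["hours"]:
                reasons.append("outside usual hours")
            if e["src"] not in b["srcs"]:
                reasons.append("new source address")
        if reasons:
            alerts.append((e["user"], e["ts"], e["src"], reasons))
    return alerts


def run():
    """Run both checks over the constructed data and return the alerts."""
    baseline = build_baseline(parse_lines(HISTORY))
    today = parse_lines(TODAY)
    return {"bruteforce": detect_bruteforce(today),
            "offhours": detect_offhours(today, baseline)}


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

Two points of design are worth noting. The brute force check alerts once per address rather than on every further failure, so an attacker cannot drown the analyst in duplicate alerts; the off-hours check is what catches the scenario where guessing finally succeeds, because the login itself is "valid" and only the context (hour and address) is wrong. A baseline this thin would misfire on anyone who occasionally works late, so in practice the hours set should come from a long history or from the user's declared schedule.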

Eliminate BYOD Or Create Tighter Access Controls
Energy companies may also choose not to let employees or contractors bring their own mobile devices into the workplace. By eliminating BYOD, they close another path for email phishing. If a company still wants to allow BYOD, it should enforce network access controls on the VPN so that every user presents a valid credential (preferably a second factor in addition to a user name and password, since a password alone is exactly what a phishing Trojan steals) and every device shows up-to-date anti-virus protection and a current patch level before it can reach the main network.

Involve Contractors In Your Security Practices And Training
Simple technology changes go a long way toward preventing hackers from exploiting weak links in sub-contractor networks. To add another layer of security, energy companies should supply contractors with dedicated laptops, configured for VPN connectivity only, that “call home” for anti-virus and patch updates every time they come online. Contractors can provide separate laptops to their employees for their own business needs, such as email, so that a phished mailbox never sits on the same machine as the client VPN. This approach significantly lessens the risk of email phishing at the contractor level and essentially locks the back door to clients’ networks.

In the end, cyber crime and data breaches will continue to be a serious threat to the energy sector and pipeline security, and hackers will continue to seek the easiest and most vulnerable paths to geophysical data and SCADA systems. Energy companies must therefore take more responsibility for ensuring robust security practices at their sub-contractors. By working together, the energy sector and its vendors can most effectively counter network security threats and raise the level of protection for the world’s pipelines.

Author: Stephen Coty is the director of Threat Research at Alert Logic in Houston and a member of ISSA, Infragard and the HTCIA. Before coming to Alert Logic he was the manager of Cyber Security for Rackspace Hosting. Prior to Rackspace he worked at several companies including Wells Fargo Bank, Applied Materials, Stanford Medical Center and The Netigy Corporation. He has been in the information technology field since 1992 with a focus on security as of 1999 when he started as a penetration tester and auditor. Research has been his primary focus and passion since 2007.
