Day-1 IOCL - Cybersecurity in Oil & Gas

Cybersecurity in Oil & Gas

Indian Oil Corporation Limited


Agenda
• Cyber Attacks in Oil & Gas Industry
• Cyber Threats in Oil & Gas Industry
• Cyber Risks and Threats
• Information Technology Risk Management
• Interaction of IT and OT
• Oil & Gas Information Architecture
• Risks for Oil & Gas Information Technology
• Cases
• Oil & Gas Industry Vulnerability
• Data Loss Prevention (DLP)
• Q&A
Cyber Risks and Threats
Signs and source of cyber attacks

Subtle Signs of Cyber Attack
• Unexpected share price movement
• Theft of IP – similar new product launched by competitor
• Mergers & Acquisitions (M&A) activities disrupted
• Unusual customer or joint venture behavior
• Operational disruption, without a clear cause
• Oddities in payment processing or ordering systems
• Customer or user databases showing inconsistent information

Source of Cyber Attacks (share of respondents naming each source)
• Criminal syndicates: 59%
• Employee: 56%
• Hacktivists: 54%
• Lone Wolf hacker: 43%
• External contractor working on our site: 36%
• State sponsored attacker: 35%
• Supplier: 14%
• Other business partner: 13%
• Customer: 12%
• Other (please specify): 3%

56% of respondents consider employees as a source of cyber attack.

EY’s 19th Global Information Security Survey captured the responses of 1,735 C-suite leaders and Information Security and IT executives/managers, representing many of
the world’s largest and most recognized global companies.

Page 4 24 March 2017 Cybersecurity in Oil & Gas


Cyber Risks and Threats
Results from EY’s Global Information Security Survey 2016

• 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices at work.
• But only 52% of organizations indicate data leakage is a top “new” increased risk.
• 87% of organizations believe the damage to reputation and brand is the most significant issue related to data loss.
• Yet only 10% of respondents indicated that examining new and emerging trends is a very important activity for the information security function.
• 61% are not making policy adjustments or increasing security awareness to address these new threats.


Cyber Attacks in Oil & Gas Industry

Oil & Gas Industry Under Attack
Cyber attacks in the past


Causes of Cyber Attacks



Oil & Gas Industry Under Attack
Cyber attacks in the past

Cyberattacks (Name/Type of Organization | Type of attack | No. of records stolen/breached | Type of record/data impacted | Year of Attack)
• Baku-Tbilisi-Ceyhan pipeline - Turkey | Hacking | Spilled 30,000 barrels of oil | Hackers interfered with alarms and communications, super-pressurizing crude oil to cause an explosion | Aug-08
• Global - Night Dragon | Social-Engineering | - | Intellectual property via structured attacks | Began Nov-2009
• Stuxnet | Malware | 20% of Iran’s uranium enrichment centrifuge capability | Proprietary process information | Jun-10
• Saudi Aramco | Hacking | 30,000 workstations | Destroyed 30,000 computers and erased a range of significant documents | Aug-12
• Qatar’s RasGas | Malware | - | Hit with a virus that shut down its website and e-mail servers | Aug-12

Key Threats/Consequences/Vulnerabilities: Plant Sabotage/Shutdown; Utilities Interruption; Production Disruption; Hydrocarbon Installation Terrorism; Facility Terrorism; Undetected Spills


Stuxnet
Cyber Risks and Threats
Activities occurring in a typical cyber attack lifecycle



Cyber Risks and Threats
How do cyber attacks unfold?

The signs of a cyber breach can be very subtle, with several incidents happening at the same time.

• Advanced social engineering (e.g. spear phishing, watering-hole attacks)
• Sophisticated six-month intelligence gathering phase
• Full knowledge of enterprise weaknesses – people, process and technology

The cumulative effect on an organization can be huge:

• Sales: strategic manipulation of sales and email systems results in missed sales of -2% to 3% just prior to quarterly and annual reporting periods.
• Supply chain: supply chain and on-line ordering system manipulation leads to degradation of production and receivables collection, resulting in missed revenue projections of -2% to 3%.
• R&D: higher profit areas and growth product development efforts are stolen, resulting in loss of sales and competitive edge, and in royalty payments to nation-state companies.
• Accounts payable: periodic accounts payable fraud causes US$ millions in lost income per year. Mass release of privacy data results in loss of public trust and additional legal cost.

• Devaluation impact: the organization is approached by likely benefactors of the cyber attack to acquire the troubled entity at “duress value”.
• Artificial duress results in a >30% loss of book value; social media rumours result in a >50% loss of market capital.
• Market manipulation: market value is artificially driven down for financial gain and to enable acquisition of material shares of public companies at duress value.

This impacts business decisions, mergers/acquisitions, and competitive position.


Social Engineering

Cyber Risks and Threats
Risk and Impact Analysis

More is at risk than many assume (each item with its potential implications):

► Access to sensitive data that can be monetized or used to perpetrate financial fraud, blackmail or corporate espionage
  Potential implications: liabilities; regulatory enforcement actions; employee or customer lawsuits; shareholder lawsuits; intangible or goodwill impairment

► Access to sensitive data to facilitate market manipulation: contract bids, M&A activity, succession plans, financial forecasts, business plans
  Potential implications: regulatory enforcement actions; shareholder lawsuits; intangible or goodwill impairment

► Access to financial systems to execute unauthorized financial transactions
  Potential implications: financial losses; shareholder lawsuits; intangible or goodwill impairment

► Manipulation of automated processes: modification of business rules utilized in processing (e.g., calculations, interfaces, detection and monitoring thresholds); modification of programming to industrial control systems, robotic systems, etc.
  Potential implications: inaccurate processing or functioning of controls; liabilities; delayed filing of financials; quality control issues; shareholder lawsuits; intangible or goodwill impairment


Information Technology Risk Management
Introduction

Information is a valuable asset. Without suitable protection, information can be:

1. Given away, leaked or disclosed in an unauthorized way
2. Modified without your knowledge to become less valuable
3. Lost without trace or hope of recovery
4. Rendered unavailable when needed

Information should be protected and properly managed like any other important business asset of an organization.

Risk levels should be: IDENTIFIED, TREATED, MONITORED, MITIGATED.

Information System Security:
• Confidentiality: protection against unauthorized disclosure
• Integrity: accuracy & completeness
• Availability: accessible and usable


Information Security
What you need to know about it



Interaction of IT and OT
Introduction
OT systems operate in an environment very different from corporate IT, where ERP or email systems are used. However, business requirements for real-time access to data about production processes forced control systems to interconnect with business networks and other external systems, which generated major security issues.

Figure: Layers of Computer Security, Main Components, Vendors


Interaction of IT and OT
Introduction

The approach to security is being transferred from the IT world to OT assets:

► The problem organizations face is the lack of understanding of OT by IT-based managers and a lack of specific OT knowledge.
► OT is about 10-15 years behind traditional IT in terms of transformation to centralized, virtualized environments and the other evolutionary processes that IT went through.
► OT security has been recognized as vital to the functioning of critical infrastructures. The area of OT security is being regulated and funded by governments.

Figure: 15 years’ delay in moving from isolated, closed systems to unified interconnected environments. OT track (’80s, ’90s, 2000, 2012, 2014): closed, isolated systems run by the OT department, then connection with the business LAN, bringing security issues and the need for close OT/IT cooperation. IT track: isolated systems (problems: no IT standards, lack of IT knowledge), then unification of new technologies (ERP/CRM), centralized systems, virtualisation and SSCs, and cloud computing (problems: security, effectiveness, costs).


Security Threats in Operational Technology Landscape
Key vulnerabilities

Improper Input Validation
► Buffer overflow
► Lack of bounds checking
► Command injection

Poor Quality Code
► Use of potentially dangerous function
► NULL pointer dereference

Permissions, privileges and access controls
► Poor or improper access control
► Execution with unnecessary privileges

Improper Authentication
► Poor system identification/authentication controls
► Authentication bypass issues

Insufficient verification of data authenticity
► Cross site request forgery
► Missing support for integrity check

Cryptographic issues
► Missing encryption of sensitive data
► Use of a broken or risky cryptographic algorithm

Policy/Process
► Insufficient security documentation
► Poor security documentation maintenance

Weak Network Design
► No security perimeter defined
► Lack of network segmentation
► Lack of functional DMZs

Weak Firewall Rules
► Access to specific ports on host not restricted to required IP addresses

Improper configuration
► Network devices not properly configured

Credentials Management
► Insufficiently protected credentials
► Use of hard-coded credentials

Audit & Accountability
► Lack of security audits/assessments
► Lack of logging or poor logging practices
► Network architecture not well understood


Typical Oil & Gas Information Architecture
How it connects

Figure: External Zone (Internet); business applications: Geology & Geophysics, Drilling, Production, ERP/Reporting, File Server; control systems: HMIs, Database/Historian, OPC Server; Target Devices.


Typical Oil & Gas Information Architecture
Impacts

Figure: the same architecture (External Zone / Internet; Geology & Geophysics, Drilling, Production, ERP/Reporting, File Server; HMIs, Database/Historian, OPC Server; Target Devices) annotated with the impacts below.

Regulatory Impact
• Deliberate modification or destruction of data of interest to govt. and regulatory bodies, e.g. actual vs. planned production

Loss of competitive advantage
• Sensitive information pertaining to oil and gas field bids or possible new discoveries disclosed to a competitor

Impact on Operations & HSE
• Virus outbreaks (e.g. Stuxnet, Duqu) affecting SCADA systems, rendering them unavailable for process control

Loss of brand/reputation
• Targeted attacks on top management retrieving sensitive off-line data


Business of Oil & Gas
Process and Disruption

Figure: People, Process and Technology unavailability across the business assets: Shipping Vessels, Plant Infrastructure, Helicopters, IT Systems, Pipelines, Drilling Services, Processing Terminals, Transportation.

Possible threat scenario
• Fire
• Flood
• Network services failure

Impact of disruption
• Total IT/communication systems failure
• Inability to control systems remotely


Typical Risks for Oil & Gas Information Technology
Identified risks

• Poorly designed networks that fail to segregate the control system network from the corporate network
• Non-existent testing of SCADA components (i.e. PLCs, RTUs, etc.) for security flaws before deployment in the production environment
• Inadequate allocation of information system access privileges to contractors from multiple agencies
• Lack of user awareness of information sensitivity and handling
• Use of mobile devices and applications without appropriate encryption techniques
• Lack of formal capacity and performance management procedures to ensure adequate processing power and storage to support the complex computing requirements of the industry
• Improper service level definitions with third parties to cover information security aspects
• Inadequately managed, designed, or implemented critical support infrastructure, e.g. UPS, HVAC systems, physical access control, etc.


How can these vulnerabilities be exploited?
Potential scenario 1: How OT / SCADA can be attacked from the IT network

IT Network
1. The attacker connects to the company office’s network using a physical LAN cable or Wi-Fi network.
2. Gains IP addresses and basic network information.
3. Extracts passwords of recently logged-in domain users from the system memory of workstations and gains administrative access.
4. Gains privileged access to all workstations and servers connected to the client’s domain.
5. Exploits multiple vulnerabilities of the interface between the IT and SCADA networks, such as default SNMP credentials, easy passwords, poor detection and insecure configuration of the firewall.

OT Network
6. Gains access to the SCADA plant engineering and control station, which gives the ability to shut down the plant or modify its parameters.

Weaknesses exploited along the way:
• Insecure web servers with default passwords
• Unpatched data backup servers
• Obsolete way of storing local administrator passwords
• Default SNMP credentials / easy passwords / poor detection / insecure configuration of the firewall
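The boundary weaknesses named in this scenario (default SNMP credentials, an insecurely configured firewall between IT and SCADA) and in the key-vulnerabilities list (no security perimeter, no functional DMZ, ports not restricted to the required IP addresses) can be checked mechanically against a firewall rule set. The Python script below is an added example written for this page; it is not part of the original presentation and not an IOCL tool. The zone ranges, rule names, sensitive-port list and both rule sets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone layout for this example (not a real plant network).
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")   # corporate / business network
DMZ_ZONE = ipaddress.ip_network("10.20.0.0/24")  # IT/OT DMZ: jump hosts, monitoring, historian replica
OT_ZONE = ipaddress.ip_network("10.30.0.0/16")   # SCADA / control network

# Services that should only be reachable from individually named hosts.
SENSITIVE_PORTS = {161: "SNMP", 22: "SSH", 3389: "RDP", 502: "Modbus/TCP", 44818: "EtherNet/IP"}


@dataclass
class Rule:
    name: str
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"


def zone_of(cidr: str) -> str:
    """Map a CIDR to the zone that fully contains it."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "ANY"
    for label, zone in (("IT", IT_ZONE), ("DMZ", DMZ_ZONE), ("OT", OT_ZONE)):
        if net.subnet_of(zone):
            return label
    return "OTHER"


def audit_rules(rules: List[Rule]) -> List[str]:
    """Return findings for allow-rules that expose the OT zone too broadly."""
    findings = []
    for r in rules:
        if r.action != "allow" or zone_of(r.dst) != "OT":
            continue
        src_zone = zone_of(r.src)
        src_hosts = ipaddress.ip_network(r.src, strict=False).num_addresses
        # Traffic into OT should originate from the DMZ, never straight from IT or "any".
        if src_zone in ("IT", "ANY"):
            findings.append(f"{r.name}: direct {src_zone}->OT access bypasses the DMZ")
        # Management / control protocols must be pinned to a single named source host.
        if r.dport is None:
            findings.append(f"{r.name}: all ports open into OT")
        elif r.dport in SENSITIVE_PORTS and src_hosts > 1:
            findings.append(f"{r.name}: {SENSITIVE_PORTS[r.dport]} (tcp/{r.dport}) "
                            f"not restricted to a single source host")
    # Without an explicit final deny, unmatched traffic is implicitly allowed on many devices.
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or zone_of(last.src) != "ANY":
        findings.append("rule set lacks a final default-deny rule")
    return findings


# Constructed rule sets: the weak one mirrors the scenario, the hardened one the intended design.
WEAK_RULES = [
    Rule("it-to-scada-snmp", "10.10.0.0/16", "10.30.0.0/16", 161, "allow"),  # every IT host may poll OT via SNMP
    Rule("vendor-rdp", "0.0.0.0/0", "10.30.5.10/32", 3389, "allow"),          # RDP to an engineering station from anywhere
    Rule("historian-sync", "10.20.0.5/32", "10.30.1.20/32", 1433, "allow"),   # DMZ replica pulls from the OT historian
]
HARDENED_RULES = [
    Rule("jump-to-eng-rdp", "10.20.0.10/32", "10.30.5.10/32", 3389, "allow"),  # only the DMZ jump host
    Rule("nms-snmp", "10.20.0.20/32", "10.30.0.0/16", 161, "allow"),           # one DMZ monitoring server
    Rule("historian-sync", "10.20.0.5/32", "10.30.1.20/32", 1433, "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: {len(audit_rules(rules))} finding(s)")
        for f in audit_rules(rules):
            print("  -", f)
```

The weak rule set yields five findings: the IT-wide SNMP rule and the any-source RDP rule each fail both the DMZ check and the single-host check, and the set has no closing deny. The hardened set, in which only named DMZ hosts reach OT and the last rule is a default deny, yields none.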


How can these vulnerabilities be exploited?
Potential scenario 2: How OT / SCADA can be attacked from within the OT network itself

OT Network
1. The attacker connects to the plant office’s network using a physical LAN cable or Wi-Fi network (an unauthorized connection via network / removable media).
2. Gains IP addresses and basic network information.
3. Gains access to the SCADA plant engineering and control station, which gives the ability to shut down the plant or modify its parameters.

Weaknesses that make this possible:
• Vulnerable and obsolete OS and antivirus
• Unauthorized connection via network / removable media
• Lack of security incident detection and response mechanisms
• No cyber risk awareness or training at the plants


Cases
KEEPING PACE WITH INCREASING CYBER ATTACKS

• 2008: Hackers interfered with alarms and communications for the Baku-Tbilisi-Ceyhan pipeline in Turkey, super-pressurizing crude oil to cause an explosion that resulted in the spilling of more than 30,000 barrels of oil.
• 2010: STUXNET was used to hijack industrial control systems around the globe, including computers used to manage oil refineries, gas pipelines, and power plants.
• 2012: Cyber attack on Aramco aimed to stop gas and oil production in Saudi Arabia and prevent resource flow to international markets; 30,000 computers were damaged.
• 2012: Spreadable malware Flame, capable of recording audio, screenshots, and user activity, used for targeted cyber espionage in Middle Eastern countries.
• 2012: Computer systems at RasGas Ltd., a major liquefied natural gas exporter in Doha, Qatar, were infected by an unknown virus.
• 2014: Norwegian oil industry fell victim to a massive attack, resulting in the hacking of the drilling, exploration and engineering data of more than 50 companies.

PREVIOUS INSTANCES OF CYBER ATTACKS IN OIL AND GAS SECTOR


SELECT FEW INCIDENTS: SAUDI ARAMCO
Cyber attack on Saudi Aramco → Malware wipes off data of 30,000 PCs → Aramco shuts down its internal network → Restores internal network services after 2 weeks
WHAT HAPPENED
On 15 August 2012 at 11:08am Saudi-Arabian time, Saudi Aramco, the world’s largest oil producer with annual sales of over $200 billion, was struck by a self-replicating computer virus, “Shamoon”, that spread across 30,000 Windows-based personal computers operating on the company’s network. The malicious software’s main function was indiscriminate deletion of data from computer hard drives. Although there was no apparent oil spill, explosion or other major fault in Aramco operations, the incident impacted the production and business processes of the company, as at least some of the drilling and production data were likely lost, and it reportedly took two weeks for the oil-producing giant to fully restore its network and recover from a disruption of its daily business operations caused by data loss and disabled workstations.
The malware “Shamoon” has the capability to overwrite data on infected machines and to destroy Master Boot Record files, thus making infected Windows machines impossible to boot. Further, the malware can also extract information from compromised machines before uploading it to the internet.
The virus consisted of several components. The Dropper refers to the main component and source of the original infection, and a number of other modules were dropped or copied into the infected computers. The Wiper module was responsible for the destructive functionality of the threat, and the Reporter module was accountable for reporting infection information back to the attacker.
After having been released from one of the workstations on the company’s internal network, “Shamoon” overwrote files with a fraction of an image of a burning American flag, then instructed the compromised computers to report their infection back to an IP address.
Because of the highly destructive functionality of the “Shamoon” Wiper module, an organization infected with the malware could experience operational impacts including loss of intellectual property (IP) and disruptions of critical systems. Saudi Aramco was able to restore all its main internal network services by 26 August 2012. But for more than two months, employees could not access their corporate emails and the company’s internal network. It is also likely that most of the infected computers were rendered temporarily unusable due to an element in the malware designed to overwrite the Master Boot Record. However, the production operations were not affected, as the malware did not reach the industrial control system (ICS) computers that were involved in drilling or refining operations at Aramco, due to segmentation between computer systems responsible for general business operations and those employed in monitoring and controlling upstream and downstream operations.
Further, “Shamoon” was also found to have propagated to the networks of other oil and gas firms, including that of RasGas, a joint venture of Qatar Petroleum and US-based ExxonMobil.
Attacks of such nature are lethal for the global economy because if the operations of such a large player in the oil and gas sector get disrupted, it is likely to affect fuel prices throughout the world.

AREAS OF IMPROVEMENT IDENTIFIED
► Physical and logical security
► Periodic backups
► Training and awareness of employees
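The Aramco account turns on two defensive points: the Wiper module’s Master Boot Record overwrite is what left machines unbootable, and “Periodic backups” is listed as an area of improvement. The Python below is an added example written for this page, not code from the presentation, from Saudi Aramco or from any Shamoon analysis. It builds a constructed 512-byte MBR, records its SHA-256 as a backup-time baseline, and classifies later reads of the sector as intact, wiped or modified. The boot-code bytes, the partition entries and the two damaged sectors are all constructed for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Construct a synthetic MBR: 446 bytes of boot code, four 16-byte
    partition entries and the 0x55AA signature. Used only to create test data."""
    code = boot_code.ljust(446, b"\x00")[:446]
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, sectors)
        for status, ptype, lba_start, sectors in partitions
    ).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Decode the signature and the non-empty partition entries of one 512-byte sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> str:
    """Classify a freshly read boot sector against the digest taken at backup time."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "WIPED: boot signature missing, the machine will not boot"
    if sha256_hex(sector) != baseline_digest:
        return "MODIFIED: boot code or partition table differs from the backup baseline"
    if not any(p["bootable"] for p in info["partitions"]):
        return "SUSPECT: no partition is flagged bootable"
    return "OK: boot sector matches baseline"


# Constructed baseline: a few bootstrap opcodes and two type-0x07 partitions.
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0",
                            [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1024000)])
BASELINE_DIGEST = sha256_hex(GOOD_MBR)           # what the backup job would record
WIPED_MBR = b"\xff\xd8\xff\xe0" + b"\x00" * 508   # sector overwritten with image-file bytes: no table, no signature
TAMPERED_MBR = GOOD_MBR[:446] + b"\x00" * 64 + BOOT_SIGNATURE  # table zeroed but signature kept

if __name__ == "__main__":
    for label, sector in (("good", GOOD_MBR), ("wiped", WIPED_MBR), ("tampered", TAMPERED_MBR)):
        print(f"{label}: {check_mbr(sector, BASELINE_DIGEST)}")
```

Reading the real first sector of a disk needs raw device access (for example the block device under /dev on Linux, as root); the comparison itself is unchanged. The value of the check is that it runs before the reboot that would otherwise be the first sign of a wiped boot sector.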
SELECT FEW INCIDENTS: NORWEGIAN OIL INDUSTRY
Phishing mails sent by the attacker → Employee downloads the attachment present in the mail → Malware installed in the PC of the employee

WHAT HAPPENED
Norway has Europe’s largest oil and natural gas reserves and is the EU’s top energy supplier after Russia.
In August 2014, Norway’s National Security Authority (NSM) announced threat actors had compromised as many as 50 Norwegian oil companies, including its largest, state-owned oil firm Statoil. The NSM advised 250 other energy companies to check their networks for evidence of malicious activity.
This activity affected several companies in the energy industry. In one case, threat actors sent a phishing email with a malicious attachment to a high-ranking employee in the procurement division at a Nordic energy company. The email purported to be from the company’s human resources team and threatened the employee with dismissal. Threat actors also sent phishing emails to several other company employees, including two in the legal and procurement departments.
These phishing emails appeared to be from human resources representatives and contained malicious PDF attachments. If the targeted employees opened the attachments, a destructive program was unleashed that checked the target’s system for various holes in its security. If a hole was found, the program opened a communications channel with the hackers, allowing them to download the damaging code remotely.
The attackers’ goal was to install a keylogger which would allow passwords to be stolen. This could ultimately be used to siphon intellectual property out of the target organisation.
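The Norwegian incident follows a pattern that a mail gateway or SOC analyst can screen for: an HR lookalike sender, a Reply-To that points somewhere else, pressure language about dismissal, and a PDF attachment. The Python below is an added example written for this page; it is not part of the presentation or of any vendor product. The company domain example-energy.test and both sample messages are constructed, and the four indicators are deliberately simple heuristics chosen to illustrate triage, not a complete phishing detector.

```python
from email import message_from_string, policy
from typing import List

COMPANY_DOMAIN = "example-energy.test"  # constructed domain for the example
URGENCY_TERMS = ("dismissal", "terminated", "immediately", "final notice")
RISKY_EXTENSIONS = (".pdf", ".exe", ".scr", ".js", ".docm", ".zip")


def triage(raw: str) -> List[str]:
    """Return human-readable phishing indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    indicators = []

    # 1. A sender presenting as HR must come from the company's own domain.
    sender = msg["From"].addresses[0]
    claims_hr = "human resources" in sender.display_name.lower() or sender.username.lower().startswith("hr")
    if claims_hr and sender.domain.lower() != COMPANY_DOMAIN:
        indicators.append(f"HR lookalike: sender domain {sender.domain} is not {COMPANY_DOMAIN}")

    # 2. Replies silently redirected to a third domain.
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses[0].domain.lower() != sender.domain.lower():
        indicators.append(f"Reply-To domain {reply_to.addresses[0].domain} differs from sender domain")

    # 3. Attachment types that carry executable or exploitable content.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            indicators.append(f"attachment {name} is a file type commonly used to deliver malware")

    # 4. Pressure language in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = ((msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        indicators.append("pressure language: " + ", ".join(hits))
    return indicators


# Constructed sample messages (no real addresses or attachments).
SAMPLE_PHISH = """\
From: "Human Resources" <hr-notice@example-energy-hr.test>
To: buyer@example-energy.test
Reply-To: hr-notice@mail-relay.test
Subject: Final notice: contract dismissal review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached notice immediately. Failure to respond will result in dismissal.

--b1
Content-Type: application/pdf; name="Dismissal_Notice.pdf"
Content-Disposition: attachment; filename="Dismissal_Notice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

SAMPLE_LEGIT = """\
From: "Human Resources" <hr@example-energy.test>
To: buyer@example-energy.test
Subject: Benefits enrolment reminder
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Reminder: open enrolment for the benefits plan closes on Friday.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(raw))
```

The constructed phishing message triggers all four indicators; the internal HR reminder triggers none. In practice the indicator list would feed a score or a quarantine decision rather than a print statement, and the domain check would be backed by SPF/DKIM results from the gateway.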
MALWARES TARGETING ICS
STUXNET AND FLAME

STUXNET
Stuxnet is the first malicious threat targeting industrial control systems such as gas pipelines, power plants etc. It has mainly four features: command and control, multiple propagation methods, a stolen VeriSign driver certificate, and a rootkit. Stuxnet is primarily designed to corrupt Siemens S7-315 and S7-417 PLCs, and it was predicted that in future it might also corrupt the hard-coded passwords of the Siemens Step 7 software. According to the Information Technology Council of Iran’s Industry and Mines Ministry, Iran had identified that the IP addresses of 30000 industrial computer systems were infected since September 25th, 2010.
The Stuxnet malware can be spread via CD or flash memory (USB) into the PLC of an industrial control system (ICS). There are very rare chances that industrial control systems are connected directly to the internet, and each PLC is configured with unique properties. The attacker can gain knowledge about the design documents of the ICS with the help of employees (insiders) of the company, or from an earlier version of Stuxnet. Once Stuxnet enters the intranet, it updates its definition with the use of a download server. If any previous version of Stuxnet is present in the intranet, the new Stuxnet stimulates it and spreads in the PLCs of the ICS. For installation, Stuxnet verifies administrative privileges on the system; if it does not already have them, it tries to attain privileges by using one of two zero-day vulnerabilities. It verifies the detailed configuration of the ICS for an appropriate target. Once Stuxnet installs, it gathers information about negotiation, system etc. and sends these details to the attacker via HTTP.

FLAME
Flame is the most sophisticated computer malware ever seen by the industry. Flame, also known as w32.Flame.skywiper, is designed to steal different databases. A distinct functionality used by the Flame malware is “Audio Spying”: it can record audio and screenshots and can monitor keyboard activity and network traffic. For example, Flame is capable of recording Skype conversations by detecting and recognizing a microphone on the infected computer.
Like Stuxnet, Flame also uses the local area network (LAN) or intranet or a USB stick to spread to different systems. Although Stuxnet and Flame use different programming languages and application architectures, their features are common in terms of spreading, exploiting similar security vulnerabilities, affecting systems, and also the use of hacking techniques/algorithms that are not used anywhere else.
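The Stuxnet text above ends with the infected host sending details to the attacker over HTTP, and Scenario 2 earlier lists the lack of security incident detection and response mechanisms as a plant-level weakness. Both point at the same control: hosts in the control network should never initiate web connections to external addresses, and when one does so at a regular interval the pattern is a strong indicator. The Python below is an added example written for this page, not code from the presentation or from any detection product. The OT range, the log format and the log lines are constructed, and the documentation addresses 203.0.113.x stand in for external IPs.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed ranges: the control network, and the internal ranges OT hosts may legitimately reach.
OT_ZONE = ipaddress.ip_network("10.30.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443, 8080}

# Constructed firewall log format: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def is_external(addr) -> bool:
    """True when the address is outside every internal range (documentation addresses count as external here)."""
    return not any(addr in net for net in INTERNAL_NETS)


def detect_ot_egress(lines: List[str], min_hits: int = 3, jitter: float = 0.2) -> List[Dict]:
    """Alert on OT hosts opening allowed web connections to external addresses.
    A flow seen at least `min_hits` times whose gaps vary by no more than
    `jitter` of the mean gap is additionally marked beacon-like."""
    flows = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "allow":
            continue
        if ev["src"] in OT_ZONE and is_external(ev["dst"]) and ev["dport"] in WEB_PORTS:
            flows[(str(ev["src"]), str(ev["dst"]), ev["dport"])].append(ev["ts"])
    alerts = []
    for (src, dst, dport), stamps in sorted(flows.items()):
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        beacon = False
        if len(stamps) >= min_hits:
            mean_gap = sum(gaps) / len(gaps)
            beacon = mean_gap > 0 and (max(gaps) - min(gaps)) <= jitter * mean_gap
        alerts.append({"src": src, "dst": dst, "dport": dport, "count": len(stamps), "beacon_like": beacon})
    return alerts


# Constructed sample log: one engineering station calls out every five minutes, one gateway
# calls out once, a denied attempt and a malformed line are skipped, the rest is legitimate.
SAMPLE_LOG = """\
2017-03-24T10:00:00 src=10.30.5.10 dst=203.0.113.7 dport=80 action=allow
2017-03-24T10:00:12 src=10.30.1.20 dst=10.20.0.5 dport=1433 action=allow
2017-03-24T10:01:30 src=10.10.3.4 dst=203.0.113.9 dport=443 action=allow
2017-03-24T10:05:00 src=10.30.5.10 dst=203.0.113.7 dport=80 action=allow
2017-03-24T10:07:45 src=10.30.2.2 dst=203.0.113.50 dport=443 action=allow
2017-03-24T10:10:00 src=10.30.5.10 dst=203.0.113.7 dport=80 action=allow
2017-03-24T10:12:00 src=10.30.5.10 dst=203.0.113.7 dport=80 action=deny
this line is garbage and is skipped
2017-03-24T10:15:00 src=10.30.5.10 dst=203.0.113.7 dport=80 action=allow
""".splitlines()

if __name__ == "__main__":
    for alert in detect_ot_egress(SAMPLE_LOG):
        print(alert)
```

On the sample log the historian-to-DMZ flow and the corporate host are ignored, the single callout from 10.30.2.2 is raised as a plain alert, and the four evenly spaced connections from 10.30.5.10 are raised as beacon-like. The same logic applies to proxy or NetFlow records once the parser is swapped; the decisive input is knowing which addresses belong to the control network.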
Thank You.

Any Questions?
