At BlackHat Europe, Alexander Polyakov, CTO at ERPScan, and Mathieu Geli delivered a presentation detailing security issues and misconfigurations affecting the oil and gas industry. In this interview, they highlight particular vulnerabilities in SAP and Oracle systems and describe how those systems can provide a route into a company, and from there into its operational networks.
In your presentation, you mentioned that oil and gas is one of the industries most plagued by cyber-attacks. What makes oil and gas an attractive target?
It’s a juicy target for cyberattacks as oil and gas companies are responsible for a great part of some countries’ economies. Any interference in their work can stop processes and, as a result, deprive the company and the country of revenue. When the media deals with the oil and gas industry, they always make something out of nothing. This may lead to a reduction in the value of shares or a decrease in the ratings of a company or a whole state. Oil and gas, as well as energy and utilities, are very important parts of the infrastructure. Imagine how, for instance, an attack on a pipeline can be used for political purposes. Various green activists and alternative energy companies may also be interested in attacks on the oil and gas industry.
Deloitte has published a report lately on the growth of the IoT in the oil and gas industry. What is your view on this? Are physical systems like automated wells putting companies at risk?
Automation is always a risk. Software for such devices is written by people who often never learned security. While a number of initiatives and practices in web programming such as OWASP exist and similar actions are taken to secure business applications (EAS-SEC.org), there is almost nothing pertaining to the development of automated systems. Most programmers have heard about SQL injection, at least if they don’t live under a rock. But developers who write code for IoT devices are almost unaware of the security practices of these devices and of control systems like SCADA, which are plagued by vulnerabilities. Their understanding of security came from the 90s. The main idea is (or, I hope, used to be) that these devices are deployed in a secure network, and any external intruder does not have access to them. But the reality is far from ideal. The Stuxnet story showed that it is possible to infect computers via USB, and we have shown that one can spread viruses via a corporate network or the Internet because the systems are highly connected.
Could you name any particular risks to the oil and gas industry? Any technical aspects?
Oil and gas cybersecurity is a small universe which is almost undeveloped, but extremely critical.
There are many important technology processes in downstream, upstream and midstream such as pump control, blow-out prevention, flaring and venting, separation, burner management, gas compression, peak load gas storage, and fiscal metering. Any changes made to these processes may have a significant and dire impact.
Attacks on Operational Technology (OT) systems can cause production stoppages, decrease in product quality or even destruction of the whole infrastructure. Simply change some parameters that show peak load in peak load gas storage. Need I describe what will happen after that?
Oil and gas is not only about upstream and production. There is the retail part, such as petrol stations. Once we were involved in a forensic investigation of a sophisticated attack: local managers stole lots of petrol and modified the software and hardware to hide the theft.
More importantly, almost all the processes listed above are highly connected with the IT infrastructure, which allows attacks from the corporate network or even from the Internet. Moreover, the same methods can be applied to other organizations as well, such as energy, utilities, and manufacturing. We decided to focus on the oil and gas area because we have practical experience in this industry and can show real cases.
If there are specific risks for oil and gas companies, how could hydrocarbon volume measurement be exploited and why?
Oil, gas, and other natural resources are not easy to measure. There are multiple stages where measurements are taken, and in some cases, it’s possible to spoof this data in a way that no one will be able to find out.
Let’s compare it with the retail industry. Being an entrepreneur, you know how many Nike Air boots are stored in your warehouse. Even if somebody gains access to the warehouse, steals shoes and then changes the quantity in the ERP system, sooner or later some people will discover that something is wrong. If you deal with natural resources, nobody knows the real quantity. It’s basically calculated from a number of metrics such as pressure, temperature, etc. If you can change them somewhere, you win. The rest is up to you; you can use this for sabotage or fraud. Hydrocarbons were given just as an example to show the complexity of this measurement. The more complex this system and the more trust you give to automation, the more chances that this data can be manipulated by hackers, and you won’t be able to detect it.
You have mentioned that an oil-stock manipulation is possible, how exactly can it happen?
Attack vectors we presented at BlackHat allow cyber-attackers to manage different processes and, for example, increase pipeline pressure, change field device parameters, or leave spills undetected.
What else? Hackers can send fake information about oil quantity to managers who make their decisions based on this data. For example, every day one sends information that there is much more oil in stock than we really have. One day the company will have sold all the oil and won’t be able to deliver it to its customers. The failure to meet its obligations could lead to a global scandal, changes in oil prices and huge losses, to the extent of the company’s bankruptcy.
Imagine what would happen if a cyber-criminal uploads malware that dynamically changes oil stock information in all oil and gas companies where SAP is implemented.
According to SAP’s statement, more than 70 million barrels of oil per day are produced by companies using SAP solutions. The Oil Market Report states that oil production totals over 94 million barrels every day. So, if the attack is successful, cyber criminals will gain control over about 75% of total oil production. They can deliberately understate data about oil in stock at affected companies to increase oil prices, or vice versa.
The described attacks can be conducted by exploiting SAP xMII and SAP Plant Connectivity, solutions that transfer data from Tank Management Systems to SAP systems such as SAP IS-Oil. By this multi-stage attack, cyber criminals can modify parameters regarding oil quantity in stock.
What’s more important, SAP systems are connected with Tank Information Management solutions. Some of them, for example Emerson Rosemount TankMaster, allow sending commands to PLC devices to change values like the maximum filling limit of tanks. In that case, by gaining access to Tank Management Systems, hackers can send these commands and perform a successful attack that can lead to an oil explosion.
Which threat actors can be behind these types of threats?
Espionage may be conducted by competitors or foreign agencies. Sabotage may come from hacktivists, such as the #oppetrol operation in 2013. However, our aim was not to point out some particular threats or malicious people. We want to show that not only Stuxnet-type attacks using USB are possible. One can conduct an attack on those systems remotely from the Internet or from the corporate network. We are a technology company and love to solve technology issues, so, for us, it doesn’t matter who can be behind the attack. I think it’s enough to know that leaving such systems insecure is inadvisable. Who can do harm? Isn’t that what we should care about first?
Do you know of any real-world attacks on oil and gas companies? Could you give some details?
I think the best-known example is the attack against Aramco, the Saudi Arabian Oil Company. It aimed to stop gas and oil production in Saudi Arabia and prevent resource flow to international markets. 30,000 computers were damaged. The target of this attack was not the OT network. It was a typical virus, but it infected many computers.
Another example is Telvent, a company that supplies remote administration and monitoring tools to the energy sector. The Canadian branch discovered on September 10, 2012, that its internal firewall and security systems had been breached. Telvent disconnected clients and affected portions of its internal networks as a precautionary measure. After breaching the network and installing malware, the attackers stole project files related to the OASyS SCADA product, a remote administration tool.
Here is another example relating to the retail sector. I first became aware of such attack vectors in 2007, when we conducted a detailed security assessment of one product which was used by a large oil company at its petrol stations. They hired the consultancy company where I worked to investigate the incident. They identified a sophisticated attack on petrol stations, which included the use of specific hardware installed at petrol stations together with backdoors in software. It was used to steal petrol little by little, day by day, and sell it to a third party.
Your talk was focused on the vulnerability of SAP and Oracle systems. How do these systems provide a route into a company?
The idea is simple. Key enterprise business applications are often connected to each other via different types of integration technologies. More importantly, enterprise applications which are located in the corporate network are usually connected with devices in the OT network, and there is no easy way to separate them.
If you have some plant devices such as wellheads which pump oil, and you collect some data from them, you should somehow transfer this data to the corporate network to show it to managers (who want to see all the information on their tablets) on nice dashboards. That’s why, even if you have a firewall between IT and OT, there are some applications which are still connected. What we want to show is that it’s possible to conduct such an attack and pivot from the IT network (or even the Internet) into the OT network, up to OPC servers, SCADA systems, field devices, meters, and dozens of other modules.
Where do the SAP ERP systems sit in these operations?
SAP is a key to the kingdom of oil and gas cybersecurity because it has a lot of products specifically designed to manage processes like operational integrity or the hydrocarbon supply chain. As SAP systems are implemented, if I’m not mistaken, in about 90% of oil and gas companies, this key can open many doors. We know SAP security quite well, as we have been engaged in SAP security research since 2007 and have helped SAP to identify and fix 200+ vulnerabilities in their products, including ones that are used in the oil and gas industry. 3500+ vulnerabilities have been found in SAP products in total, and you can find more details in our research. We are focused on Oracle security as well and have identified 40+ vulnerabilities; you can find a description of all of them on our website.
SAP is connected with some of the critical processes by means of the SAP xMII and SAP Plant Connectivity solutions, which in their turn are connected with ICS systems and OPC servers, which finally have direct access to PLC devices and meters. This is what makes SAP a critical part of an oil and gas organization’s security.
However, there are more ways to get access to the OT network. Other applications such as LIMS systems are also in the corporate network, and they collect information from some measurement systems, but SAP seems to be a universal key.
We are well-aware of vulnerabilities in SAP. How can bad guys get to those systems in these organizations?
The security of a typical SAP system is industry-agnostic and very weak everywhere. Some issues, such as the SAPRouter vulnerability, the SAP Portal authentication bypass, or the recent SAP Afaria and SAP HANA vulnerabilities, may be used to get access to SAP infrastructure remotely.
Broadly speaking, is the industry keeping up and is there an awareness of the threat of cyber-attacks? Is it being taken seriously?
In my opinion, there is still a lack of awareness. I think our Oil and Gas Cyber Security presentation at BlackHat is one of the first that describes the general risks associated with this area and, most importantly, what critical processes are there, what systems are used there and who develops them. There are still more questions than answers, and more detailed research requires unique equipment. However, there are many software and hardware devices which are relatively easy to find if you really want to. This is just a beginning. Our goal was not to provide a comprehensive encyclopedia on oil and gas cybersecurity but to clear the way for further research that hopefully will be continued by the community.
The main idea we want to convey is that all issues in technology networks which will be found by researchers can be exploited from a corporate network using different connections, and this is the most important thing.