The number of cyberattacks against the global oil and gas industry’s industrial control systems (ICS) is expected to keep rising due to the industry’s growing use of automation, Internet of Things (IoT) technologies and the increasingly unstable geopolitical environment.
Ransomware – a type of malware that infects a device and blocks access to data, then requires a ransom be paid to unlock the device – is expected to emerge as a growing threat to ICS in a number of industries, including oil and gas, industry insiders say.
Data-wiping malware and crypto-malware are not new, but a form of ransomware, crypto-ransomware, has become highly disruptive in recent years, according to a 2016 report by Forcepoint Security Labs, an Austin, Texas-based provider of cybersecurity solutions. Crypto-ransomware works by encrypting a user’s files, then offering to sell the victim the decryption key for a fee, Forcepoint said. This type of ransomware can impact local files and those hosted on network shares.
Two other common types of ransomware include scareware, a demand for payment based on threat of future action, and lockers, which promise to restore user access to their screen or system in exchange for a fee.
The growing realization by businesses of the importance of their data – and their willingness to pay to keep that data – and the creation of the Bitcoin payment system are contributing to the rise in ransomware, according to Forcepoint. Funds processed using crypto-currencies are easy to transfer and difficult to track, making it hard for law enforcement to track down criminals.
Booz Allen Hamilton, a strategy and technology consulting firm, reported seeing the use and variety of ransomware grow in 2015 and early 2016. The firm reported that new samples of ransomware rose from less than 100,000 in the second quarter of 2014 to over 1.2 million in the second quarter of 2015. That number continues to rise – six million samples were observed in the fourth quarter of last year.
Paul Rempfer, principal with Booz Allen Hamilton, told Rigzone that the firm is seeing more malicious ransomware that not only encrypts files, but disrupts operations or blocks access to an asset. Once considered just a consumer threat, ransomware can now count both government and commercial enterprise networks among its victims, according to Forcepoint. Today, hospitals, financial firms and universities are among the organizations recently targeted in ransomware attacks.
Cybercriminals are profiting from this activity. According to Forcepoint, the total amount paid to ransomware authors could be as much as $325 million for some variants of ransomware. Cybercriminals are targeting companies that will likely feel obligated to pay, such as hospitals or organizations where access to data is critical for safety and productivity, Carl Leonard, principal security analyst with Forcepoint, told Rigzone.
Oil and gas companies are at risk due to the perception that they have the money and resources to pay off the extortion involved in ransomware, Josh Berry, senior technology manager at Accudata Systems, told Rigzone in an interview.
Ransomware poses a major risk to any company that relies on workstations and computers for its daily operations, Idan Udi Edry, CEO at cybersecurity infrastructure solution provider Nation-E, told Rigzone. Ransomware is typically sent out through email. The design, installation and functionality of conventional information technology (IT) networks with operational technology (OT) systems allow conventional IT networks to serve as a gateway for cyberattacks to infiltrate the OT.
This allows cyberattackers to obtain access to an industrial environment through a non-ICS network. This can result in the hijacking and manipulation of crucial systems within drilling sites for malicious purposes, such as oil spills or gas leaks and the disruption of pumping units and oil production, Edry said.
A cyberattack on ICS can not only cause extended operational halts to production and physical damage, but also threaten workers and customers, Booz Allen Hamilton noted.
“The attack surface for ICS is larger than just the ICS devices, equipment and networks: It extends to all parts of an organization, including the extended supply chain,” Booz Allen Hamilton stated in the report.
The oil and gas industry’s desire to adopt IoT and increasing dependency on automation, the huge volumes of data generated by these devices, and the low barrier for entry today for wannabe cybercriminals to become fully-fledged ransomware authors, have created a perfect storm for ransomware attacks, said Leonard.
“Would-be cyberattackers can even sign up for ransomware-as-a-service, in which they pay a fee to access a system that allows them to deliver ransomware,” Leonard noted. While the energy sector is not being targeted as heavily as critical manufacturing, the energy sector needs to pay close attention to what ransomware can do, Leonard commented.
Booz Allen Hamilton reported seeing a 20 percent rise in incidents involving ICS in fiscal year 2015. Of those incidents, 16 percent took place in the energy sector. The number of reported attacks is significant, as most companies do not report most cyberattacks, meaning that the number of attacks is likely higher, Rempfer told Rigzone.
ICSs represent an increasingly diverse and extensively connected set of technologies. These technologies include computers, proprietary control devices, networks and network architectures used to control industrial processes across a broad range of industries. ICS includes SCADA (supervisory control and data acquisition), distributed control systems, and programmable logic controllers.
“ICS control and automate significant portions of our connected society, including power moving through an electrical grid, oil flowing through pipelines, travelers commuting on rail systems, and systems controlling pharmaceutical and food manufacturing,” Booz Allen Hamilton stated in the report. While these devices can boost efficiency, accountability and safety, they also open potential pathways for cyberattacks to wreak physical destruction.
Accudata Systems, an IT consulting and integration firm that provides high-impact IT infrastructure services, is focusing on educating its oil and gas customers on the importance of having good backup data to recover from a ransomware attack, Thanh Nguyen, head of Accudata’s data center practice, told Rigzone in an interview. Another strategy Accudata recommends to its clients is classifying their data: understanding what data is sensitive, what data is accessible, and who should have access to that data.
“A lot of times, we do audits for oil and gas customers around data, and find that everyone has access to a lot of different things,” Nguyen commented. “This can open up opportunities for ransomware to lock up data.” Locking down which employees have access to data tied to processing and refining will be critical to protecting against ransomware attacks. Once backups are in place and data is classified, companies can start to put monitoring controls in place.
Layered security also allows companies to analyze incoming email threats or compromised websites that might be trying to deliver ransomware, Leonard said. Sandboxing – in which malware is run in a protected environment – allows companies to understand the latest in malware trends. Leonard notes that his firm is seeing new techniques to evade security solutions. Companies also should consider building out a specific security team to understand the evolving nature of the threat landscape.
Concerns about cyberattacks remain high at oil and gas companies due to possible theft of intellectual data or disruption of operations that could lead to loss of life or an environmental incident. The industry faces threats not only from cybercriminals seeking to steal data and proprietary information, but from hacktivists such as environmental groups who oppose exploration and drilling.
Rempfer said that Booz Allen Hamilton continues to see attacks and attempted attacks against pipelines, offshore rigs and installations, and refineries. In one case, cyberattackers took control of an offshore rig’s gyroscopes, causing the rig to tilt. U.S.-based companies with Gulf of Mexico operations are seeing a significant rise in malware and phishing attack attempts against their ICS and SCADA systems. The firm has seen attempted malware attacks against pipeline management systems in the past two years, particularly in Central and Latin America, and attempts and successful attacks against oil and gas infrastructure in the Caspian Sea region.