Cybersecurity Pro: Oil and Gas Supply Chain Can Be Weak Link

Supply chain best practices are part of the solution, says UL's Ken Modeste.

Oil and gas companies employ various measures to protect their increasingly sophisticated operational infrastructure. Nevertheless, cyber-criminals are adept at finding vulnerabilities to gain access to these critical systems – and their efforts appear to be paying off. As a 2016 white paper from Underwriters Laboratories (UL) observes, cyberattacks against critical energy infrastructure systems have been on the rise in recent years.

A key vulnerability that cyber-criminals exploit is the oil and gas supply chain, says UL Cybersecurity Lead Ken Modeste.

A Cybersecurity Benchmark

Organizations such as UL provide cybersecurity standards that oil and gas facilities can use to assess – and overcome – vulnerabilities in their operational equipment.

“Support of these standards and their use in procurement, as well as the testing of vendors and their equipment, helps provide oil and gas facilities with a benchmark of what they should expect from every piece of equipment, or software that may be used in the OT or connected into a system such as HVAC, cameras or building automation,” UL’s Ken Modeste told Rigzone.

“Oil and gas facilities can use these standards to vet equipment to industry best practices to ensure that systems have security designed into them and can start addressing weaknesses that are being exploited.”

“Attackers are using techniques to infiltrate oil and gas with the intent to disrupt service, and these techniques are being understood as finding a weaker link in a less secure environment to then pivot to the oil and gas infrastructure,” Modeste said. “A foundation for working on a solution is to drive the supply chain into best practices that are adopted by the organization.”

To learn more about the oil and gas supply chain’s susceptibility to cyberattacks, along with approaches to mitigate them, read on for excerpts from Rigzone’s recent conversation with Modeste.

Rigzone: What are some of the key trends you’re seeing regarding cyberattacks against energy infrastructure, particularly in oil and gas?

Modeste: Since the Ukraine power grid attacks occurred in the last two years, trends focusing on energy and oil and gas tend to be increasing. The U.S. Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) recently alerted in October that “DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign.” This alert is identifying a trend where multi-stage attacks are being performed. Lower-level targets like third-party suppliers are being used as staging grounds for the true intended primary target. Going after a third party to get to the intended victim involves different levels of engagements as the softer, less-secure target is infiltrated and then pivoted to the real asset.

Rigzone: Which types of oil and gas facilities are most vulnerable to cyberattacks?

Modeste: At the beginning of the decade, there was more of a surveillance around oil and gas which was based on the reports of American utility companies as primary targets. Therefore, oil and gas producers and liquid distributors could be a step to focusing on utilities. National energy infrastructure organizations and oil production facilities may become primary targets when the ultimate goal is to disrupt the utility supply to the broader economy. The most vulnerable would be those that are least prepared in terms of risk assessment and management, who may have flawed supply chain partner practices and improperly trained staff. As an example, if employees can download a menu from the nearby favorite food delivery company, then all you need to attack is a small family-owned restaurant website which is based on reconnaissance of targeted employees’ eating habits.

Rigzone: How do these attacks typically occur, and what are some potential effects?

Modeste: These attacks begin with reconnaissance of regular public data. For example, knowing from which restaurants targeted company staff tend to have food delivered or picked up. This means that current employees’ public habits are easily discovered. Then either a phishing email campaign, or “watering hole attack” malware, can be utilized to infiltrate either the primary target or a less-secure target. A phishing email is one that is meant to hide its true intent and source, and a watering hole attack can consist of embedding malware in a popular website destination. A lesser (less secure) target could be a supply chain vendor, like a law firm, consulting firm, facility contracting firm or similar. Once this target is compromised, the attack can pivot to the true intended target. One of the tried and true methods also includes acquiring credentials for secondary systems by focusing on victims with some weaker security practices.

