The VICE Channels

    A man works at a control station at Mexican state-owned petroleum company PEMEX refinery in Tula, Hidalgo state, Mexico on March 8, 2011. Image: AFP/Omar Torres

    The Internet of Things Is Making Oil Production Vulnerable to Hacking

    Written by Jonathan Keane

    The world’s oil and gas industry is caught in a slump, with oil prices going up and down and profits in decline. But the industry faces another major problem that's gotten less attention: cyber threats that could threaten the industry’s stability and even worker safety.

    Oil and gas is one of the industries “most plagued” by cyberattacks, according to Alexander Polyakov, founder of ERPscan, a security firm specializing in enterprise software security. “It’s a juicy target for cyberattacks as oil and gas companies are responsible for a great part of some countries’ economy,” he told Motherboard.

    Polyakov and his colleague Mathieu Geli presented a talk at Black Hat Europe last week that examines vulnerabilities in enterprise business systems in oil and gas, namely SAP and Oracle, and how they can provide a route inside a company to alter its processes. ERPscan’s talk also looked at potentially infiltrating operational technology (OT) networks, which are the control systems that run physical processes like pumps, if they are connected with enterprise systems.

    The actors behind potential threats like this are varied, said Polyakov, whether it’s competitors within the industry, nation states, or even environmental activists.

    "What we’re seeing is a real revolution taking place inside all manufacturing types, especially oil and gas."

    Most infamously, Saudi Arabian oil giant Saudi Aramco was attacked in 2012. An intrusion, for which a group called Cutting Sword of Justice took credit, infected 35,000 computers with malware called Shamoon that either partially or fully wiped files. The group cited Saudi Aramco’s links to the Al Saud royal family as a motive and intended to halt the company’s oil production. As a result of the attack, every computer at Saudi Aramco was unplugged and operations were stalled, said Chris Kubecka, one of the security professionals brought in to clean up the mess caused by a spear-phishing email.

    Automated drilling and pumping remained in action, said Kubecka, and according to reports over the following weeks, no oil was lost, but supply and shipping management and customer communications (including with governments) ground to a halt.

    The growing deployment of IoT tech to the oil production process has made systems more efficient, but also more vulnerable.

    Last year, dozens of oil companies in Norway were targeted by cyberattacks, including multinational Statoil. It remains unclear what exactly the attackers' motives were, and what companies have done since to safeguard their systems. The attackers have never been identified, but they did their research and knew who to target inside the companies with malicious emails. A spokesperson for Statoil told Motherboard that it does not comment on single incidents but is “well aware” of cyber threats in the industry.

    The oil and gas industry is becoming more aware of vulnerabilities, added Jasper Graham from Darktrace in a phone interview. He referred to companies across manufacturing beginning to realise that their industrial control systems need to be managed with the same security principles as the intellectual property and data side of their business.

    There appears to be a mixed view on how oil and gas companies are dealing with these cyber threats. In some cases, companies are bolstering their industrial control systems but the IT side of things remains in danger, as was the case in the Aramco hack. On the other hand, growing automation and the Internet of Things can make production more efficient but they can open up new attack vectors. Traditionally, industrial control systems were air-gapped—not connected directly to the internet—but growing integration of control systems with the IT side of things can create a new route inside a company.

    “What we’re seeing is a real revolution taking place inside all manufacturing types, especially oil and gas, where they say, look, you have to protect this type of network, the industrial control system side, the same way they would control the IP side. You have to really lock it down,” said Graham.

    Even something as seemingly simple as checking tank levels is a potential security risk. Tank inventory systems make checking inventory status at massive oil tank farms far easier, but as Polyakov and Geli write, some management consoles also control software and hardware, giving potential attackers the opportunity to change alarm settings or set emergency locks. Image: Polyakov and Geli

    “Oil and gas cybersecurity is a small universe which is almost undeveloped, but extremely critical,” added Polyakov, who believes there is still a lack of awareness. The industry has a lot of different moving parts and processes, including pump control, blow-out prevention, and managing gas storage. Unexpected changes to these processes or the operations technology systems that run them can have a major impact like production stoppages or even damage to the infrastructure.

    “Maybe the hackers’ intentions may not be to destroy something, but by not understanding the full picture of the system or what component of it they are messing with, they can have a real catastrophic effect,” said Graham. This could be anything from bringing productivity to a standstill to disabling alarm systems or communications between workers on the field, which could put their safety at risk.

    Finding internet facing control systems is too easy, added Wade Williamson, director of product marketing at Vectra Networks, referencing the IoT search engine Shodan. “The problem is, that makes it easy for an attacker to scour the world looking for any of these control systems that are facing the internet,” he said. A lot of these systems are older, weren’t built originally with the internet in mind, and can lack necessary patches.

    In one instance earlier this year, hackers allegedly from Anonymous targeted gas stations via internet-connected gas gauges found on Shodan. In another case, the industrial control system at a power plant in Germany was taken over, causing damage to a furnace. A similar fate could befall control systems in the wider energy sector, claimed Williamson.

    “You really shouldn’t have these types of control systems directly connected to the internet. We need to make it much more difficult for attackers to find these systems,” he said. After that, there needs to be rigorous monitoring of the internal network for signs that someone might be inside.

    Both Williamson and Graham stress the need for some kind of common framework of cybersecurity guidelines. This would include regular cyber inspections and pen-tests among the various other traditional inspections carried out.

    Much work will be needed, added Polyakov, but his Black Hat talk is hoped to encourage further discussion. “Our goal was not to provide a comprehensive encyclopedia on oil and gas cybersecurity but to prepare the ground for further research which hopefully will be continued by the community.”