Cybersecurity Snapshots #18 - Oil And Gas Companies Need to Take Cybersecurity More Seriously


At present, oil and gas companies rely on Industrial Control Systems (ICS) to maintain safe and reliable operations, and that’s unlikely to change. The future increasingly appears to be one in which oil and gas companies will rapidly integrate robotics, analytics, and the Internet of Things (IoT) into the operational environment. Increasing connectivity can drive value creation by deploying data and analytics to find new markets, improve operational performance, and streamline the supply chain. A more connected oilfield, pipeline, or refinery is, however, potentially a more vulnerable one.

Researchers stated that attackers might try to target oil refineries more frequently in the future, leading to tank overflow, vessel rupturing, or even an explosion. A cyberattack that affects an oil refinery can be very costly. For example, the loss of a single day of operations for a 100,000 barrel-per-day refinery could reduce revenue by over $5.5 million and profit by $1.4 million. The United States has more than 140 oil refineries, with a total daily capacity exceeding 18 million barrels, all of which could be potentially vulnerable. If a cyberattack spread from one facility to another or down the value chain, affecting the distribution and retail networks, it could potentially lead to tens of millions of dollars of lost revenue. In addition, any physical damage could possibly inflict millions (if not billions) of dollars of repair and construction costs. In a more connected world with connected sensors, higher-level automation, and less direct human control, broader impact becomes increasingly likely and more consequential, the researchers stated.

New research published by researchers at Kaspersky examines a rise in the number of cyberattacks on ICS computers used by the oil and gas industry. Over the first six months of 2020, the percentage of systems attacked in the oil and gas industry increased compared to the same period the prior year. The researchers found that the percentage of ICS computers on which malicious objects were blocked grew from 36.3% to 37.8% in the oil and gas industry. Growth in the number of attacks on the oil and gas industry occurred as the percentage of industrial control system computers attacked in other sectors declined.

Just recently, a ransomware attack knocked offline the country's largest fuel pipeline. Colonial Pipeline confirmed that it had suffered a severe cyberattack. The attack was launched by the Russian-speaking DarkSide group, who claim to have also stolen 100GB of data in a classic "double extortion" play. The East Coast pipeline is estimated to carry 2.5 million barrels a day, representing nearly half of the East Coast's supply of diesel, gasoline, and jet fuel. The fuel pipeline was offline for five days after the attack. However, contrary to initial reports that it refused to engage with the DarkSide threat group, the company actually paid the ransom within hours of the attack. Colonial Pipeline paid the adversaries over $4M. Researchers stated that the most significant factor at play here is the feedback loop of malicious activity created by surrendering and paying the ransom. Paying the ransom allows the groups to achieve a greater level of sophistication during their next attacks, whether via training, new tooling, purchasing credentials, or recruitment. Researchers also stated that feeding this industry only ensures that these groups become collectively more of a threat and, in the long run, facilitates more breaches and more payments. Thus, the cycle continues.


After the ransomware attack on the Colonial Pipeline, President Biden issued a long-awaited Executive Order (EO) designed to improve supply chain security, incident detection, response, and overall resilience to threats. Among the key measures is a requirement for all federal government software suppliers to meet strict rules on cybersecurity. Eventually, the plan is to create an "energy star" label so both government and public buyers can quickly and easily see whether software was developed securely. Other measures included in the EO are an "aircrash investigation-style" Cybersecurity Safety Review Board, which will make recommendations for improvements after any significant incident, and a standardized playbook for government incident response. The EO will also mandate a drive toward secure cloud services and zero trust, including multi-factor authentication and data encryption at rest and in transit, by default. Security experts have welcomed the EO.

Also, after the attack on the Colonial Pipeline, more than a dozen members of the House Committee on Homeland Security reintroduced legislation geared toward codifying federal agencies' roles in securing the nation's oil and gas pipelines. The Pipeline Security Act would explicitly codify the roles of the Transportation Security Administration (TSA) and Cybersecurity and Infrastructure Security Agency (CISA) in securing critical infrastructure pipelines. The new legislation also requires TSA to develop a personnel strategy for security staffing, as well as improve mechanisms for stakeholder engagement and congressional oversight of TSA's efforts. The bill was previously introduced in 2020 and has received new life following the ransomware attack carried out on the IT systems of the Colonial Pipeline. The attack on the Colonial Pipeline has made it clear that cyberattacks on critical infrastructure are national security and economic threats to the homeland. It is essential in the future that cybersecurity is taken seriously by oil and gas companies because of the overall effect it can have on society. The new Pipeline Security Act and the EO are a step in the right direction. They should help make oil and gas companies' infrastructures more resilient to cyberattacks in the future.
 

Submitted by Anonymous on