Cybersecurity Pro: Oil and Gas Supply Chain Can Be Weak Link
Oil and gas companies employ various measures to protect their increasingly sophisticated operational infrastructure. Nevertheless, cyber-criminals are adept at finding vulnerabilities to gain access to these critical systems – and their efforts appear to be paying off. As a 2016 white paper from Underwriters Laboratories (UL) observes, cyberattacks against critical energy infrastructure systems have been on the rise in recent years.
A key vulnerability that cyber-criminals exploit is the oil and gas supply chain, says UL Cybersecurity Lead Ken Modeste.
Organizations such as UL provide cybersecurity standards that oil and gas facilities can use to assess – and overcome – vulnerabilities in their operational equipment.
“Support of these standards and their use in procurement, as well as the testing of vendors and their equipment, helps provide oil and gas facilities with a benchmark of what they should expect from every piece of equipment, or software that may be used in the OT or connected into a system such as HVAC, cameras or building automation,” UL’s Ken Modeste told Rigzone.
“Oil and gas facilities can use these standards to vet equipment to industry best practices to ensure that systems have security designed into them and can start addressing weaknesses that are being exploited.”
“Attackers are using techniques to infiltrate oil and gas with the intent to disrupt service, and these techniques are being understood as finding a weaker link in a less secure environment to then pivot to the oil and gas infrastructure,” Modeste said. “A foundation for working on a solution is to drive the supply chain into best practices that are adopted by the organization.”
To learn more about the oil and gas supply chain’s susceptibility to cyberattacks, along with approaches to mitigate them, read on for excerpts from Rigzone’s recent conversation with Modeste.
Rigzone: What are some of the key trends you’re seeing regarding cyberattacks against energy infrastructure, particularly in oil and gas?
Modeste: Since the Ukraine power grid attacks occurred in the last two years, trends focusing on energy and oil and gas tend to be increasing. The U.S. Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) recently alerted in October that “DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign.” This alert is identifying a trend where multi stage attacks are being performed. Lower-level targets like third party suppliers are being used as staging grounds for the true intended primary target. Going after a third party to get to the intended victim involves different levels of engagements as the softer, less-secure target is infiltrated and then pivoted to the real asset.
Rigzone: Which types of oil and gas facilities are most vulnerable to cyberattacks?
Modeste: At the beginning of the decade, there was more of a surveillance around oil and gas which was based on the reports of American utility companies as primary targets. Therefore, oil and gas producers and liquid distributors could be a step to focusing on utilities. National energy infrastructure organizations and oil production facilities may become primary targets when the ultimate goal is to disrupt the utility supply to the broader economy. The most vulnerable would be those that are least prepared in terms of risk assessment and management, who may have flawed supply chain partner practices and improperly trained staff. As an example, if employees can download a menu from the nearby favorite food delivery company, then all you need to attack is a small family-owned restaurant website which is based on reconnaissance of targeted employees’ eating habits.
Rigzone: How do these attacks typically occur, and what are some potential effects?
Modeste: These attacks begin with reconnaissance of regular public data. For example, knowing from which restaurants targeted company staff tend to have food delivered or picked up. This means that current employees’ public habits are easily discovered. Then either a phishing email campaign, or “watering hole attack” malware, can be utilized to infiltrate either the primary target or a less-secure target. A phishing email is one that is meant to hide its true intent and source, and a watering hole attack can consist of embedding malware in a popular website destination. A lesser (less secure) target could be a supply chain vendor, like a law firm, consulting firm, facility contracting firm or similar. Once this target is compromised, the attack can pivot to the true intended target. One of the tried and true methods also includes acquiring credentials for secondary systems by focusing on victims with some weaker security practices.
12
View Full Article
WHAT DO YOU THINK?
Generated by readers, the comments included herein do not reflect the views and opinions of Rigzone. All comments are subject to editorial review. Off-topic, inappropriate or insulting comments will be removed.
- Falcon Oil Declares Commercial Flow Test Results for Shenandoah Well
- Japan Failing to Meet Corporate Demand for Clean Power: Amazon
- Macquarie Strategists Expect Brent Oil Price to Grind Higher
- UK Oil Regulator Publishes New Emissions Reduction Plan
- PetroChina Posts Higher Annual Profit on Higher Production
- Pennsylvania County Joins List of Local Govts Suing Big Oil over Climate
- McDermott Settles Reficar Dispute
- US, SKorea Launch Task Force to Stop Illicit Refined Oil Flows into NKorea
- Russian Navy Enters Warship-Crowded Red Sea Amid Houthi Attacks
- USA Commercial Crude Oil Inventories Increase
- New China Climate Chief Says Fossil Fuels Must Keep a Role
- Equinor Makes Discovery in North Sea
- Standard Chartered Reiterates $94 Brent Call
- India Halts Russia Oil Supplies From Sanctioned Tanker Giant
- DOI Announces Proposal for Second GOM Offshore Wind Auction
- Centcom, Dryad Outline Recent Moves Around Red Sea Region
- PetroChina Set to Receive Venezuelan Oil
- Czech Conglomerate to Buy Major Stake in Gasnet for $917MM
- US DOE Offers $44MM in Funding to Boost Clean Power Distribution
- Oil Settles Lower as Stronger Dollar Offsets Tighter Market
- Chinese Mega Company Makes Major Oilfield Discovery
- VIDEO: Missile Attack Kills Crew Transiting Gulf of Aden
- Norway Regulator Blasts Proposal to Halt New Oil and Gas Permits
- Chinese Mega Company Makes Another Major Oilfield Discovery
- New China Climate Chief Says Fossil Fuels Must Keep a Role
- What Is the Biggest Risk to Offshore Oil and Gas Personnel in 2024?
- Vessel Sinks in Red Sea After Missile Strike
- Exxon Rights in Stabroek Do Not Apply to Hess Merger with Chevron: Hess
- Analysts Reveal Latest Oil Price Outlook Following OPEC+ Cut Extension
- Equinor Makes Discovery in North Sea