APTs represent a serious risk to the oil and gas industry.
by Siv Hilde Houmb
October 19, 2015

The rate of cybersecurity attacks is increasing, and perpetrators keep getting more sophisticated and organized. Cyberattacks represent a significant financial and environmental risk for oil and gas operations. An attack could disrupt or shut down operations, steal information, affect production schedules, increase operational costs, or cause legal liability and company reputation issues.

Cyberattacks have evolved over the last decade from being mostly harmless to sophisticated and devastating advanced persistent threats (APTs). APTs have the capability to stop business operations and cause physical damage to drilling rigs or production platforms, either by targeting specific equipment or by a more widespread attack targeting multiple pieces of equipment and machinery.

Cyberattacks are increasingly targeting the energy sector, although most of these attacks are against utility sites. In the year 2013, 53 percent of all attacks on critical infrastructure in the United States targeted the energy industry, and 30 percent of the cyberattacks succeeded in getting through the security system in place, according to the U.S. government's Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). This number was reduced to 32 percent for the year 2014. However, of the reported cyber incidents in 2014, 55 percent were APTs. This means that although there were fewer attack attempts in 2014, they were more advanced and sophisticated than in 2013.

The challenge is that most control systems used on oil rigs and platforms rely on outdated security models and invalid assumptions, namely the air gap. At the same time, the frequency and sophistication of cyber attacks against ICS are increasing. These sophisticated attacks are difficult to detect and they operate covertly. They typically start with seemingly benign activities that do not trigger any warning, such as with the Stuxnet and Aurora attacks.

Only recently has it been disclosed that in 2008 hackers blew up a Turkish oil pipeline. In the control room, the operator’s console showed that everything was running as planned before a phone call from the field triggered the alarm. The attackers also manipulated the surveillance system. Additionally, in 2014, there was a successful malicious cyber attack on a steelworks in Germany affecting the facility’s operations.

This is similar to what was done in the Stuxnet attack in 2010, which targeted programmable logic controllers (PLCs) commonly used in ICSs on drilling rigs and production platforms. The operator consoles showed normal operations for the centrifuges of the Iranian Natanz nuclear facility, but they were running at such high speeds they were destroyed. Furthermore, Stuxnet resided in the attacked control system for a number of years before the cyber attack took effect.

Stuxnet was a carefully crafted and successful APT attack. These types of attacks have a specific target in mind and include a high level of coordinated human involvement for monitoring. Attackers use one or more command-and-control centers to run the attack.

The “persistent” part of an APT refers to the capability of the attack to remain invisible to the target for a long period of time so the attackers can complete their mission and get out of the attacked system undetected. APTs use deep system, attack and attacker knowledge to ensure they operate covertly. An APT will be removed if it is discovered, and it might also be programmed to destroy itself upon detection. This means that the cyber attack leaves little to no footprint on the attacked system.

The APT process includes three dominant phases that may take place over a period of several months or even years. In the first phase, the attacker performs reconnaissance, identifies vulnerabilities, launches the attack and infects target hosts. In the second phase, the attacker controls infected hosts, updates the malware, spreads the malware to other hosts (computers) and collects data. In the third phase, the attacker has taken control of one or more hosts within the target network. The perpetrator may establish access credentials to expand the reach of the attack. In cases of exfiltration, the attacker sends the data out of the attacked host or network through a command-and-control server. At this point, the consequences of the attack start to become visible. Depending on the attack’s goal, intellectual property (IP) and sensitive information could be publicly disclosed or equipment could be sabotaged.

APTs are methodical, adaptive and efficient in covering their tracks while carefully penetrating the network. They sometimes cease the attack or stay “under the radar” for days to avoid raising suspicion. They work hard to gain knowledge of the system and often take advantage of zero-day vulnerabilities in the underlying operating system that cannot be defined through patterns or signatures. This adaptive behavior is what makes APTs hard to detect.

Standard antivirus systems cannot detect these attacks, and perimeter defenses such as firewalls—even the most sophisticated ones—can only protect the entry points into the control systems. This does not mean that firewalls don’t have a role in cybersecurity protection of ICSs, just that they are not able to protect the control system itself once the cyberattack is inside or in cases where the attack is executed from the inside, such as with most APTs. What is needed is targeted monitoring of both the network and hosts of a control system. Monitoring and detection systems that use a meticulous surveillance strategy focused on tracking the footprints of cyberattacks based on system, attacker and attack intelligence are the most effective protection. Such systems should also be non-intrusive to avoid putting additional stress on the ICS and should not require frequent updates to work efficiently. Antivirus software requires frequent updates to remain effective. In any case, antivirus software will only be able to detect known attacks at the time of the last update. An ICS relies on determinism and should not be changed or updated unless necessary for the operation of the ICS.

A non-intrusive host- and network-based anomaly detection system for ICS would need the following capabilities:

  • Non-intrusive monitoring of both the controls network and each host, or a sufficient number of hosts, in the ICS
  • Detection technology based on system, attacker and attack intelligence
  • Risk severity evaluation of cyber attacks based on drilling or production process intelligence and situation awareness
  • Controlled response and recovery strategies

For example, to detect Stuxnet, the system needs to be able to recognize and understand the activities occurring in each of the various phases of the attack and respond appropriately. The first step in detecting an APT is to identify its point of entry into the ICS. This could be a USB device, an engineering laptop or a remote connection. The APT will always have to enter the ICS. A firewall will help prevent the APT from entering the ICS, but once the APT is inside, firewalls are no longer effective. A sophisticated attack will hide itself in traffic that the firewall permits.

Once the APT is inside the ICS, it will search for vulnerable machines and zero-day vulnerabilities, which are vulnerabilities that are not known at the time of the attack. Once the APT finds a suitable vulnerability, it might communicate back to a command-and-control center to request updates so that it can launch an effective covert attack. This traffic is hard to detect, but by correlating analysis of traffic data from the controls network with analysis of the activities and behavior of the hosts in the ICS, combined with system, attacker and attack intelligence, it is possible to detect the movement of the APT.
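The network-plus-host correlation described above, and the non-intrusive monitoring capabilities listed earlier, can be illustrated with a small detector. This is an added example, not code from the article or from any product it describes: the PLC addresses, Modbus port, host names, flow records and host events are all constructed, and the rule is a deliberately simple one (anything outside the deterministic ICS baseline is suspect, and it is more suspect when the same host recently showed a possible entry event such as a USB insertion or a new process).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: the deterministic traffic the controls network is
# expected to carry (engineering workstation <-> PLCs over Modbus/TCP).
EXPECTED_PEERS = {"10.10.1.20", "10.10.1.21"}   # PLC addresses (constructed)
EXPECTED_PORTS = {502}                           # Modbus/TCP

# Constructed sample logs: flows seen on a passive network tap, and events
# reported by lightweight agents on an engineering workstation and an HMI.
FLOWS = [  # (time, src_host, dst_ip, dst_port)
    ("2015-10-19 08:00:05", "eng-ws01", "10.10.1.20", 502),
    ("2015-10-19 08:00:10", "eng-ws01", "10.10.1.21", 502),
    ("2015-10-19 08:41:30", "eng-ws01", "203.0.113.7", 443),  # unexpected external peer
    ("2015-10-19 08:55:02", "eng-ws01", "10.10.1.30", 445),   # SMB to another ICS host
    ("2015-10-19 09:00:00", "hmi-02", "10.10.1.20", 502),
]
HOST_EVENTS = [  # (time, host, event)
    ("2015-10-19 08:30:12", "eng-ws01", "usb_insert"),
    ("2015-10-19 08:30:40", "eng-ws01", "new_process"),
    ("2015-10-19 08:58:00", "hmi-02", "new_service"),
]
# Host-side events that may mark the APT's point of entry or persistence.
ENTRY_EVENTS = {"usb_insert", "new_process", "new_service", "remote_logon"}

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(flows, host_events, window=timedelta(hours=1)):
    """Flag flows outside the ICS baseline; raise severity when the source
    host showed a possible entry event within `window` before the flow."""
    events_by_host = defaultdict(list)
    for ts, host, ev in host_events:
        events_by_host[host].append((_t(ts), ev))
    alerts = []
    for ts, host, dst, port in flows:
        if dst in EXPECTED_PEERS and port in EXPECTED_PORTS:
            continue                      # normal deterministic ICS traffic
        kind = "lateral" if dst.startswith("10.10.") else "external"
        t = _t(ts)
        related = [ev for (et, ev) in events_by_host[host]
                   if ev in ENTRY_EVENTS and t - window <= et <= t]
        alerts.append({"host": host, "dst": dst, "port": port, "kind": kind,
                       "severity": "high" if related else "medium",
                       "host_events": related})
    return alerts

if __name__ == "__main__":
    for a in correlate(FLOWS, HOST_EVENTS):
        print(a)
```

Run on the constructed input, the detector produces two alerts for eng-ws01: an external connection shortly after a USB insertion and a new process (a possible command-and-control callback), and a later connection to another ICS host on a non-process port (possible spreading), both rated high because of the preceding host events.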

Once an APT has been detected, it is important to identify the goal of the APT to start working on the defense strategy, including whether to remove, respond to or leave the APT alone for the moment. The defense strategy will depend on the situation on the rig or platform and the state of the associated processes. This evaluation will need to take health, safety and environmental (HSE) consequences into consideration, as well as cybersecurity and financial considerations. Another defense strategy is to isolate the APT and thereby disarm it. A controlled shutdown might also be an alternative, depending on the goal of the APT.

APTs represent a serious threat to drilling rigs and production platforms and should be taken seriously. These cyberattacks might lead to consequences that go beyond delays, annoyance and costs. It is therefore essential to develop a robust protection regime against APTs. Since every APT is different, traditional cyber protection solutions are not sufficient. Users need to deploy protection solutions based on both network and host monitoring inside of the ICS, combined with detection algorithms that are as adaptive as APTs and that are based on system, attacker and attack intelligence. This is in addition to traditional end-point protection and perimeter protection such as firewalls.