Cybersecurity Threats Facing the Oil & Gas Sector

Cybersecurity Threats Facing the Oil & Gas Sector

14 Oct 2020

The December 2017 Triton attack is often mentioned as one of the most devastating ICS malwares that could have caused unprecedented damage and risked human lives. The Triton attack was a sophisticated and persistent attack on a petrochemical plant in Saudi Arabia, that attempted to compromise Schneider Electric Triconex SIS (safety instrumented system). The malware was able to pass through the OT network of the victim and manipulate the safety systems by reverse engineering Schneider Electric industrial protocol.

Fortunately, the Triton attack failed before it was able to execute its main (estimated) goal: releasing a high amount of Hydrogen Sulfide (H2S) which would have led to explosions.

While Triton was a highly sophisticated and targeted attack handled by what many researchers define as a state-backed Russian APT, the same effect might be achieved also with less effort. Today’s attack surfaces are getting wider due to the steep increase in remote connectivity to ICS, and attackers know how to take advantage of nearly every security malfunction to gain confidential intelligence about ICS equipment that the victims use on their production floors.

To commemorate nearly 3 years since the Triton attack first occurred, we will show you here that today an attacker can target specific ICS products with a little help from legitimate systems, and without investing much effort in reaching the target or gaining permissions to run commands on it. 

In this blog, we decided to focus our initial search on H2S alarm systems and if there are exposed components that can be used as bait for cyber criminals.

Oil and Gas Cyber Attacks: The case of the Canadian oil and gas company

Our first step was to check for systems that control or monitor H2S, and are exposed to the internet. We used some of the famous scanners like Shodan, Binary Edge, and Censys for that mission, with the banal term “H2S”.

What we found was surprising: a SCADA system and a control panel, which seems to control energy production processes. One of those processes has to do with H2S, and we assume that the CP gives indications about abnormal status of H2S in the process. This CP was exposed to the internet over port 5900, a port commonly used for VNC (Virtual Network Computing), a graphical desktop sharing system.

Combining results from Binary Edge with those from Shodan, revealed more confidential systems that belong to the same Canadian company: while searching for more exposed ICS systems, we found that the same IP serves an internal router that has communications with Rockwell Panelview 6 HMI (udp) and 1756 Controllogix PLC (tcp), both over port 44818.

Now that we’ve mapped some of the assets, we can assume that perhaps the SCADA main control page we saw above, is displayed to the engineers in the plant on a panelview 6 HMI screen.

This oil and gas company is apparently not alone. Searching for the same pattern, we found more oil and gas companies whose Rockwell Automation gear is exposed to the internet. One of the companies is an Atlanta, Georgia based oil and gas company, using a Rockwell 1769-L30ER Compactlogix controller exposed to the internet. The controller has communication over port 44818 as well, which is known for being highly vulnerable if not disabled.

To understand how common this vulnerable implementation is, we checked how many of these Rockwell Automation devices are openly exposed:

  • 150 Rockwell Automation 1756 controllogix controllers, mostly in North America
  • 191 Rockwell Automation 1769 compactlogix controllers, 162 of them in North America
  • 31 Rockwell Automation PanelView Plus_6 HMI, mostly in North America

To conclude this part, we were able to find low hanging fruit targets that even low-skilled attackers can exploit easily to cause disruption or even severe damage to people and machines.

Making sense of it: understanding the threats on the oil and gas sector

Natural gas production in Canada, as elsewhere, faced many challenges in the past few years, the most prominent of which has been the volatility of energy prices. Canada was also particularly hurt by competition from cheap U.S. shale oil when production from those sources was at its height.

Most public natural gas companies had a rough earnings year in 2016, followed by some recovery in 2017 and 2018. The largest natural gas producers managed to make mild gains during the first ten months of 2019, but it was a challenging year for most small firms.

A cyber attack will cause overpressure to the victim, who already has to deal with the challenges of the sector.

The Oil and Gas sector, specifically, continues to be very attractive for cyber criminals in the past year. Some recent cases show that attackers choose those specific companies as “top targets”:

  • Enel Group, an Italian electricity and natural gas provider, was hit by Snake ransomware. 
  • A highly targeted campaign was targeting several oil and gas companies in April, trying to deploy Agent Tesla spyware on victims.
  • A while earlier (Q4, 2019), another 2 attacks have been successfully deployed: Pemex, the Mexican state-owned petroleum company was hit with Dopplepaymer ransomware and Ryuk ransomware caused severe damage to a gas compression facility in the US, crippling the IT network and destroying HMIs and historian systems on the victim site.

Conclusions

At the beginning of this blog, we mentioned the sophisticated Triton attack, which required, allegedly, nation-state efforts to execute. This case, however, shows that attacking OT doesn’t have to be so “expensive”. As we saw, in some circumstances, automation engineers can unwittingly leave useful tools for criminals that can easily be used as dangerous entry points to the OT network. 

One may think this issue is no big news. In an alert (AA20-205A), dated July 2020, CISA and the FBI recommend “immediate actions to reduce exposure across operational technologies and control systems”. The agencies basically warned from exposed ICS systems like the ones we found in our case of the Canadian oil and gas company. So, how is it possible that we still see such bold cases of exposure?

The alert even mentioned Shodan as one of  tools that can afford unauthorized access to unsecured assets.

We mentioned only 2 exposed firms in this blog while we recently found many more, from other critical sectors like upstream oil and gas, and water exploration. To protect its assets, every company should conduct security checks or hire a cyber security company to help monitor all the assets, fix security gaps, and bring a comprehensive risks report with prioritization modeling, with insights that help mitigate the risks step by step.

We hope the information discussed here will afford companies to decrease the risk of being attacked and raise awareness for today's threats while emphasizes the relevance of breach mitigation services. Let's keep in mind that today’s attack surface is getting wider and just as we are monitoring the internet, searching for exposed ICS products, so are cyber criminals and malicious activists.

Vulnerabilities overview

By using OTORIO’s RAM²'s proprietary & analyst-curated industrial vulnerability database, we could find several vulnerabilities that match the Rockwell Automation products that we found exposed:

Product

cve_id

CVSS

Type

Impact

Known Public Exploit?

PanelView Plus 6

CVE-2017-7914

8.6 

Design Error

Authentication Bypass

NO

Allen Bradley ControlLogix 1756 ENBT 

CVE-2012-6436

7.8 

Crafted Packet

Denial Of Service

YES

Allen Bradley ControlLogix 1756 ENBT 

CVE-2012-6437

10

Design Error

Denial Of Service

YES

Allen Bradley ControlLogix 1756 ENBT 

CVE-2012-6439

8.5

Crafted Packet

Denial Of Service

YES

Allen Bradley ControlLogix 1756 ENBT 

CVE-2012-6441

5.0

Crafted Packet

Denial Of Service

YES

Allen Bradley ControlLogix 1756 ENBT 

CVE-2012-6442

7.8

Crafted Packet

Denial Of Service

YES

Allen Bradley ControlLogix 1756 ENBT  

CVE-2012-6438

7.8

Crafted Packet

Denial Of Service

YES

Allen Bradley ControlLogix 1756 ENBT 

CVE-2012-6440

9.3

Man IN The Middle

Data Manipulation

YES

Allen Bradley ControlLogix 1756 ENBT  

CVE-2012-6435

7.8

Crafted Packet

Denial Of Service

YES

Allen Bradley CompactLogix 1769- L30ER

CVE-2016-9343

10

Buffer Overflow

Denial Of Service

NO

Allen Bradley CompactLogix 1769- L30ER

CVE-2016-2279

6.1

Cross Site Scripting

Remote Code Execution

YES

Do you work in the oil & gas industry? Click here to read how OTORIO can help you to mitigate cybersecurity risks.

Ran Finkelstein
Threat Intelligence Researcher

04 May 2020 Industrial Cyber-Security During COVID-19: From a Hackers’ Paradise to Resilient Remote Operations more...
26 Mar 2020 Coronavirus: Time for Remote Connection Solutions for ICS more...
18 Mar 2020 COVID-19 is a Wake-up Call for Manufacturing SMBs more...
loader
×

OTORIO website uses cookies. By continuing to browse the site you are agreeing to our use of cookies. For more details about cookies and how to manage them, see our cookie policy.

Continue