LAS VEGAS — Cyberattacks against global oil and gas facilities are increasing, and the threats could have catastrophic results, according to new research.
In a report published last week titled, “Global Oil and Gas Cyber Threat Perspective,” cybersecurity vendor Dragos Inc. detailed how industrial control system (ICS) security threats are on the rise for oil and gas companies. “The ICS security risk to global oil and gas is high and increasing, led by numerous intrusions into ICS networks for reconnaissance and research purposes, and adversary use of destructive malware at oil and gas facilities,” the report said.
Dragos, which discussed the research at Black Hat 2019, also identified a new threat group capable of ICS attacks that is currently targeting oil and gas facilities. Dubbed “Hexane,” the group has been active since 2018, and is also targeting telecommunications companies in the Middle East, Central Asia, and Africa. Dragos researchers believe Hexane could be planning to use telecom providers “potentially as a stepping stone to network-focused man-in-the-middle and related attacks,” according to Dragos’ profile of the group.
The rise in ICS security threats against oil and gas companies has coincided with a spike in political conflicts between various nations across the globe. “Over the last year and half, as tensions have risen around the world, oil and gas has become a predominant target,” Sergio Caltagirone, vice president of threat intelligence at Dragos, told SearchSecurity.
One example of this, according to the report, is an Iranian threat group Dragos calls Magnallium that has launched attacks against U.S. targets. “Following recent increasing tensions between the U.S. and Iran, Dragos identified Magnallium activity targeting U.S. government and financial organizations, as well as oil and gas companies attempting to gain access to computers at target organizations,” the report stated.
Caltagirone said the potential for a cyberattack to lead to loss of life is higher at oil and gas facilities than electric utilities because the volatile refinery process involves flammable materials and could potentially lead to explosions. In fact, the report said that “Dragos assesses with moderate confidence that the first major cyber-related ICS event causing major process and equipment destruction or loss of life will occur in the oil and gas sector.”
But Caltagirone stressed that so far, there’s no indication that any of the recent ICS security threats are attempting to cause loss of life. Instead, Dragos believes hacking campaigns against oil and gas companies are designed to disrupt operations or to “further political, economic and national security goals,” according to the report. Caltagirone said that in some cases, nation-state threats groups may simply want to “send a message” to an opposing country by demonstrating that they have access to ICS networks of critical infrastructure.
Proliferation of ICS security threats
Caltagirone said the increase in attacks on oil and gas facilities shows a proliferation of ICS hacking capabilities among different nations. “What we’re seeing now is a result of investments that were made two or three years ago, and other countries will see this and want parity,” he said. “That’s why Stuxnet was such a big deal because it got the ball rolling with ICS.”
Joe Slowik, adversary hunter at Dragos, said that while nation-state groups are increasing their capabilities, most haven’t reached the point where they can successfully manipulate ICS and cause a destructive event. “It’s been 10 years since Stuxnet, and in that time we’ve only seen one incident where the attackers accomplished exactly what they wanted,” he said, referring to a cyberattack on a power grid in Ukraine.
Dragos’ report noted that only one threat group, Xenotime, has demonstrated an ability to not only penetrate ICS networks in oil and gas facilities but also potentially cause a destructive event.
On another positive note, Caltagirone said OEM manufacturers are taking such threats seriously and working with Dragos and other vendors to improve ICS security. “I’ve seen nothing but positive results from the ICS community,” he said.
Still, Caltagirone said redesigning ICS hardware will take time, and new, more secure products may not be released for another five to seven years.
Marc Light, vice president of data and research at cybersecurity vendor BitSight, said the wait could be even longer for certain types of products. Light, who previously worked at Honeywell and energy analytics firm WindLogics, also said it could be a challenge to get energy companies to invest in newer products when the lifecycle for existing ICS is quite long.
“When utility companies buy big expensive ICS things like wind turbines, they spend a lot of money and they expect to keep those things for 30 years,” Light said.
In the meantime, Dragos recommended that oil and gas companies, as well as other organizations using ICS, take several steps to defend against these attacks, such as developing incident response plans, segmenting networks to prevent lateral movement, and collecting logs in ICS environments to improve visibility.