Cyber Risk to the Oil and Gas Industry

Threat-Analysis-Report

Original Release Date: 8/29/2022

The NJCCIC assesses with high confidence that the cyber risk to the oil and gas industry is high and that the energy sector at large is a priority target for state-sponsored threat actors, cybercriminals, and hacktivists. Each type of threat actor has a defined motivation and purpose for conducting cyberattacks: state-sponsored groups often carry out cyberattacks to achieve geopolitical goals by disrupting critical energy supplies and stealing intellectual property and trade secrets; cybercriminals are financially motivated and attempt to extort millions in ransomware payments; and hacktivists seek to publicize their agendas or opposition.

Russia’s invasion of Ukraine has increased concerns of retaliatory cyberattacks that may target key energy supplies in response to sanctions against Russia, and monetary and weapons support provided to Ukraine. While state-sponsored groups have demonstrated the capability and intent to launch cyberattacks that cause physical damage to energy infrastructure, New Jersey’s energy sector is most likely to face reconnaissance and intelligence collection activities aimed at exfiltrating data and establishing persistence on high-value networks for potential use in future sabotage operations. New Jersey’s high-risk level is largely due to its significance as a major distribution center for petroleum products throughout the Northeast. New Jersey is home to three operating oil refineries and five key interstate natural gas carrier pipelines. Cybersecurity challenges have emerged as a major threat to commodities industries and markets over the last decade, as threat actors seek to steal data and paralyze the flow of resources.

Additionally, the consequences of a destructive cyberattack on oil and gas resources range from significant financial losses for the private sector to potential physical and economic impacts on the affected municipalities, triggering gasoline and diesel price spikes, panic buying, and supply shortages across the Southeast and East Coast. The oil and gas supply process depends on IT and operational technology (OT) systems; cyberattacks could cause these systems to fail and disrupt critical operations.

Oil assets and infrastructure have emerged as the biggest targets for hackers and cyberattacks since 2017, accounting for a third of all incidents over that period. Trend Micro states that the average financial damage to the industrial control systems and operational technology (ICS/OT) industry is approximately $2.8 million, with oil and gas impacted the most. In addition, almost three-quarters (72 percent) of survey respondents admitted they experienced cyber disruption to their ICS/OT environments at least six times during the previous 12 months.


Recent Incidents

  • In January 2021, threat actors targeted oil loading facilities in the Amsterdam-Rotterdam-Antwerp refining hub: Oiltanking in Germany, SEA-Invest in Belgium, and Evos in the Netherlands. The cyberattack impacted the flow of oil products, such as heating oil, diesel, jet fuel, gasoline, and fuel oil, in Antwerp, Hamburg, Amsterdam, Ghent, and Terneuzen, causing many cargoes and barges to be diverted to other terminals in the region. The cyberattack caused many issues in Antwerp, where loading operations were affected across all products, as the majority of its operations use automated processes. A spokeswoman for SEA-Invest stated that every port it runs in Europe and Africa was affected. The impacted companies have not publicly attributed the attacks to a particular criminal group or country, and Russia has consistently denied that it launched cyberattacks. The timing of the attacks, however, suggests that supporters of Russia’s invasion of Ukraine may have conducted the operations.
  • In May 2021, Colonial Pipeline was the victim of a ransomware attack. The pipeline, which begins in Texas and terminates in Linden, New Jersey, is one of the largest and most vital oil pipelines in the United States, as it moves oil from refineries to industry markets and supplies about 45 percent of fuel to the East Coast. Attackers gained access to the Colonial Pipeline network through an exposed password for a virtual private network (VPN) account found on the dark web. The ransomware infected some of the pipeline’s IT systems, shutting it down for several days. The company decided to also shut down the pipeline’s OT network to prevent the infection from spreading. The shutdown affected consumers and airlines along the East Coast. The incident was deemed a national security threat and resulted in President Joe Biden declaring a state of emergency. DarkSide was able to extort approximately $5 million from Colonial Pipeline, though $2.3 million was successfully recovered with the help of the US Department of Justice. The servers and bitcoin associated with DarkSide were also seized shortly after the incident, causing the group to shut down operations.
  • Last year, a ransomware attack on Saudi Aramco, the world's largest single exporter of crude oil, resulted in the exposure of sensitive data. The company told the Associated Press that third-party contractors held the data and that Saudi Aramco's systems were not breached. Nevertheless, someone from the unidentified contractor firm reportedly stole 1 terabyte of data dating back to 1993. This data included company information; customer invoices; more than 14,000 of 66,000 employee profiles that contained personally identifiable information (PII), such as passport scans and customer lists; and maps of the network, including Internet of Things (IoT) device addresses, supervisory control and data acquisition (SCADA) points, IP cameras, Wi-Fi access points, and IP addresses with their precise GPS coordinates. Saudi Aramco acknowledged the incident on July 21, 2021. The data was stolen by a threat group known as ZeroX, which claimed it exploited a zero-day vulnerability to obtain the data. Both ZeroX and Saudi Aramco denied that the incident was ransomware, as no encryption of data occurred. ZeroX threatened to sell the information for a starting price of $5 million on the dark web.


Recommendations for IT and OT Environments

  • Tamper-resistant controls on field devices: Field devices must implement hardware security controls to prevent physical tampering.
  • Trusted procurement procedures: Commercial off-the-shelf (COTS) hardware and software IT products, which are ready-made and available for purchase by the general public, must go through strict procurement procedures that permit the installation only of certified devices meeting strict security standards.
  • Patching and updating: Support staff must install critical updates as soon as they are available after appropriate testing, both for operating systems and ICS software. Install and regularly update anti-virus and anti-malware software on all hosts. Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Encryption: Devices must implement end-to-end encryption and include embedded security in their processes. In some cases, certificate pinning (SSL pinning) must be required to reject spoofed devices, and key material must be protected against side-channel attacks that can compromise encryption keys.
  • Authentication and access control procedures: Facilities should implement strict authentication and authorization procedures for their employees and for all software entities. Develop access control measures to prevent unauthorized access to critical cyber systems.
  • Penetration testing and internal audit: All facilities must implement rigorous vulnerability assessment and penetration testing audits on a regular basis to ensure continuous analysis of operational systems.
  • Employee training and awareness: All employees working on critical systems must have proper training or certifications to support the elevated threat level of their positions. Human error and phishing attacks are most effectively avoided through proper employee awareness rather than technical means.
  • Network segmentation: All facilities must deploy proper network segmentation, with a configured DMZ and network isolation to protect critical systems. Whenever possible, ICS should not share a network with internet-accessible devices.
  • Use of different technologies: Deployed ICS should use devices and systems from different vendors to reduce the number of assets compromised per vulnerability. Although this measure introduces management complexity, it is a vital control for increasing the resilience of critical systems.
  • Segregation of duties and minimum privileges: Staff must have discrete credentials and relevant privileges based on their job description and needs. The Principle of Least Privilege must be implemented on all accounts and require administrator credentials to install software.
  • Catalog and reduce system dependencies: Critical systems must identify and minimize dependencies on other systems and services, such as third-party processes.
  • Minimize unified closed loops: Although closed-loop systems ease monitoring and control, and manual control increases operator workload, operators should minimize the use of automatic controls over critical machinery or, at a minimum, monitor them heavily and break closed-loop systems down into individual procedures.
  • Create backups: Regularly back up data, and keep backup copies offline, air-gapped, and password-protected. Ensure copies of critical data cannot be modified or deleted from the system where the data resides.
  • Recovery plan: Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud). Establish, test, and update incident response (IR) plans and continuity of operations plans (COOPs).
  • Ensure password security: Use multi-factor authentication (MFA) where possible. Use strong passwords and regularly change passwords for network systems and accounts, implementing the shortest acceptable time frame for password changes. Avoid reusing passwords for multiple accounts.
  • Use secure networks only: Only use secure networks and avoid public Wi-Fi networks. Consider installing and using a VPN.
  • Email security: Consider adding an email banner to messages originating outside your organization and disable hyperlinks in received emails.
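The "Patching and updating" item above asks support staff to monitor remote access/RDP logs, and the "Authentication and access control" item asks for strict authentication procedures. The script below is an added illustration of what that monitoring can look like in practice; it is not part of the NJCCIC report and is not a product feature. It runs over a handful of constructed log lines (fabricated for this example, not real telemetry) in a simplified `time eventid user=... src=... type=...` format, using the Windows Security event IDs 4624 (successful logon) and 4625 (failed logon) and logon type 10 (RemoteInteractive, i.e. RDP). It flags two patterns a defender cares about: a burst of failed RDP logons followed by a success for the same account and source, and successful RDP logons from source addresses outside an assumed management allowlist (`10.20.0.0/16`, chosen for the example).

```python
"""Flag suspicious RDP logon activity in (constructed) authentication log lines.

Added example for the NJCCIC recommendations; the log format is a simplified
stand-in for a real Windows Security event export.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample lines: ISO timestamp, Windows event ID, account, source IP, logon type.
# Five failures then a success for svc_hmi from an external address, normal activity for
# opsadmin from the management subnet, and a vendor logon from an unexpected address.
SAMPLE_LOGS = """\
2022-08-20T02:14:03 4625 user=svc_hmi src=203.0.113.45 type=10
2022-08-20T02:14:05 4625 user=svc_hmi src=203.0.113.45 type=10
2022-08-20T02:14:07 4625 user=svc_hmi src=203.0.113.45 type=10
2022-08-20T02:14:09 4625 user=svc_hmi src=203.0.113.45 type=10
2022-08-20T02:14:11 4625 user=svc_hmi src=203.0.113.45 type=10
2022-08-20T02:14:20 4624 user=svc_hmi src=203.0.113.45 type=10
2022-08-20T09:01:00 4624 user=opsadmin src=10.20.5.17 type=10
2022-08-20T09:30:00 4625 user=opsadmin src=10.20.5.17 type=10
2022-08-20T11:45:00 4624 user=vendor01 src=198.51.100.9 type=10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d{4}) user=(?P<user>\S+) src=(?P<src>\S+) type=(?P<ltype>\d+)$"
)

FAILED_LOGON = "4625"      # Windows Security event: an account failed to log on
SUCCESS_LOGON = "4624"     # Windows Security event: an account was successfully logged on
RDP_LOGON_TYPE = "10"      # RemoteInteractive (RDP / Terminal Services)


def parse_lines(text):
    """Parse log lines into dicts; silently skip lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Return hits where >= threshold RDP failures preceded a success (same user+source, within window)."""
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failed logons
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ltype"] != RDP_LOGON_TYPE:
            continue
        key = (ev["user"], ev["src"])
        if ev["eid"] == FAILED_LOGON:
            failures[key].append(ev["ts"])
        elif ev["eid"] == SUCCESS_LOGON:
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append({"user": ev["user"], "src": ev["src"],
                             "failures": len(recent), "success_at": ev["ts"].isoformat()})
            failures[key].clear()   # a success resets the counter for that pair
    return hits


def detect_unexpected_sources(events, allowed_cidrs):
    """Return successful RDP logons whose source IP is outside the allowed management networks."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    out = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["eid"] != SUCCESS_LOGON or ev["ltype"] != RDP_LOGON_TYPE:
            continue
        addr = ipaddress.ip_address(ev["src"])
        if not any(addr in n for n in nets):
            out.append({"user": ev["user"], "src": ev["src"], "at": ev["ts"].isoformat()})
    return out


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOGS)
    for hit in detect_bruteforce_then_success(evs):
        print("ALERT brute-force followed by success:", hit)
    # Assumed management subnet for this example; replace with the site's real allowlist.
    for hit in detect_unexpected_sources(evs, ["10.20.0.0/16"]):
        print("ALERT RDP logon from non-allowlisted source:", hit)
```

Both detections are deliberately simple so that the logic is auditable: the first keys on the (account, source) pair so that distributed password spraying from many sources would need a separate rule, and the second only tells you where a logon came from, not whether it was authorized, which is why it pairs with the MFA and least-privilege items above rather than replacing them.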

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
