Professional Documents
Culture Documents
FOREWORD
The US ICS-CERT recognises these trends and are listing a growing number of attacks launched on
Industrial Control systems. It further states that:
53% of cyber-attacks in the USA are aimed towards the energy sector
30% of malware gets through precautionary measures
The 2014 Verizon Data Breach report states that 40 per cent of the attacks performed in the
manufacturing and mining industry are cyber espionage based. A UK survey revealed that 81 per
cent of large companies were digitally attacked, at an average cost of 1 million per company.
Similarly, 62 per cent of small and medium-sized enterprises (SMEs) were digitally attacked in 2014
at an average cost of more than 100,000 per incident. Eventually, even your company will be a
target and the cost of unpreparedness could be crippling.
We have to realise that the reasons why people, governments and critical infrastructure are
attacked via computers is fivefold:
It is relatively easy
It is cheap
It can be catastrophically effective
It is forensically difficult to trace
It pays no heed to state jurisdictions of frontiers.
IT Security is a continuous process. And it is necessary to focus your investment not only on
solutions helping you to protect your valuable assets but also to monitor, detect and respond to
cyber threats. Simply putting more locks on your door will not make it more secure...
Maturing a companys security infrastructure is a challenge but can be made efficient by applying
a so-called Cyber Security Maturity Model. A step-by-step model that helps to achieve the desired
level of risk mitigation and cyber security resilience. So you can be prepared!
Ronald Prins
CTO &Co-founder
Fox-IT
Thus spake the former White House Chief of Staff to President Clinton,
Director of the Central Intelligence Agency and Chief Executive Officer
of the most powerful defense establishment on Earth.
And that was three years ago.
By 2020,
25 billion
connected
devices for every
living human
being on
the planet
5714
1 http://www.emc.com/collateral/analyst-reports/idc-the-digital-universe-in-2020.pdf
2 http://www.gartner.com/newsroom/id/2905717
3 http://www.emc.com/collateral/analyst-reports/idc-the-digital-universe-in-2020.pdf
A history of violence
Although digitisation has been a growing trend for the past two decades, the history of cyber attacks - both selfinflicted and of external origin - has long been a feature of the oil and gas industry. Here are some of the most
prevalent and insidious attacks to date.
The CIA placed deliberate flaws in control system software stolen by Russia,
leading to a massive pipeline explosion in June. Leaked extracts in the
Washington Post describe how the operation caused "the most
monumental non-nuclear explosion and fire ever seen from space". The
chip which caused the explosion is named "The Logic Bomb".
The Stuxnet worm attacked automation systems at Iran's Natanz nuclear facility,
halting progress on the country's uranium enrichment program. The computer worm
is considered the world's first cyber weapon, infecting up to 12 million computers in
China. Supermajor, Chevron, later reveals that it too was a victim of Stuxnet.
Stuxnet changed the playing field because it was the first malware agent to be
discovered that could hide from, spy on and subvert industrial automation systems
with its own programmable logic controller (PLC) rootkit.
Stuxnet could attack SCADA and industrial control systems (ICS) and reprogram
them to gradually self-destruct, which is exactly what it did to centrifuges at the
heart of the Iranian nuclear programme.
This Trojan Horse stole data and wiped files, in an attack that disabled 30,000
terminals at Saudi Aramco, the national oil company of Saudi Arabia and worlds
largest oil producing corporation. Shamoon takes RasGas, the second largest
producer of liquefied natural gas (LNG) in Qatar completely offline. This attack was
referred to by U.S. Defence Secretary, Leon Panetta, as the most destructive to
have ever hit any sector of business.
A hacking group based out of Russia and calling itself Energetic Bear, launched a
campaign to infect energy and industrial firms around the world with a malicious
remote access Trojan (RAT) codenamed HAVEX. This malware had the ability to
shut down major power grids, and oil and gas pipelines.
All of the major attacks that have been perpetrated since the Logic
Bomb exploded some 33 years ago fall into four categories of
assault. Some are more prevalent than others in the 21st century
cyberspace and are the province of state rather than civilian actors.
Hacktivism
Cyberwarfare
Cyber espionage
Unlike one-off cyber attacks, these are lengthy, persistent and targetexplicit incursions conducted using Trojans and spyware to procure
specific sensitive information.
Cybercrime
4 http://en.wikipedia.org/wiki/Project_Chanology
5 https://www.rsaconference.com/writable/presentations/file_upload/ht-t10-hacktivism-in-2015-_it-isnt-just-for-the-_lulz-anymore_final.pdf
6 http://www.popsci.com/article/gadgets/few-questions-peter-w-singer-about-future-cybersecurity
7 http://intercrossblog.icrc.org/blog/what-everyone-needs-know-about-cyber-warfare
8 http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf
9 http://bit.ly/1aG7zoC
Threat levels
Increasing frequency
2013
NO
75%
25% 21%
YES
NO
2013
2014
2014
2015
79%
20
0
YES
40
60
80
100
NO
YES
25%
NO
2015
75%
YES
69%
31%
YES
NO
73%
27%
YES
NO
CONCERNED ABOUT?
70
60
50
40
30
20
10
2014
2015
Add to the mix the fact that almost two thirds of oil and gas
companies do not have an organised framework to address
and manage the aftermath of a security breach or attack, and
you have the ideal witches brew for the inability to correctly
combat a cyber incursion.
DOES YOUR ORGANISATION HAVE AN INCIDENT RESPONSE
PLAN IN PLACE?
40%
60%
YES
NO
2015
0
2013
Hacktivism
Cyber espionage
2014
Cyber warfare
2015
Cyber crime
10 http://www.nytimes.com/2012/12/10/business/global/saudi-aramco-says-hackers-took-aim-at-its-production.html
32%
28%
22%
24%
28%
25%
14%
11%
9%
7%
IP theft
2014
Negative impact
to corporate
brand
Production
cessation
Health,
Safety, and
Environmental
impact
Downtime in
production
environments
2015
Conclusion?
Cyber attacks have increased 200 fold since 2012, to the extent where now only eight per
cent of IT professionals consider their companies to be impervious to a major cyber
incident. Despite this alarming statistic, one in four oil and gas companies still lack an
in-house cyber security department, and almost two in three have no codified incident
response plan.
The principal form of cyber attack that companies are worried about is hacktivism, with just under half of all
respondents over a three year period signalling that the threat of growing and evermore pervasive individuals and
organisations in this space was their most pressing concern.
11 [THE BOARDROOM] Watch This Space.A Lower Oil Price Could Mean More Fatalities
Ronald was a scientific researcher at the Netherlands Forensic Institute (NFI), where he
gained recognition by breaking codes on cryptographic security systems encountered by
law enforcement in criminal investigations. He co-founded FOX-IT with fellow NFI
forensics specialist, Menno van der Marel, in 1999.
SPEAKER KEY
12 https://hbr.org/1985/09/scenarios-uncharted-waters-ahead
13 https://hbr.org/1985/11/scenarios-shooting-the-rapids/ar/1
14 Implementing Changes In Leadership Thinking And Behaviours To Drive Operational Excellence In Oil And Gas
10
RP Well, I always say that oil and gas is the most mature
sector when it comes to cyber security, and thats
because of geopolitical reasons. All of the big companies
have former intelligence people working for them to do
analysis on the threat side and formulate responses.
However, there is a massive difference between the
bigger multinationals and the rest of the oil and gas
world. And just because the sector might have a mature
awareness of the problems, it does not mean they have
a mature attitude of how to tackle it.
There are two things you really need to do this well:
awareness of what could happen, and experience of
having undergone a cyber crisis to see how you respond
and what can be done better. Unfortunately, you need
disasters to learn from, you cant do it all just sitting
behind your desk.
TH Are there any other areas of industry that oil and gas
sector can learn from?
In an age of mobile
computer technology,
air gap is just a myth.
11
The report into the disaster cited that the majority of those
aboard the rig could have survived had there been a codified
command structure and emergency response framework to
follow. Lack of preparation cost lives on the night, and a lack of
preparation will cost you dearly when a cyber attack occurs.
Currently, nine per cent of companies in the oil and gas realm
are segregating their IT and operational technology (OT)
networks by air gap alone17. Whilst that is better than the 19
per cent that have no separation between IT and OT at all18, air
gap is by no means a secure method of isolation from malware.
A convict has been sent back from the future to try and stop
the viruss initial introduction into the biosphere, but said timetravelling jailbird has no prior knowledge of who exactly
released the virus in the first place. To cut a long story short,
there are a number of suspects implicated in the viruss
outbreak, but the perpetrator eventually turns out to be one of
the assistants in the virology lab where the virus was created.
The moral of the story is not to give any one person the keys to
the kingdom, lest they use said influence for evil, are subverted
from a righteous path or unwittingly targeted by those who
seek to do evil.
For the past 90 years, the practice of stepping into the enemys
shoes has been a staple of military preparedness. In
cyberspace, where conventional warfare is being waged in the
digital domain, a similar practice of assuming the guise and gait
of your adversaries is an advisable tactic.
The old saying goes that two heads are better than one - in the
cyber security space, this is no different. Pooling of knowledge
to fight common actors is, ultimately, in the interest of all
concerned. As Spock once said in seminal sci-fi flick Star Trek II:
The Wrath of Khan: The needs of the many outweigh the
needs of the few or the one.21
12
Epilogue