Report finds oil & gas ICS security threats on the rise

Whether it’s Joe Weiss’ Unfettered blog or one of Jim Montague’s many cover stories, we talk a lot about cybersecurity. With that, and in line with the release of our annual Oil & Gas eBook, a recent report by cybersecurity company Dragos caught my attention.

In the report, titled “Global oil and gas cyber threat perspective: Assessing the threats, risks, and activity groups affecting the global oil and gas industry,” Dragos states that attacks targeting the global oil and gas industry are increasing along with the number of attackers. 

“As the number of attacks against industrial control systems (ICS) overall is increasing, adversaries with specific interest in oil and gas companies remain active and are evolving their behaviors,” the report states. “Dragos recently discovered a new activity group targeting this space, Hexane, bringing the total number of ICS-targeting activity groups Dragos tracks to nine, five of which directly target oil and gas.”

Here are some of the key findings from the Dragos report.

• ICS risk to global oil and gas is rising, led by reconnaissance and research intrusions as well as use of malware.
• Oil and gas is at risk of loss-of-life cyber attacks. “Dragos assesses that state-associated actors will increasingly target oil and gas and related industries to further political, economic and national security goals,” the report states.
• Oil and gas faces threats from groups targeting OEMs, third-party vendors and telecommunications providers.
• The industry needs to understand the groups targeting electric utilities, as they may shift to include other energy sectors.
• Cybersecurity visibility in the industry is lacking.
• Groups are targeting the full “energy infrastructure” (oil and gas, electric, etc.) of countries around the globe.

As I read through this report, it brought to mind the saying, “know your enemy.” As previously noted, Dragos tracks nine active ICS-targeting groups. The report notes that its important to understand these groups and how they behave and evolve.

These are the five groups directly targeting oil and gas, as identified by the Dragos report. Note that “Dragos does not speculate on the identity of Activity Groups and none should be implied.” 

1. Xenotime: In August 2017, the group used TRISIS framework tailored to interact with Triconex safety controllers to cause disruption at a facility in Saudi Arabia. From 2018 forward, the group has expanded its efforts to oil and gas companies in Europe, the United States, Australia and the Middle East; electric utilities in North America and the APAC region; and additional devices.
2. Magnallium: Active since 2013, this group is focused on initial IT intrusions targeted at companies in the petrochemical and aerospace industries in Saudi Arabia, Europe and North America.
3. Chrysene: After a destructive Shamoon attack at Saudi Aramco in 2012, this group has grown to target petrochemical, oil and gas, and electric generation sectors in the Gulf Region and others.
4. Hexane: Identified by Dragos this year, this group targets oil and gas, and telecommunications in Africa, the Middle East and Southwest Asia.
5. Dymalloy: Dragos describes this group as a “highly aggressive and capable activity group that has the ability to achieve long-term and persistent access to IT and operational environments for intelligence collection and possible future disruption events.” The group is active in Turkey, Europe and North America.

As evidenced by Xenotime’s evolution from oil and gas into electric utilities, the adversaries change. As such, Dragos suggests: “Oil and gas entities should realize that a threat to one ICS entity is a threat to all energy infrastructure. No longer are individual threats exclusive to oil and gas, electric, nuclear, or natural gas.” 

Although not yet active in oil and gas, these four groups should be on the radar for their activity in other verticals, according to the Dragos report.

1. Electrum: Known for the Crashoverride event in 2016, this group generally targets electric utilities in Ukraine.
2. Raspite: Not identified as active since mid-2018, this group targets electric utilities in the United States and government entities in the Middle East.
3. Allanite: Active in the United States and United Kingdom, this group focuses its efforts on businesses and ICS networks in the electricity sector.
4. Covellite: Primarily active in Europe, East Asia and North America, this group has compromised electric energy networks, but shows no evidence of ICS targeting.

The report goes on to explore the potential threats to upstream, midstream and downstream operations, as well as threats by region. It also provides the Top 5 attack scenarios in oil and gas, and offers a series of defensive recommendations.

With the growth of IIoT, it’s important to look beyond the benefits and understand the associated cyber risks. Reports like this, that dive into the actions of the enemy, are essential for gaining a solid comprehension of the dangers in order to effectively protect operations.