Cyberthreats escalate in oil and gas: are supplies at risk?

The energy sector is of vital interest for Singapore. The city-state is seen as one of the leading global oil trading and refining hubs, employing over 20,000 people. It is also crucial for the regional natural gas supply, as Asia is on track to account for half of the projected growth in global gas demand until 2025, according to the IEA.

Around the globe, we observe a rise in cybersecurity incidents targeting critical energy infrastructure. European ports reported various incidents last year. The United States’ State Department warned in May this year that state-sponsored actors would be capable of launching cyberattacks against pipelines after researchers found that a Chinese hacking group had been spying on its networks. In 2021, a ransomware attack on the Colonial Pipeline disrupted supplies for about a week, affecting 12,000 petrol stations on the US East Coast.

Will hackers spare our shores? We think that is unlikely. A closer inspection and understanding of adversary behaviours and the vulnerabilities they exploit can help prevent disasters that would adversely affect crucial infrastructure and mission-critical operations. With the right preparation, organisations can steer clear of trouble. There are a few things to keep in mind.

The geopolitical factor

Recent research for our Cyber Threats Landscape Report 2023 showed that ransomware hacks used for financial gain continue to dominate. But when it comes to the oil and gas sector, geopolitical factors come to the fore. Threat groups are taking sides in global conflicts, such as the enduring conflict in Ukraine and global tensions between superpowers that could implicate our region. Attacks on this sector can impact entire supply chains of countries and cause economic mayhem.

In Europe, the recent wave of cyberattacks saw numerous organised crime groups and hacktivists compromising key oil and gas supply chain organisations. This created systemic disruptions in the distribution of supplies to consumers. The situation in Europe was further complicated by coinciding with the winter period, when there is increased energy demand for heating, while sanctions were imposed on Russian-origin energy supplies. This led not only to fuel price spikes but also to compounded disruptions in energy supply, affecting the quality of life.

Ransomware typically targets the IT systems of its victims, with related malware harvesting emails and contact lists and then disseminating malicious attachments or links. More recently, however, the focus of threat groups has shifted towards the more critical operational technology (OT) – including devices, IoT, and enterprise software. Disruptions to operational technology can quickly become systemic, affecting players at the upstream, midstream, and downstream levels and providing attackers with significant leverage for extortion or ransom.

The shadow of Stuxnet looms large in the minds of cyber defenders. We have observed the creation and use of an OT exploit framework (namely Pipedream), which underscores the growing interest and investment by threat groups in targeting these technologies to significantly impact organisations and their consumers.

The human factor

To secure their OT, organisations must be especially careful in both the design of processes and the use of technologies, starting with the individual. Various employee groups, including engineers, supervisors, managers, external vendors, and service personnel, might access physically isolated networks. This caution is all the more necessary given the increasing deployment of mobile devices and industrial IoT that are configured and operated remotely.

Businesses in the oil and gas industry must therefore implement robust protective measures for their OT environments. The Purdue Model, for instance, segments control systems from the corporate enterprise network and the internet, thereby restricting administrative staff from accessing operational layers they do not require. Principles of zero-trust architecture are employed to manage authentication, segregate networks, and reduce access rights to the bare minimum.
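As an added illustration of the segmentation principle described above (example code, not part of the original article or any vendor's product), the following script audits a set of constructed firewall flow records against Purdue-level adjacency: traffic may only cross one level boundary at a time, and site operations (level 3) must reach the enterprise network (level 4) through the level 3.5 DMZ. The zone subnets and the sample flows are assumed placeholders, not a real site's addressing.

```python
from ipaddress import ip_address, ip_network

# Assumed (constructed) zone layout following the Purdue Model; the subnets are
# placeholders, not any real site's addressing.
ZONES = [
    ("L1 control",     1.0, ip_network("10.1.0.0/24")),   # PLCs, RTUs
    ("L2 supervisory", 2.0, ip_network("10.2.0.0/24")),   # HMI, SCADA servers
    ("L3 site ops",    3.0, ip_network("10.3.0.0/24")),   # historians, engineering
    ("L3.5 DMZ",       3.5, ip_network("10.35.0.0/24")),  # jump hosts, patch relays
    ("L4 enterprise",  4.0, ip_network("10.4.0.0/16")),   # corporate IT
]
ORDER = [1.0, 2.0, 3.0, 3.5, 4.0, 5.0]  # 5.0 = internet / any address outside ZONES

def zone_of(ip):
    """Map an address to its (zone name, Purdue level); unknown space is treated as internet."""
    addr = ip_address(ip)
    for name, level, net in ZONES:
        if addr in net:
            return name, level
    return "L5 internet", 5.0

def check_flow(src, dst):
    """Return None if the flow respects Purdue adjacency, else a reason string."""
    sname, slevel = zone_of(src)
    dname, dlevel = zone_of(dst)
    if slevel == dlevel:
        return None
    # Only one boundary may be crossed per hop; L3 <-> L4 therefore has to pass the DMZ.
    if abs(ORDER.index(slevel) - ORDER.index(dlevel)) != 1:
        return f"{sname} -> {dname} skips a Purdue boundary"
    return None

def audit(flows):
    """Return [(flow, reason)] for every (src, dst, dst_port) record that breaks policy."""
    findings = []
    for src, dst, port in flows:
        reason = check_flow(src, dst)
        if reason:
            findings.append(((src, dst, port), reason))
    return findings

# Constructed sample of flows a firewall permitted (src, dst, dst_port).
SAMPLE_FLOWS = [
    ("10.2.0.10", "10.1.0.5", 502),      # HMI -> PLC (Modbus), adjacent levels: OK
    ("10.4.12.7", "10.2.0.10", 3389),    # enterprise workstation straight to HMI: violation
    ("203.0.113.9", "10.35.0.2", 22),    # internet -> DMZ jump host, bypassing L4: violation
    ("10.3.0.4", "10.4.0.20", 443),      # site ops -> enterprise without the DMZ: violation
    ("10.35.0.2", "10.3.0.4", 22),       # DMZ jump host -> site ops: OK
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow, reason)
```

Feeding real firewall or NetFlow exports through `audit` in the same (src, dst, port) shape turns the model into a recurring check that administrative or vendor access has not quietly bridged a layer it should not reach.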

Organisations need to carefully monitor their environment, network movements within trust zones, and privileged access, especially for remote access or when vendors are involved. Systems and equipment should be securely configured, with any exceptions carefully tracked. Functional and robust backups are essential, for example by following the 3-2-1 strategy, so that they are available when needed. Regular drills serve to assess preparedness for incident response.

A threat-informed approach

Adopting a threat-informed approach, organisations must address inadequate cyber hygiene, which is often the root cause of the entry points adversaries use. This has been evidenced in recent breaches affecting various commercial enterprises. Moreover, our findings indicate that a significant proportion of the vulnerabilities exploited in Singapore are long-known ones. This suggests that organisations struggle to manage their asset inventory effectively and to maintain efficient vulnerability and patch management practices. As a result, exposure windows are unnecessarily prolonged, leaving these organisations more susceptible to exploitation and compromise.

In the fight against cybercrime, a proactive stance is essential. Organisations need to stay abreast of the latest hacking techniques and methods, continuously updating their knowledge and skills. They must proactively identify vulnerabilities in their own systems, staying ahead of potential attackers.