Growing Cybersecurity Risks Demand Defensible Networks and Monitoring
Cyber risks to oil and natural gas organizations in North America, Europe, South America and the Asia-Pacific are increasing, assesses Casey Brooks, principal adversary hunter at Dragos Threat Intelligence, in a white paper titled “Oil & Natural Gas Cyber Threat Perspective,” which was written before Russia invaded Ukraine in late February.
“Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks,” warns the U.S. Cybersecurity & Infrastructure Security Agency (CISA). “Every organization–large and small–must be prepared to respond to disruptive cyber incidents.”
“Ransomware is the most significant and most prolific ongoing threat to the oil and natural gas industrial sector,” Brooks’ paper finds. “Between 2018 and 2021, the number of ransomware attacks on industrial control system (ICS) entities increased over 500%, according to Dragos data, with 5% of attacks impacting oil and gas entities.”
CISA describes ransomware as “a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.” Brooks points out that, to pressure victims into paying, ransomware actors increasingly threaten to leak the encrypted data as well, which can also help other groups develop more targeted attacks.
Ransomware is common partly because it has a low barrier to entry and lends itself to mass targeting campaigns, Brooks observes. While most ransomware is designed to infect information technology (IT), not operational technology (OT), he cautions that “ransomware adversaries are increasingly adopting industrial control system-specific process kill lists, demonstrating the ability to stop industrial processes in the OT environment. EKANS, Megacortex and Clop are examples of ransomware that contain this type of code.”
IT-focused ransomware can migrate into control system networks and disrupt operations, Brooks warns. On Feb. 18, 2020, he notes, CISA reported that ransomware had impacted a natural gas compression facility at an unidentified U.S. pipeline operator. “The ransomware event affected IT and ICS assets, causing loss of view and loss of control,” Brooks describes. “Although the ransomware did not target industrial control systems, the operational disruption lasted two days. Operational impacts were likely caused by a combination of insufficient segregation of IT and ICS environments and shared Windows operating system infrastructure.”
Ransomware was also behind the Colonial Pipeline incident in May 2021, which disrupted petroleum product delivery for much of the East Coast. “The encryption of a billing and delivery system and concern for threats to OT operations ultimately caused the operational disruption,” Brooks relates. “This incident highlights the risk of improper segmentation and shows how interconnected systems in both IT and OT networks can indirectly impact operations without direct attacks on the OT environment.”
According to Brooks, the architecture assessments Dragos has conducted for oil and gas facilities have identified several security issues that can enable a ransomware attack. These include reusing or sharing passwords and other credentials, using weak credentials, or requiring no credentials to access workstations and OT systems.
“Weak OT network segmentation or lack of an ICS network demilitarized zone (DMZ) is among the most observed critical risks uncovered in these assessments,” Brooks adds. Another common concern is unmonitored remote access by vendors or other third parties.
Because of the critical role it plays in transporting production to refineries, Brooks says the midstream segment is “the most prominent emerging attack surface” in the oil and gas sector. “The most vulnerable OT network target in the midstream segment is the pipeline transportation function. A secondary focus will also involve maritime and rail, although rail threats will likely focus more on transfer processes to cause loss of containment rather than the actual railway tank cars themselves,” he assesses.
Brooks advises midstream companies to separate their IT and OT environments with a DMZ. Ideally, connections should go from higher-security zones to lower-security zones (meaning the OT network will connect to the DMZ, which then connects to the IT network). If information needs to be accessed by both OT and IT networks, it should be stored in the DMZ rather than shared through direct connections between networks.
“Force connections or data from the corporate network or ICS/OT network to terminate in the DMZ,” Brooks emphasizes. “For example, remote access from the corporate network should terminate on a (higher-security) jump-host and be required to initiate a session from there using Remote Desktop Protocol or an application.” This jump host should be “hardened, monitored (and) fully patched, and include separate log-ons/accounts with multifactor authentication methods to traverse between an IT and OT network.”
Brooks also recommends storing historian data on a server or mirror in the DMZ, which can push the data to a separate server on the corporate IT network where users can read or retrieve it. “Having a historian mirror in the DMZ offsets the risk of having historians or OT connections in the IT network, which can be at risk of disruption and impacting operations,” he explains.
The DMZ likely will contain a solution that allows patches or other files to be transferred from the IT network to the OT network, Brooks says. “Conduct regular patch maintenance and review (the file transfer system) for suspicious activity,” he advises.
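The segmentation rules in the preceding paragraphs (no direct IT-to-OT traffic, every cross-zone flow terminating in the DMZ, the higher-to-lower preferred direction, a monitored jump host with MFA, the historian mirror and file-transfer system living in the DMZ) can be written down as a checkable policy. The script below is an added example and is not code from the Dragos white paper; the zone names, service names, the `Flow` fields and the sample design it audits are assumptions made for illustration.

```python
"""Segmentation policy checker for an IT / DMZ / OT architecture.

Added example, not code from the Dragos white paper. It encodes the
rules described above and audits a constructed list of proposed
network flows and asset placements against them. Zone names, service
names and the sample design are assumptions for illustration.
"""
from dataclasses import dataclass

# Security level per zone: a higher number means more critical / more trusted.
ZONE_LEVEL = {"IT": 1, "DMZ": 2, "OT": 3}

# Services that may carry a lower->higher-security flow because a hardened
# host in the DMZ brokers them (jump host for RDP, file-transfer server).
BROKERED_SERVICES = {"rdp", "file_transfer"}

# Assets the architecture above places in the DMZ, never directly in IT or OT.
DMZ_ONLY_ASSETS = {"historian_mirror", "jump_host", "file_transfer_server"}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str
    mfa: bool = False        # does the session require multifactor authentication?
    monitored: bool = False  # is the brokering host logged and reviewed?


def check_flow(flow: Flow) -> list:
    """Return policy findings for one flow; an empty list means compliant."""
    findings = []
    src, dst = flow.src_zone, flow.dst_zone
    if src == dst:
        return findings  # intra-zone traffic is out of scope for this policy
    if "DMZ" not in (src, dst):
        # Rule 1: every cross-zone flow must terminate in the DMZ.
        findings.append(f"direct {src}->{dst} flow bypasses the DMZ")
        return findings
    if ZONE_LEVEL[src] < ZONE_LEVEL[dst]:
        # Rule 2: a lower->higher flow is only allowed through a brokered service.
        if flow.service not in BROKERED_SERVICES:
            findings.append(f"{src}->{dst} '{flow.service}' is not a brokered DMZ service")
        # Rule 3: remote access toward a higher-security zone needs MFA.
        if flow.service == "rdp" and not flow.mfa:
            findings.append(f"{src}->{dst} remote access lacks MFA")
        # Rule 4: the brokering host must be monitored for suspicious activity.
        if not flow.monitored:
            findings.append(f"{src}->{dst} '{flow.service}' is not monitored")
    return findings


def check_asset_placement(assets: dict) -> list:
    """Flag DMZ-only assets (historian mirror, jump host, ...) placed elsewhere."""
    return [f"{name} is in {zone}, expected DMZ"
            for name, zone in assets.items()
            if name in DMZ_ONLY_ASSETS and zone != "DMZ"]


def audit(flows: list, assets: dict) -> list:
    """Audit a whole proposed design and return every finding."""
    findings = []
    for flow in flows:
        findings.extend(check_flow(flow))
    findings.extend(check_asset_placement(assets))
    return findings


# Constructed sample design (hypothetical, not taken from the paper).
SAMPLE_FLOWS = [
    Flow("OT", "DMZ", "historian", monitored=True),       # OT historian pushes to the mirror
    Flow("DMZ", "IT", "historian", monitored=True),       # mirror pushes to a corporate server
    Flow("IT", "DMZ", "rdp", mfa=True, monitored=True),   # corporate user -> jump host
    Flow("DMZ", "OT", "rdp", mfa=True, monitored=True),   # jump host -> OT workstation
    Flow("IT", "DMZ", "file_transfer", monitored=True),   # patch drop into the DMZ
    Flow("DMZ", "OT", "file_transfer", monitored=True),   # patch pull into OT
    Flow("IT", "OT", "smb"),                              # violation: bypasses the DMZ
    Flow("IT", "DMZ", "rdp"),                             # violation: no MFA, unmonitored
]
SAMPLE_ASSETS = {"historian_mirror": "IT", "jump_host": "DMZ"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS, SAMPLE_ASSETS):
        print("FINDING:", finding)
```

Running the script against the constructed design reports four findings: the direct IT-to-OT SMB flow, the jump-host session without MFA, the same session being unmonitored, and the historian mirror sitting in the IT network. A real deployment would feed the checker the actual firewall rule set and asset inventory instead of hand-written flows.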
The oil and gas industry’s upstream segment has a smaller threat environment than the midstream or downstream segments, Brooks finds. “The technology involved in exploration and production requires adversaries to develop highly specialized capabilities to operate and interact in this ICS/OT network environment,” he says.
“Dragos is not aware of any adversaries that have targeted upstream exploration and production operations,” Brooks reports. “(However, the group) XENOTIME has developed the capability to target safety instrumented systems (SIS) at an oil and gas facility in Saudi Arabia, and upstream oil and gas asset owners and operators across the industrial sector may use this same SIS equipment.”
Adversaries are most likely to gain access to well sites, drilling rigs and other upstream equipment through cellular networks, local telecommunications providers or satellite connections, Brooks mentions. He says the group HEXANE has “demonstrated the ability to utilize Internet service provider connections, making access to upstream oil and gas operations a possibility.”
Brooks advises upstream companies to protect themselves by granting network access only to people who can prove their identity with more than one independent factor, a technique called multifactor authentication (MFA). “Remote access into the OT network from Internet-exposed virtual private networks or access portals should require MFA. Additionally, some file transfer solutions require MFA,” he says.
Even with MFA, Brooks says access to remote sites should be logged and monitored. “Use a ‘trust, but verify’ approach to third-party and vendor access, as adversaries could utilize this trust relationship to access upstream systems,” he recommends.
Laptops and other devices used to access wellhead systems and upstream facilities should be managed to ensure they “have appropriate security policies and antivirus or endpoint detection and response systems installed,” Brooks continues. He also suggests verifying the integrity of configuration files imported from vendor or corporate sources to prevent tampering or manipulation.
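The configuration-integrity advice in the paragraph above is usually implemented by having the sender publish authenticated digests of the files and having the site verify them before anything is imported. The script below is an added example, not code from the Dragos white paper or a vendor tool: the sending side builds a manifest of SHA-256 digests and authenticates it with an HMAC under a key shared out of band, and the receiving side checks the manifest and every file. File names, contents and the key are constructed for illustration.

```python
"""Integrity verification of configuration files received from a vendor.

Added example, not code from the Dragos white paper. The sending side
(vendor or corporate source) publishes a manifest of SHA-256 digests and
authenticates it with an HMAC under a key shared out of band; the site
verifies the manifest and every file before importing anything into OT.
File names, contents and the key are constructed for illustration.
"""
import hashlib
import hmac
import json


def _canonical(digests: dict) -> bytes:
    # Deterministic encoding so both sides compute the MAC over identical bytes.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict, key: bytes) -> dict:
    """Sender side: digest every file and authenticate the digest table."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    return {"files": digests, "mac": hmac.new(key, _canonical(digests), "sha256").hexdigest()}


def verify_delivery(files: dict, manifest: dict, key: bytes) -> list:
    """Receiver side: return findings; an empty list means safe to import."""
    expected = hmac.new(key, _canonical(manifest["files"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        # A bad MAC means the digest table itself cannot be trusted, so no
        # per-file result would be meaningful; reject everything.
        return ["manifest authentication failed: reject the whole delivery"]
    findings = []
    for name, digest in manifest["files"].items():
        if name not in files:
            findings.append(f"{name}: listed in manifest but missing from delivery")
        elif not hmac.compare_digest(hashlib.sha256(files[name]).hexdigest(), digest):
            findings.append(f"{name}: digest mismatch, file altered after signing")
    for name in files:
        if name not in manifest["files"]:
            findings.append(f"{name}: not in manifest, unexpected file")
    return findings


# Constructed sample delivery (hypothetical file names, contents and key).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
VENDOR_FILES = {
    "rtu_comms.ini": b"[modbus]\nport=502\ntimeout_ms=2000\n",
    "plc_setpoints.cfg": b"pressure_high_trip=950\npressure_low_trip=120\n",
}
VENDOR_MANIFEST = build_manifest(VENDOR_FILES, SHARED_KEY)


def demo() -> dict:
    """Run three receiver-side scenarios and return their findings."""
    # 1. Untouched delivery.
    clean = verify_delivery(VENDOR_FILES, VENDOR_MANIFEST, SHARED_KEY)
    # 2. A trip setpoint edited in transit, manifest untouched.
    tampered = dict(VENDOR_FILES)
    tampered["plc_setpoints.cfg"] = b"pressure_high_trip=1500\npressure_low_trip=120\n"
    altered_file = verify_delivery(tampered, VENDOR_MANIFEST, SHARED_KEY)
    # 3. Same edit, with the digest table rewritten to match but no valid MAC.
    forged = {"files": dict(VENDOR_MANIFEST["files"]), "mac": VENDOR_MANIFEST["mac"]}
    forged["files"]["plc_setpoints.cfg"] = hashlib.sha256(tampered["plc_setpoints.cfg"]).hexdigest()
    forged_manifest = verify_delivery(tampered, forged, SHARED_KEY)
    return {"clean": clean, "altered_file": altered_file, "forged_manifest": forged_manifest}


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, "->", findings or "OK to import")
```

The three scenarios in `demo()` show why the digest table alone is not enough: a plain hash list catches a file edited after the vendor produced it, but only the MAC catches a delivery where the hash list was rewritten to match the edited file. Where a vendor cannot share a secret key with every site, the same structure works with a digital signature over the canonical manifest in place of the HMAC.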
The full white paper offers more detailed recommendations, including suggestions for improving downstream cybersecurity; an overview of the threat landscape by industry segment and region; and a breakdown of the five most likely ways adversaries may gain access to oil and gas companies’ networks. To read it, download “Oil & Natural Gas Cyber Threat Perspective.”