While the Facebook and Cambridge Analytica saga still dominates most infosec headlines, with an estimated 87 million users’ data exploited rather than the initial 50 million, those behind cyber attacks are still active. On April 4, Bloomberg reported that at least four U.S. pipeline companies had seen their electronic systems for communicating with customers shut down over the preceding few days. Three of those companies reported that the shutdown was the result of a cyber attack. On Tuesday, Oneok Inc., which operates natural gas pipelines in the Permian Basin in Texas and the Rocky Mountains region, said it disabled its system as a precaution after determining that a third-party provider was the “target of an apparent cyber attack.” Previously, Energy Transfer Partners LP, Boardwalk Pipeline Partners LP, and Chesapeake Utilities Corp.’s Eastern Shore Natural Gas reported communications breakdowns, with Eastern Shore saying its outage occurred on March 29.
Few Details Released
Little is known about the substantive details of the attack. A status update issued by Latitude Technologies, a unit of Energy Services Group, which Energy Transfer and Eastern Shore both identified as their third-party provider, informed customers that the initial restoration of EDI services had been completed and that the company was working on increasing performance. Latitude also said it did not believe any customer data had been compromised and that no other systems appeared to have been impacted.
The electronic system affected by the attack was designed to help pipeline customers communicate their needs to operators using a computer-to-computer exchange of documents. Energy Transfer said the electronic data interchange (EDI) system provided by Latitude was back up and working Monday night. Eastern Shore Natural Gas’s Latitude system was restored on Monday as well, the company said in a notice to customers. In addition to providing EDI services, Latitude also hosts websites used by about 50 pipelines for posting notices to customers. At least some of those websites went down on March 29 and did not start returning until Monday. Despite the obvious inconvenience, the shutdowns were not considered “…operationally serious in the sense that it’s stopping the natural gas from moving, but it is serious because it’s causing these companies to use workarounds for communication,” said Rae McQuade, president of the North American Energy Standards Board in Houston, which is responsible for developing industry standards.
Department of Homeland Security Warning
On March 15, the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) issued a joint Technical Alert (TA18-074A) warning “network defenders” in critical sector industries that “Russian government cyber actors” have been intentionally targeting U.S. government entities and organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors since at least March 2016. Notably, the alert distinguishes two kinds of targets in the ongoing campaign: “staging” and “intended” targets. Staging targets are defined as peripheral organizations, such as trusted third-party suppliers, with less secure networks. The threat actors use the staging targets’ networks as pivot points and malware repositories when going after their final victims, the intended targets. Once compromised, the staging targets are used to download source code from intended targets’ websites and to remotely access infrastructure such as corporate web-based email and virtual private network (VPN) connections. The threat actors ultimately seek to gain information from the intended target on “network and organizational design and control system capabilities within organizations.”
The warning also details the tactics observed from the attackers: a combination of spear phishing campaigns, watering-hole domain attacks, and the collection of publicly available information. Once the attackers gain access to a network, the DHS and FBI warn, they conduct reconnaissance operations within it, including identifying and browsing file servers within the intended victim’s network. Perhaps most troubling, the DHS and FBI identified multiple instances in which “the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities.” Such access could allow the threat actors to interfere with operations within the organization, including the control of certain energy facilities.
US Gas and Oil Security Lacking
A report published last year by the Ponemon Institute, commissioned by German tech giant Siemens, found that the oil and gas industry in the United States is largely unprepared to address cybersecurity risks in operational technology (OT) environments. The study, which surveyed 377 individuals, found that two-thirds admitted having dealt with at least one incident in the past year that resulted in OT disruption or loss of confidential information. Furthermore, there are concerns that some attacks may have gone undetected. Many respondents rated their organization at a low to medium level of OT cybersecurity readiness, and only 35 percent believed they were properly prepared. Well over half the respondents believed the risk is greater in OT than in IT environments, and 67 percent believed cyber threats have had a significant impact on the risk to Industrial Control Systems (ICS). When comparing IT to OT, only one-third of respondents said the cybersecurity operations covering these areas are fully aligned.
Attacks on Industrial Control Systems are a much-feared threat. At their very worst, power grids and other important infrastructure systems can be shut down. Taking such attacks seriously is of the utmost importance for the infosec community, and this is true not just for the US but for the industry globally. The point is well illustrated by the same Ponemon report, which also examined oil and gas companies in the Middle East. Nearly 200 respondents completed the survey for that region, and it found that outdated and aging control systems pose a serious risk to both organizations and the public. The areas believed to be most at risk in Middle Eastern oil and gas companies are exploratory information, production information, potential partners, financial and organizational reports, operational data, information on drilling sites, and field production data collected by sensors. It is hoped that oil and gas companies strengthen their security procedures, as such attacks can have destabilizing effects on nation states.