Nuclear weapons are known to be the most dangerous weapons on Earth. Just one of these has the capability to destroy an entire city, potentially killing millions of humans and other life. Yet, while the United Nations, imposed sanctions and disarmament have done much to quell the nuclear threat, cyber attacks pose a more insidious equally disastrous force that could topple modern infrastructure.
Section 26 of the recent UK government report, E-crime, published by the Home Affairs Committee, states “The threat to national security from cyber attacks is real and growing.” It also refers to the fact that cyber crime has been made a top priority Tier 1 threat, on a par with international terrorism and military crisis, and a higher risk category than nuclear attack.
So how can cyber attacks be a threat to our human civilisation and destroy cities? The answer lies in the crucial energy utilities such as oil and gas which underpin modern civilisation by supplying energy to power industry and heat homes, fuel for transporting goods (imports and exports) and powering transport, and the raw materials used to produce everyday items.
Without oil and gas, a nation would be an arena of black-outs, minimal transportation, dwindling food and other supplies, and potential war. In such a world, how long would civilisation last?
The threat of cyber attacks has in fact been growing for this crucial industry. This was made clear when the United States’ National Security Agency (NSA) former director, John McConnell, warned Middle East oil and gas organisations of vulnerabilities against cyber attacks, saying the pursuit of technologies and increase in automation and use of I.T, it only increases vulnerability.
The industry is under constant pressure to increase productivity and reduce costs through network integration, i.e. sharing real-time data from field operations with management. Similarly, the demand for remote support is making pipeline control systems accessible through Internet-based technologies.
Single-purpose operator stations have been replaced with computers, and software, such as web browsers and PDF readers, are being installed at these stations and control centres. Whilst these technologies have allowed the oil and gas organisations to implement agile and cost-effective business practices, the cost has been a greater susceptibility to cyber attack.
The move to open standards such as Ethernet, TCP/IP and web technologies have allowed hackers and virus writers to take advantage of the industry’s lack of security awareness.
The use of automation in the oil and gas industry commonly relies upon Supervisory Control And Data Acquisition systems (SCADA) and the key requirement of these systems is accessibility and to keep supplies flowing; not security.
Recognising this, the Industrial Security Industry Database (ISID) was created in 2001, to serve as an industry wide repository for collecting, analysing, and sharing high value information regarding cyber security incidents which directly affect SCADA, manufacturing, and process control systems.
Since 2001, ISID has indicated that the number of cyber incidents against these systems have been increasing significantly. Analysis of ISID indicates that many of these systems have had poorly documented points of entry which provide secondary pathways into the system.
The discovery of the Stuxnet worm in July 2010 was a game changer, opening the eyes of the oil and gas industry and even governments to the potential for sophisticated software capable of targeting these systems. Fast forward to August of 2012 and the Shamoon virus which attacked Saudi Arabia’s state oil company, ARAMCO. Over 30,000 infected computers were rendered useless and required replacement. In the same month, a different virus infected the network of Qatar’s natural gas giant, RasGas, taking it offline.
The oil and gas industry has become a prime target for cyber attackers. The perpetrators – whether terrorists, hacktivists, organised crime, rogue states or insiders – have become aware that the havoc wrought by weapons can be inflicted upon the enemy with significantly less risk, effort and cost. Mitigating this risk will be problematic, particularly given the low priority awarded to information security in a sector primarily concerned with availability.
A sound security strategy must come in the form of Defence in Depth. Multiple security solutions must be layered, so if one is bypassed another will take action. This reduces the overreliance on any single security system.
Defence in Depth should start by surrounding the SCADA or control system with an effective electronic security perimeter, and hardening the devices within it. This security perimeter must be comprised of both managerial and technical controls, set at primary, secondary and deeper defence layers. These layers must consider the electrical, environmental and operational requirements of the SCADA and control systems, as well as remain within the boundaries of ANSI/ISA99, NERC CIP and IEC Standards.
Stuxnet and Shamoon should act as a wake up call to the energy industry and us all. With attacks becoming ever more sophisticated, it’s no longer sufficient to focus on the continuity of supply. The sector must seek to secure what is a very precious resource and one that forms the very backbone of our civilisation.