Highly shaken by the recent attack Colonial Pipeline was hit by, as well as accelerated digitisation and new internet of things developments, the stakes for cyber security in the oil and gas industry have never been higher.
As the ransomware attack shut down Colonial Pipeline’s computer systems on 7 May, prompting fuel shortages and a spike in gasoline prices, such threats were shown to pose risks not only to energy, with its disruption possibilities, but to all critical national infrastructure.
Despite the move towards sustainable energies, oil and gas still underpin the normal function of numerous sectors across the world, making economies heavily reliant on fossil fuels.
“As the West, and obviously China, are taking up more of the supply of those fuels, which means that we have to provide our own, any time a provider of energy is taken down, or even just held up in their ability to supply somewhat, that puts us at big risk,” says Jamie Moles, senior security engineer at ExtraHop, a network detection and response provider headquartered in Seattle, US.
With the UK Government having stated that the country has about three days’ worth of oil and gas reserves in case of emergency, this does not give a lot of leeway before society stalls in case of serious disruptions. For this reason, it is vitally important that the industry is well secured against cyber-attacks, in particular as they relate to critical assets.
The Colonial Pipeline case
As the Colonial pipeline provides roughly 45% of the US East Coast’s fuel, the ransomware attack resulted in unprecedented disruption in numerous regions. In response to the situation, the White House urged businesses to strengthen their security measures and prevent ransomware incidents on such scale happening again in key sectors.
But the Colonial Pipeline case is interesting in its nature not only because it had a big impact but because it is believed that the ransomware that got into the company’s systems and started shutting down parts of the network was purely money-orientated, rather than designed to block the pipeline. The incident also stands out for the fact that Colonial paid the ransom requested by the DarkSide hackers.
Moles says: “We know that the decoding tool that they were provided with by the bad guys to get their data back was really slow decrypting, which meant that they were actually in the position of getting back to operations faster just by restoring from backups.”
While in many cases companies targeted by attackers are advised against paying the ransom, it is not surprising that Colonial took this step. The chance of rapid restoration of key operations, while under such pressure, often seems like the best approach for decision-makers stuck in a corner.
After Colonial paid close to $5m in bitcoin for a decryption key, the FBI managed to get some of the ransom back, which then opened questions around the possible traceability of bitcoin and the agency’s approach.
Moles says: “The FBI were able to track the bitcoin. And the interesting thing was, it jumped through about 20 different digital wallets before they got to the last one, which the FBI had a key for. How did they have the private key for the bad guys’ wallets?
“Now I can speculate, I don’t know the answer to that, but my speculation would be that they’ve infiltrated certain groups and potentially had some of their data to be able to get this.”
While the FBI managed to get back about 60%-70% of the ransom in this case, their operational secrecy remains means we might never know what actions they took in order to help Colonial.
Advice to O&G operators
When asking Moles advice that can help oil and gas operators protect themselves better against possible cyber attacks, he admits: “It’s been patently obvious by the number of high profile large breaches that we’ve seen since Aramco in 2012, we had the Target breach a year later, we had Talk Talk here in the UK two years later, we had the Lockheed Martin breach in 2011, before Aramco, so it’s patently obvious you cannot keep a determined threat actor out.”
While it should be accepted that operators cannot stop every possible attack, over the past 10 to 15 years, IT security has focused on the idea of defence in depth, trying to keep people out of their systems. Prompted by recent developments however, this focus might need to shift onto the task of catching an intruder as quickly as possible, before they can cause more harm.
Another issue comes from the fact that oil and gas operators often have a lot of outdated operational technology used to monitor systems and because there are many different standards, they have problems with monitoring and controlling everything that is taking place.
As a possible solution, global research and advisory firm Gartner came up with the idea of a “SOC (Security Operations Centre) triad”. As Moles explains: “So these are the three technologies that you should use to give yourself maximum visibility in any corporate or enterprise environment. First is a sim tool, something that captures logs and correlates them and corroborates with other tools looking for threats.
“Second is an EDR, an endpoint tool that deploys agents on PCs and servers. And the third part of the SOC triad is NDR – network detection response, looking into network traffic.”
Another useful piece of advice he offers operators is tracking what the ransomware is doing once in the system, instead of trying to stop ransomware running on the endpoint.
“It’s going onto your network file shares, it’s reading lots of files, and then it’s writing to those files to encrypt them. If I can see that happening in the first couple of 1,000 files and I knock that device off the network automatically, then I’m not going to lose the millions of files I potentially have on my file server,” Moles says.
With the help of such tools, operators can take precautions on the practical side to protect their working environments, but a lot of it is also about visibility and observing what is happening in their networks.
The ‘good guys’ and the ‘bad guys’
When it comes to the changing nature of the ransomware industry, it has ultimately turned into a type of unregulated “service”, which, like every other service receiving large amounts of investment, is upping its game and becoming more proficient.
Moles explains: “There are people writing ransomware and providing ransomware as a service where you just buy access or rent access to the tools from them, pay them a commission and you get a piece of malware that’s well written and well supported by the authors.
“The days of a bad piece of malware coming out that gives you the keys are pretty much gone now. But you never know, as sometimes the bad guys make mistakes in their operations as well as potentially the good guys.”
As decision-makers’ responsibilities in oil and gas companies now involve the use of the best technology to defend themselves and not become complacent about the threat, this often ensures a fantastic victory against a prospective ransomware attack.
However, while operators’ general perceptions towards the importance of cybersecurity is advancing over time, we might never reach the point where every operation is completely safe and secure, simply because the bad actors are constantly moving and improving their techniques.
Depicting it as a race between the vendors and the bad guys, Moles is optimistic about the future of industry security: “I think the fact that corporate boards can be held responsible and sent to prison, if they’re found to be negligent, as recent laws over the past few years acted in the UK, has made it more of a personal responsibility issue.
“They would rather deal with shareholders being annoyed at price drops of stock than sit in a prison cell.”