
Unsophisticated Actors, Poor Hygiene Prompt CI Alert for Oil & Gas  – Source: securityboulevard.com


Source: securityboulevard.com – Author: Teri Robinson

A recent multiagency alert is pressing critical infrastructure organizations within the oil & gas sector to clean up their act to avoid operational disruptions, configuration changes and/or physical damage. 

The alert from the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA) and Department of Energy (DOE) came after CISA observed attacks by “unsophisticated” cyber actors leveraging “basic and elementary intrusion techniques” against ICS/SCADA systems. 

This should come as a surprise to exactly no one. Oil & gas is notorious for its poor hygiene and cybersecurity posture — until the last decade, much of the sector still relied on paper documentation, and pipelines, particularly those in remote areas, were left unattended and open to attack. And though the industry has made strides in the last ten years, gaping holes still exist that represent low-hanging but high-yield fruit for attackers. 


Fortinet research shows a dramatic evolution of OT cyberthreats and pegs OT as a top target for attackers. 

Industrial organizations experienced almost half (44%) of the ransomware and wiper activity in the Fortinet FortiGuard Labs’ latest Global Threat Landscape Report. “The rise of crime-as-a-service (CaaS) has made it easier for adversaries to launch attacks, providing them with ready-made tools to breach critical infrastructure,” says Derek Manky, chief security strategist and global vice president of threat intelligence with Fortinet’s FortiGuard Labs. “Additionally, state-sponsored actors and financially motivated cybercriminals are focusing on disrupting industrial operations, often leveraging ransomware and advanced persistent threats (APTs).” 

Those attacks can be amplified by AI and give gravitas to actors who would otherwise flail. “This alert ties back into the broader theme that AI is enabling less sophisticated threat actors to operate in a more sophisticated fashion,” says Bugcrowd CEO Dave Gerry, who points out that “for years, critical infrastructure has been viewed as a ‘top target’ for threat actors — across hacktivist, cybercriminal gangs and nation state actors.” 

Nathaniel Jones, vice president of threat research at Darktrace, explains that “impact to Critical National Infrastructure (CNI) is a continued and growing concern with the applications of AI-based capabilities for both offensive and defensive teams.”  He believes “the targeting of CNI [Critical National Infrastructure] entities, and the subsequent operations following access, suggest threat actors may be building strategic pathways to yield geopolitical leverage in the event of conflict.” 

But “the motivation of the malicious actors is irrelevant; if an organization’s exposed sensitive systems are exposed to the internet with no security hardening, they are at risk of a compromise,” contends Thomas Richards, infrastructure security practice director at Black Duck.  

To mitigate potential damage from OT cyberthreats, CISA and others are pushing critical infrastructure asset owners and operators to remove OT connections to the public internet. The OT devices in use often lack the authentication and authorization controls needed to fend off attacks arriving from the open internet. And because would-be attackers can use internet-wide search engines to easily find OT-related victims on open ports in public IP ranges, the devices are essentially sitting ducks. 

The agencies also urged oil & gas to adopt other basic hygiene measures, such as changing default passwords in favor of unique passwords. Securing remote access to OT networks is crucial as well. A slew of CI entities or contractors “make risk-based tradeoffs when implementing remote access to OT assets,” the alert notes, urging operators to reevaluate those tradeoffs. “If remote access is essential, upgrade to a private IP network connection to remove these OT assets from the public view,” and switch to a VPN with strong passwords and MFA. 

“Many times, these systems are provided internet access for remote connectivity from support teams and vendors, but this creates a major security risk without restricting who can access it and adding proper authentication controls,” says Richards, urging organizations to “conduct a complete review of their external attack surface and identify insecure devices that are exposed.  Once these devices are identified, controls should be put in place to prevent unauthorized access.”  

The alert also calls for IT and OT network segmentation with a “demilitarized zone for passing control data to enterprise logistics.” And, finally, operators should be able to revert to manual controls quickly so they can restore operations after an attack.  
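The alert's recommendations above (no public internet exposure, no default passwords, remote access only over a VPN with MFA, IT/OT segmentation with a DMZ, and a manual fallback) map naturally onto an asset-inventory audit. The script below is an added example written for this page, not code from the article, CISA or any of the vendors quoted; the inventory, the asset field names and the IANA documentation addresses standing in for real ones are all constructed, and the checks are a hypothetical reading of the alert's points rather than an official checklist.

```python
"""Hygiene audit of an OT asset inventory, modelled on the alert's recommendations.

Added example, not from the article or the alert. INVENTORY is constructed;
the non-private addresses are IANA documentation ranges used as stand-ins.
"""
import ipaddress

# RFC 1918 ranges: anything outside these is treated as "not on a private network".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory (hypothetical asset names and fields).
INVENTORY = [
    {"name": "plc-wellhead-07", "ip": "203.0.113.45", "default_creds": True,
     "remote_access": "direct", "mfa": False, "zone": "ot", "manual_fallback": True},
    {"name": "hmi-compressor-02", "ip": "10.20.30.15", "default_creds": False,
     "remote_access": "vpn", "mfa": True, "zone": "ot", "manual_fallback": True},
    {"name": "rtu-pipeline-12", "ip": "198.51.100.9", "default_creds": False,
     "remote_access": "vpn", "mfa": False, "zone": "ot", "manual_fallback": False},
    {"name": "hmi-tankfarm-03", "ip": "192.168.5.20", "default_creds": True,
     "remote_access": "none", "mfa": False, "zone": "it", "manual_fallback": True},
]


def on_private_range(ip):
    """True if the address sits inside an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def audit_asset(asset):
    """Return the list of hygiene findings for one asset (empty list = clean)."""
    findings = []
    if not on_private_range(asset["ip"]):
        findings.append("not on a private address range: remove from the public internet")
    if asset["default_creds"]:
        findings.append("default credentials in use: set a unique password")
    if asset["remote_access"] == "direct":
        findings.append("direct remote access: move behind a VPN with strong password and MFA")
    elif asset["remote_access"] == "vpn" and not asset["mfa"]:
        findings.append("VPN without MFA: enforce MFA")
    if asset["zone"] == "it":
        findings.append("OT device on the IT network: segment with a DMZ")
    if not asset["manual_fallback"]:
        findings.append("no manual fallback: document and test manual control procedures")
    return findings


def audit_inventory(inventory):
    """Map asset name -> findings for the whole inventory."""
    return {a["name"]: audit_asset(a) for a in inventory}


def prioritise(report):
    """Asset names ordered by number of findings (most first), ties broken by name."""
    return sorted(report, key=lambda n: (-len(report[n]), n))


if __name__ == "__main__":
    report = audit_inventory(INVENTORY)
    for name in prioritise(report):
        print(f"{name}: {len(report[name])} finding(s)")
        for f in report[name]:
            print(f"  - {f}")
```

The audit is deliberately a pure function of the inventory record: it never probes a device, so it can run against an asset register exported from a CMDB or a spreadsheet without touching the OT network. The output ordering puts assets that combine several weaknesses (public address plus default credentials plus direct remote access) at the top, which is the same combination the alert singles out.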

“That CISA has a need to report on the activities of an unsophisticated threat activity is noteworthy. Their issuing an intelligence product focusing on hygienic cybersecurity foundations like this is a reminder — all security programs are on a journey, and failure in these seemingly obvious controls leads to certain failure and compromise,” says Bugcrowd CISO Trey Ford. “I also dream of a day where OT technologies can be safely (whether willfully or accidentally) exposed to the internet with resilience and confidence.” 

Me, too, buddy. Me, too.


Original Post URL: https://securityboulevard.com/2025/05/unsophisticated-actors-poor-hygiene-prompt-ci-alert-for-oil-gas/?utm_source=rss&utm_medium=rss&utm_campaign=unsophisticated-actors-poor-hygiene-prompt-ci-alert-for-oil-gas

Category & Tags: Cybersecurity, Security Awareness, Security Boulevard (Original), Social – Facebook, Social – LinkedIn, Social – X, Spotlight, Threats & Breaches, cisa, Critical Infrastructure, OT attacks
