Defending Against Cyber Threats in the Oil and Gas Sector

Trend Micro’s 2022 Oil & Gas Survey asked over 900 companies: what type of attack has forced the shut down operations of ICS/OT systems? Compared to other industries, the oil and gas sector reported a higher percentage of attacks from: 

• exploitation of remote access
• compromise of internet accessible device
• malware infection due to legitimate web browsing 
• phishing

These results reflect the methods used in the Colonial Access Pipeline attack along with the cyber attacks in Norway, Saudi Arabia, and eastern Europe. The Colonial Access Pipeline was hacked due to password reuse with a VPN- exploitation of remote access. The 2012 Saudi Aramco attack became famous for the Shamoon malware that was used during the attack. The Norway, eastern European attacks, and the 2012 Saudi Aramco attacks all included phishing attacks.  CISA and TSA guidance from the Pipeline Cybersecurity Initiative address these same threats and help the oil and gas sector mitigate the risk of attack from phishing and malware.  

CISA’s National Cyber Awareness System provide Alerts, Analysis Reports, Current Activity, and Bulletins. Following the Colonial Access Pipeline attack, CISA released two alerts that applied directly to the oil and gas sector- alerts on ransomware and malware attacks. Ransomware attacks typically rely on a combination of phishing and malware. Five days after the Colonial Access Pipeline attack, CISA released the following alert: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks. The alert mentions implementing network segmentation of OT and IT systems, and specifically addresses three main issues: 

• how to prevent ransomware attacks 
• how to minimize the damage if attacked by a ransomware attack
• what to do if impacted by a ransomware attack

While not all oil and gas sector cyber attacks are ransomware attacks, the best practices listed in the alert fundamentally address the specific issues that come from combining OT and IT systems. The DarkSide Ransomware alert includes a comprehensive list of mitigations, including five actions:

1. Update software
2. Require multi-factor authentication
3. Limit access to resources over networks, especially by restricting RDP
4. Implement regular data backup procedures
5. Enable strong spam filters to prevent phishing emails from reaching end users. Implement a user training program and simulated attacks for spearphishing

One month after this ransomware alert was issued, CISA released its malware prevention alert. It listed 5 key immediate actions to prevent against malware: CISA’s August 2021 Key Malware Protection Actions 

Malware is a key component of ransomware attacks, so the overlap in these same 5 cybersecurity practices is to be expected. These two alerts illustrate that by following ransomware and malware prevention guidance the oil and gas sector can address specific cybersecurity issues related to pipeline security. Both alerts also specifically address the importance of network segmentation: 

• The CISA ransomware alert states: Implement and ensure robust network segmentation between IT and OT networks
• The CISA malware alert states: implement network segmentation to separate network segments based on role and functionality

In the infographic below CISA highlights that creating boundaries between information technology (IT) and operational technology (OT) systems through network segmentation reduces threats from phishing and malware attacks. The graphic highlights the level of effort needed for an attacker to breach an unsegmented versus segmented network, with yellow represented low effort and red representing high effort: