SOC Incident Toolkit
Cyber Risk to the Oil and Gas Industry

Tags: gas, oil, pipeline, IIoT, ICS

Interest in Industrial Internet of Things (IIoT) and Industrial Cyber-Physical Systems (ICPS) deployments has grown significantly within the offshore oil and gas industry, and cyberattacks targeting oil and gas companies have increased alongside it.

Indicators of Compromise

Domains (10)

oorgans.com
zandelshop.com
zeverco.com
service-essential.com
simsoshop.com
service-eset.com
service-explorer.com
qualitweb.com
suncocity.com
service-norton.com

IPv4 (21)

88.150.221.107
54.37.48.172
54.36.73.108
195.154.41.72
216.244.93.137
5.135.199.25
5.135.120.57
185.125.204.57
51.77.11.46
109.169.89.103
185.122.56.232
91.134.203.59
185.175.138.173
31.7.62.48
54.38.124.150
109.200.24.114
137.74.157.84
213.32.113.159
137.74.80.220
193.70.71.112
+1 more (not shown on the page)

(The addresses were run together on the page; the boundaries chosen above for 54.37.48.172 / 54.36.73.108 and 216.244.93.137 / 5.135.199.25 are the reading consistent with the OVH address ranges that most of the other entries fall in.)
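A retrospective sweep is usually the first thing a SOC does with a list like this. The script below is an added example (not part of the toolkit) that matches the page's domains and IPv4 addresses against DNS and firewall log lines. The space-separated key=value log layout, the sample lines and the host names are constructed for the example; only the indicators are taken from the page. Domains are matched label by label so that a lookalike such as notservice-eset.com is not reported as a hit on service-eset.com, which a plain suffix check would do.

```python
"""IOC sweep over DNS and firewall logs for the indicators listed on this page.

Added example for the page, not code from the toolkit itself. The log line
layout (space-separated key=value fields) and the sample lines are constructed;
adapt the key names to your own log sources.
"""
import ipaddress
import re
from typing import Optional

# Indicators copied from the page. The page's "+1 more" address is not listed
# there, so it cannot be included here.
IOC_DOMAINS = {
    "oorgans.com", "zandelshop.com", "zeverco.com", "service-essential.com",
    "simsoshop.com", "service-eset.com", "service-explorer.com",
    "qualitweb.com", "suncocity.com", "service-norton.com",
}
IOC_IPS = {ipaddress.ip_address(a) for a in (
    "88.150.221.107", "54.37.48.172", "54.36.73.108", "195.154.41.72",
    "216.244.93.137", "5.135.199.25", "5.135.120.57", "185.125.204.57",
    "51.77.11.46", "109.169.89.103", "185.122.56.232", "91.134.203.59",
    "185.175.138.173", "31.7.62.48", "54.38.124.150", "109.200.24.114",
    "137.74.157.84", "213.32.113.159", "137.74.80.220", "193.70.71.112",
)}

# Constructed sample logs (not real telemetry). The timestamp is always the
# first token; DNS lines carry client= and qname=, firewall lines src= and dst=.
SAMPLE_LOGS = [
    "2024-03-11T09:14:02Z dns query client=10.20.5.17 qname=update.service-eset.com qtype=A",
    "2024-03-11T09:14:02Z dns query client=10.20.5.17 qname=www.example.com qtype=A",
    "2024-03-11T09:14:03Z dns query client=10.20.5.42 qname=notservice-eset.com qtype=A",
    "2024-03-11T09:14:03Z fw allow src=10.20.5.17 dst=54.37.48.172 proto=tcp dport=443",
    "2024-03-11T09:14:05Z fw allow src=10.20.5.17 dst=8.8.8.8 proto=udp dport=53",
    "2024-03-11T09:15:10Z fw allow src=185.125.204.57 dst=10.20.5.17 proto=tcp dport=3389",
]

KV = re.compile(r"(\w+)=(\S+)")


def domain_matches(name: str) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of.

    Matching walks the labels from the left, so 'notservice-eset.com' does
    not match 'service-eset.com' the way a naive endswith() check would.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def ip_matches(text: str) -> Optional[str]:
    """Return the IOC address if `text` is exactly one of the listed IPs."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    return str(addr) if addr in IOC_IPS else None


def sweep(lines):
    """Return (timestamp, internal host, [matched IOCs]) for every hit."""
    hits = []
    for line in lines:
        fields = dict(KV.findall(line))
        matched = set()
        for key in ("qname", "src", "dst"):
            value = fields.get(key)
            if value is None:
                continue
            found = domain_matches(value) if key == "qname" else ip_matches(value)
            if found:
                matched.add(found)
        if matched:
            # The internal endpoint is the DNS client, or for firewall lines the
            # side that is not the indicator (inbound hits put the IOC in src=).
            if "client" in fields:
                host = fields["client"]
            else:
                host = fields.get("dst") if ip_matches(fields.get("src", "")) else fields.get("src")
            hits.append((line.split()[0], host, sorted(matched)))
    return hits


if __name__ == "__main__":
    for ts, host, iocs in sweep(SAMPLE_LOGS):
        print(f"{ts} host={host} matched={','.join(iocs)}")
```

Run against real exports, the interesting output is the internal host column: the same host appearing in a DNS hit and then in a firewall hit to one of the listed addresses is the pattern to escalate. The exact-match on IPs is deliberate; widening it to the providers' whole ranges would flood the sweep with unrelated hosted services.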

APT Groups

CHRYSENE

Iran, Islamic Republic of

LYCEUM

Iran, Islamic Republic of

Comment Crew

China

Energetic Bear

Russian Federation

MuddyWater

Iran, Islamic Republic of

Fox Kitten

Iran, Islamic Republic of

MAGNALLIUM

Iran, Islamic Republic of

XENOTIME

Notes

<div><a href="https://www.dragos.com/blog/industry-news/cyber-risk-high-for-oil-natural-gas-organizations-around-the-globe/">According to Dragos:</a></div>
<div>The Oil &amp; Natural Gas (ONG) industrial sector is a crucial foundation for other industrial sectors and for civil society in providing critical resources that enable operations in other industrial sectors. Based on our research, the cyber risk to the ONG sector is high due to the increasing number of adversaries targeting oil &amp; natural gas industrial organizations.</div>
<div>Some of the key findings of the threat perspective are:</div>
<div><ul>
<li>The cyber risk to ONG organizations in North America, Europe, South America, and Asia-Pacific is increasing. At the same time, risk to the Middle East and North Africa remains at a high level as before.</li>
<li>According to Dragos research, between 2018 and 2021 the number of ransomware attacks on industrial control system (ICS) entities increased over 500 percent, with five percent of attacks impacting ONG entities.</li>
<li>Oil and gas adversaries target and can exploit internet-exposed assets, remote access, and insecure vendor or third-party access and introduce serious risk to the operations environment.</li>
</ul>
<div><b>Common Attack Scenarios for Global ONG</b></div>
<div>Our cyber threat perspective also covers an overview of threats to the ONG sector and breaks these threats down by operational segmentation. We provide assessments by region and offer an overview of vulnerabilities that adversaries weaponize and exploit in this sector.</div>
<div>The top 5 attack scenarios targeting ONG are:</div>
<div><ul>
<li>OT Network Remote Access Exploitation</li>
<li>Disruptive or Destructive Ransomware Events</li>
<li>OT Cloud Compromise</li>
<li>Supply Chain Compromise</li>
<li>Joint Ventures</li>
</ul></div>
</div>

Mitigation

<div><div>Recommendations for IT and OT Environments</div>
<div><ul>
<li>Tamper-resistant controls on field devices: Field devices must implement hardware security controls to prevent physical tampering.</li>
<li>Trusted procurement procedures: Commercial off-the-shelf (COTS) hardware and software must go through strict procurement procedures that only allow the installation of certified products meeting recognised security standards.</li>
<li>Patching and updating: Support staff must install critical updates for both operating systems and ICS software as soon as they are available, after appropriate testing. Install and regularly update anti-virus and anti-malware software on all hosts. Disable unused remote access/RDP ports and monitor remote access/RDP logs.</li>
<li>Encryption: Devices must implement end-to-end encryption with security built into their processes. Where appropriate, require certificate pinning so that a spoofed device cannot impersonate a legitimate endpoint, and protect key material against side-channel attacks that can recover encryption keys.</li>
<li>Authentication and access control procedures: Facilities should implement strict authentication and authorization procedures for their employees and for all software entities. Develop access control measures to prevent unauthorized access to critical cyber systems.</li>
<li>Penetration testing and internal audit: All facilities must carry out rigorous vulnerability assessments and penetration tests on a regular basis to ensure continuous analysis of operational systems.</li>
<li>Employee training and awareness: All employees working on critical systems must have proper training or certifications to match the elevated threat level of their positions. Employee awareness is the primary defence against human error and phishing; the technical controls listed here limit the damage when awareness fails.</li>
<li>Network segmentation: All facilities must deploy proper network segmentation, with a DMZ configured and network isolation to protect critical systems. Whenever possible, ICS should not share a network with internet-accessible devices.</li>
<li>Use of different technologies: ICS deployments should use devices and systems from different vendors so that a single vulnerability compromises fewer assets. Although this measure introduces management complexity, it is a vital control for increasing the resilience of critical systems.</li>
<li>Segregation of duties and minimum privileges: Staff must have discrete credentials and relevant privileges based on their job description and needs. The principle of least privilege must be applied to all accounts, and installing software must require administrator credentials.</li>
<li>Catalog and reduce system dependencies: Owners of critical systems must identify and minimize dependencies on other systems and services, such as third-party processes.</li>
<li>Minimize unified closed loops: Closed-loop automation simplifies monitoring and control, and manual control increases operator workload, but operators should still minimize automatic control over critical machinery, or at least monitor it heavily and break large closed loops down into individually controlled procedures.</li>
<li>Create backups: Regularly back up data, and keep backup copies offline, air-gapped, and password-protected. Ensure copies of critical data cannot be modified or deleted from the system where the data resides.</li>
<li>Recovery plan: Implement a recovery plan that maintains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud). Establish, test, and update incident response (IR) plans and continuity of operations plans (COOPs).</li>
<li>Ensure password security: Use multi-factor authentication (MFA) where possible. Use strong, unique passwords and change them when compromise is suspected; forced rotation on a fixed short schedule is no longer recommended by NIST SP 800-63B. Avoid reusing passwords for multiple accounts.</li>
<li>Use secure networks only: Only use secure networks and avoid public Wi-Fi networks. Consider installing and using a VPN.</li>
<li>Email security: Consider adding an email banner to messages originating outside your organization and disable hyperlinks in received emails.</li>
</ul></div>
<hr>
</div>
<div>According to <a href="https://www.cisa.gov/uscert/ncas/alerts/aa21-201a">CISA</a> (Alert AA21-201A):</div>
<div><b>Mitigations</b></div>
<div><div class="field field--name-field-aa-mitigations field--type-text-long field--label-hidden field--item"><p>CISA and the FBI urge Energy Sector and other CI owners and operators to apply the following mitigations to implement a layered, defense-in-depth cyber posture.
By implementing a layered approach, administrators will enhance the defensive cyber posture of their OT/ICS networks, reducing the risk of compromise or severe operational degradation if their system is compromised by malicious cyber actors.</p>
<ul>
<li><strong>Harden the IT/corporate network</strong> to reduce the risk of initial compromise.
<ul>
<li><strong>Update all software</strong>, including operating systems, applications, and firmware, in a timely manner. Consider using a centralized patch management system.</li>
<li><strong>Replace all end-of-life software and hardware</strong> devices.</li>
<li><strong>Restrict and manage remote access software</strong>. Remote access tools are a common method for threat actors to gain initial access and persistence on target networks.
<ul>
<li>Manage and restrict users and groups who are permitted to access remote capabilities. Permissions should be limited to users that require the capability to complete their duties.</li>
<li>Require multi-factor authentication (MFA) for remote access.</li>
<li>Limit access to resources over networks, especially by restricting Remote Desktop Protocol (RDP). If RDP is operationally necessary, restrict the originating sources and require MFA.</li>
</ul></li>
<li><strong>Enable strong spam filters to prevent phishing emails</strong> from reaching end users.</li>
<li><strong>Implement unauthorized execution prevention by:</strong>
<ul>
<li>Disabling macro scripts from Microsoft Office files transmitted via email.</li>
<li>Implementing application allowlisting, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common malware locations, such as temporary folders supporting popular internet browsers.</li>
</ul></li>
<li><strong>Filter network traffic</strong> to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allow lists.</li>
<li><strong>Set antivirus/antimalware programs</strong> to regularly scan IT network assets using up-to-date signatures.</li>
</ul></li>
</ul>
<ul>
<li><strong>Implement and ensure robust network segmentation between IT and ICS networks</strong> to limit the ability of cyber threat actors to move laterally to ICS networks if the IT network is compromised.
<ul>
<li><strong>Implement a network topology for ICS that has multiple layers</strong>, with the most critical communications occurring in the most secure and reliable layer. For more information refer to National Institute of Standards and Technology (NIST) <a href="https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final">Special Publication 800-82: Guide to ICS Security</a>.</li>
<li><strong>Use one-way communication diodes to prevent external access</strong>, whenever possible.</li>
<li><strong>Set up demilitarized zones (DMZs)</strong> to create a physical and logical subnetwork that acts as an intermediary for connected security devices to avoid exposure.</li>
<li><strong>Employ reliable network security protocols and services</strong> where feasible.</li>
<li><strong>Consider using virtual local area networks (VLANs)</strong> for additional network segmentation, for example, by placing all printers in separate, dedicated VLANs and restricting users’ direct printer access.</li>
</ul></li>
</ul>
<ul>
<li><strong>Implement perimeter security between network segments</strong> to limit the ability of cyber threat actors to move laterally.
<ul>
<li><strong>Control traffic between network segments</strong> by using firewalls, intrusion detection systems (IDSs), and filter routers and switches.</li>
<li><strong>Implement network monitoring</strong> at key chokepoints—including egress points to the internet, between network segments, core switch locations—and at key assets or services (e.g., remote access services).</li>
<li><strong>Configure an IDS</strong> to create alarms for any ICS traffic outside normal operations (after establishing a baseline of normal operations and network traffic).</li>
<li><strong>Configure security incident and event monitoring (SIEM)</strong> to monitor, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.</li>
</ul></li>
</ul>
<ul>
<li>Implement the following additional ICS environment best practices:
<ul>
<li><strong>Update all software</strong>. Use a risk-based assessment strategy to determine which ICS network assets and zones should participate in the patch management program.
<ul>
<li>Test all patches in offline test environments before implementation.</li>
</ul></li>
<li><strong>Implement application allowlisting on human machine interfaces.</strong></li>
<li><strong>Harden field devices</strong>, including tablets and smartphones.</li>
<li><strong>Replace all end-of-life software and hardware devices.</strong></li>
<li><strong>Disable unused ports and services on ICS devices</strong> (after testing to ensure this will not affect ICS operation).</li>
<li><strong>Restrict and manage remote access software</strong>. Require MFA for remote access to ICS networks.</li>
<li><strong>Configure encryption and security for ICS protocols.</strong></li>
<li><strong>Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.</strong></li>
<li><strong>Do not allow vendors to connect their devices to the ICS network</strong>. Use of a compromised device could introduce malware.</li>
<li><strong>Maintain an ICS asset inventory</strong> of all hardware, software, and supporting infrastructure technologies.</li>
<li><strong>Ensure robust physical security is in place</strong> to prevent unauthorized personnel from accessing controlled spaces that house ICS equipment.</li>
<li><strong>Regularly test manual controls</strong> so that critical functions can be kept running if ICS/OT networks need to be taken offline.</li>
<li><strong>Manage the supply chain</strong> by adjusting the ICS procurement process to weigh cybersecurity heavily as part of the scoring and evaluation methodology. Additionally, establish contractual agreements for all outsourced services that ensure proper incident handling and reporting, security of interconnections, and remote access specifications and processes.</li>
</ul></li>
</ul>
<ul>
<li>Implement the following additional best practices:
<ul>
<li><strong>Implement IP geo-blocking</strong>, as appropriate.</li>
<li><strong>Implement regular, frequent data backup procedures</strong> on both the IT and ICS networks. Data backup procedures should address the following best practices:
<ul>
<li>Ensure backups are regularly tested.</li>
<li>Store backups separately, i.e., backups should be isolated from network connections that could enable spread of malware or lateral movement.</li>
<li>Maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt.</li>
<li>Retain backup hardware to rebuild systems in the event rebuilding the primary system is not preferred.</li>
</ul></li>
<li><strong>Implement a user training program</strong> to train employees to recognize spearphishing attempts, discourage users from visiting malicious websites or opening malicious attachments, and reinforce appropriate user response to spearphishing emails.</li>
</ul></li>
</ul>
</div></div>
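Two of the recommendations above, the IT/OT segmentation called for in both the first list and CISA's, and CISA's "configure an IDS to create alarms for any ICS traffic outside normal operations (after establishing a baseline)", are easy to state and easy to get wrong in practice: a baseline learned while an intruder is already present whitelists the intruder. The following is an added example (not CISA's code and not the toolkit's) showing one way to combine the two checks. The zone plan, host addresses, ports and flow records are constructed for the example; a real deployment would feed it NetFlow or sensor output and its own zone definitions.

```python
"""Zone-aware flow baselining for an IT / DMZ / OT network.

Added example for this page, not CISA's or the toolkit's code. It flags any
flow that crosses from the IT zone (or the internet) straight into the OT
zone, bypassing the DMZ, and alarms on ICS traffic that falls outside a
baseline learned from a known-good observation window. Zone ranges, hosts,
ports and flow records below are all constructed for the example.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


# Assumed zone plan: enterprise IT, an IT/OT DMZ, and one OT cell.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "IT": ipaddress.ip_network("10.20.0.0/16"),
    "DMZ": ipaddress.ip_network("10.30.0.0/24"),
    "OT": ipaddress.ip_network("192.168.100.0/24"),
}

# Zone pairs that must never talk directly: everything into or out of OT
# has to terminate in the DMZ.
FORBIDDEN_PATHS = {("IT", "OT"), ("OT", "IT"), ("EXTERNAL", "OT"), ("OT", "EXTERNAL")}


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "EXTERNAL"


def segmentation_violation(f: Flow) -> bool:
    return (zone_of(f.src), zone_of(f.dst)) in FORBIDDEN_PATHS


class FlowMonitor:
    def __init__(self) -> None:
        self.baseline = set()

    def learn(self, flows: List[Flow]) -> List[Flow]:
        """Build the baseline from a window believed to be normal.

        Flows that already violate segmentation are refused and returned,
        so an intruder active during the learning window is not baselined in.
        """
        rejected = []
        for f in flows:
            if segmentation_violation(f):
                rejected.append(f)
            else:
                self.baseline.add(f)
        return rejected

    def check(self, f: Flow) -> List[str]:
        """Return alarm strings for one flow; an empty list means normal."""
        alarms = []
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if segmentation_violation(f):
            alarms.append(f"segmentation: {src_zone}->{dst_zone} bypasses the DMZ")
        if "OT" in (src_zone, dst_zone) and f not in self.baseline:
            alarms.append(f"baseline: unseen ICS flow {f.src}->{f.dst} {f.proto}/{f.dport}")
        return alarms

    def sweep(self, flows: List[Flow]) -> List[Tuple[Flow, List[str]]]:
        findings = []
        for f in flows:
            alarms = self.check(f)
            if alarms:
                findings.append((f, alarms))
        return findings


# Constructed learning window: an HMI polling a PLC over Modbus/TCP, the OT
# historian pushing to the DMZ historian, an IT client reading the DMZ copy,
# and one IT host talking Modbus straight to the PLC, which learn() must refuse.
LEARNING_WINDOW = [
    Flow("192.168.100.10", "192.168.100.20", "tcp", 502),
    Flow("192.168.100.30", "10.30.0.5", "tcp", 443),
    Flow("10.20.5.17", "10.30.0.5", "tcp", 443),
    Flow("10.20.5.99", "192.168.100.20", "tcp", 502),
]

# Constructed detection window.
DETECTION_WINDOW = [
    Flow("192.168.100.10", "192.168.100.20", "tcp", 502),  # normal
    Flow("10.20.7.4", "192.168.100.20", "tcp", 502),       # IT host to PLC: both alarms
    Flow("192.168.100.10", "192.168.100.20", "tcp", 22),   # new service on the PLC
    Flow("10.20.5.17", "10.30.0.5", "tcp", 443),           # normal
]


def run_example():
    mon = FlowMonitor()
    rejected = mon.learn(LEARNING_WINDOW)
    return rejected, mon.sweep(DETECTION_WINDOW)


if __name__ == "__main__":
    rejected, findings = run_example()
    for f in rejected:
        print("refused during learning:", f)
    for f, alarms in findings:
        print(f, "->", "; ".join(alarms))
```

Baselining on the (src, dst, proto, dport) tuple catches new hosts and new services on the OT segment, which is what the IT-to-PLC flow and the SSH session above illustrate, but it cannot see a known HMI issuing Modbus write function codes it never used before. Extending the `Flow` key with the protocol function code from a DPI sensor is the natural next step; the refuse-while-learning rule stays the same.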