Next Generation Cyber Attacks Target Oil And Gas SCADA

By Eric Byres, P. Eng., ISA Fellow, Tofino Security Product Group, Belden Inc. | February 2012, Vol. 239 No. 2

Anyone working with SCADA or industrial control systems (ICS) in the oil and gas industry is aware of the pressure to increase productivity and reduce costs through network integration. For example, sharing real-time data from field operations with management is standard practice for most companies. Similarly, the demand for remote support has made many pipeline control systems accessible via Internet-based technologies.

At the same time, SCADA systems themselves have changed radically. Proprietary networks have been replaced with equipment using Ethernet technology. Single-purpose operator stations have been replaced with computers running Windows™, and IT software such as PDF readers and web browsers is installed in every station or control center.

These new technologies are enabling companies to implement agile, cost-effective business practices. Unfortunately, they also come at a cost - many of the same security vulnerabilities that have plagued business systems now appear in SCADA systems. Pipeline control systems are now exposed to cyber-security threats they were never designed for.

Stuxnet - The Game Changer
Cyber attacks on automation systems were considered by many to be a theoretical problem until the discovery of the Stuxnet worm in July 2010. At that moment the world changed, not only for oil and gas companies, but also for automation vendors, hackers, criminals and even governments.

Stuxnet was specifically designed to attack Siemens automation products. It was capable of downloading proprietary process information, making changes to logic in PLCs, and then covering its tracks. It employed previously unknown vulnerabilities to spread. It was powerful enough to evade state-of-the-art security technologies.

Stuxnet’s intended target was the uranium enrichment centrifuges used by Iran in its nuclear armaments program. Seizing control of the automation system, the worm was able to reconfigure the centrifuge drive controllers, causing the equipment to slowly destroy itself.

Stuxnet had a specific target, but like all attacks, cyber or conventional, there was collateral damage. Several companies in the U.S. had PLCs that were reconfigured by Stuxnet, probably by accident. There was no real damage, but a lot of labor charges were incurred and shutdowns occurred.

Even these problems soon stopped, as software patches and anti-virus signatures drove Stuxnet into extinction. Unfortunately, the problem did not end there.

Stuxnet’s Children Have Arrived
The real impact of Stuxnet began to appear after the worm itself was history. Thanks to Stuxnet’s publicity, hackers and criminals discovered that SCADA/ICS products are attractive targets. These systems soon became targets of choice for public security disclosures; in 2011 the U.S. ICS-CERT released 104 security advisories for SCADA/ICS products from 39 different vendors. Prior to Stuxnet, only five SCADA vulnerabilities had ever been reported.

What was particularly concerning was that attack code was released for 40% of these vulnerabilities. This meant that the bad guys both knew where to find holes in SCADA/ICS products and had the software to exploit them.