Warning over cyber-threat to oil and gas by ‘unsophisticated’ attackers

Industrial control systems running oil, gas and other energy infrastructure face attack

CISA has issued a public warning to critical energy infrastructure operators following a series of attacks against underlying IT systems. The nature of the attacks suggests hacktivism rather than nation-state sabotage.

The US Cybersecurity & Infrastructure Security Agency (CISA) has warned of a rising threat to critical infrastructure operators in the oil and gas sectors following a spate of attacks against industrial control systems (ICS) and supervisory control and data acquisition (SCADA) IT systems.

However, the signs indicate that the threat actors are relatively “unsophisticated”, according to CISA, leaving behind clear evidence of their attacks and their intent.

“These activities often include basic and elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets [but] can escalate these threats, leading to significant consequences such as defacement, configuration changes, operational disruptions and, in severe cases, physical damage,” CISA warned in an Alert.

It’s unclear who the threat actors may be, but the nature of the attacks may point to hacktivists rather than nation-state attackers, despite the rising geopolitical uncertainty in recent years.

Yuval Wollman, president at CyberProof, writing in Computing last year, pointed to a surge in recent years in criminal attacks – as opposed to nation-state attacks – on critical infrastructure.

“Until recently, attacks on ICS were mostly initiated with nation-state backing, led by countries such as China, Russia and Iran. But today, these types of attacks are also launched by criminal groups.

“The rise of ransomware-as-a-service streamlined the hacking process so that now, even those with minimal hacking experience can utilise advanced ransomware programs by paying a relatively small fee to malware creators. This has led to a surge in hackers actively engaging in cybercrime,” he wrote.

Despite the allegedly unsophisticated nature of the latest round of attacks on critical infrastructure in the US, the agency nevertheless updated its factsheet on mitigations to reduce such cyber threats to critical operational technology.

Its recommendations include removing connections to the internet from operational technology (OT) to reduce the attack surface; checking and changing default passwords; auditing, documenting, configuring and securing remote access to networks running OT; and ensuring that IT and OT networks are segmented, with demilitarised zones for passing control data between the two.

Moreover, with geopolitical threats rising, it also recommended that organisations practise operating OT systems manually.

“Business continuity and disaster recovery plans, fail-safe mechanisms, islanding capabilities, software backups, and standby systems should all be routinely tested to ensure safe manual operations in the event of an incident,” the factsheet urged.

Attempted intrusions against critical infrastructure across the world are now a regular occurrence, with the UK’s National Cyber Security Centre (NCSC) last year warning that OT running in the cloud is also a potential target. And, following a series of incidents involving communications cables, Parliament earlier this year launched an inquiry into the UK’s preparedness to defend the internet cables linking it to the rest of the world.