TLP: WHITE | The NJCCIC assesses with high confidence that the cyber risk to the oil and gas industry is high and that the energy sector at large is a priority target of foreign intelligence services. While state-sponsored groups have demonstrated the capability to launch cyberattacks that cause physical damage to energy infrastructure, New Jersey's energy sector is most likely to face reconnaissance and intelligence-collection activity aimed at exfiltrating data and establishing persistence on high-value networks for potential use in future sabotage operations. New Jersey's high risk level is largely due to its significance as a major distribution center for petroleum products throughout the Northeast: the nation's largest production pipeline terminates in Linden, and the State is home to three operating oil refineries and five key interstate natural gas carrier pipelines. Additionally, the consequences of a destructive cyberattack on oil and gas resources range from significant financial loss for the private sector to physical and economic impacts on the affected municipalities. According to security firm Symantec, 43% of global mining, oil, and gas companies were victims of at least one cyberattack in 2014, and the Ponemon Institute found that energy companies lose, on average, $13.2 million annually from cyber incidents, more than any other industry.
- In early August 2015, the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) published advisories for six zero-day vulnerabilities in supervisory control and data acquisition (SCADA) products, specifically in human-machine interface (HMI) software used for remote access. It is unclear how widely the affected HMI products are deployed across the energy sector; however, all five manufacturers of these products supply systems and services to the oil and gas industry. The disclosure underscores the growing attention to weaknesses in ICS/SCADA systems and the resulting risk to critical infrastructure.
- Since at least 2011, the Russian espionage group known as ENERGETIC BEAR (also tracked as Dragonfly) has infected more than 2,800 victims around the world, and in 2013 it reportedly shifted its focus to US and UK energy firms. The group deploys the Havex remote-access Trojan, delivering it through spear-phishing, watering-hole attacks, and trojanized software downloads.
- In September 2012, Telvent Canada Ltd. discovered a breach of its security systems, allegedly carried out by a Chinese group. The attackers exfiltrated project files related to OASyS SCADA, the company's remote administration product used to connect legacy systems with more modern "smart grid" technologies. Their motivation was unclear, but they were likely seeking intellectual property and potentially conducting reconnaissance for future sabotage; project files of this kind describe how a customer's control network is laid out and configured.
- In August 2012, the world's largest oil producer, Saudi Aramco, was the victim of a damaging cyberattack in which the Shamoon wiper erased data on 30,000 corporate computers and forced the company to shut down its internal network for ten days. Western officials have regularly attributed the incident to Iran; however, the supporting evidence and the true motive remain unclear. In December 2014, another notable attack was revealed: a 2008 explosion on a Turkish oil pipeline, originally thought to be a malfunction, was allegedly caused by Russian hackers who over-pressurized the crude oil in the pipeline. These two incidents set concerning precedents for destructive attacks capable of disrupting business operations and causing physical damage to infrastructure.
One of the most common issues across critical infrastructure sectors is weak or absent segmentation between corporate (IT) and operational (OT) networks, together with SCADA devices that are reachable directly from the internet. Attackers typically gain an initial foothold on the corporate network, often through spear-phishing or strategic web compromise, then move laterally toward the control systems by harvesting and reusing user credentials or exploiting existing vulnerabilities in software or hardware. Where the two networks are flat, or joined by permissive firewall rules, the same credentials and tools that work in the office environment work against HMIs and engineering workstations.
- The NJCCIC recommends that all asset owners implement the best practices outlined by ICS-CERT and the National Security Agency for securing ICS/SCADA systems, including network segmentation that separates OT from corporate networks (with required traffic brokered through an industrial DMZ rather than passed directly), strong authentication and encryption policies, and a defined process to deploy patches to all systems and software as soon as they are available.
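The segmentation failures and lateral-movement path described above can be made checkable at the IT/OT boundary. The following Python script is an added example and is not part of the NJCCIC advisory or any NJCCIC or ICS-CERT tooling: it takes flow records (timestamp, source, destination, destination port), assigns each address to an assumed zone (corporate IT, industrial DMZ, OT), and flags the patterns the advisory warns about: OT hosts reachable from outside the organization, ICS protocols such as Modbus/TCP or DNP3 spoken directly from the corporate network into OT, OT hosts initiating connections to the internet, and ICS protocols appearing on the corporate network. The zone address ranges, the port-to-protocol table, the "only the DMZ may originate connections into OT" policy, and the eight flow records are all constructed for the example.

```python
"""Audit flow records for IT/OT segmentation violations.

Added example, not from the NJCCIC advisory. The zones, addresses and
flow records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Well-known TCP ports of common ICS/SCADA protocols.
ICS_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Assumed address plan: corporate (IT) network, an industrial DMZ that
# brokers access (historian, jump host), and the OT/SCADA network.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot": ipaddress.ip_network("192.168.100.0/24"),
}

# Policy (assumed): only the DMZ, or OT itself, may originate connections into OT.
ALLOWED_INTO_OT = {"dmz", "ot"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    flow: Flow


def zone_of(ip: str) -> str:
    """Map an address to a zone; anything outside our ranges is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated 'timestamp src dst dport' records; '#' starts a comment."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(ts, src, dst, int(dport)))
    return flows


def audit(flows: list[Flow]) -> list[Finding]:
    """Return one finding per flow that crosses a boundary it should not."""
    findings = []
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        proto = ICS_PORTS.get(f.dport)
        if s == "external" and d == "ot":
            # An internet-facing SCADA device: the exposure the advisory calls out.
            findings.append(Finding("CRITICAL", "OT host reachable from outside the organization", f))
        elif s == "ot" and d == "external":
            # OT should not talk out; this is how a Havex-style implant would beacon.
            findings.append(Finding("HIGH", "OT host initiated traffic to the internet", f))
        elif d == "ot" and s not in ALLOWED_INTO_OT:
            # Direct IT-to-OT traffic bypasses the DMZ; worse if it is a control protocol.
            if proto:
                findings.append(Finding("CRITICAL", f"{proto} spoken directly from {s} into OT, bypassing the DMZ", f))
            else:
                findings.append(Finding("HIGH", f"direct {s}-to-OT connection on port {f.dport} bypasses the DMZ", f))
        elif proto and d != "ot":
            # A controller or HMI answering on a corporate segment is on the wrong network.
            findings.append(Finding("MEDIUM", f"{proto} seen in the {d} zone; a controller or HMI may be misplaced", f))
    return findings


# Constructed sample export (e.g. from a boundary firewall or NetFlow collector).
SAMPLE_FLOWS = """
# ts                  src              dst              dport
2015-08-10T09:14:02Z  10.10.5.23       192.168.100.10   502
2015-08-10T09:14:09Z  10.10.5.23       10.20.0.5        443
2015-08-10T09:15:30Z  10.20.0.5        192.168.100.10   502
2015-08-10T09:16:41Z  198.51.100.77    192.168.100.20   20000
2015-08-10T09:17:05Z  192.168.100.30   198.51.100.9     443
2015-08-10T09:18:12Z  10.10.7.4        192.168.100.10   3389
2015-08-10T09:19:00Z  192.168.100.10   192.168.100.11   502
2015-08-10T09:20:27Z  10.10.9.9        10.10.9.10       502
"""

if __name__ == "__main__":
    for finding in audit(parse_flows(SAMPLE_FLOWS)):
        fl = finding.flow
        print(f"{finding.severity:8} {fl.ts} {fl.src} -> {fl.dst}:{fl.dport}  {finding.rule}")
```

Running the file prints five findings from the sample: the corporate workstation speaking Modbus/TCP straight to a PLC, the DNP3 outstation reachable from an external address, the OT host calling out over 443, the RDP session from the corporate network into OT, and Modbus traffic on a corporate segment. The DMZ historian polling the PLC and intra-OT Modbus are not flagged, because the allow-list encodes that policy. A flow that matches no rule is not evidence of compliance, only that it crosses no boundary the script models; the zone table has to mirror the real address plan for the output to mean anything.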
Any agency with comments or questions about this document should contact the NJCCIC at firstname.lastname@example.org.
TLP: WHITE INFORMATION MAY BE DISTRIBUTED WITHOUT RESTRICTION