Defending midstream operations against cyber threats: ransomware

The midstream and LNG sectors already have many strategic and day-to-day operational concerns, but now they must be wary of ransomware, a cybersecurity threat to operational technology (OT). Ransomware is an insidious form of malware that can encrypt critical data until a large ransom is paid. Typically, after encrypting files, ransomware displays a note on infected devices with the ransom amount and payment instructions.

For industrial enterprises, ransomware focuses on causing costly disruptions dwarfing the ransom demand. In February 2020, for example, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, reported that an unnamed midstream operator was forced by a ransomware attack to shut down its entire pipeline asset for two days.¹

According to the report, “Although the direct operational impact of the cyberattack was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies.”

The amount of the ransom demand was undisclosed, but the cost of the two-day shutdown likely dwarfed the ransom demand. A two-day shutdown of the pipeline might have cost the operator millions in lost revenue.

Financial loss is not the only damage that could have occurred. During that two-day shutdown, chances are good that the operator and its customers would have had to scramble to reroute their products in transit, using alternative transmission pipelines, and quite possibly incurring premium charges. The operator could have been liable for contractual financial penalties, as well.

The operator’s customers could also have diminished trust in the integrity and efficacy of the company’s cybersecurity safeguards. Even if those protections are stepped up substantially, how can the pipeline’s customers know if the systems hardening is sufficient and, importantly, that the new security measures are working?

Finally, although no health, safety or environmental (HSE) impacts were reported in this attack, the malware could have compromised specific HSE safeguards. Had that happened, it could have caused a major life-safety incident endangering personnel and nearby communities, or a significant environmental event. The operator’s shutdown could have lasted much longer while forensic investigations and impact assessments took place. It also could have resulted in large fines and costly litigation.

Ransomware attacks rising. Other recent ransomware attacks include five incidents involving unnamed oil and gas operators, as reported in December 2019 by the U.S. Coast Guard (USCG). One cargo transfer facility regulated by the Maritime Transportation Security Act (MTSA) suffered an attack by what cybersecurity experts have termed the Ryuk ransomware variant.²

According to the USCG, “The [Ryuk] virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations. The impacts to the facility included a disruption of the entire corporate information technology (IT) network (beyond the facility’s footprint), disruption of camera and physical access control systems, and loss of critical process control monitoring systems.”

As a result, the facility was shut down for 30 hr, until the incident could be remediated. Although the target was not an LNG terminal, cyber criminals presumably could consider such a facility to be prime for a potentially lucrative ransomware attack.

In some cases, ransom demands are far higher. In November 2019, Petróleos Mexicanos (Pemex), Mexico’s vertically integrated, state-run oil and gas conglomerate, reported a ransomware attack that encrypted files, crippled servers and disrupted administrative operations and transactional capabilities. The price the attackers sought to restore Pemex’s operations was $5 MM. (Pemex, however, had sufficient backups and incident response to recover its operations without paying the ransom.)

Ransomware as a service. Although the first ransomware attack occurred more than 30 yr ago,³ such attacks have grown dramatically in frequency and sophistication. In 2018, a global provider of cybersecurity safeguards reported 181.5 MM ransomware attacks worldwide in just the first half of that year—a 229% increase over the previous year.⁴

It is safe to assume that those numbers have grown since, along with many different types, not just Ryuk. While many ransomware campaigns require their victims—often employees of a targeted organization—to click on a malicious link in a phishing email or when visiting a compromised website, many others operate using brute force tactics or remote desktop protocol (RDP) credentials. The latter can be hard to detect because the malware enters via an approved access point.

Making matters worse, “ransomware-as-a-service” (RaaS) providers are now available on the Dark Web at no initial charge to third parties seeking to mount attacks. The latter group merely splits the ransom—reportedly as high as 60%–70%—with the former; no technical skills are needed.

Ransomware has shifted from IT-focused attacks to OT-focused attacks. The latter can be more difficult to defend against because, compared to enterprise IT infrastructures, OT infrastructures have three key distinctions:

• OT sensor, control and automation systems, plus their communication networks, have much greater performance demands
• OT infrastructures include the equipment of multivendor original equipment manufacturers (OEM) that are increasingly seeking remote access for performance monitoring and remote diagnostics of machines
• OT failures or disruptions can cause potentially significant HSE impacts, as previously discussed.

What happened? The CISA-reported ransomware attack on the unnamed midstream operator included a forensics investigation into how the perpetrators were able to penetrate the company’s digital infrastructure and shut down its operations for two days. Among the CISA’s findings:¹

• The operator failed to implement sufficient segmentation between the IT and OT networks, which allowed the adversary to traverse the IT–OT boundary and disable assets on both networks.
• Commodity ransomware was used to compromise Windows-based assets on both the IT and OT networks. Assets impacted on the organization’s OT network included human-machine interfaces (HMIs), data historians and polling servers.
• The existing emergency response plan focused on physical safety threats and not cyber threats. As a result, emergency response exercises did not provide employees with decision-making experience in dealing with cyberattacks.
• The operator cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.

Safeguarding midstream OT. What steps can midstream operators take to strengthen their safeguards from ransomware and other cyberattacks? As is the case with all cybersecurity threats, effectively combating them requires technologies; however, relying on technology alone may provide a false sense of security.

Furthermore, contrary to what is a commonly held belief, cybersecurity is also not IT’s job—although IT must certainly play a leading role. Cybersecurity is everyone’s job, from the “top floor to the shop floor,” as the saying goes (FIG. 1). Otherwise, a big blind spot can occur, adding to a midstream operator’s vulnerabilities, not only from cyber threats but also from an enterprise IT-oriented, defense-in-depth model that is insufficiently supportive of OT’s rigorous requirements.

FIG. 1. All employees in a midstream operation have a vital stake in securing it from ransomware and other types of cyberattacks.

In other words, midstream cybersecurity requires a coordinated, collaborative, enterprise-wide effort across several stakeholder groups, starting with the executive management team. Readers can assume that the two-day shutdown of the pipeline in February certainly got the rapt attention of the operator’s leadership team, but doing so after an incident occurs is too late and too costly to the enterprise.

Too often, cybersecurity is delegated solely to IT while leaving operations and OT engineering teams to focus on production, output and asset utilization. However, the latter groups must realize that a ransomware attack can force a literal shutdown of those focus areas, as it did with the unnamed operator cited in the CISA report and other examples.

Put another way, IT teams are typically not as aware of, or as sensitive to, the practical and critical production issues of reliability, availability, safety and resiliency as are their OT and operations counterparts. To elaborate, an intrusion into OT’s industrial control systems (ICSs) and networks can cause major disruptions that can seriously compromise these systems as fundamental requirements of any midstream pipeline or LNG operation.

• Reliability of capital assets—complex machinery, ICSs, SCADA/DCS platforms, data historians, manufacturing execution systems, electromechanical and pneumatic systems, and the networks interconnecting them—to perform as expected
• Availability of those assets, which must typically operate 24/7, in real- or near-real time, and require 99.9% uptime or better
• Safety of both personnel and assets throughout the operational environment, as well as the surrounding natural environment and nearby communities
• Resilience of oil and gas operations should a breach occur, and how quickly it can be discovered, contained and remediated to prevent or minimize disruptions.

To ensure that OT-oriented cybersecurity safeguards protect these four requirements, OT and operations teams must be fully engaged in the design, engineering, and deployment of cybersecurity safeguards to protect their production and logistics infrastructures. There is no better team than OT and operations to recognize significant disruption of an OT security breach. 

Of course, a midstream operator’s executive leadership also must be involved and support a collaborative, cross-functional cybersecurity approach, just as they traditionally will do with HSE and human resources (HR) functions. Importantly, HSE and HR must be engaged—the former for obvious reasons, and the latter because employee training and awareness-building of suspicious emails (e.g., phishing attacks, a common entry point for ransomware) are required.

Building an OT-oriented cybersecurity model. For midstream and LNG operators, ransomware attacks and other threats will only increase as they automate and digitalize more of their assets and operations and link them with their enterprise IT networks and external third parties (e.g., OEM suppliers) for asset monitoring and diagnostics.

Enterprise IT cybersecurity models start with baseline defense-in-depth protections, as defined by IEC 62443 and other cybersecurity standards, such as the NERC and NIST. However, adding OT safeguards are not out-of-box solutions, especially because midstream and LNG operations are far too complex for such an approach. Instead, they must be applicable in a more expansive OT context: across entire asset classes of machines, systems, processing units, and the ICS and networking systems commanding and linking them together.

To be comprehensive, an OT-oriented cybersecurity model must focus on three core facets, as explained in the following subsections.

Assessment and planning. Assets must be fully inventoried to understand what needs protection. Potential threats should be identified and documented, while also compiling a risk-ranked list of all vulnerabilities and weaknesses. Identify single points of failure, technical and human, and enact redundant coverage for each one.

Based on this information, with inputs from all core stakeholders, an OT cybersecurity roadmap can be developed as an action plan that complements both OT digitalization efforts and enterprise IT cybersecurity. The plan should be revisited at least annually, if not more often, to ensure its relevancy amidst changing operational requirements and environments.

A thorough evaluation must include an inventory of what safeguards are now in place for different OT assets and which ones are needed. Their effectiveness should also be tested and, if necessary, upgraded or replaced. If a written security policy and governance of that policy is not in place, one should be developed and implemented, including companywide communications to all employees and specialized role-based trainings for specific stakeholders.

Protection. This is the model’s preventative dimension, with the following recommendations for midstream and LNG operators to ensure that they are incorporated:

• Implement robust network segmentation, especially between OT and IT networks, so that intrusions in either one cannot transverse to the other
• Further segment OT assets into logical zones defined by their workflow relevance and adjacency, as well as their operational criticality
• Employ hot, failover ICSs for extremely critical production processes, so if a cyberattack disrupts the primary ICS, the redundant one can take over immediately
• Ensure all firewalls are updated and patched when necessary; also keep OT software and firmware updated
• Use antivirus software to scan IT network assets against always-updated malware signatures, while employing a risk-based approach to assess OT network assets for malware but without disrupting the deterministic timings of ICS and automation systems
• Conduct regular vulnerability scanning and penetration testing by qualified third parties
• Deploy a comprehensive OT/IT data protection model, including periodic, automated data backup and recovery capabilities, and ensure that the data repositories (e.g., network attached storage) are segmented from threat-actor access.

Detection and response. These measures will define what a breach is, how to know one has occurred, proper responses to different kinds of attacks, and how to remediate the vulnerability that was exploited and identify new vulnerabilities over time.

A midstream operator’s business continuity plan should include mitigation and remediation protocols for ransomware or any other disruptive cyberattack. Roles and responsibilities should be assigned, individuals named to those roles and responsibilities, and escalation paths defined.

Going further, a response simulation exercise—called a “tabletop exercise”—should be conducted at least yearly. A representative from each group should act out their respective role as if an intrusion happened and a cyberattack successfully disrupted operations. When an actual attack occurs, individuals must know what to do immediately to ensure the proper response is made and to minimize the time involved. Periodic role-playing will help considerably.

Growing dangers. Midstream and LNG operators cannot afford to wait until an adverse event occurs to discover where their vulnerabilities are located, nor can they delegate solely to their enterprise IT staff to cover all the complexities of their OT environments.

Without the active engagement and support of other key stakeholders—executive management, OT and operations, HSE and HR—they risk providing criminals, state-actors, so-called hacktivists, and other threats with large organizational blind spots that can be exploited.

In addition, it is worth noting that enterprise IT staff often lack the time, skills and know-how needed to sufficiently protect OT environments. In those cases, it can be cost-effective to engage a qualified third party to either augment IT staff or completely outsource the function, in close cooperation with IT staff members.

Ransomware and other cyber threats against midstream and LNG operators will continue to increase in sophistication and frequency. The need to ensure that cyber safeguards are more than sufficient and fully operational at all times has never been more urgent in the face of these growing dangers. Operators can be sure that keeping their availability, reliability, and safety intact will require a focused and organization-wide effort on OT cybersecurity. GP

LITERATURE CITED

1. CISA, “Ransomware impacting pipeline operations,” Alert (AA20-049A), February 18, 2020, online: https://www.us-cert.gov/ncas/alerts/aa20-049a
2. U.S. Coast Guard, “Cyberattack impacts MTSA facility operations,” Marine Safety Information Bulletin, December 16, 2019, online: https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2019/MSIB_10_19.pdf
3. Palmer, D., “30 years of ransomware: How one bizarre attack laid the foundations for the malware taking over the world,” ZDNet, December 19, 2019, online: https://www.zdnet.com/article/30-years-of-ransomware-how-one-bizarre-attack-laid-the-foundations-for-the-malware-taking-over-the-world/
4. HelpNetSecurity, “Ransomware back in big way, 181.5 million attacks since January,” July 11, 2018, online: https://www.helpnetsecurity.com/2018/07/11/2018-sonicwall-cyber-threat-report/