Cyber Security and the Energy Sector

The intertwining of digital technologies with critical infrastructure has brought unprecedented efficiency and convenience to the energy sector. However, with this technological advancement comes the looming specter of cyber threats. As the energy landscape evolves, so do the tactics of malicious actors seeking to exploit vulnerabilities in digital systems. In the midst of this technological revolution, ensuring the security and resilience of energy infrastructure has become an imperative.

Exploring the Threat Landscape:

In recent years, the energy sector has emerged as a prime target for cyber attacks, driven by its critical role in powering modern societies. The digital transformation of energy infrastructure has expanded the attack surface, providing adversaries with new avenues for exploitation. From sophisticated state-sponsored actors to opportunistic cybercriminals, the threats facing the energy sector are diverse and evolving.

Understanding the Canadian Context:

Canada's oil and gas sector stands at the forefront of these challenges, grappling with the dual mandate of innovation and security. Through the unique dynamics of the Canadian energy landscape, we’ll highlight the sector's susceptibility to cyber threats and the potential consequences of a successful attack. With energy infrastructure serving as the backbone of the nation's economy, the repercussions of a cyber incident extend far beyond the confines of the industry.

Mitigating Risks and Building Resilience:

Amidst these challenges, proactive cyber security measures have emerged as a linchpin in safeguarding energy infrastructure. Best practices and strategic interventions are recommended by cyber security experts to fortify the resilience of energy systems. From adopting robust defense mechanisms to fostering a culture of cyber awareness, it delineates a comprehensive approach to mitigating risks and responding effectively to cyber threats.

The article "Cyber Security and the Energy Sector" by cyber.gc.ca delves into the intricate nexus between cyber security and the energy industry, focusing on Canada's oil and gas sector. Drawing insights from authoritative sources such as the Canadian Centre for Cyber Security, it sheds light on the evolving threat landscape, assesses vulnerabilities specific to the energy domain, and outlines proactive measures to mitigate risks.

In excerpts from the article, they wrote, “The oil and gas sector is a critical contributor to both Canada’s economy and the security and well-being of Canadians. As a result, the cyber security of the oil and gas sector is important to Canada’s national security. The oil and gas sector employs about 600,000 Canadians and adds $120 billion dollars to Canada’s economy, or about 5% of the gross domestic product (GDP). In Canada, oil and gas are used for energy to heat buildings, move people and goods, seed fields and harvest crops, generate electricity, and also serve as raw materials for many other manufactured products.

It is difficult to overstate the importance of the oil and gas sector to national security because much of our critical infrastructure depends on oil and gas products to operate. At the same time, critical infrastructure, and especially the energy sector, is increasingly at risk from cyber threat activity.?

In the United States, for example, Colonial Pipeline garnered international attention in May 2021 when it was forced to shut down the operation of one of the largest gasoline, diesel, and jet fuel pipelines in the US due to a ransomware incident.?

Although the pipeline was restarted a few days later, the disruption in the fuel supply resulted in shortages that caused the rerouting of flights, panic buying, and short-term price spikes. It was estimated that, at the time that the pipeline was restarted, the Eastern US was only a few days away from experiencing food and other shortages from the disruption of fuel to other sectors such as truck transportation.

Oil and gas sector primer

The organizations that participate directly in the oil and gas sector can be divided into three broad categories:

• Upstream: the organizations involved in exploration, extraction, and production
• Midstream: pipelines, transportation, and storage
• Downstream: refining, distribution, and sales

The upstream oil and gas sector organizations are involved in the discovery and extraction of crude oil and natural gas from natural deposits. Activities start with environmental and geological research and planning, leading to extraction, including drilling and operating oil and gas wells, and mining oil sands.

Midstream activities include the storage, processing, and transportation of oil and gas products. Oil and gas can be transported by pipeline, train, truck, and marine tankers. Pipelines are the primary midstream delivery mechanism for moving oil and gas products from producers to consumers in North America.?

Canada is roughly 7,500 km from east to west. In that space, there are about 850,000 km of gathering, feeder, transmission, and distribution pipelines for oil and gas products. This includes just under 120,000 km of large-diameter transmission pipelines used to move larger volumes of oil and gas long distances, often across provincial and international borders.?

Large storage facilities are connected to the pipeline network to counter changes in supply and demand so that pipelines are used efficiently. Natural gas is usually stored underground in large reservoirs; above-ground tanks are used for crude and refined oil, finished oil products, and natural gas.

The downstream part of the oil and gas sector is responsible for the refining of crude oil and raw natural gas into final products, as well as the distribution and sales of oil and gas products to clients. This includes refineries and chemical plants, and distribution and retail companies.

The cyber threat surface

Oil and gas organizations tend to have a broad attack surface of connected digital systems. These systems could include business information technology (IT) systems, industrial operational technology (OT) assets, and a connected web of suppliers of digital products and services.?

As we noted in our National Cyber Threat Assessment 2020, the more Internet-connected assets an organization has, the larger the threat surface, which could increase the cyber threat it faces. In 2019, Statistics Canada survey data shows that about 25% of all Canadian organizations classified as oil and gas reported a cyber incident - the highest of any critical infrastructure sector.

Like virtually all heavy industries worldwide, the oil and gas sector has embraced digital transformation of their OT in production, transportation, and distribution of their products. The digital transformation of the energy sector’s OT has many management, performance, and productivity benefits.?

For example, it allows organizations to centrally monitor and manage OT devices that might be spread over a wide geographic area. The Cyber Centre assesses that the digital transformation of OT assets is expanding the attack surface of vulnerabilities for cyber actors and exposing oil and gas sector OT assets to cyber threats.

Cyber threats originating in the digital supply chain

We assess that medium- to high-sophistication cyber threat actors are likely to consider targeting organizations indirectly by first targeting the supply chain. Cyber threat actors target the supply chain for two general purposes: to obtain commercially valuable intellectual property? and information from suppliers about the target organization’s networks and OT, and as an indirect route to access a target organization’s networks.

Large industrial asset operators, including those in oil and gas, depend on a diverse supply chain of products and services from laboratories, manufacturers, vendors, integrators, and contractors, as well as Internet, cloud, and managed service providers for daily operation, maintenance, modernization, and development of new capacity.?

Oil and gas OT asset operators’ dependence on the supply chain is a critical vulnerability that gives cyber actors inside information and opportunities for access to otherwise protected IT and OT systems. We assess that medium- and high-sophistication actors will almost certainly continue to target the supply chain for these purposes for the next 12 months and beyond.

The threat from the proliferation of cyber tools

The Cyber Centre notes that pre-built cyber tools and training in their use are becoming readily available via the Internet, and we judge that there is an even chance that low-sophistication actors with the intent to disrupt the oil and gas sector could adopt these tools to mount a future successful sabotage attack.

For example, there are OT-specific exploit modules in free cyber tools as well, such as the open-source Metasploit framework developed and released by researchers and security professionals for testing OT network defenses. These tools are widely available to actors of all sophistication levels and include documentation and tutorials in their use.?

The Cyber Centre is also aware of high-impact crimeware such as Trickbot, Qakbot, Dridex, etc., using the leaked commercial cyber tool Cobalt Strike to target large organizations and critical infrastructure in Canada. Both Metasploit and Cobalt Strike are in wide use by states and criminal groups to facilitate cyber espionage and ransomware activity.

In addition, a large illegal marketplace for cyber tools and services is greatly reducing the start-up time for cybercriminals and potentially other actors by enabling them to conduct more complex and sophisticated campaigns. Many online marketplaces allow vendors to sell specialized cyber tools and services that users can purchase and use to commit cybercrime, including espionage, distributed denial of service (DDoS ) attacks, and ransomware attacks, any of which could be used by actors intending to sabotage OT systems.

We assess that the wide availability of free, stolen, commercial, and criminal cyber capabilities and services is likely lowering the threshold of sophistication necessary to target and sabotage OT.?

In the National Cyber Threat Assessment 2020, the Cyber Centre assessed that the development of commercial markets for cyber tools and talent has reduced the time it takes for cyber actors to build cyber capabilities. Some vendors are developing OT-specific capabilities for sale to clients. As more cyber actors gain access to commercial cyber tools, actors that are interested in sabotaging OT, but previously lacked the capability, can now more readily attempt this type of cyber threat activity.?

The proliferation of commercial tools also makes it more difficult to identify, attribute, and defend against this cyber threat activity. We assess that although the threat to oil and gas from other actors is likely currently low, the inconsistent level of cyber security in connected OT devices, the global discoverability of devices on the Internet through OT-specific search engines, and the availability of free cyber tools will, in combination, likely increase the threat from low sophistication cyber actors in the near future.

The threat of cybercrime

We assess that cybercriminals motivated by financial gain, particularly criminals attempting business email compromise (BEC) and ransomware, are the top cyber threats facing the oil and gas sector. Although BEC is very likely more common and more costly than ransomware to victims, we assess that ransomware is almost certainly the main threat to the supply of oil and gas to customers.?

The underground cybercriminal ecosystem is continuously evolving to maximize profits and increase the payouts extracted from targets. For example, the adaptation of ransomware to a service model (ransomware-as-a-service, or RaaS) and the widespread adoption of stealing and leaking of sensitive data to increase the pressure to pay are two of the main drivers of the recent increase in successful incidents.

The oil and gas sector, like other parts of the energy sector, reportedly attracts more than its share of attention from financially motivated cyber threat actors due to the high value of the industry’s assets and the degree of customer dependence on the industry’s products. Other assets of value in the oil and gas sector targeted by cybercriminals include intellectual property, business plans, and stores of client information.

Since oil and gas organizations are part of Canadian critical infrastructure (CI), they are attractive targets for extortion because of the importance of these products and services to Canadians. Cybercriminal activity has the potential to disrupt operations and critical delivery of products by limiting a company’s access to essential business data in the IT network or by preventing safe control of industrial processes in the OT network. The disruption or sabotage of OT systems in Canadian CI poses a costly threat to owner-operators of large OT assets and could conceivably jeopardize national security, public and environmental safety, and the economy.

Cybercriminals are opportunistic and will not hesitate to exacerbate a crisis for profit. For example, in late January 2022, incidents at two subsidiaries of the German oil transportation company Marquard and Bahls and an unrelated ransomware incident at Amsterdam-Rotterdam-Antwerp (ARA) caused significant disruption in the delivery of oil products in parts of continental Europe, potentially worsening the existing energy crisis. We assess that cybercriminals will almost certainly continue to target high-value organizations in the oil and gas sector in Canada and globally.

The state-sponsored cyber threat to oil and gas

State-sponsored cyber activity against the oil and gas sector has become a regular feature of global cyber threat activity, especially in times of rising geopolitical tensions. Politically motivated state-sponsored cyber threat actors have targeted the global energy sector for both espionage and disruption/destruction.?

State-sponsored actors typically conduct espionage on oil and gas targets for foreign intelligence (to obtain oil and gas sector data of economic or foreign relations intelligence value) or for commercial reasons (to obtain business plans or valuable intellectual property to deploy for national competitive advantage).?

State-sponsored actors are almost certainly the most sophisticated cyber actors, and that some very likely have the capability to launch coordinated effects and target more than one CI component at a time. In addition, state-sponsored actors use a variety of tactics to work covertly and are often difficult to identify and attribute with confidence.

Commercial espionage

Canada's oil and gas sector will likely continue to be targeted by states for commercial or economic reasons. This could include organizations at any level of the oil and gas value chain. Oil and natural gas digital assets of value to adversarial states include an organization’s proprietary trade secrets, research, client data, and business and production plans.?

Examples of these assets might include oilfield development plans or research and development on equipment or techniques, which, if stolen, could result in a competitive disadvantage from lost investment, lost revenue, and damaged reputations.?

Pre-positioning and capability development

The Cyber Centre assesses that critical infrastructure, and especially the network-connected OT in critical infrastructure, is a strategic target for disruption or destruction by state-sponsored cyber actors in times of rising hostilities between states.

Energy, water, government, telecommunications, and finance sectors have been targeted over geopolitical disputes. Offensive cyber activity against oil and gas OT to deny essential products to a target country could be used to send intimidating messages about power and capability, delegitimize target governments, demoralize leaders and the public, degrade defenses, and threaten a population’s health and safety. We assess that it is very unlikely that a state-sponsored cyber actor would intentionally disrupt or damage the oil and gas infrastructure in Canada outside of hostilities.

Some large OT asset owner-operators, such as the utilities, pipelines, and refineries in the oil and gas sector, are not likely targets for commercial espionage because most of the commercially valuable IP in use and in development resides in the supply chain.?

We judge that the intent of most state-sponsored cyber activity against oil and gas sector OT asset owners is likely to collect information and pre-position cyber tools as a contingency for possible future sabotage or as a form of intimidation from a demonstration of state cyber power.?

These early stages of potential future cyber sabotage tend to resemble commercial espionage.

We assess that it is very likely that state actors are using the information gathered from cyber reconnaissance and espionage to develop access and additional capabilities that would allow them to sabotage the OT used in Canada’s CI sectors, including oil and gas.

State-sponsored cyber threat actors are almost certainly continually improving their capability to conduct destructive or debilitating cyber activity against CI. They do this by locating and prioritizing systems of interest, identifying vulnerabilities, developing access to and pre-positioning in those systems, conducting espionage on the OT in use, and developing techniques and tools to disrupt or destroy the OT.

In early 2022, Pipedream (aka Incontroller) malware was uncovered, with modules for exploiting OT supervisory workstations and affecting industrial OT automation and safety controllers typically found in liquefied natural gas and electric power facilities. The heightened level of technical sophistication of PIPEDREAM over earlier malware such as TRITON points to both a state-sponsored author and the effort that these actors are willing to commit to developing OT-specific offensive cyber capabilities.

The state-sponsored actors intending to disrupt the supply of oil and gas in Canada are likely to target supply bottlenecks in the product transmission and processing stages to maximize the effect. Potential targets for this activity could include large-diameter pipelines, marine terminals, and major refining facilities.

Other actors

We assess that low-sophistication actors such as terrorists, hacktivists, thrill seekers, and disgruntled individuals, motivated to attract attention by embarrassing or harming the sector through public incidents are currently more likely to engage in noisy, nuisance-level cyber activity, such as website defacement, than to attempt direct OT disruption.?

Outlook

The cyber security of Canada’s critical infrastructure is also national security. The oil and gas sector in Canada plays a major role in the economy, both as a contributor to the GDP and as an energy provider to other parts of the Canadian economy, critical infrastructure, and Canadians. The importance and high profile of the oil and gas sector, along with its expanding threat surface from digital transformation, makes it a target for cyber actors intent on maximum disruption.

The Cyber Centre encourages all critical infrastructure network owners, including those in the oil and gas sector, to take appropriate measures to protect their systems against the cyber threats detailed in this assessment. The Cyber Centre joins our partners in the US and the UK in recommending proactive network monitoring and mitigations. The US Cybersecurity and Infrastructure Security Agency's (CISA) advisory.”

We hope this article shed light on the critical intersection of cyber security and the energy sector, with a particular focus on Canada's oil and gas industry. We aimed to underscore the indispensable role of this sector in the nation's economy and emphasize the imperative of safeguarding it against evolving cyber threats.

By delving into the intricate threat landscape, we hoped to highlight the vulnerabilities inherent in the digital transformation of energy infrastructure. From state-sponsored actors to opportunistic cybercriminals, the range of threats facing the sector is diverse and ever-evolving. We also aimed to underscore the significance of the energy sector's susceptibility to cyber attacks, given its status as a cornerstone of Canadian critical infrastructure.

Mitigating these risks necessitates proactive cybersecurity measures and a comprehensive approach to building resilience. Recommendations from cyber security experts emphasized the adoption of robust defense mechanisms and the cultivation of a cyber-aware culture within organizations. Furthermore, collaboration and information sharing among stakeholders are essential for effectively countering cyber threats in the energy sector.

Ultimately, the cyber security of Canada's critical infrastructure, including the oil and gas sector, is intrinsically linked to national security. We hope we underscored the importance of collective action in fortifying the resilience of energy systems and encouraged stakeholders to implement proactive measures to mitigate cyber risks. By prioritizing cyber security, the energy sector can continue to thrive and fulfill its vital role in powering Canada's economy and ensuring the well-being of its citizens.

At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.

Every device connecting to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business's IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.

Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.

To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at [email protected]