In October, four South Korean hackers in Shanghai spent seven hours attempting to infiltrate an oil refinery’s corporate network to gain access to its control systems and shut the facility down.
Another 15 minutes or so, and they likely would have succeeded.
Fortunately for the industry, the attack was not real. It was performed in a live-televised cybersecurity competition put on by Internet security firm Kaspersky Lab. The competition pitted teams from around the world in a race to breach a model of a real oil refinery that is one of the company’s clients.
None of the three teams in the final managed to bring the refinery down; the South Korean team came closest and won the contest. But as the organizers note, real-world hackers do not operate under such tight time restrictions.
“The contest demonstrated once again that, by exploiting weaknesses in the corporate network’s protection and network configuration faults, a remote threat actor can gain unauthorized access to the industrial segment of the network,” Kaspersky’s industrial control system vulnerability research group manager, Vladimir Dashchenko, said.
This was the third annual cybersecurity competition that Kaspersky has held. The 2016 contest invited hackers to penetrate the network of a model power plant.
The competition highlights the vulnerabilities of critical infrastructure, including oil refineries, as the stakes of cyberwarfare grow. The environmental and human toll of a cyber-induced disaster could be significant, to say nothing of the disruption to oil and gas markets.
“Oil and gas is one of the industries that is essential to how societies and economies function,” Dashchenko said.
The Moscow-based company earlier this year said it discovered malware infecting a control system installed at more than 1,000 gasoline stations that would have allowed hackers to shut down fueling systems, change fuel prices and cause leakages, among other acts of sabotage.
Kaspersky itself has faced allegations of helping the Russian government spy on its customers, as the US has banned the use of its products on federal networks and reportedly is weighing sanctions against the company.
The company denies the charges and says it is “caught in the middle of a geopolitical fight” between the US and Russia.
Most sophisticated cyberattacks on oil refineries and other critical infrastructure are multipronged.
Hackers will first try to infiltrate the facility’s distributed control system (DCS) or supervisory control and data acquisition system (SCADA) by installing malware that collects intelligence on its operations, security features and other sensitive information.
They will often also try to gain access to the plant’s independent safety control system, usually with the intention of being able to override automatic shutdowns.
The malware installed to gather this data can lurk on systems for years undetected.
Then, when assailants have gleaned enough information on the facility’s vulnerabilities and the time is right for an attack, they will unleash the targeted, sophisticated code they have developed to bring down the refinery – or worse, cause a catastrophe, such as an explosion that was narrowly averted at a Saudi petrochemical plant last year.
Investigators say that attack was foiled because of a glitch in the malware that had targeted the plant’s safety system.
“Most of the activity seen has been reconnaissance penetrating systems to try to understand these SCADA systems, such that when the attack is made, it’s effective,” said Daniel Quiggin, a fellow at Chatham House who studies energy systems.
To reduce the risk of being hacked, many facilities are “air gapped,” or isolated from public networks. But air gapping is not foolproof, as hackers can still use creative methods to exploit security holes and access secure internal networks. For example, they could steal personal information from an on-site vending machine that uses a wireless internet signal to transmit data and use it to breach the refinery’s secure operating and safety networks, or program a security camera’s infrared LEDs and sensors to transmit information.
“It’s good to have isolation, but there’s no such thing that could secure you with isolation,” said Beyza Unal, a senior research fellow with Chatham House’s International Security Department. “Now we are in an age where the legacy systems can’t cope with today’s needs. There are so many cases where we know air gapping wasn’t enough.”
Once the air gap is breached, facilities are as good as hacked. Companies are largely focused on protecting the perimeter of a plant from hacking, but have relatively few tools to detect or prevent an attack once the hacker is inside the system, experts say.
Capture the flag
In the Kaspersky contest, the teams had to solve several tasks to breach the perimeter of the model refinery’s corporate network. Once they had accomplished that, they would be required to figure out the internal industrial system’s communication protocols and command the refinery to shut down.
The South Korean team was at the final stage of the corporate network level, the most difficult part of the competition, when time expired.
Had they gotten past it, the rest of the job would have been “very easy compared to the previous tasks,” Dashchenko said. “Based on our estimation, they were just 15-20 minutes away from completing it.”
The event did not reveal any previously unknown security holes, known as zero-day vulnerabilities, as happened in Kaspersky’s previous two contests. But these exercises, known as “capture the flag” or CTF, are a crucial step for testing the security of computer systems, as the conditions closely model real-life scenarios.
“Everything that happens at a CTF site can also happen to real critical infrastructure and industrial systems,” Dashchenko said. “Cybersecurity risks [for oil refineries] are still high, and the industry should still take proper security measures for better infrastructure protection.”