Hacktivists Vs The Oil and Gas Industry

Technology and the strategies surrounding cyber attacks have begun a transformation, with many of the known hacking groups rapidly adapting to the security measures often put in place by industrial operators to minimise such attacks. Yet, with ever increasing and rapidly changing digitalisation of industrial assets, the concern for cyber attacks is mounting and knowledge behind why there are groups targeting industrial players may be linked to ‘Hacktivists’. 

What are Hacktivists?

The corporate finance institution defines ‘hacktivism’ as “a social or political activist attack by using a plethora of hacking methods that allow them to gain access to personal computers, where they can take control and gain private information.” (CFI, 2021) Within the oil and gas industry there are many access points that can be threatened by hacktivists. For illustration, one of the biggest cyber attacks this spring was on the Colonial Pipeline, the United States’ largest fuel pipeline. This attack was attributed to the hacktivist group DarkSide who created ransomware that spurred the shut down of the lines. Overarchingly, there’s a crimewave of ransomware specifically made for the energy industry. A notable case was the Energetic Bear attack of 2014. These hacks have a devastating impact that goes beyond more than just a fiscal dent. The impacts include social disruption, environmental risks, and the potential for loss of life. 

Colonial’s spokesperson said, “Remediation and recovery is not necessarily a quick and easy process, and while essential functionality can be restored more quickly, it can take organizations weeks or even months to fully return to normal operations”.

When and how did hacktivism rise?

Hacktivism dates back to 1994, originating from a hacker group called “Cult of the dead cow”. It started as a way for people to protest online to effect change. Still, these hackers tend not to be motivated by malicious intent and their ideology is similar to that of vigilantes attempting to enact social justice. There’s no one way these individuals operate; alone or in groups, ranging in size and geographical location; often through a decentralised structure. With the impacts of global warming and climate change ever pressing in our modern day society, it can be easy to blame the most apparent of these greenhouse gas producers, without acknowledging the efforts to make industry cleaner. 

G7 goal 7; cleaner industry, cleaner energy…

The G7 has highlighted this point; with goal 7 focused on implementing a cleaner and more sustainable energy industry. A simple “flip” to renewables alone is not only unrealistic but also unattainable with current renewable production centres, as this transition should be focused on changing the way we produce and consume energy.

The digitisation of industry enables this; with more data we can focus on carbon releasing processes that have the highest concentration and minimise waste and reduce the replacement of components. Making a solid impact and encouraging energy organisations to align with operations to Goal 7 will hopefully aid in the decrease in hacktivism (from climate impact motivations), as industry would be making progress towards a cleaner industry.

There are many more factors that contribute as motivation behind cyber attacks. The Darkside Group said they are ‘non-geopolitical’ and were ‘motivated by money’, however the landscape has definitely changed since Covid-19 and revealed vulnerabilities in the industry make it much more susceptible to cyber attack.

Cyber-security audits during Covid-19

How does cyber security in industry work then? Effectively, the Network Behavior Anomaly engine in the SCADA (Industrial Control) Network has the ability to pick up anonymous mapping activities and call outs that go out to command and control servers and serve to protect many direct attacks.

However the increase in virtual transition for many companies has been an abrupt one. With Covid-19, most operations have been left to managers attempting to plan and strategise remotely. Increasing digitisation and automation is on the rise in the oil and gas industry, which means there are more digital “doors” that can be breached if not properly protected through security. There are several dangers of embedded systems, which are greatly reduced when security tools monitor all behaviour elements and review all traffic, not just concentrate on known ports throughout the system. 

The increase of virtual meetings has also come around with cyber security very much an afterthought. For example, there has been a rise in ‘Zoombombing’, a phrase given to those not invited to Zoom meetings and enter without permission. Though these rather juvenile occurrences may not seem immediately threatening, in large confidential meetings of 100+ members, it can lead to a security breach if information if extended to individuals with malicious intent and use that information to launch further attacks. Of course, there are frameworks and safeguards that can be put in place, Zoom allows the host to restrict users by location and control which individuals can join the call, rather than admitting them immediately. This is one example of the unexpected adjustments and potentially critical access points that may be missed in a traditional cyber security audit. 

Industry data vulnerabilities?

Industry organisations often will have a multitude of data set sources and data interfaces. These are secured with encryption and multiple layers of security. The issue is that hacking has innovated itself over the years, there is behavioral manipulation that can offer vulnerabilities from an internal workforce perspective. A way that organisations attempt to tackle this is having a trusted workforce with different hierarchical access points based on the role of the individual. Though, it is those with administration access, authority access or access to core data sources that are often targeted. Regular password audits, three-factor authentication and email scanning can aid to protect the human-failure potential in hacking. 

Part modernisation within analogue industrial units can be a focus for attacks as they operate as data sources for their data interface, without acknowledging that these systems are a part of the platform and any corruption to data ingestion will carry through to the main systems. There are several hacking tactics that should be known:

• DDoS (Distributed denial-of-service) is a tactic to overload computer systems and crash company websites, this is commonly performed on large organisations
• Defacement is a tactic to alter the appearance of websites, this tactic is most commonly done to spread activist agendas
• Doxxing is a tactic to leak confidential information from organisations and government bodies

How industry’s current cyber-security is lacking

Security and cyber-security should be regularly monitored, in addition to ensuring that those working at home have proper security systems in place. Keeping in mind that initial attacks can always be a dry run for bigger attacks. The industrial control systems cyber emergency response team published several mitigation techniques; from keeping patch levels up to date to “whitelisting” legitimate executable directories, in addition to preserving any detected evidence from an attack for forensic analysis, both externally and internally.

They also recommend having multiple layers of cyber-security that are regularly monitored and updated, and implementing an automated incident response platform in addition to the regular industrial monitoring. Immense security is needed throughout the platform, not just on known ports, and purchasing security software for individuals to implement in their work from home environment such as Total AV and McAfee may be useful for a multi-faceted approach. Frameworks and strategies to formulate an in-depth response plan is key to prospective strategies for attacks. Having a centralised system with strong cyber-security systems could be crucial to tackle the struggle in documenting who has access to what between managerial layers and producing foresight to attack-vulnerabilities before they arise.

Why does this impact Dashboard, what can we do?

Dashboard has a committed approach to IoT security. We believe this problem will not persist for much longer and can be resolved, from our experience, all significant harm to industry and consumers can be avoided. Real-time monitoring for anomaly small threats can easily become bigger in no time, which is why Dashboard would like to emphasise the importance of protecting energy structures, especially since infrastructure-based organisations and systems are often seen as easy targets. We design our Industrial Internet of Things platform in a security first pattern to ensure it’s secure at all stages and install effective encryption solutions to ensure protection.

In addition, Dashboard has invested in a quantum encryption project that has redesigned our cyber security. Our role-based system means that operators and management have access to different information on the platform, limiting the human-interactivity weak points due to homogenous access throughout the levels of management.