There is no air gap between IT and OT – that was the key message for oil and gas sector CISOs coming out of the Black Hat Amsterdam talk by Alexander Polyakov and Mathieu Geli.
Their key recommendation: review all connections.
In their presentation, "Cyber-security for oil and gas industries: how hackers can manipulate oil stocks", the pair gave an overview of the structure of oil and gas cyber-security, including its points of vulnerability, dividing the industry into three main processes – upstream (exploration and drilling/production), midstream (pipelines, transport and storage), and downstream (sale and usage).
Each process has its own SCADA, ICS and field control systems, and with many different companies, each with different vulnerabilities based on different configurations, the attack surface is broad.
Burner management systems (BMS) are one area that is easy to manipulate, they said. These systems protect against explosion by preventing unsafe combinations of the heat, fuel and oxygen needed for combustion.
It was explained that attackers wanting to commit destructive sabotage would need only to control one of the conditions for a flammable mixture, for instance: a leak of fuel into the combustion chamber, no purge after firing, insufficient combustion air, quenching of the flame by cold dust entering the furnace, or repeated unsuccessful ignition attempts with the risk of fuel accumulating in the furnace.
The simplest attack on the BMS is to turn off the purge.
Metering is another risk area, affecting information about the sources of supply. It is an important fiscal issue, as metering measures the quantity of oil in storage or delivery, derived from complex volume calculations that depend on fluctuating ambient temperature.
SAP systems control 75 percent of the world's oil, so a small change in reported stocks affects the oil price; price can therefore be manipulated by tampering with the reporting of stocks – for example, an energy pipeline error of 0.1 percent could equal £50 million a year. If the figure can be artificially pushed up or down there are illegal gains to be made either way, as the commodity price will rise with a shortage and fall with excess.
But while the flow meters and flow computers are relatively hard to manipulate, data aggregation and management were described as easy to manipulate. And when it comes to storage, business enterprise applications are connected to oil and gas processes to share the data. There are “at least five different ways to get from operations to enterprise – there is not an air gap even if people imagine there is,” said Polyakov.
Looking at the vulnerabilities, misconfigurations and custom code issues that enable hackers to move from enterprise IT to operations, the researchers reported more than 3,500 vulnerabilities in SAP and a similar number in Oracle, along with hundreds of misconfigurations. There are also custom code issues and vulnerabilities, as well as backdoors left by third-party organisations.
The range of attack vectors to get to the plant, reported on Erpscan.com, covered Oracle EAM, SAP HANA, SAP xMII and SAP PCo, and included XSS, SQL injection and XXE injection vulnerabilities.
Geli explained how SAP HANA could be attacked, including how they found memory corruption using a specially crafted HTTP request and then gained full control of these servers (since patched).
SAP MII (Manufacturing Integration and Intelligence) was then described by Geli as the bridge between enterprise and manufacturing, as it runs on top of SAP NetWeaver J2EE.
Meanwhile, a blind SQL injection/XXE flaw yields the admin password – a vulnerability that they have not fully disclosed, as it has not yet been patched.
With admin access it was possible to obtain OS command execution. The compromised system could then be made to connect back to a machine run by the researchers, giving them remote control.
A backdoor was dropped to get a remote shell, followed by further host compromise in which the researchers found not only an encrypted database but also the key to decrypt it.
The PCo was hosted on the OT network, with SAP Plant Connectivity forming the bridge between the industrial world and the SAP manufacturing modules. Escalation continued until the researchers finally acquired administrative access to MII.
The password was 3DES-encrypted, but the key was inside the Secure Storage within MII – described as well designed and difficult to reach without being an ME Administrator – and it was possible to gain control over the encryption and reduce the protection to a Base64-encoded password (fixed this month by SAP).
The MII-PCo connection is not authenticated by default, so it was possible to spoof the PCo, kill the real PCo and have MII show that all is OK.
At this point it became possible to steal oil while the tank level shown on the indicators does not change.
Polyakov commented: “We are now inside the OT network and can do what we like.”
Some of the other useful advice for would-be attackers came from an SAP help forum, where users posted advice on how to overcome problems, including configuration problems.
In a demonstration using a water tank to represent oil storage, the researchers showed how the attackers' fake messages appear on the readout, so that even when the water was allowed to flow out into the system until the tank was empty, the indicator still showed it as full.
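A defender-side plausibility check for the failure mode shown in this demonstration and in the spoofed MII-PCo feed described above, as an added example that is not from the talk, from ERPScan or from SAP: the level the tank should have, integrated from an independent flow computer, is compared with the level the indicator displays, so a reading that stays frozen while product leaves the tank is flagged. The field names, tolerance and sample values are constructed for the example.

```python
"""Cross-check a displayed tank level against independent flow-meter data.

If the level reading reaching the enterprise side is spoofed (for example a
fake PCo feeding MII), it stops tracking reality while the flow computer on
the outlet keeps metering product that leaves the tank. Integrating metered
outflow gives the level the tank should have; a growing gap is the signal.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Sample:
    t_min: float            # minutes since start of the observation window
    level_m3: float         # level as displayed via the MII/PCo path (may be spoofed)
    flow_out_m3_min: float  # net outflow from an independent flow computer


def expected_levels(samples: List[Sample], initial_m3: float) -> List[float]:
    """Integrate metered outflow (rectangle rule, rate taken at interval end)
    to obtain the level the tank should have at each sample time."""
    levels, level, prev_t = [], initial_m3, samples[0].t_min
    for s in samples:
        level -= s.flow_out_m3_min * (s.t_min - prev_t)
        prev_t = s.t_min
        levels.append(level)
    return levels


def find_divergence(samples: List[Sample], initial_m3: float,
                    tolerance_m3: float = 5.0) -> Optional[float]:
    """Return the first sample time at which the displayed level disagrees
    with the metered level by more than the tolerance, or None if they agree.
    The tolerance absorbs meter uncertainty and temperature correction noise."""
    for s, exp in zip(samples, expected_levels(samples, initial_m3)):
        if abs(s.level_m3 - exp) > tolerance_m3:
            return s.t_min
    return None


# Constructed data: outflow of 2 m3/min starts after t=10, yet the displayed
# level never moves from 1000 m3 (the "empty tank still shows full" case).
SPOOFED = [Sample(0, 1000.0, 0.0), Sample(10, 1000.0, 0.0),
           Sample(20, 1000.0, 2.0), Sample(30, 1000.0, 2.0), Sample(40, 1000.0, 2.0)]

# Constructed data: same outflow, displayed level tracks the metered volume.
HONEST = [Sample(0, 1000.0, 0.0), Sample(10, 1000.0, 0.0),
          Sample(20, 980.0, 2.0), Sample(30, 960.0, 2.0)]

if __name__ == "__main__":
    print("spoofed feed diverges at minute:", find_divergence(SPOOFED, 1000.0))
    print("honest feed diverges at minute:", find_divergence(HONEST, 1000.0))
```

In practice the flow computer and the level indicator must reach the monitoring point over separate paths, otherwise a single spoofed feed can falsify both.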
Some 1,000 attendees are expected during this 15th Black Hat Europe event.