Emerging Risk Brief
Cyber Attacks on US Pipelines in 2019
On March 15-16, 2018, the U.S. Computer Emergency Readiness Team (US-CERT) released a joint Technical Alert (TA), which was the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provided information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors. It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques and procedures (TTPs) used by Russian government cyber actors on compromised victim networks. DHS and FBI produced this alert to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity.
DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally and collected information pertaining to Industrial Control Systems (ICS).
In addition to this advisory, it is further believed that these incidents shed light on the many vulnerabilities that utilities face. Pipelines usually have three ways to connect at any station, including a primary network, a backup network — such as GPRS, microwave or satellite — and an array of insecure devices such as modems that are used in pipelines due to large geographic distances.
In March 2018, various major U.S. pipelines across the country reported data system blackouts after a third-party electronic communication system was attacked. At least four U.S. pipeline companies reported their electronic systems, used to communicate with customers, shut down over the last few days. Three of the companies confirmed it was the result of a cyber attack. The primary target was their electronic data interchange (EDI) system, which was identified as Energy Services Group’s Latitude Technologies Unit. This system controls computer-to-computer document exchanges with customers.
At the time, it was unclear whether the attackers were targeting customer data or looking to extract money from the company via DDoS or ransomware. However, several pipeline providers confirmed that they were affected by a cyber attack: Oneok, Boardwalk Pipeline Partners, Energy Transfer Partners and Eastern Shore Natural Gas.
The attacks came at a time of heightened tension between the U.S. and Russia, with the DHS and FBI issuing an alert recently that the Kremlin has been targeting U.S. critical infrastructure for some time (US-CERT Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors). However, it was not confirmed that these are the threat actors in this attack.
The Fortress Emerging Risk Intelligence team will continue to monitor its vast sources and provide further information to our energy industry customers as new events are identified and confirmed.
Because many enterprises use EDI transactional services in their daily operations, indicators of compromise (IoC) in these systems should be taken seriously and drive immediate analysis and remediation efforts.
Our Intelligence team confirms that attacks on energy and critical infrastructure targets came from third-party connections. This data highlights the need for enhanced vigilance of “Third-Party Risk Management” in their organizations. An enterprise's technical footprint and SCADA / OT / ICS environment may be extremely large and complex, requiring a system to monitor both the Third-Party Risk Management and the associated vulnerability management of the OT environment.
The tangible effects of a cyber attack or a breach into the OT networks and the subsequent stoppage could measure 100,000 barrels per day and reduce the refinery’s profit by an estimated $1.4 Million dollars per day. Attacks on enterprises that own multiple refineries and other facilities could result in over $40 Million dollars per day. Such incidents could have a downstream effect in storage and distribution networks, further heightening the monetary impact to the company and its reputation in the market.
The effects of a “Third-Party” Breach combined with known emerging cyber risk vulnerabilities could impact your company in various areas:
- Physical Damage — The attacker may propagate into your networks causing disruption or physical damage to your systems, resulting at minimum in stoppage of product flow and, at worst, resulting in damage to systems causing catastrophic damage and possible loss of life.
- Reputational Risk — As breaches are discovered and publicized, scrutiny from federal agencies, state agencies and your customers could result in financial impacts — ranging from fines, extensive remediation efforts and loss of revenue — and decreased investor and customer confidence.
- Loss of Revenue — Loss of potential revenue and direct impact to profit could occur. During the last year, cyber attacks utilizing WannaCry and NonPetya ransomware caused more than $300M in losses to Maersk, the largest container ship company in the world. This attack on its operational systems forced the company to reinstall 4,000 servers, 45,000 PCs and 2,500 applications in ten days, during which many of the container ships and port facilities were forced to operate utilizing just phone and non-computer-based tools.
Our analysts strongly recommend that security teams take the following actions:
- Contact Energy Services Group’s Latitude Technologies Unit EDI, maker of the electronic data interchange (EDI) system.
- Pipelines using traditionally insecure devices on primary or back-up networks — such as modems, GPRS, microwave or satellite — should be identified, monitored, patched and (if the technology is no longer supported) replaced or architected behind other security items / controls.
Build and scale corporate cybersecurity program, which can continuously identify, prioritize, monitor and provide security risk and patch management support to your OT / ICS / SCADA systems.
- Conduct a penetration test / vulnerability scan of all potentially impacted systems.
- Identify any connections to third-party software, systems and components. Assess the risk posed by connections or loss of those systems. Create a risk-based third-party cyber risk program, which continuously monitors the changes in risk associated with those systems and the vendors who control them.
- Review and test current incident response, business continuity and disaster recovery programs. Consider both the likelihood of the attack and the type of business impact.
- Conduct a full-scale All Hazards Cybersecurity assessment based on potential downstream cybersecurity risks through your entire value chain (see business impact and technical implications below).
Business & Legal
Revisit contract language to ensure third-party relationships reflect the risk posture and risk acceptance requirements of the company.
Establish baseline for normal pipeline operations and monitor for anomalies. Then add technology and analysts to proactively detect and remediate issues and threats identified. This will demonstrate diligence to investors and customers should an incident occur.
Below is an illustrative example of the importance of the All-Hazards risk analysis, utilizing industry data: