Gas and oil industry: easy targets for hackers

Security researchers warn that cybercriminals could, with comparatively simple methods, take control of a significant share of global oil production.


The cryptologists Alexander Polyakov and Mathieu Geli of the security company ERPScan show how things stand with the security of IT and operational technology (OT) systems in the gas and oil industry (PDF download). They describe a broad range of targets, reaching into ERP systems. In the worst case, hackers could in this way control 75 percent of global oil production, Geli and Polyakov warn.

In their presentation at the Black Hat Europe security conference in Amsterdam, they showed that SCADA systems can be infected not only the Stuxnet way, through a USB flash drive, but are also directly vulnerable over the Internet.

Infiltrating OT systems via IT systems

The problem is that many OT systems are closely linked to IT systems, the security researchers explain. This gives an attacker the opportunity to launch attacks over the Internet or the network. As an example, they cite equipment in production facilities that collects data on oil volumes and forwards it to an oil company's IT network for processing. These very connections are said to be often insecure and to give hackers access to SCADA systems, for instance.

In this case, the attacker could, for example, manipulate the information on oil stocks and cause economic damage as well as affect the world market. From this position, attackers would also have access to critical control systems and could paralyze an entire factory.

Vulnerable systems are widespread

Once a hacker has reached critical control systems via an IT system, they can exploit vulnerabilities within them. Here, Geli and Polyakov refer, among other things, to recently uncovered memory errors in SAP HANA. The in-memory database is used, for example, in the Rolta OneView system, which is often used in the oil and gas industry.

In their investigations, the security researchers also found vulnerabilities in various Oracle platforms, OTC servers and SAP systems through which attackers can get into OT systems. Insecure configurations of the systems are also said to open the floodgates to attackers.

In addition to the connections within an IT network, administrators therefore also need to check the connections of the OT system for security and so locate possible entry points for attackers, Geli and Polyakov advise.