Cyber Security Threats Lurking in the Shadows
In the age of breakthrough technological progress, we find ourselves in a world of daily developments in blockchain technology, digital payments, and hyper-connectivity. As we become an even more digital-dependent society for everything from ordering groceries online to moving oil well production data safely to operators, we must ask ourselves, “is this data safe?”. Recent events with the Colonial Pipeline remind us that the answer is “not always.”
SCADA security is a keystone element to our critical infrastructures that make everyday life possible. Without these systems in place, things as simple as filling up your car with gas, or heating your home would not be possible. Many of these SCADA systems don’t come without their faults, though. They are often interlaced with porous, outdated software that leaves them vulnerable.
Although these monumental steps in development, integrated networks, and wireless communications are incredible turning points in many industries, there are bad actors lurking in the shadows, waiting to pounce on potentially lucrative opportunities in the forgotten (or ignored) blind spots of legacy software systems.
Thankfully, Iron IQ is leading the way on how Oil and Gas companies need to adapt and implement change in their business services and IT structures to avoid and crush these threats before they happen. We sat down with subject matter experts Josh Spraker (Iron-IQ CRO) and Jacob Allred (Iron-IQ VP SCADA Product) to discuss SCADA solutions, SCADA security, recent events, and industry outlook as it relates to Big Oil in the digital age.
What are common oversights you see from energy companies?
To make it as clear as possible – SCADA is the backbone of all the data being collected, aggregated, and normalized from the field. It’s the central nervous system of the Oil and Gas business, and it should be treated as such. If you lose control of this system, your business is at a standstill and bleeds money & resources each second operations are offline.
There are other considerations as well. If the system is ever compromised, you have to consider the ripple effects across the entire business chain. This could manifest itself as a hazardous situation, impacting the surrounding community and environment. Safety is by far the number one priority of our industry, so these matters are taken incredibly seriously.
Furthermore, a compromised system makes it difficult for the business to understand what’s happening across all its channels. Many teams need this data – Marketing needs the data endpoints, the business office runs off the data, and of course, consumers downstream in terms of gasoline, heating, and electricity. Something as central as an Oil and Gas manufacturer going offline will paralyze everything connected to it.
What are things people may not consider when a SCADA system goes offline?
From a basic standpoint, many of the workers in the field are on contract, and their pay is based on hours worked and jobs completed. If there is no data being fed to them so they can make adjustments, check assets, or monitor systems – they will continue working, but have to do everything manually, and that is rife with challenges.
It’s not only that the business itself is bleeding cash with every passing moment the system is maliciously locked up or hacked; Every piece of the operation relies on the information stored in their network. Without it, you are (in the best-case scenario) offline for a few hours, and things grind to a halt, and at worst, you are talking about days offline, resulting in a potentially dangerous situation.
What’s the worst that can happen?
With all this talk of SCADA and security, you have to give a nod to the Stuxnet virus. It appeared to be a very sophisticated virus with the sole intention of infiltrating a SCADA system controlling Iranian PLCs. The malicious code was able to control the centrifuges that spin nuclear materials at an enrichment facility. More chillingly, it was able to display all operations as functioning normally to plant operators. You can project the life-threatening ramifications of that type of hack going unchecked.
“These viruses infiltrate and embed themselves into the core processes that can change production or instrumentation, control commands, override programs, all while controllers are scrambling to identify why it is happening – or worse – they’re under the impression all systems are normal since many malicious attacks can hide.”–Jacob Allred, VP SCADA Product
The other side of the coin is ransomware, which starts undetected, but will present itself once the attacker has your system locked up. In both cases, you don’t have a lot of great options, and you better hope you have a plan in place to recover. But like we’re seeing with the Colonial Pipeline, sometimes the extent of the hack is such that it makes it difficult to know if you’re back to a clean state with your new deployment, or there aren’t any new backdoors embedded in your control network. It’s a huge problem at that point.
Think of a malicious attack like someone controlling the lights in your house. One light goes off and you can’t figure out why. So you reset the breaker and they all come back on – you think the problem is solved. A few moments later – they all turn off again and you can’t figure out the source. Resetting the breaker doesn’t work and then you get a message on your phone saying, “Pay me $1m dollars and I’ll leave your lights alone”. That’s what’s happened with Colonial Pipeline.
What’s happening during a cyber attack?
Firstly, there will be dozens of internal phone calls made to try to understand the situation and figure out why the system is locked up – if they are even successful at understanding that they have been compromised. Every minute is devastating to the overall production and safety of the plant, well, or production facility. It causes chaos because communications are effectively running blind. I’ve worked with SCADA teams in the past that have had comms offline for an hour. That’s just field communications, not the entire system.
Now, imagine a SCADA system being offline for a week. The impact on both financial and environmental levels is orders of magnitude more devastating, which is likely why Colonial Pipeline decided to pay the ransom. Being thrown into this situation takes your control operations back decades. You will need to jump into your truck and start hitting your routes because that’s the only way to gain visibility into your assets if you’re in this type of scenario. Your operations are entirely hindered. Every man has his price, and these hackers know what your business is worth.
What was the core flaw with the Colonial Pipeline that allowed the hacker group to take over their systems?
From what we’ve gathered, it was due to an unpatched active directory server. Typically, IT at these facilities secures the networks, but the content of the systems is often overlooked. We see this all across the country with people we talk to in the industry. They are working on a legacy application that hasn’t been updated in a very long time resulting in numerous vulnerabilities.
Not everyone runs regular audits, intrusion detection, updates software, applies patches, or does monthly patch rollups because teams would rather have a stable system than a secure one. These legacy applications need to be constantly updated to stay compliant. Still, not all companies adhere to best practices and remain a considerable threat vector.
“Think of it like installing Windows 2000 on your PC right now and NOT patching it. Next, plug in the network cable to the internet – how long do you think it is before something catastrophic locks up your computer?”–Jacob Allred, VP SCADA Product
Control networks are supposed to be on a segregated network from the business, and even air-gapped, but the reality of the situation is that a lot of producers don’t take security seriously, or some SCADA systems have their own special rules that allow them to navigate from business into control and back. Those are the exact vulnerabilities that these hacker organizations will exploit.
What precautions must be taken for those still on legacy SCADA systems, and what’s preventing them from updating to modern cloud-based SCADA solutions like Iron-IQ provides?
There are no sure bets with old legacy systems as they all have inherent flaws. The software, in many cases, has been used for so long that if you change one aspect of it, you can cause cascading breaks within the environment and expose yourself to even more risks. Many producers feel like they can’t make a move since they have hours & hours invested in the setup and finally have things where they want them. The changeover is also very complex and delicate if not done correctly.
Discussions surrounding change management go top-down, meaning that the C-Suite is driving decisions that usually go against what their IT or security experts recommend. It is true that there are costs associated with upgrading, but the longer you put it off, the harsher the potential consequences are by using outdated, on-premise legacy software. You really can’t afford to wait any longer in the current climate.
How does Iron-IQ mitigate these risks with their powerful, cloud-based SCADA solutions and SCADA security protocols?
We really look for the pain points and share how we minimize the lift of change while holding your hand through the entire process. This allows businesses to scale back on meetings, people in the field, and site visits. One of the first things we ask a potential partner is – do you have a NOC (network operations center) in place or a team monitoring operations? You can not have just one IT guy or a SCADA guy – an entire, dedicated team is needed to handle things. Still, many producers operate on an insufficient skeleton staff and believe they are covered.
“Iron-IQ brings that all-in-one solution to you since we are not just a SCADA provider but also a SCADA security provider. We monitor and manage things while you sleep, and we’re the first person contacted in an emergency event. With us, it’s as easy as knowing that your system will be there regardless of what threats attempt to take it offline.”–Josh Spraker, Chief Revenue Officer
What would you say to a potential partner that’s skeptical of joining Iron-IQ in this SCADA revolution?
Imagine your current SCADA system as a car you’ve owned for ten or maybe 20 years. If you’re a car guy, you know how to get in and maintain those systems, keep it running just right. Now, your friend wants to drive across the country with their family in style, and they ask to borrow your old car. Would you let them borrow your car for a couple of weeks? Maybe, but you would probably suggest they bring along a mechanic to keep it running! These legacy SCADA systems are so delicate that they require a trained specialist to keep the system up and running all the time.
Additionally, your legacy system doesn’t grow at the same rate as technology does. SCADA, built for the cloud, has access to many cloud-based services that can add massive value to your platform at very cost-effective prices. In the world we’re in now, getting your data into these new services is accessible in ways you never thought possible. At some point, it’s time to trade in your beater for a new car.
What are your final thoughts on SCADA Security?
The problems we’re seeing are widespread across the nation. There are attacks happening every single day because so much software is outdated, has weak points, or is just poorly maintained due to things like cost constraints, fear of the unknown, or fear of taking the blame if something goes wrong. So many engineers are wearing multiple hats trying to cobble together systems that are effectively obsolete or teetering towards dangerously insecure, all because the producers are comfortable with the devil they know.
The industry is rapidly digitizing but is still significantly behind other industries in its adoption of cloud-based and high-tech systems. There is an incredible opportunity for many companies to make the leap to cloud-SCADA and secure not only their software but their financial outlook and market share with Iron-IQ as their cybersecurity Sherpa of the future.