Midstream Security for Oil

November 21, 2016 by Alexander Polyakov

I hope you enjoyed the previous parts of the Oil and Gas Cyber Security series (Upstream Cyber Security and Oil and Gas Cyber Security 101). Today we will talk about OT and ICS with a special focus on the Midstream sector of the petroleum industry.

Risks to Oil and Gas Midstream companies

As you may know, various green activists and alternate energy companies may be interested in attacks on the oil and gas industry. Nonetheless, the most alarming fact is that attacks on oil and gas systems are a common choice for international terrorists. There have been several examples of such attacks.

  • In Colombia, several terrorist groups attack the national oil pipeline Cano Limon-Covenas so often that it has been notoriously nicknamed "the Flute" [1]
  • In 2006, the terrorist group ULFA (United Liberation Front of Asom) conducted several attacks on oil pipelines in the region of Assam, which is the source of approximately 15% of India's onshore oil production [2]
  • In Mexico, six simultaneous attacks against oil and gas pipelines, conducted by terrorists from the so-called People's Revolutionary Army on September 10, 2007, caused severe supply shortages, leading to the temporary closure [3]

As you can see, these attacks are often conducted by terrorists without any interaction with the IT infrastructure of a particular Oil and Gas system. However, it's too early to rejoice. Let's see the list of requirements for conducting terror attacks.

As you can see from the table above, almost every scenario involves a couple of armed terrorists and some additional equipment. When we speak about attacks on communication systems, there is only one requirement - a hacker. Now terrorists don't even need to come to a particular country to wreak havoc.

Let's recall the most critical risks related to unauthorized access to an Oil and Gas company's infrastructure. They are as follows:

  • Plant Sabotage/Shutdown
  • Equipment damage
  • Utilities Interruption
  • Production Disruption (production suspension or termination)
  • Product Quality (poor oil and gas quality)
  • Undetected Spills
  • Illegal pipeline tapping
  • Compliance violation (pollution)
  • Safety violation (death or injury)

Today we are discussing Midstream cybersecurity, where three risks are the most important: undetected spills, illegal pipeline tapping, and attacks on maritime transport. All of them relate to transportation and pipeline security. However, spills can happen unintentionally, while illegal pipeline tapping and attacks on maritime transport are often the result of malicious actions.

Critical Processes in Midstream Oil and Gas

As you know from the previous articles, there are an estimated 20+ processes in the Upstream, Downstream, and Midstream sectors. These processes are managed by 100+ different types of systems, and there are more than 1000 solutions from hundreds of vendors.

Now let's see what kinds of processes exist in the Midstream segment in particular, what kinds of OT systems are used there, and what they are responsible for. For every asset, we provide a short overview of potential risks.

In a nutshell, the midstream sector involves transportation, storage, and wholesale marketing. In this article, we will look closer at the 4 processes considered the most significant ones, namely Terminal Management Process, Maritime Oil Transportation, Pipeline Oil Transportation, and Oil Storage.

1. Terminal Management Process

Description

Tankers that transport oil and its derivatives by sea pass through a specific set of terminals, where they either unload the goods or just make a technical stop. There are numerous terminals in the world, and each of them is critically important for ensuring the continuity of the supply chain. Breakdowns of oil unloading and counting mechanisms, or even of an accounting system, may entail huge losses.

Risks

  • Terminal Shutdown or Equipment damage
  • Fiscal metering fraud
  • Compliance violation (pollution)
  • Safety violation (death or injury)

Systems

There are different types of systems used to control and automate terminal management processes.

1. Terminal Management

Efficient management of terminals and improved usage of storage facilities are essential to move product throughout the enterprise. It means that every issue in this system may lead to hazardous circumstances.

Terminal management example diagram from Rockwell Automation

Examples:

  • Rockwell Automation Intelligent Terminal Automation System

This system is responsible for the operations and management of the entire production and business processes at the terminal.

Here is the list of operations:

  • material receiving and distribution
  • stock tracking material change and calculation
  • tank farm condition monitoring
  • metrical information collection of volume and quality data
  • water separation
  • tank cleaning, etc.

This system is connected with ERP and manufacturing execution systems. Thus, an attack against this system can be performed via a vulnerability in SAP.

  • Endress+Hauser Terminalvision [4]

    This system provides business administration functionality for road, rail, and barge loading terminals. The most important point is that the system has interfaces and links to business applications such as SAP ERP. For example, all transactions can be connected to financial planning as well as commingled stocks and quantities allocation across multiple customers and accounts. [5]

    Moreover, this system is connected with metering solutions such as Endress+Hauser Loading Metering Skid (LMS). This solution is responsible for custody transfer of light hydrocarbons such as gasoline, diesel, jet fuel between tanker trucks, railcars, and ships.

    The system itself is a client-server technology where the server is based on a SQL Server database, and the client is basically a Windows application that connects to the server remotely. The database server stores information about all the persons (drivers), vehicles, orders, and BOLs (Bill of Lading, the most important document about a vehicle that leaves the terminal).

Potential Attack vectors

Terminal management systems are usually presented in 2 configurations:

  • 2-tier systems which consist of the database (usually MSSQL) and a fat client. This is the most common configuration. As a rule, all access control measures are configured on the client side. It basically means that attackers can sniff the database password from a fat client or find it in a configuration file, then use this password to directly connect to the database and get full access to the data. It may seem quite strange that it's so easy to bypass the security of such a system, but I have seen many solutions based on a 2-tier architecture and all of them could be hacked via insecure authentication.
  • 3-tier systems which consist of the database, application server, and a web browser. Usually, these systems have web applications that are susceptible to typical web issues such as XSS and SQL Injections because the solutions are rarely examined regarding security.

Also, the systems are connected with ERP systems via different database links or file transfer. One of the ways to get access to the systems is via insecure trust connections.
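
The 2-tier weakness described above leaves evidence in the client's own configuration. The following Python check is an added example, not part of the original article or of any vendor's tooling: it parses an app.config-style file (an assumed format for a .NET fat client) and flags connection strings that embed a database password, rely on a shared SQL login, or connect as `sa`. The host, database and credential values in the sample are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Keyword names follow ADO.NET SqlClient connection strings.
PASSWORD_KEYS = ("password", "pwd")
USER_KEYS = ("user id", "uid")
TRUSTED_KEYS = ("integrated security", "trusted_connection")
PAIR = re.compile(r"""\s*([^=;]+?)\s*=\s*("[^"]*"|'[^']*'|[^;]*)""")


def parse_connection_string(conn):
    """Split 'Key=Value;...' into a dict; quoted values may contain ';'."""
    return {m.group(1).lower(): m.group(2).strip().strip("\"'")
            for m in PAIR.finditer(conn)}


def audit_connection_string(conn):
    """Return the 2-tier weaknesses visible in one connection string."""
    kv = parse_connection_string(conn)
    findings = []
    if any(kv.get(k) for k in PASSWORD_KEYS):
        findings.append("embedded-db-password")
    trusted = any(kv.get(k, "").lower() in ("true", "yes", "sspi")
                  for k in TRUSTED_KEYS)
    if not trusted:
        # Every client shares one SQL login, so the database cannot tell
        # users apart and authorization lives only in the client.
        findings.append("shared-sql-login")
    if any(kv.get(k, "").lower() == "sa" for k in USER_KEYS):
        findings.append("sysadmin-login")
    return findings


def audit_config(xml_text):
    """Audit every <add connectionString=...> entry of an app.config."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): audit_connection_string(e.get("connectionString"))
            for e in root.iter("add") if e.get("connectionString")}


# Constructed sample: hostnames, database and credentials are made up.
SAMPLE_CONFIG = """<configuration><connectionStrings>
  <add name="TerminalDb"
       connectionString="Server=tms-db01;Database=Terminal;User ID=sa;Password='Tank;2016'" />
  <add name="TerminalDbHardened"
       connectionString="Server=tms-db01;Database=Terminal;Integrated Security=SSPI" />
</connectionStrings></configuration>"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, findings or "no client-side credential findings")
```

An empty finding list only means the client holds no database secret; per-user permissions still have to be enforced in the database itself rather than in the client.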

2. Order Movement Management (OMM)

OMM is a tool for the translation of business orders into process movements, which then are executed by operation staff.

Example:

  • Schneider Electric SimSci [6]

3. Movement Automation Systems (MAS)

MAS is a solution that provides automatic path selection; it checks equipment availability, verifies product compatibility, and controls movement sequencing.

Example:

  • Schneider Electric SimSci

Real attack

2003 was marked by a cyber attack on the Venezuelan state-owned petroleum company PDVSA. Hackers were able to penetrate the SCADA system that controls tanker loading at a marine terminal. Then, they deleted the PLC firmware responsible for operating the facility, thus preventing tanker loading for eight hours.

2. Maritime Oil Transportation

A tanker that transfers oil is an easy target for physical terrorist attacks for several reasons.

First, security on board is usually limited to high-pressure water hoses or sirens and several crew members responsible for security, and any additional assistance is available with a delay, if at all. As an example, in October 2002 the supertanker Limburg, carrying 397,000 barrels of crude oil, was hit by an explosive-laden dinghy near the coast of Yemen.

An essential IT element of a ship is its navigation system; hence it may attract malefactors' attention. Cyber attacks on oil tankers can cause time-consuming route changes so that the tankers are delayed; if delivery isn't duly made, a company will suffer a loss.

Hackers are also capable of changing navigation system parameters to make a ship reachable for attacks. Moreover, tankers are too cumbersome to maneuver away from attackers, which makes them easy targets.

Risks

  • Ship Equipment Shutdown or damage
  • Route falsification
  • Compliance violation
  • Safety violation (death or injury)

Systems

There are dozens of specific OT systems in tankers, and this topic is out of the scope of this article.

3. Pipeline Oil Transportation

Pipelines responsible for long-distance distribution of oil and gas are built either above ground or buried underground. The first group is visible, the second one is easy to identify as there are some markers above ground. Furthermore, significant physical protection of additional installations (i.e. compressor stations) is usually not implemented. [7]

Risks

  • Equipment damage
  • Disruption or significant reduction of service and deliverability (production suspension or termination such as destroying pipelines)
  • Product Quality (pipeline intrusion for quality and chemistry modification)
  • Disruption or significant reduction of intended usage of liquids (spills, illegal tapping, pollution)
  • Compliance violation
  • Mass casualties or significant health effect (safety violation, death, injury)

Systems

1. Field Device Management (FDM)

These systems are responsible for managing field devices, including ones located in the pipeline. As a part of their functionality, FDMs are also responsible for the detection of leaks in pipelines. Thus the security of these systems is paramount.

Example

  • Schneider Electric's Foxboro Field Device Manager

2. Pipeline Management System (SCADA)

Examples

  • Honeywell's Experion SCADA [8]
  • UCOS Pipeline SCADA
  • PSIcontrol/Oil
  • Schneider Electric's OASyS DNA [9]

Potential Attacks

Most of the pipeline management systems are developed on well-known SCADA systems, which can be relatively easily found on the Internet. The ability to download this software dramatically increases the chances that cybercriminals will be able to identify some vulnerabilities in these tools and then exploit them to perform cyber attacks. Some of the systems have already had publicly known vulnerabilities.

If the systems don't have publicly known vulnerabilities, I recommend that you scan devices for open SCADA protocols such as Modbus. You can find plenty of Modbus scanning tools. [10]

Last but not least, the SCADA systems are usually connected with field devices using the HART protocol. The vulnerabilities in this protocol are described here. [11]

3. Leak Detection Systems

Examples:

  • SimSuite
  • Krohne PipePatrol

Real Attacks

The book "At the Abyss," written by Thomas C. Reed, tells a story that took place during the Cold War. The USSR was allowed by the U.S.A. to steal pipeline control software from one of the Canadian companies; this software contained malicious code. A grave explosion of the Trans-Siberian gas pipeline occurred in June 1982, as this software was programmed to break down after a while and produce pressure far beyond acceptable limits. It was the first public example of a vulnerability in oil and gas operations being used for an intentional external cyber attack on control systems.

Pipeline explosions are not unusual: there were more than 3000 incidents such as explosions, leaks, and spills from 2010 till 2015.

To secure pipeline systems, it's recommended first to look through the guidelines published by TSA. [12]

4. Oil Storage

Oil is stored in storage tanks. A storage location usually consists of 10-100+ tanks with 1-50m barrels. To manage these tanks, companies use Tank Inventory systems. A Tank Inventory System collects data from special tank gauging systems, such as level, pressure or float radars that are used to measure the level in storage tanks; it also stores records of volumes and history.

Initiating incidents may result in adverse impact both on safety and the environment, and monitoring the levels in remote storage tanks of flammable materials significantly reduces the risks. Deviations of tank level can cause such severe situations as a tank overfilling or an extraction pump running dry. The gravity of consequences intensifies owing to the large inventories of flammable materials.

Risks:

  • Plant Sabotage/Shutdown
  • Equipment damage
  • Production Disruption
  • Compliance violation
  • Safety violation

Systems

1. Tank/Terminal Management Systems

Examples

  • Enfaf TM BOX
  • Honeywell's Experion® Process Knowledge System (PKS) (For Terminals)

2. Tank Inventory Systems (single-window interface for Tank Gauging Systems)

Examples

  • Emerson Rosemount TankMaster WinOpi
  • Schneider Electric SimSci™
  • Honeywell Enraf Entis Pro
  • MHT's – VTW

3. Tank Gauging Systems

Tank Gauging systems are programmable controllers that monitor and measure the amount of fuel in reservoirs.

Examples

  • Emerson TankMaster Server
  • Honeywell Enraf BPM
  • Saab, Varec, GSI, MTS, L&J…
  • Meter Management
  • ControlLogic PLC
  • SmartView

Potential Attacks

Management consoles of Tank Inventory systems do not just read the data. Some of them (such as Emerson Rosemount TankMaster WinOpi) can also control Tank Gauging software and hardware. If an attacker gains unauthorized access to control commands, he or she, for example, can change any alarm (level, temperature, pressure, etc.) for tanks configured as servo tanks or send Freeze and Lock commands to a servo gauge.

You saw a number of examples of mission-critical systems in the Midstream segment and the ways cybercriminals can attack them. Now, be ready for the next articles of the Oil and Gas Cybersecurity series. I will show the most important systems in the Oil and Gas Downstream segment.

Further Reading

  1. Oil and Gas Production Handbook http://www.saudienergy.net/PDF/Intro%20Oil.pdf
  2. Principles of Pipeline Leak Detection http://krohne.com/fileadmin/content/files-2/PipePatrol/KROHNE_Gerhard_Geiger_Principles_of_Leak_Detection_2012.pdf

References

[1] "Oil, terrorism and drugs intermingle in Colombia," [Online]. Available: http://www.iags.org/n0805032.htm.

[2] "Pipeline sabotage is terrorist's weapon of choice," [Online]. Available: http://www.iags.org/n0328051.htm.

[3] "Mexican Rebels Claim Pipeline Attacks," [Online]. Available: http://www.washingtonpost.com/wp-dyn/content/article/2007/09/10/AR2007091000596_pf.html.

[4] "Business administration on terminals," [Online]. Available: http://www.endress.com/en/solutions-lowering-costs/inventory-management-solutions/terminal-management/business-administration-terminals.

[5] "Technical Information. Terminalvision NXS85," [Online]. Available: https://portal.endress.com/wa001/dla/5001035/6262/000/00/TI01269GEN_0115.pdf.

[6] "Yield Accounting Solution," [Online]. Available: http://software.schneider-electric.com/pdf/industry-solution/yield-accounting-solution/.

[7] "Security Risks to the Oil and Gas Industry: Terrorist Capabilities," [Online]. Available: http://www.muskingum.edu/~bking/2009gulfcoast/4-Security-Risks-to-the-Oil-and-Gas-Industry.pdf.

[8] "Honeywell Process Solutions," [Online]. Available: https://www.honeywellprocess.com/library/marketing/notes/experion-scada-pin.pdf.

[9] "Pipeline Management Solution," [Online]. Available: http://www.schneider-electric.com.co/documents/local/xperience-efficiency/Pipeline_Management_Solution.pdf.

[10] "File modbus-discover," [Online]. Available: https://nmap.org/nsedoc/scripts/modbus-discover.html.

[11] "Advisory (ICSA-15-029-01)," [Online]. Available: https://ics-cert.us-cert.gov/advisories/ICSA-15-029-01.

[12] "Pipeline Security Guidelines," [Online]. Available: https://www.tsa.gov/sites/default/files/tsapipelinesecurityguidelines-2011.pdf.

Alexander Polyakov

Alexander Polyakov is the founder of ERPScan and President of the EAS-SEC.org project. Recognized as an R&D professional and Entrepreneur of the year, his expertise covers the security of enterprise business-critical software like ERP, CRM, SRM and industry-specific solutions for Oil and Gas, Manufacturing, Retail and Banking; as well as other verticals developed by enterprise software companies such as SAP and Oracle. He has received numerous accolades and published over 100 vulnerabilities.

Alexander has also published a book about Oracle Database security, numerous white papers, such as the award-winning annual "SAP Security in Figures"; plus surveys devoted to information security research in SAP.

Alexander has presented his research on SAP and ERP security at more than 50 conferences and trainings in 20+ countries on all continents. He has also held trainings for the CISOs of Fortune 2000 companies, and for SAP SE itself.

He is the author of numerous whitepapers and surveys devoted to information security research in SAP like "SAP Security in figures." Alexander was invited to speak and train at international conferences such as BlackHat, RSA, HITB and 30 others around the globe as well as in internal workshops for SAP and Fortune 500 companies.