Honeypots and pen testers.
If these terms are unfamiliar, you’ll want to learn about them and how they can help to protect critical data in drilling, processing, and other operations. A recent discovery made as the result of a honeypot and pen testers illustrates the increasing complexity and sophistication of malware and its use in the oil field.
Vulnerabilities to malware are found not only in computers, software, or equipment but, perhaps most importantly, in the people using the systems. In most cases, there is no malicious intent or even an awareness of the misstep that introduced an infection into a network or system. But intentional hacks by insiders or outsiders may have the explicit purpose of causing serious outcomes, ranging from low-level mischief to the theft of sensitive, confidential data and the disruption of safety and operations.
The University of Houston’s Department of Computer Science recently featured speaker Weston Hecker, a principal application security engineer/principal pen tester at NCR Corp. in Bismarck, North Dakota. He has spoken at Defcon and Blackhat 2016, among others. In August, he presented “Hacking the Bakken: Attacks on Kelly and Topdrive Oil Rigs” at the Industrial Control Systems (ICS) Cyber Security Conference in Atlanta, Georgia.
A honeypot contains data that appear to be a legitimate part of the network, but are actually isolated and monitored. When attackers discover the data and attempt to access it, they are blocked. This is similar to the surveillance tactics used by police in sting operations.
A honeypot may also serve as a disposable mail service. Users pay for brief periods of service time (sometimes only minutes) to communicate with each other. The messages are permanently deleted, leaving no trace. The purpose is similar to that of a “burner” cell phone. Burners are prepaid devices that are used for one specific purpose and then disposed of. Because they can be bought with cash and without a contract, they are untraceable: prepay, use once, then dump the phone (and its associated phone number) when it is considered too risky to use, or “burned.”
A pen (penetration) tester evaluates the security of IT infrastructure by safely trying to exploit vulnerabilities in operating systems, flaws in services and applications, improper configurations, or risky end-user behavior.
The malware samples were detected in the honeypot maintained by Hecker and a German researcher from late 2016 to early this year. The malware demonstrated a high level of sophistication and know-how, with layers of complexity built in; Hecker said it was “professionally made” and was attempting to steal land lease information and sleuthing for wildcat well and sensor data. Hecker said, “It most likely was a contractor [who developed the malware]. This wasn’t just a bored person.”
A server in Eastern Europe was waiting to receive the data, but the malware was discovered before any data were transmitted. The affected operator was immediately notified of the security breach.
Although details of the case cannot be shared, the implications of this malicious act are serious. Hecker said this was probably the work of a landman, who may have hired hacker mercenaries, attempting to steal sensitive information leading to insider knowledge of lease quality.
Hecker required 3½ months to reverse engineer the snared malware, which he said was an extended time in his experience. It was not one of the usual suspects, such as CryptoLocker, CryptoWall (ransomware trojans), or Samsam, which attacks via vulnerabilities in unpatched servers. This rogue was falsifying, or tricking, WITSML data; as a result, the malware was able to read memory and hunt down embedded passwords. [WITSML, which stands for wellsite information transfer standard markup language, is a standard for transmitting technical data between organizations in the petroleum industry.]
The malware’s dropper program also originated from Eastern Europe. A dropper, while disguising itself within the computer system, launches its payload of viruses by installing them onto a disk or a hard drive. Because they are hidden, difficult to detect, and relatively uncommon, the dropped viruses often go undetected. Droppers are a relatively new type of virus that remain undetectable to many antivirus programs.
Hecker said the computers used on a drilling site offer many entry points for malware. Any human-machine interface (HMI)—USB ports, the keyboard—is an open door. He highlighted how USB drives, often the vectors of infection, are frequently used across rigs to share data and Excel spreadsheets. A spreadsheet may contain data or may be a legacy “cheat sheet” for calculations. (He learned of one cheat sheet that has been circulating since 2008.) Once an infected USB drive is plugged into an HMI to transfer data, the malware “hooks into” the device and takes off like a bot, trawling systems and networks. He added, “One saving grace is that some adjustments are made in the field, such as mud weight, so it’s not as vulnerable.”
Outdated personal computer operating systems (OS) are another vulnerability. For example, Hecker said Windows XP, an OS released in 2001, continues to be used in many drilling operations, even though extended support for XP, including security updates, was discontinued in 2014. Hackers see old systems as low-hanging fruit because their vulnerabilities are well-known, familiar, and unprotected.
Had the hacker in this case been successful, the result would have been a theft of data for profit. But Hecker hypothesized more alarming scenarios that could lead to serious equipment damage, unnecessary nonproductive time and added cost, destruction, and fatalities.
Hecker highlighted the variety of HMI opportunities for the introduction of malware in oil and gas projects. In addition to the company’s personnel, there are contractors and consultants. Maintaining strict vigilance and control over HMI is challenging, if not impossible. Ramping up network security is one means of protection, but awareness among users of the need for security at the HMI and in the operational technology used in drilling and processing is one of the most important levels of prevention.
Among the general examples of where malware could trick systems are:
Interference with or falsification of directional drilling data
Misrepresentation of the volume of oil in drillpipes, drill collars, and total drillstring volume
Falsified toolface data
Hydrogen sulfide detection in sour gas applications. Sensors could be shut off in the sub or in the control room.
Monitoring input to pipelines; impurities could be introduced and pressures misrepresented
Monitoring of drilling fluids
Inaccurate measured or total vertical depth
Hecker said drilling operations could be tricked by falsified or corrupted data to affect the torque on bit and disorient the toolface by hacking the azimuth and orientation data. Drilling could be misdirected based on the false data, perhaps not landing a curve or over- or undershooting a pay zone, and then requiring unplanned sidetrack drilling.
The falsified data may be engineered to indicate problems that don’t exist, prompting unnecessary tripping or replacement of pumps, motors, sensors, etc. The associated cost of lost production, equipment, manpower, and nonproductive time can be significant.
Because most application exploits stem from unsanitized inputs, he offered three recommendations: assume that any data you don’t have control over are malicious; have web applications built by third parties audited; and recognize that scanning tools find little beyond the most basic vulnerabilities.
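The list of data that malware could falsify (directional surveys, toolface, measured and vertical depth) and the advice to treat any data you don’t control as malicious both point to the same defensive habit: check incoming survey data for physical plausibility before an HMI or drilling application acts on it. The following is an added example, not code from the article or from Hecker; it reads a constructed, WITSML-like trajectory (a simplified stand-in for the real schema) and flags stations whose values cannot be correct. The element names, the 15°/100 ft dogleg limit, and the sample values are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample loosely modelled on a WITSML trajectory object, not a real rig message.
# Station s3 carries an azimuth of 400 degrees, a TVD above its MD, and a TVD gain above its MD gain.
SAMPLE_XML = """<trajectory uid="traj-demo">
  <trajectoryStation uid="s1"><md>1000</md><tvd>1000</tvd><incl>0.5</incl><azi>45</azi></trajectoryStation>
  <trajectoryStation uid="s2"><md>1100</md><tvd>1099</tvd><incl>3.0</incl><azi>47</azi></trajectoryStation>
  <trajectoryStation uid="s3"><md>1200</md><tvd>1250</tvd><incl>5.0</incl><azi>400</azi></trajectoryStation>
</trajectory>"""

MAX_DOGLEG_DEG_PER_100FT = 15.0  # assumed plausibility limit; tune to the well plan

def _num(station, tag):
    # Read one numeric child element; missing or non-numeric values are rejected, never defaulted.
    el = station.find(tag)
    if el is None or el.text is None:
        raise ValueError(f"{station.get('uid', '?')}: missing <{tag}>")
    try:
        return float(el.text)
    except ValueError:
        raise ValueError(f"{station.get('uid', '?')}: non-numeric <{tag}>") from None

def check_trajectory(xml_text):
    """Return a list of findings for the survey; an empty list means every station passed."""
    findings = []
    root = ET.fromstring(xml_text)  # stdlib parser: does not fetch external entities
    prev = None  # (md, tvd, incl) of the previous station
    for st in root.iter("trajectoryStation"):
        uid = st.get("uid", "?")
        try:
            md, tvd, incl, azi = [_num(st, t) for t in ("md", "tvd", "incl", "azi")]
        except ValueError as err:
            findings.append(str(err))
            continue
        if not 0 <= azi < 360:
            findings.append(f"{uid}: azimuth {azi} outside 0-360")
        if not 0 <= incl <= 180:
            findings.append(f"{uid}: inclination {incl} outside 0-180")
        if tvd > md:
            findings.append(f"{uid}: TVD {tvd} exceeds MD {md}")
        if prev is not None:
            pmd, ptvd, pincl = prev
            if md <= pmd:
                findings.append(f"{uid}: MD {md} not increasing")
            elif tvd - ptvd > md - pmd:
                findings.append(f"{uid}: TVD gain exceeds MD gain since previous station")
            elif abs(incl - pincl) * 100 / (md - pmd) > MAX_DOGLEG_DEG_PER_100FT:
                findings.append(f"{uid}: implausible inclination change")  # simplified dogleg: ignores azimuth
        prev = (md, tvd, incl)
    return findings
```

A non-empty result should stop the data from reaching the directional driller’s display and raise an alert, since a station that violates geometry is either a sensor fault or tampering, and either one deserves a human look.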
Cybersecurity must begin “with developing a mindset around it. If you aren’t moving in that direction, it’s the wrong direction,” Hecker said.