Perspective of the cyber threat to oil and natural gas terminals in the Arabian Gulf region

Dragos, the world’s leading cyber security company, continues its expansion in Saudi Arabia and the Arabian Gulf region. The company has issued a thorough report that provides a comprehensive perspective on the cyber threats facing the oil and gas sector in the GCC countries. The report studies the security environment of that sector in detail, evaluates the effectiveness of its cyber security, and then offers recommendations to further strengthen the security of those countries.

The Dragos report focuses mainly on the attacks that disrupted operational technology (OT) and industrial control systems (ICS) at oil and gas facilities in the Gulf Cooperation Council (GCC), and states that these attacks could cause major problems over the next year for reasons such as the increase in the number of disruptive attacks on the oil and gas sector in general, the significant increase in ransomware attacks, the increasing focus on state-sponsored cyber activity, and the rise of the Gulf states as a major target of attacks.

The main types of threats

The Dragos report says that the oil and gas sector faces a greater cyber threat than any other sector in the Arabian Gulf. OT networks and industrial control systems in the Gulf countries, such as supply chains, transport systems, energy, oil and water supply systems, are exposed to reconnaissance and espionage by intruders from hostile countries, as well as to intrusions by other criminal groups.

The report ranks ransomware as the number one threat to IT and OT environments in the oil and gas sector. These attacks have caused significant financial losses and damage, and have tarnished the region’s reputation for cyber security. Between 2018 and 2021, the number of ransomware attacks on industrial control systems increased fivefold, and 5% of them targeted oil and gas facilities.

The report also notes that these facilities are vulnerable to attacks through direct internal access due to poor physical security, through close-access wireless operations, and through remote control devices; poor physical security or oversight opens the door to cyber attacks and intrusions.

The report also points to the existence of groups specialized in industrial control systems that target the oil and gas sector and the energy sector in general, and considers them one of the biggest risks to the Gulf countries. Intrusions by these groups provide the opportunity to gather and steal confidential information and to inflict cyber damage that serves the economic interests of hostile countries.

Infrastructure threat groups

Dragos currently tracks 15 threat groups targeting industrial infrastructure in Saudi Arabia, the GCC and the world, in particular:

    • PARASITE: Targets utility, aviation and oil and gas entities; its geographical targeting includes the Gulf Cooperation Council countries along with North America and Europe, and according to Dragos this group has been operating since 2017.
    • XENOTIME: Notorious for the TRISIS attack that caused disruption at an oil and gas facility in Saudi Arabia in August 2017. In 2018, XENOTIME expanded its targeting to include electrical utilities in North America and the Asia-Pacific region, and oil and gas companies in Europe, the United States and Australia.
      In February 2020, Dragos revealed an incident at an oil and gas facility outside the GCC that overlapped with XENOTIME activity, but there was not enough data and evidence to attribute the activity to the group.
    • MAGNALLIUM: Initially targeted aviation and oil and gas companies based in Saudi Arabia, but expanded its targeting to include entities in Europe and North America.
      In the fall of 2019, in the wake of heightened tensions in the GCC, Dragos revealed that MAGNALLIUM had begun expanding its targets to include electrical utilities in the United States.

Dragos Cyber Security Recommendations

One of the key parts of the Dragos report is its set of recommendations to the governments of the Gulf Cooperation Council countries, based on the company’s extensive experience in cyber security and on everything it observed in the security environment of the oil and gas sector there. The recommendations focus on strengthening cyber infrastructure, increasing monitoring, and preparing a response plan for any attacks on industrial control systems. The recommendations are:

    • Segmentation of the OT network at oil and natural gas terminals: conduct periodic inspections of the infrastructure to identify all assets and the communications between IT networks and operational technology, and then restrict communications between facility networks and industrial control systems to known and required processes only.
    • Monitoring and follow-up: the report advises organizations to identify and correct their vulnerabilities by increasing their monitoring of things like audit systems, permissions, and untrusted software and settings. It also recommends improving the scope and quality of visibility across all parties and facility operations, including long-term event logging, so that this information can be used as an intelligence resource when investigating an incident.
    • Monitoring ICS network assets: identify important network assets, endpoints and connections, and limit the scope of access to resources, i.e. file sharing, remote access and unnecessary externally facing services.
    • Preparation of a response plan for any attacks on industrial control systems: whether the attack is on oil or gas facilities, industrial threat detection mechanisms should be used to identify malicious software within the OT environment, improve network-level defense strategies, strengthen the capabilities of the security team, and prepare an appropriate response plan.
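As an added illustration of the first and third recommendations (this is not code from the Dragos report or from Dragos tooling), the Python script below reviews constructed IT-to-OT flow records against an assumed allowlist of known, required communications and flags file-sharing, remote-access and other unlisted services crossing the boundary. The address ranges, the allowlist, the risky-port table and the log line format are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address ranges (constructed for this example)
IT_NET = ip_network("10.10.0.0/16")
OT_NET = ip_network("192.168.50.0/24")

# Assumed allowlist of known, required IT-to-OT flows: (src, dst, dport) -> purpose
ALLOWED = {
    ("10.10.5.20", "192.168.50.10", 443): "historian replication over TLS",
    ("10.10.5.21", "192.168.50.10", 5432): "historian database export",
}
# Services the recommendations say to keep off the IT/OT boundary
RISKY_PORTS = {445: "SMB file sharing", 3389: "RDP remote access", 23: "Telnet"}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def parse_flow_line(line: str) -> Flow:
    """Parse one constructed 'src=... dst=... dport=...' log line."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(kv["src"], kv["dst"], int(kv["dport"]))

def crosses_boundary(f: Flow) -> bool:
    return ip_address(f.src) in IT_NET and ip_address(f.dst) in OT_NET

def review_flows(flows):
    """Return (flow, reason) for every IT-to-OT flow that is not on the allowlist."""
    findings = []
    for f in flows:
        if not crosses_boundary(f) or (f.src, f.dst, f.dport) in ALLOWED:
            continue
        findings.append((f, RISKY_PORTS.get(f.dport, "unlisted IT-to-OT communication")))
    return findings

# Constructed sample flow records; the fourth is intra-OT (Modbus) and is not reviewed here
SAMPLE_LOG = """src=10.10.5.20 dst=192.168.50.10 dport=443
src=10.10.7.33 dst=192.168.50.15 dport=445
src=10.10.9.8 dst=192.168.50.20 dport=3389
src=192.168.50.10 dst=192.168.50.11 dport=502
src=10.10.5.21 dst=192.168.50.10 dport=8080"""

if __name__ == "__main__":
    flows = [parse_flow_line(l) for l in SAMPLE_LOG.splitlines()]
    for flow, reason in review_flows(flows):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

In practice the flow records would come from a boundary firewall or a passive OT network monitor, and every finding should either be added to the allowlist with a documented purpose or blocked.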

The industrial environment of the GCC countries has a unique interdependence between water, oil, natural gas and energy. Industrial environments such as gas pipelines, power transmission systems, transport systems and water distribution systems (OT networks, control systems, data management and processing) are vulnerable to attack through direct access by insider threats or weak security systems, through close-access wireless operations, or through remote access. Poor design or configuration always leaves environments vulnerable to cyber exploitation.

Why should we worry about the industrial sector?

Because there are many avenues and ways in which adversaries can continue to evolve and become stronger and more aggressive toward our industrial systems.

Edwin Wade

Chief Consultant for Industrial Cyber Security at Dragos Corporation
