"Explosive" cyber attacks in Oil and Gas are life threatening

Published Mar 15, 2018
by Matias Madou, Ph.D.
cASE sTUDY

"Explosive" cyber attacks in Oil and Gas are life threatening

Published Mar 15, 2018
by Matias Madou, Ph.D.
View Resource
View Resource

The focus of most cybersecurity discussions relate to protecting money, reputation and information. Within financial institutions, it is often a threat to personal or company finances. In the telecommunications industry, it is more about personal identity information or intellectual property theft. At a government level, cyber-espionage is a relatively easy and low-cost way to acquire high-value intelligence.

However, the dangers of cyberattacks on physical infrastructure including SCADA (Supervisory Control and Data Acquisition) and ICS (Industrial Control Systems) are very real, growing and frightening, as a recent New York Times article about an attack on a petrochemical company with a plant in Saudi Arabia explains.

Within the Oil and Gas sector, cybersecurity attacks can cause explosions. For a long time, these plants were not connected to networks, but now, in the interests of simplicity of management, they have all been dangerously connected. The probability of these systems being attacked - and successfully so - is now much higher. These  applications are NOT designed with security in mind, because, it was not the intention to have them connected to the internet.

The NYT article details an attack that was not designed to simply destroy data, or shut down the plant, but also to sabotage the firm's operations and trigger an explosion that would likely harm other humans. Investigators said the only thing that prevented an explosion was "a mistake in the attackers'computer code", one which they believe the hackers have "probably fixed by now". Investigators believe it is "only a matter of time" before they deploy the same technique against another company successfully.

Software developers are becoming key architects who underpin the success and safety of many public and private organizations. There is no greater example than in the Oil and Gas industry. It is more important than ever that they have a better knowledge of the security implications of their work and that they learn how to code securely, whatever language or frameworks they use.

If you want to see how developers can learn about security to help protect critical infrastructure, play the following challenge:

https://portal.securecodewarrior.com/#/simple-flow/web/injection/oscmd/cpp/vanilla

The only thing that prevented an explosion was a mistake in the attackers'computer code, the investigators said.

https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html

The cyberassault was not designed to simply destroy data or shut down the plant, investigators believe. It was meant to trigger an explosion. https://t.co/kQqcAhoW01

" The New York Times (@nytimes) March 15, 2018

A Cyberattack in Saudi Arabia Had a Deadly Goal. Experts Fear Another Try. https://t.co/q9UdicR7dv

" Colin Wright (@colinismyname) March 22, 2018

The attack was a dangerous escalation in international hacking, as faceless enemies demonstrated both the drive and the ability to inflict serious physical damage. https://t.co/G8bBCteouZ#CyberSecurity #NetworkMonitoring

" Elitery Indonesia (@eliterydc) March 22, 2018

A recent failed #cyberassault on a Saudi Arabian petrochemical company had a deadly goal. This @NYTimes article explains more: https://t.co/3g8oDuPijm pic.twitter.com/MfSqrXSd9u

" Symantec EMEA (@SymantecEMEA) March 21, 2018
View Resource
View Resource

Author

Matias Madou, Ph.D.

Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.

Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.

Want more?

Dive into onto our latest secure coding insights on the blog.

Our extensive resource library aims to empower the human approach to secure coding upskilling.

View Blog
Want more?

Get the latest research on developer-driven security

Our extensive resource library is full of helpful resources from whitepapers to webinars to get you started with developer-driven secure coding. Explore it now.

Resource Hub

"Explosive" cyber attacks in Oil and Gas are life threatening

Published Mar 15, 2018
By Matias Madou, Ph.D.

The focus of most cybersecurity discussions relate to protecting money, reputation and information. Within financial institutions, it is often a threat to personal or company finances. In the telecommunications industry, it is more about personal identity information or intellectual property theft. At a government level, cyber-espionage is a relatively easy and low-cost way to acquire high-value intelligence.

However, the dangers of cyberattacks on physical infrastructure including SCADA (Supervisory Control and Data Acquisition) and ICS (Industrial Control Systems) are very real, growing and frightening, as a recent New York Times article about an attack on a petrochemical company with a plant in Saudi Arabia explains.

Within the Oil and Gas sector, cybersecurity attacks can cause explosions. For a long time, these plants were not connected to networks, but now, in the interests of simplicity of management, they have all been dangerously connected. The probability of these systems being attacked - and successfully so - is now much higher. These  applications are NOT designed with security in mind, because, it was not the intention to have them connected to the internet.

The NYT article details an attack that was not designed to simply destroy data, or shut down the plant, but also to sabotage the firm's operations and trigger an explosion that would likely harm other humans. Investigators said the only thing that prevented an explosion was "a mistake in the attackers'computer code", one which they believe the hackers have "probably fixed by now". Investigators believe it is "only a matter of time" before they deploy the same technique against another company successfully.

Software developers are becoming key architects who underpin the success and safety of many public and private organizations. There is no greater example than in the Oil and Gas industry. It is more important than ever that they have a better knowledge of the security implications of their work and that they learn how to code securely, whatever language or frameworks they use.

If you want to see how developers can learn about security to help protect critical infrastructure, play the following challenge:

https://portal.securecodewarrior.com/#/simple-flow/web/injection/oscmd/cpp/vanilla

The only thing that prevented an explosion was a mistake in the attackers'computer code, the investigators said.

https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html

The cyberassault was not designed to simply destroy data or shut down the plant, investigators believe. It was meant to trigger an explosion. https://t.co/kQqcAhoW01

" The New York Times (@nytimes) March 15, 2018

A Cyberattack in Saudi Arabia Had a Deadly Goal. Experts Fear Another Try. https://t.co/q9UdicR7dv

" Colin Wright (@colinismyname) March 22, 2018

The attack was a dangerous escalation in international hacking, as faceless enemies demonstrated both the drive and the ability to inflict serious physical damage. https://t.co/G8bBCteouZ#CyberSecurity #NetworkMonitoring

" Elitery Indonesia (@eliterydc) March 22, 2018

A recent failed #cyberassault on a Saudi Arabian petrochemical company had a deadly goal. This @NYTimes article explains more: https://t.co/3g8oDuPijm pic.twitter.com/MfSqrXSd9u

" Symantec EMEA (@SymantecEMEA) March 21, 2018

We would like your permission to send you information on our products and/or related secure coding topics. We’ll always treat your personal details with the utmost care and will never sell them to other companies for marketing purposes.

To submit the form, please enable 'Analytics' cookies. Feel free to disable them again once you're done.