Cybersecurity for Oil and Gas Industries: How Hackers Can Manipulate Oil Stocks

Presented at Black Hat Europe 2015, Unknown date/time (Unknown duration).

The industries most plagued by cyber-attacks are oil and gas. Several attacks against the infrastructure of oil firms like Aramco have been executed by the Anonymous operation #OpPetrol that targeted major oil companies. The oil and gas sectors are also threatened by frauds where there is blatant theft of resources during upstream or downstream processes. SAP and Oracle systems are widely used in oil and gas industries, and there are even specific SAP modules for oil and gas such as SAP Upstream Operations Management (UOM) or SAP PRA (Production and Revenue Accounting), Oracle Field Service, and Oracle Enterprise Asset Management.Cyber-attacks on SAP systems belonging to oil and gas industries can be critical themselves, however they are even more lethal because of trust connections in systems responsible for asset management (such as SAP xMII and SAP Plant Connectivity) and systems responsible for OT (such as ICS, SCADA and Field Devices). Moreover, SAP and Oracle serves business processes like Digital Oilfield Operations, Hydrocarbon Supply Chain and Operational Integrity that are extremely critical themselves and are vulnerable to attacks. For example, hydrocarbon volumes, which are the basis for pricing, excise duty, and transportation fees, fluctuate depending on environmental temperature and pressure conditions. An attacker can easily modify these conditions. As it requires masses and weights for product valuation, and weighing is not possible, we must derive them from volumes at ambient temperature and pressure conditions, requiring complex conversion calculations of the observed volumes at each custody transfer point. These complex features put all infrastructure at high risk if an attacker can get access to these data.Our talk, based on a several case studies conducted during research and professional services, will shed a light on this highly critical and very dark area. We will discuss specific attacks and vulnerabilities related to oil and gas companies as well as guidelines and processes on how to avoid them.


Presenters:

  • Alexander Polyakov - ERPScan
    Alexander Polyakov is the Founder of ERPScan and President of the EAS-SEC.org project. He has been recognized as an R&D professional and Entrepreneur of the Year. His expertise covers the security of enterprise business-critical software like ERP, CRM, SRM and industry specific solutions developed by enterprise software companies such as SAP and Oracle. He has received several accolades, and published over 100 vulnerabilities. He has authored multiple whitepapers such as annual award winning "SAP Security in Figures" and surveys devoted to information security research in SAP. Alexander has authored a book about Oracle database security and has presented his research on SAP and ERP security at more than 60 conferences and training's in 20+ countries on all continents. He has also held training's for the CISOs of Fortune 2000 companies, and for SAP SE itself.
  • Mathieu Geli - ERPScan
    Mathieu Geli is a former IT security consultant. He has been in charge in the past with forensics tasks, malware detection and analysis and has a strong background on log analysis in heterogeneous environments. He is now focusing on SAP security research at ERPscan.

Links:

Similar Presentations: