Oil and gas companies at risk

Cyber attacks on the applications running your critical infrastructure
Sept. 15, 2015

MARIANO NUNEZ, ONAPSIS, BOSTON

OIL AND GAS EXECUTIVES are experienced in managing risk carefully, but a new set of hazards that has previously gone largely undetected is gaining visibility with executives as well as the Federal Bureau of Investigation. While the economic impact for companies could range into the loss of millions of dollars in revenue per minute, the effects could have even broader implications for compliance, brand trust, and national infrastructure.

The risk in question is cyber security, and it is no longer an issue confined to the IT department. Because mission critical business applications are vulnerable, cyber security must be considered at the business executive level as well as by financial managers.

SAP systems are run in 100% of the oil and gas companies listed in the Fortune 500. Yet, these systems have required more than 3,000 security patches to date, with 46% of them considered "high priority."

With more than 30 patches per month being released during 2014, it is not feasible to assume security teams are able to patch systems immediately or, in fact, apply the patches properly. SAP systems are particularly complex, with infrastructures that tend to fall victim to sprawl and overlapping components, which makes tracking down all instances of a vulnerability an unwieldy prospect.

In fact, research shows that more than 95% of the SAP systems assessed were exposed to vulnerabilities that could lead to full compromise of the company's business processes and information.

A WIDENING CREVICE OF VULNERABILITY

Just what data are vulnerable? It can be difficult to understand the breadth and depth of a business's SAP systems.

Oil and gas companies depend on business-critical applications to process and record financial and operating data, analyze seismic and drilling information, conduct reservoir modeling and reserves estimation, communicate with employees and business associates, perform compliance reporting, and carry out other critical activities. As a result, companies are increasingly at risk from cyber incidents such as deliberate attacks or unintentional events that could impair business-critical processes.

In the finance department, performance and risk management functions, compliance, accounting, and treasury are most likely to rely on SAP for daily operations. In human resources, payroll, workforce planning and analytics, and talent management functions can rely on SAP and contain sensitive information. A wide variety of IT management and technology solutions also might rely on SAP and support vital activities such as analytics, data management, consumer experience, strategy, and governance.

In addition, Capital Spend Effectiveness & Procurement, Digital Oilfield Operations, Hydrocarbon Supply Chain and Operational Integrity among many other key processes are facilitated by SAP and contain data critical to business and market advantage. These systems are far reaching and contain "the crown jewels" of business information.

DON'T CRY WOLF!

If these systems are so insecure, why are we not hearing more about security breaches? The truth is, many companies are simply unaware that the back door has been left open.

Although logging systems that can track network behavior exist, most companies do not enable them due to the negative impact on system performance and the reality that analyzing extensive log data proactively for suspicious activity is not feasible. Even with the standard audit features enabled, certain types of cyber security attacks cannot be detected through this method.

As such, many organizations mistakenly believe their SAP systems have never been hacked or are incapable of being hacked. But SAP security breaches are real and are increasing in both numbers of detection and awareness.

In 2012, the hacker group Anonymous claimed a breach and stated: "A sweet 0day SAP exploit is in our hands and oh boy we're gonna sploit the hell out of it." Zero-day vulnerabilities are known as such because once a flaw is known, there are zero days to fix it.

In 2013, an old banking Trojan was modified to look for SAP GUI installations on infected endpoints. This meant that hackers could potentially gather corporate information such as lists or employee personal information and sell it to third parties.

In 2014, a Chinese hacker exploited a vulnerability estimated to be three years old in a corporate SAP NetWeaver portal. NetWeaver underpins many SAP business applications, and although a patch had been released by SAP, many enterprises had not applied the fix. The vulnerability would allow a hacker to take full control of the SAP NetWeaver portal platform and execute commands to access ERP, CRM, supply chain, or business intelligence systems.

The breach of USIS, the US government's largest commercial provider of background checks, most likely utilized a known SAP attack vector that enterprises had been warned about. In the USIS breach, Chinese hackers had been able to access "internal" networks and pivot to other systems. This pivot strategy is often used to gain access to a system of lower security and then progress to systems with higher security containing employee data, customer information, or credit-card data.

The USIS breach marks the first time an SAP attack against a national security service provider has been publicly uncovered. This example, as well as others, dispels several myths, specifically the false idea of SAP business critical applications being 'internal and isolated.'

MINDING THE GAP

The idea that SAP security breaches can be performed only by highly skilled attackers is misplaced. The most likely perpetrator is an unethical competitor, disgruntled employee, "hacktivist," or a foreign state. Most vulnerabilities can be exploited anonymously and remotely, and in most scenarios, anyone who can "ping" an SAP server (a relatively low-level activity requiring minimal technical knowledge) can break into it.

"Internal" networks are a thing of the past. There are no more "perimeters," as spear-phishing, rogue contractors, and malicious employees are often within an organization's trusted network. Many SAP systems are connected to the Internet via web apps, HANA, mobile, and cloud deployments. And compliance with standards such as those established by the North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC), or Payment Card Industry (PCI) data standards, could be jeopardized via these systems.

Business managers may believe security is being managed by the SAP security team within the IT department. But SAP security teams have traditionally focused only on enforcing Segregation of Duties controls (user roles and authorizations), and most do not have the right skills, focus, or tools to deal with technical vulnerabilities and advanced threat vectors. Other teams tasked with "cyber security" for a given area likely do not have the visibility into the SAP platform or the experience required to properly analyze the operational risk and patch sensitive business-critical platforms effectively.

And, unfortunately, while SAP HANA is the de facto database/application server platform for new SAP solutions and is thought to be more secure, HANA has resulted in a 4.5-fold increase in new security patches. In 2014, 82% of these patches were considered "high priority," posing significant risk to business systems.

SECURING THE BUSINESS CROWN JEWELS

The reality is that while SAP security is currently no one's specific responsibility, it is also everyone's responsibility. Leading organizations are solving this responsibility gap and taking proactive steps to secure their most valuable assets.

Financial stakeholders and executives are taking up the reins to drive a new model of security and risk reduction that starts with a few simple steps.

First, business leaders must engage in asset discovery. This is a triage and scoping exercise: Find out if you have 10 or 100 SAP systems and identify their interfaces.

Second, ensure the business process that each system supports is well understood and mapped. This highlights potential interrelationships and single points of failure that are important to protect.

Third, understand the information that each system houses to enable prioritization for the protection of highly sensitive data.

Understanding risk involves an assessment of the economic impact that could come from a disruption to the value chain that SAP systems and applications support. It also means calculating the dollars SAP platforms are managing. Identifying critical compliance gaps comes from meticulous mapping of policies against SAP security guidelines and authoritative sources including Sarbanes-Oxley, NERC/FERC and PCI compliance frameworks.

These steps help ensure an actionable, manageable plan forward. Prioritizing risks by likelihood and business timing increases the chance that measurable progress can be made.
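The three steps above (inventory systems and their interfaces, map the business processes each one supports, and classify the data each one houses) and the risk assessment that follows them can be captured in a small inventory model that ranks systems for patching and protection. The following Python is an added example written for this page, not code from the article or from Onapsis; the landscape, system identifiers, sensitivity weights, and the mapping from data classes to SOX, NERC/FERC and PCI scope are all constructed assumptions, and a real programme would load the inventory from the organization's own CMDB and patch records.

```python
from __future__ import annotations

from dataclasses import dataclass

# Assumed sensitivity weight per data class (constructed scale, not from the article).
DATA_WEIGHT = {"financial": 3, "hr": 3, "cardholder": 3, "seismic": 2,
               "grid_operations": 2, "reporting": 1}

# Interface kinds the article names as Internet-facing routes into SAP.
INTERNET_FACING = {"web", "mobile", "cloud"}

# Assumed mapping from data class to the compliance frameworks the article names.
FRAMEWORK_FOR = {"financial": "SOX", "cardholder": "PCI", "grid_operations": "NERC/FERC"}


@dataclass(frozen=True)
class SapSystem:
    sid: str                            # constructed system identifier
    processes: tuple[str, ...]          # business processes it supports (step 2)
    data_classes: frozenset[str]        # kinds of data it houses (step 3)
    interfaces: frozenset[str]          # how it is reached (step 1)
    missing_high_priority_patches: int  # "high priority" notes not yet applied


# Constructed landscape: five systems, not a real customer inventory.
LANDSCAPE = (
    SapSystem("ERP", ("finance", "procurement", "hr"),
              frozenset({"financial", "hr"}), frozenset({"rfc", "web"}), 4),
    SapSystem("HCM", ("hr",), frozenset({"hr"}), frozenset({"rfc"}), 1),
    SapSystem("POS", ("retail",), frozenset({"cardholder"}), frozenset({"cloud"}), 0),
    SapSystem("GEO", ("exploration",),
              frozenset({"seismic", "reporting"}), frozenset({"rfc"}), 2),
    SapSystem("PLT", ("pipeline_operations", "compliance_reporting"),
              frozenset({"grid_operations", "reporting"}), frozenset({"rfc", "mobile"}), 3),
)


def single_points_of_failure(systems) -> list[str]:
    """Systems that more than one business process depends on (step 2's interrelationships)."""
    return [s.sid for s in systems if len(s.processes) > 1]


def internet_exposed(systems) -> list[str]:
    """Systems reachable through a web, mobile or cloud interface."""
    return [s.sid for s in systems if s.interfaces & INTERNET_FACING]


def impact(system: SapSystem) -> int:
    """Business impact: summed data sensitivity scaled by the number of dependent processes."""
    data = sum(DATA_WEIGHT.get(d, 1) for d in system.data_classes)
    return data * len(system.processes)


def likelihood(system: SapSystem) -> int:
    """Likelihood proxy: grows with missing high-priority patches, doubled when Internet-facing."""
    base = 1 + system.missing_high_priority_patches
    return base * 2 if system.interfaces & INTERNET_FACING else base


def risk_score(system: SapSystem) -> int:
    return impact(system) * likelihood(system)


def triage(systems) -> list[tuple[str, int]]:
    """Systems ordered by descending risk score, ties broken by identifier."""
    return sorted(((s.sid, risk_score(s)) for s in systems), key=lambda t: (-t[1], t[0]))


def compliance_scope(systems) -> dict[str, set[str]]:
    """Which compliance frameworks each system falls under, from the data it houses."""
    return {s.sid: {FRAMEWORK_FOR[d] for d in s.data_classes if d in FRAMEWORK_FOR}
            for s in systems}


if __name__ == "__main__":
    for sid, score in triage(LANDSCAPE):
        print(f"{sid}: risk {score}")
    print("single points of failure:", single_points_of_failure(LANDSCAPE))
    print("internet exposed:", internet_exposed(LANDSCAPE))
    print("compliance scope:", compliance_scope(LANDSCAPE))
```

With the constructed landscape, the ERP system ranks first because it carries financial and HR data, supports three processes, is web-facing, and has four unapplied high-priority patches; the point of the score is to make the ordering of the patch backlog explicit and defensible to the financial stakeholders the article says should own it.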

By gaining visibility into systems, business managers can set the path for prevention and response that mitigates risk and loss and keeps their companies out of the headlines for the wrong reasons.

ABOUT THE AUTHOR

Mariano Nunez is CEO and co-founder of Onapsis. A respected authority in the business-critical application security/SAP cyber-security field, he was the first to publicly present on cyber security risks affecting SAP platforms and how to mitigate them, and is a frequent lecturer on the topic.
