Cybersecurity for Oil and Gas Industries: How Hackers Can Manipulate Oil Stocks
by Alexander Polyakov & Mathieu Geli
The industries most plagued by cyber-attacks are oil and gas. Several attacks against the infrastructure of oil firms like Aramco have been executed by the Anonymous operation #OpPetrol that targeted major oil companies. The oil and gas sectors are also threatened by frauds where there is blatant theft of resources during upstream or downstream processes. SAP and Oracle systems are widely used in oil and gas industries, and there are even specific SAP modules for oil and gas such as SAP Upstream Operations Management (UOM) or SAP PRA (Production and Revenue Accounting), Oracle Field Service, and Oracle Enterprise Asset Management.
Cyber-attacks on SAP systems belonging to oil and gas industries can be critical themselves, however they are even more lethal because of trust connections in systems responsible for asset management (such as SAP xMII and SAP Plant Connectivity) and systems responsible for OT (such as ICS, SCADA and Field Devices). Moreover, SAP and Oracle serves business processes like Digital Oilfield Operations, Hydrocarbon Supply Chain and Operational Integrity that are extremely critical themselves and are vulnerable to attacks. For example, hydrocarbon volumes, which are the basis for pricing, excise duty, and transportation fees, fluctuate depending on environmental temperature and pressure conditions. An attacker can easily modify these conditions. As it requires masses and weights for product valuation, and weighing is not possible, we must derive them from volumes at ambient temperature and pressure conditions, requiring complex conversion calculations of the observed volumes at each custody transfer point. These complex features put all infrastructure at high risk if an attacker can get access to these data.
Our talk, based on a several case studies conducted during research and professional services, will shed a light on this highly critical and very dark area. We will discuss specific attacks and vulnerabilities related to oil and gas companies as well as guidelines and processes on how to avoid them.