Blog

To Secure Oil and Gas Critical Infrastructure, Nordics Shall Strengthen Defenses in Cyberspace

Oct 06, 2022

Background

Russia’s Nord Stream 2 gas pipeline leaked gas off the coast of Denmark on September 26, 2022. The next day, not far from almost the same sea area, two leak points were also found in the Nord Stream 1 gas pipeline. Experts believe that the steel Nord Stream pipes are 1.6 inches thick, with up to 4.3 inches of concrete wrapped around them [1]. Therefore, it must be blasted with a considerable amount of TNT, in addition to Denmark and Sweden detecting earthquakes equivalent to magnitude 2.3 – not to mention that the pipeline is buried under the sea. Most media speculated that this was not an ordinary accident, but could somehow be a coordinated international act.

The Nord Stream gas pipeline incident has disrupted energy markets and exacerbated security concerns. First, until Russia invaded Ukraine, the Nord Stream pipelines supplied 18% of all Europe’s gas imports in the fourth quarter of 2021[1]. As soon as the news of the pipeline leak came out, the European gas benchmark, the Dutch TTF, jumped more than 10% on September 28, 2022, to approach €210/MWh [2]. Secondly, While the EU has begun to prepare for the possibility of a complete severing of ties with Russia, emergency measures have been rolled out to make up for the shortfall in the critical winter. For example: push for mandatory gas storage requirements in EU member states, gas use reduction plans, and new agreements with alternative suppliers [3]. Nevertheless, the incidents will scupper any remaining expectations that Europe could receive fuel via Nord Stream 1 before winter. Finally, Europe now receives mostly pipeline gas from Norway, Azerbaijan, and Algeria, and liquefied natural gas (LNG) from the US, Norway, and Algeria [4]. Therefore, ensuring the physical and digital safety of critical infrastructure and LNG transportation in Europe has become a top priority.

Governments in northern Europe have already begun to ask significant energy companies to improve security measures. For example, the Danish Energy Agency confirmed in a statement that it had asked Energinet, the company responsible for the overall operation of Denmark’s electricity and gas system, to check the physical security of important buildings and installations [5]. Additionally, Norway’s Equinor, Europe’s largest gas supplier, said it had tightened security measures at its facilities following the alleged sabotage of the Nord Stream pipeline in the Baltic Sea [6].

In the Cyber World, however, the impact is not much different in a digital attack from a physical attack. The Industrial Internet of Things has been widely used in critical infrastructure industries such as oil and natural gas. Although these technologies bring convenience to industries, they are accompanied by derived cybersecurity risks, which affect people’s lives, economic activities, and national security. Once attacked by malicious programs executed by malicious people, it will seriously affect the continuous operation of the infrastructure.

 

Lesson Learned from a Major Pipeline Incident

In May 2021, one of the largest fuel pipeline operators in the United States, referred to here as “a well-known pipeline company”, suffered a ransomware attack by a criminal hacker gang from DarkSide. This caused the company to shut down operations on May 7, 2021. The company in question is responsible for transporting about 45% of the fuel used throughout the East Coast of the United States. The shutdown of operations resulted in an insufficient fuel supply. Many airlines are experiencing fuel shortages, and in many places, people are frantically buying gasoline due to fuel shortages at gas stations and skyrocketing oil prices. This led to the declaration of a state of emergency in the United States on May 9, 2021.

 

1. Darkside Employs RaaS (Ransomware-as-a-service)

DarkSide adopts a ransomware-as-a-service (RaaS) business model, which is different from traditional malware that destroys computer data to make it impossible for victims to access data; Recently, hacker groups have started to triple extortion, including:

(1) destroying the victim’s information and network systems.

(2) holding the information as a hostage, threatening to disclose the company’s sensitive data to the public.

(3) notifying A victim’s partner, shareholder, or supply chain suffers a security breach that forces the victim to pay the ransom.

In addition to advances in hacking technology, the RaaS model is gradually maturing. They assist victims with payment and even provide victims with 24/7 service center assistance to expedite ransom payment, encryption system, or data recovery [7]. In the RaaS model, hackers can buy or rent different attack modules to create a variety of APT attacks, which will make the defense more complicated because each hacker can focus on what they specialize in, constantly improve their attack modules, and build a complete set of attack tools through “integration” while lowering the “barrier to entry” for hackers.

 

2. Darkside Ransomware Attack Analysis

According to US CISA [8] and Trend Micro research [9], Malicious cyber actors deployed DarkSide ransomware against the pipeline company’s information technology (IT) network. The attack method is as follows:

(1) Initial Access: DarkSide participants first gained initial access through phishing. Then take advantage of remotely accessible accounts and systems and virtual desktop infrastructure (VDI).

(2) Persistence: DarkSide uses legitimate tools to evade detection and maintain persistence throughout the attack, such as PowerShell, Metasploit Framework, Mimikatz, BloodHound, and Cobalt Strike.

(3) Lateral movement: DarkSide begins its lateral movement, the goal of which is to gain access to the Domain Controller (DC) or Active Directory.

(4) Privilege Escalation: When they gain access to DC or AD, they started stealing login credentials, escalating privileges, and obtaining other valuable assets to send the stolen data.

(5) Command and Control: DarkSide actors primarily use The Onion Router (TOR) for Command and Control (C2) and use the TOR browser to read ransom payment information pages and personal data breach webpage.

(6) Exfiltration: They moved laterally between systems and eventually deployed DarkSide ransomware via the DC network share to encrypt and steal sensitive data.

(7) Impact: DarkSide actors threaten to release data publicly if the ransom is not paid.

 

How TXOne’s Support Critical Infrastructure Strengthen Digital Security

The critical infrastructure industries need to comply with the regulations of the NIS2 Directive. To achieve this goal, TXOne Networks recommends the following OT zero trust-based solutions to mitigate potential threats that infrastructures may encounter:

 

1. Security Inspection:

Using a USB flash drive, the portable scanning device can scan and clean assets of Malware without needing to install the software. Leveraging the portable security scanning tool allows critical infrastructure companies to detect Malware without altering sophisticated manufacturing equipment and avoid warranty violations. This will help the infrastructure industry to ensure the integrity of the device while complying with the regulations:

(1) Reduce the impact of antivirus software on OT/ICS.

(2) Offline virus and configuration checks can be performed even if the OT/ICS is in an air-gapped environment.

(3) Quickly verify the presence of Malware in the OT/ICS of personnel and suppliers and perform cleanup or quarantine.

(4) Log the OT/ICS information collected for each scan and send it to the central management console for viewing and archiving.

(5) In addition to malware scanning during data transmission, AES-256 hardware encryption is also used to protect files and ensure the data’s integrity.

 

2. Endpoint Protection:

The device software activation phase requires system hardening methods to eliminate or reduce the means of attack entry, including deploying antivirus software, turning off unnecessary software services, disabling high-risk network protocols, restricting user permissions, and managing physical ports (such as USB access), through asset security hardening, technicians can significantly reduce the chances of attackers gaining access to critical systems and preventing malicious programs from running.

 

For example, if an engineering workstation (EWS) is installed with Stellar, it will protect EWS from compromise by blocking the new process outside the baseline because of the exploitation of ICS package vulnerabilities. If EWS is installed with Stellar, the ICS package can be locked in changes, so that exploited vulnerability would not be able to drop files or inject new data into the existing files within the package. Behavior monitoring and abnormal behavior prevention would also block the abnormal use of resident system tools such as PowerShell or script, preventing further lateral movement from the compromised EWS.

 

Another way is to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the folder.AppData/LocalAppData[8].

 

3. Network Defense:

Network Zero Trust can use network isolation, optimized network access control, and better intrusion detection analysis to prevent or prevent a compromised OT/ICS production from evolving into a large-scale disaster. While simplifying monitoring and making it harder for hackers to gather information or move around the OT network, TXOne Networks recommends deploying EdgeIPS or EdgeFire on the OT network:

(1)  Network Segmentation: EdgeIPS or EdgeFire installed inline in protection mode have learned the regular operational traffic, and even if perimeter network control is loose, allowing access to a OT/ICS from the Internet, the EdgeIPS sitting next to the OT/ICS in the production cabinet would block abnormal connection from the Internet and prohibit upload of the compromised OT/ICS configuration file to the attacked OT/ICS.

(2) Network trust listing: Supports in-depth analysis of various industrial control network protocols and L2-L7 network traffic and filters network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL trust lists.

(3) Network service hardening: It supports restricting network access to resources, especially restricting RDP. If the company deems RDP to be operationally necessary, the company may need to restrict the origin and require multi-factor authentication.

(4) Virtual patching technology: This is implemented through a host-based intrusion prevention system, also known as a network IPS. These devices have specially designed network policies for packet filtering. These are designed to defend against attacks that exploit known vulnerabilities without forcing endpoints to perform security updates, which means they can avoid system restarts and production line downtime.

 

4. Complete Visibility in OT Environments:

TXOne Network will centralize information security logs related to OT/ICS devices into a single window for comprehensive situational awareness or archive asset configuration information for managers to analyze and reference, including:

(1) Management Program: The TMPS3 collected asset information can be to the CSV format through the centralized management program as an asset inventory or sent to a SIEM or Rsyslog server for further asset management such as maintaining OT asset inventory or identifying impact levels, known vulnerabilities, and cyber risks.

(2) StellarOne: The StellarOne allows management from a single pane of glass with support for Syslog forwarding, indicators of compromise (IoC) integration, and centralized monitoring.

(3) OT Defense Console: The OT Defense Console (ODC) platform gives comprehensive visibility of the connected, air-gapped, and standalone OT environment using Edge series products. ODC is a centralized management platform for multiple sites for each deployed Edge series product.

 

Conclusion

TXOne Networks is committed to assisting the critical infrastructure industry in enhancing operational resilience and employing EU NIS 2 compliant technologies to harden critical infrastructure systems against cyberattacks and help companies identify threats related to industrial control systems. As the saying goes, “prevention is better than cure.” CISOs of critical infrastructure must learn from the experience of a well-known pipeline company in the United States to re-examine enterprises’ IT and OT protection architecture and build the EU into a multi-faceted resilient society.
 

References

[1] Chris Stokel-Walkerarchive, “Here’s how the Nord Stream gas pipelines could be fixed”, MIT Technology Review, October 3, 2022

[2] Adis Ajdin, “European gas prices soar following damage to Nord Stream pipelines”, Splash, September 28, 2022

[3] Alice Tidey & Sandor Zsiros, “Nord Stream leaks highlight difficulty of protecting critical infrastructure”, euronews, September 29, 2022

[4] Nora Buli, “Norway to deploy military to protect its oil and gas installations”, REUTERS, September 28, 2022

[5] Ritzau “Denmark’s energy infrastructure on alert after Nord Stream gas leakages”, The Local dk ,27 September 2022

[6] Nerijus Adomaitis, Gwladys Fouche, “Norway’s Equinor raises emergency preparedness at installations”, REUTERS, September 28, 2022

[7] CISA Alert, ”2021 Trends Show Increased Globalized Threat of Ransomware”, CISA, February 10, 2022

[8] CISA Alert, “DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks “, CISA, July 08, 2021

[9] Trend Micro Research, “What We Know About the DarkSide Ransomware and the US Pipeline Attack ““, Trend Micro, May 21, 2021

TXOne image
TXOne Networks

Need Assistance with OT Security ?

Our team is here to assist with OT security challenges and provide guidance on implementing effective solutions.​