Abou Saleh ... cybersecurity is crucial

Cyberattacks in oil and gas can shut down entire countries, cause explosions, and even environmental impact via oil spills or leaks, Emile Abou Saleh of Proofpoint tells OGN


Proofpoint, a leading cyber security and compliance company, released research identifying only 25 (50 per cent) of the top 50 oil and gas companies in the Middle East to have a Domain-based Message Authentication, Reporting and Conformance (DMARC) record in place, meaning that half of them are leaving customers at heightened risk of email fraud.

The lack of a DMARC record makes companies potentially more susceptible to cybercriminals spoofing their identity and increasing the risk of email fraud targeting their customers.

In an exclusive interview, Emile Abou Saleh, Regional Director, Middle East and Africa for Proofpoint, tells Abdulaziz Khattak of OGN the implications of this:

How important is cybersecurity for the oil and gas sector?

Since oil and gas is one of the most critical sectors for economies, it also becomes a valuable target for threat actors seeking to exploit Industrial Control Systems (ICS) vulnerabilities. Additionally, as the sector witnesses increased adoption of digital technologies and more organisations embrace digital transformation, they are also becoming more prone to cyberattacks. Therefore, it is crucial to ensure that security efforts are integrated into every facet of an oil and gas organisation’s operations.

Can you share an incident where lack of security posed a serious threat to a facility?

In February 2020, a US natural gas compression facility was the target of a ransomware attack, which shut down operations for two days. A spear-phishing technique was used by the attackers to gain access to the facility’s information technology (IT) network and then pivoted to the operational technology (OT) network. From there, attackers planted what the agency called ‘commodity ransomware’ within both networks that encrypted data throughout the facility. The utilities sector has long been targeted, and in 2019, Proofpoint identified FlowCloud malware, which similarly to LookBack, gives attackers complete control over a compromised system. Its remote access trojan (RAT) functionality includes the ability to access installed applications, the keyboard, mouse, screen, files, services, and processes with the ability to exfiltrate information via command and control. Lately, Proofpoint determined that both LookBack and FlowCloud malware can be attributed to a single threat actor named TA410, which is known by the use of shared attachment macros, malware installation techniques, and overlapping delivery infrastructure.

What is the level of security preparedness of oil and gas companies in the region?

The region is maturing their cybersecurity skills and while we see better levels of awareness overall. Our latest research shows that only half of the top 50 oil and gas companies with operations in the Middle East have a DMARC record in place. The lack of DMARC may make those organisations more prone to fall victim to cybercriminal activity such as identity spoofing or email fraud targeting their customers.

Can you elaborate on DMARC, its importance, and on the ‘reject’ element?

DMARC is an open email authentication protocol that provides domain-level protection of the email channel. It prevents email spoofing techniques used in phishing, business email compromise (BEC) and other email-based attacks. For a message to pass DMARC authentication, it must pass Sender Policy Framework (SPF) authentication and SPF alignment and/or pass DomainKeys Identified Mail (DKIM) authentication and DKIM alignment. If a message fails DMARC, senders can instruct receivers on what to do with that message via a DMARC policy. There are three policies the domain owner can enforce: none (the message is delivered to the recipient and the DMARC report is sent to the domain owner); quarantine (the message is moved to a quarantine folder); and reject (the message is not delivered at all).

Once the domain owner is confident they have identified all legitimate senders and have fixed authentication issues, they can move to a policy of ‘reject’ and block phishing, business email compromise, and other email fraud attacks. As an email receiver, an organisation can ensure that its secure email gateway enforces the DMARC policy implemented to the domain owner. This will protect employees against inbound email threats.

Where are the gaps with respect to cybersecurity in the oil and gas sector?

According to the global joint study conducted by Ponemon Institute and Siemens Energy on global utilities organisations, 64 per cent of the respondents said sophisticated attacks are a top challenge and 54 per cent of those surveyed expected an attack on critical infrastructure in the next 12 months. Additionally, one quarter of the respondents reported being impacted by mega-attacks with expertise developed by nation-state actors. The same study also revealed a lack of preparedness, as only 42 per cent of respondents rated their cyber-readiness as high. Some of the gaps are related to a few challenges such as the fact that OT is at higher risk than IT, and cyber risks, particularly those impacting the supply chain, are usually more difficult to address.

What kind of security do you recommend for the oil and gas sector?

Firstly, energy companies need to ensure that the communication methods they use are secure. We recommend implementing robust email defences and inbound threat blocking capabilities (including deploying DMARC email authentication protocols).

Furthermore, in multi-vendor and multi-application IoT networks, as within the oil and gas sector, decentralisation allows smart devices, controllers, and applications to cooperate securely.

Lastly, similarly to any other organisation, oil and gas companies need to guarantee employee awareness as a crucial frontline defence to fostering a strong understanding of cybersecurity best practices. In order to achieve that companies need to put in place ongoing trainings that fit their industry’s structure to foster the detection and response capabilities, including through proactive contingency planning and prioritisation for recovery.

Who pose the greatest threats to oil and gas facilities: Is it state-backed elements, non-state actors, or both?

Against a backdrop of escalating geopolitical and geo-economic tensions, one of the biggest threats nations face today is from state-sponsored cyber warfare as they can infiltrate the critical infrastructure of countries around the world. However, nowadays non-state actors have more technical ability, motivation, and financial resources than ever before to carry out disruptive attacks on a country’s critical infrastructure. This is particularly serious as any attack on critical infrastructure in one sector may lead to disruption in other sectors as well.

The threat landscape for utilities has expanded to include more threats from more actors. Nation-state actors and other sophisticated players have demonstrated greater willingness to target infrastructure providers as part of their broader campaigns.

What benefit can hackers make with the data stolen from oil and gas companies?

The risks of cyberattacks on the oil and gas space can have large scale and serious impact even nation-wide as attacks are capable of shutting down entire countries, causing seriously damaging explosions, or even creating long-term environmental impact via oil spills or leaks. And while nation-state actors can cause security and economic dislocation, another type of attack can be related to the electric-power and gas sector’s unique interdependencies between physical and cyber infrastructure. This can make companies vulnerable to exploitation, including billing fraud with wireless ‘smart meters’, the commandeering of OT systems to stop multiple wind turbines, and even physical destruction.

What are the top cybersecurity threats oil and gas firms need to watch out for?

Phishing is one of the most common attacks that exploit the lack of end user awareness. There is also theft of data and information where the attackers usually conduct a wide distributed denial of service (DDoS) attack on the systems of the companies, they deface their websites, or steal and expose confidential data.

Another common threat is cyber espionage, which involves the theft of classified or sensitive data or intellectual property to gain advantage over a company or even a government.

Lastly, another key threat impacting oil and gas companies, and all sectors globally, is social engineering that uses employees as the weakest security link. They rely on human interaction to trick the users into breaking security procedures in order to get sensitive data. This is where training is crucial for employees to be able to identify suspicious acts and protect their organisation from a cyberattack.