The LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity) program has completed Project 12 testing for safety instrumentation and management assets. The project was carried out to review and study cybersecurity issues in industrial control systems (ICS) that impact safety and business performance related to the oil and gas (O&G) sector.
The project sought to detect vulnerabilities in safety instruments used within the safety system architectures typically found in the O&G sector, according to the project report. It also set out to make recommendations for security design alternatives and configurations that can mitigate the exploitation of found vulnerabilities.
Project 12 testing is a follow-on to Project 11, which focused on safety controllers, engineering workstations (EWSs), and human-machine interface (HMI) components within various vendors’ safety system offerings. The project sought to assess whether different safety system configurations carry inherent risks, rather than to uncover specific vulnerabilities in specific vendor products.
These instrumentation devices include items such as fire and gas detectors, pressure transmitters, solenoids and valve positioners. They typically communicate with distributed control systems (DCS) and safety instrumented systems (SIS) using the Highway Addressable Remote Transducer (HART) protocol, a non-IP protocol that carries digital commands and responses on the same 4-20 mA analog loop that carries the process signal.
The LOGIIC program tested four instances of each reference architecture using a representative set of vendor products in the various categories, including safety instrumented systems (SISs), instrument management systems (IMSs) or asset management system (AMSs), transmitters, fire detectors, gas detectors, and smart valve positioners, the report said.
The LOGIIC program is an ongoing collaboration of the U.S. Department of Homeland Security, Science and Technology (S&T) Directorate with oil and natural gas companies. It takes up collaborative research and development projects to improve the level of cybersecurity in critical systems of interest to the oil and natural gas sector. The program aims to promote the interests of the sector, while maintaining impartiality, independence of the participants, and vendor neutrality.
Current members of LOGIIC include BP, Chevron, ConocoPhillips, Shell, Total, and other oil and gas companies that operate significant global energy infrastructure.
Project 12 testing focused on data flow, stability, connectivity, security controls, and architectural and configuration vulnerabilities, the project report said. It sought to learn how attackers, using the IMS/AMS platform as an attack launch point, could modify device configurations to create unsafe conditions. Alternate platforms were out of scope for the assessments, with one exception: determining whether IMS/AMS-to-SIS communications could be hijacked from a network-connected device, it added.
The IMS/AMS communicates with field devices using the HART protocol and Ethernet communications. Attacks based on physical access to instruments during the architecture assessment were out of scope. However, the detailed instrument assessment was conducted with physical access.
A representative set of vendor products included SISs, IMSs or AMSs, transmitters, fire detectors, gas detectors, and smart valve positioners. A single representative HART multiplexer (MUX) was used. Supply chain attacks were in scope; all other products were out of scope for this project. In this architecture the HART MUX sits between the field loops and the IMS/AMS: it connects to many 4-20 mA/HART loops and relays HART commands and responses between the management platform and the selected instrument over a single serial (typically RS-485) or Ethernet link, so it is the path through which an IMS/AMS-launched attack reaches the devices.
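HART carries no authentication, so any master that can reach a loop through the MUX can issue the same configuration commands the IMS/AMS uses; the compensating detective control is to decode the traffic on the MUX link and flag write commands that a master should not normally be sending during operation. The following decoder is an added example, not code from the LOGIIC report or from Dragos. It follows the published HART data-link frame layout (0xFF preamble bytes, delimiter, a 1-byte polling or 5-byte unique address, optional expansion bytes, command, byte count, data, XOR checksum); the write-command list is an illustrative subset of the HART Universal and Common Practice commands, and the sample frames are constructed, not captured from any device.

```python
"""Decode HART frames seen on a MUX or IMS/AMS serial link and flag configuration writes.

Added example, not code from the LOGIIC report or from Dragos. Frame layout follows the
published HART data-link format; the frames below are constructed for the demonstration.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List

# Universal and Common Practice commands that change device behaviour or configuration.
# Illustrative subset; a real allowlist would cover the full command set plus the
# device-specific commands each vendor's DTM exposes.
WRITE_COMMANDS: Dict[int, str] = {
    6: "Write Polling Address",
    17: "Write Message",
    18: "Write Tag, Descriptor, Date",
    35: "Write Primary Variable Range Values",
    40: "Enter/Exit Fixed Current Mode",
    42: "Perform Device Reset",
}

# Low three bits of the delimiter byte give the frame type.
FRAME_TYPES = {0b001: "BURST", 0b010: "STX", 0b110: "ACK"}


@dataclass
class HartFrame:
    frame_type: str      # STX (master request), ACK (device response) or BURST
    long_address: bool   # False: 1-byte polling address, True: 5-byte unique address
    address: bytes
    command: int
    data: bytes
    checksum_ok: bool

    @property
    def polling_address(self) -> int:
        # Short form only: low bits hold the polling address (0-63 in HART 6 and later).
        return self.address[0] & 0x3F


def parse_hart_frame(raw: bytes) -> HartFrame:
    """Parse one frame. Raises ValueError on structural problems; a bad checksum is
    reported in the result so the caller can still see what was attempted."""
    i = 0
    while i < len(raw) and raw[i] == 0xFF:   # strip the preamble
        i += 1
    if i == 0 or i >= len(raw):
        raise ValueError("missing preamble or empty frame")
    body = raw[i:]
    delimiter = body[0]
    long_address = bool(delimiter & 0x80)
    n_expansion = (delimiter >> 5) & 0x03
    frame_type = FRAME_TYPES.get(delimiter & 0x07, "UNKNOWN")
    pos = 1
    addr_len = 5 if long_address else 1
    if len(body) < pos + addr_len + n_expansion + 2:   # address, expansion, cmd, count
        raise ValueError("truncated header")
    address = body[pos:pos + addr_len]
    pos += addr_len + n_expansion          # expansion bytes are skipped, not interpreted
    command = body[pos]
    byte_count = body[pos + 1]
    pos += 2
    if len(body) < pos + byte_count + 1:
        raise ValueError("truncated data or missing checksum")
    data = body[pos:pos + byte_count]
    pos += byte_count
    calc = 0
    for b in body[:pos]:                   # XOR from delimiter through last data byte
        calc ^= b
    return HartFrame(frame_type, long_address, address, command, data, body[pos] == calc)


def audit_frames(frames: List[bytes]) -> List[str]:
    """One alert per suspicious frame: malformed, bad checksum, or a master request
    carrying a configuration-changing command."""
    alerts = []
    for idx, raw in enumerate(frames):
        try:
            f = parse_hart_frame(raw)
        except ValueError as exc:
            alerts.append(f"frame {idx}: malformed ({exc})")
            continue
        if not f.checksum_ok:
            alerts.append(f"frame {idx}: checksum mismatch")
        if f.frame_type == "STX" and f.command in WRITE_COMMANDS:
            alerts.append(f"frame {idx}: master write cmd {f.command} "
                          f"({WRITE_COMMANDS[f.command]}) to addr {f.address.hex()}")
    return alerts


def fixed_current_ma(frame: HartFrame) -> float:
    """Decode the requested loop current (IEEE-754 float, mA) from a command 40 payload."""
    return struct.unpack(">f", frame.data[:4])[0]


# Constructed frames (not captured traffic).
# Primary master -> polling address 0, cmd 40, data = 4.0 mA: forces the loop to a fixed
# value, which is the kind of signal manipulation that can mask a real process excursion.
FIXED_CURRENT_REQUEST = bytes.fromhex("ffffffffff 02 80 28 04 40800000 6e")
# Primary master -> 5-byte unique address (first byte carries the primary-master bit),
# cmd 1 (Read Primary Variable), no data.
READ_PV_REQUEST = bytes.fromhex("ffffffffff 82 8026010203 01 00 25")
# The same read request with its checksum byte corrupted in transit.
CORRUPT_READ_REQUEST = READ_PV_REQUEST[:-1] + b"\x00"

if __name__ == "__main__":
    for line in audit_frames([FIXED_CURRENT_REQUEST, READ_PV_REQUEST, CORRUPT_READ_REQUEST]):
        print(line)
```

Run stand-alone it flags the fixed-current request and the corrupted frame and stays silent on the ordinary read. A monitor like this only sees traffic that passes the tap point; it does not stop the write, so it belongs alongside the preventive control most HART instruments offer, a hardware write-protect switch on the device itself.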
Project 12 testing also revealed numerous consequential and recurring exploitable weaknesses across individual assessments that indicate a systemic and pervasive industry-wide problem.
Industrial cybersecurity firm Dragos worked with LOGIIC to examine how physical sensors can be manipulated and abused in real-world facility environments.
“We’ve found situations where it is possible to disable sensors, to manipulate sensor signals to prevent safety activation, and even to lock legitimate operators out of devices,” Dragos said in a blog post. “But these discoveries are just the start—the goal is not to scare the industry but to help it get better at securing these sensors and mitigating existing gaps.”
The LOGIIC report concludes that safety systems are vulnerable to “malicious attacks and that extreme caution should be taken before introducing any software or hardware, including device type managers (DTMs), which could introduce malware into the process control network (PCN). Safety system owners should immediately verify the pedigree and integrity of all DTMs currently in use. We cannot sufficiently emphasize the severity of this vulnerability to end-users.”
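One concrete way to act on the report's recommendation to verify the integrity of every DTM in use is to baseline the DTM install directory on each engineering workstation and re-verify it on a schedule. The script below is an added example, not from the LOGIIC report: it hashes every file under a directory into a manifest, seals the manifest with an HMAC keyed from outside the workstation so the baseline itself cannot be quietly edited, and reports modified, added and missing files on re-verification. The directory tree, file contents and key are constructed for the demonstration.

```python
"""Baseline-and-verify integrity check for DTM files on an engineering workstation.

Added example; not code from the LOGIIC report. The directory tree, file contents and
key below are constructed for the demonstration.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's root-relative POSIX path to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest: Dict[str, str], key: bytes) -> bytes:
    """Serialize deterministically and append an HMAC-SHA256 tag. The key lives off the
    workstation, so altering both the files and the baseline needs the offline key."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def open_manifest(sealed: bytes, key: bytes) -> Dict[str, str]:
    """Check the HMAC before trusting any digest in the baseline."""
    body, _, tag = sealed.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("manifest HMAC mismatch: baseline has been altered")
    return json.loads(body)


def verify_tree(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the directory against the baseline; any non-empty list is a finding."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo(key: bytes = b"example-offline-key") -> Dict[str, List[str]]:
    """Build a constructed DTM directory, baseline it, tamper with it, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        vendor = root / "VendorA"                     # constructed vendor folder
        vendor.mkdir()
        (vendor / "PressureTx.dll").write_bytes(b"constructed DTM binary v1")
        (vendor / "PressureTx.xml").write_bytes(b"<dtm version='1'/>")
        sealed = seal_manifest(build_manifest(root), key)
        # Simulated changes after the baseline: a patched binary, a dropped file,
        # and a removed descriptor.
        (vendor / "PressureTx.dll").write_bytes(b"constructed DTM binary v1 + patch")
        (vendor / "Unknown.dll").write_bytes(b"dropped alongside the DTM")
        (vendor / "PressureTx.xml").unlink()
        return verify_tree(root, open_manifest(sealed, key))


def sealed_manifest_detects_edit(key: bytes = b"example-offline-key") -> bool:
    """True if changing one digest inside a sealed manifest is rejected."""
    sealed = seal_manifest({"VendorA/PressureTx.dll": "00" * 32}, key)
    tampered = sealed.replace(b"00" * 32, b"11" * 32, 1)
    try:
        open_manifest(tampered, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("sealed manifest rejects edits:", sealed_manifest_detects_edit())
```

This covers the integrity half of the recommendation. Pedigree is a separate check: the digests in the baseline should be compared with the vendor's published hashes, and on Windows the DTM binaries' Authenticode signatures should be validated against the vendor's certificate, neither of which this script does.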
Last month, researchers from DeNexus identified three campaigns in the wild using the same or closely matching spear-phishing email templates. The campaigns were first spotted during investigations of targeted attacks on the oil and gas supply chain in the Middle East.