Information technology-based cyberattacks are being used to disrupt oil and gas companies or hold them to ransom, while subversion of legitimate software allows criminals to steal from them and defraud them, says global cybersecurity firm Kaspersky Lab Critical Infrastructure Protection business development head Andrey Suvorov.

Cyberthreats have risen to become one of the top three risks to industrial companies. A disruption at an oil and gas production site caused by a cyberattack can cost hundreds of thousands of dollars a day and can last for several days before operations are restored.

Two key cyberthreats are the subversion of industrial systems to defraud companies and hacking industrial control systems (ICS) to gain undetected control over industrial equipment.

Industrial fraud involves a criminal group, often including company insiders, well-versed in technological processes, that realise they can make adjustments to technical information and use it for financial gain.

For example, it is possible to change the density information of a shipped product and end up with a substantial surplus that the fraudsters can then dispose of at their own discretion. It is almost impossible to track this sort of interference using conventional business applications. There have been two verified reports of how vulnerabilities in infrastructure were used to steal light-oil products in the past year, he explains.

Meanwhile, industrial cyberattacks are targeted computer attacks performed without any physical interference.

“In the past six months alone, we have detected more than 80 zero-day vulnerabilities in industrial equipment. Each of these vulnerabilities could lead to control over the equipment being seized while company management and the head of the ICS would not be aware.”

Intruders can gain control over all the equipment, while the attacks are invisible to ordinary controllers. In one of Kaspersky Labs’ projects, it demonstrated how attackers could gain access to a vacuum gas oil unloading system within 14 hours – the time depends on the expertise of the ‘hackers’ – and how the intrusion would go unnoticed.

Another example was an attack on a Middle Eastern national oil company in 2014. About 2 000 computers responsible for the company’s operations were infected and, as a result, the company could not ship its products for two weeks.

To combat cyberthreats, companies must organise training for employees. Engineers may know all the nuances of production automation, but often they do not know enough about cybersecurity of ICS.

Monitoring abnormal activity in production processes and equipment should follow. Today, there are practically no isolated ICSes, and any connection can be an opening which the attackers will use to penetrate a corporate network.

Any cyber incident can interrupt production processes, because it is a cyber-physical system; the computing resources are integrated into the technological processes and come into contact with physical assets, concludes Suvorov.