Cybersecurity | 13 Mar 2025 | 4 min read | mottasec.com

Balkan Refinery's Cybersecurity Vulnerabilities Exposed in Red Team Assessment

A recent Red Team assessment of a Balkan oil refinery revealed severe flaws in its industrial control systems (ICS) that could have led to a disaster. The findings highlight the urgent need for improved cybersecurity measures in critical infrastructure.

Key Takeaways

  • "The PLC was accessible due to a misconfigured remote access rule." Further examination revealed that this controller was operating with outdated firmware, combined with the vendor's default credentials.
  • "By exploiting the PLC's firmware vulnerability, we gained access to the controller, which offered us entry into a broader network of critical operations," said the Red Team leader, emphasizing the precarious position of the refinery's cybersecurity.
  • Moving through the compromised network, the team encountered poorly segmented networks that facilitated further infiltration.

In an era where the threats to industrial control systems (ICS) are increasingly sinister, a Red Team assessment has revealed critical vulnerabilities at a Balkan oil refinery. This incident lays bare the gravity of cybersecurity shortcomings that could lead to catastrophic events, as seen with prior cyber incidents such as the Triton malware attack and the Ukraine power grid cyberattack.

According to the assessment, the root of the issue lay in a compromised Programmable Logic Controller (PLC), which our team identified as an entry point into the refinery's process network. "The PLC was accessible due to a misconfigured remote access rule," said a cybersecurity expert involved in the operation.

Further examination revealed that this controller was operating with outdated firmware, combined with the vendor's default credentials. These weaknesses made the breach straightforward: the team exploited the known vulnerability and established the PLC as a foothold into the ICS environment.

A further alarming finding was that the refinery's internal communications lacked both encryption and authentication. "By exploiting the PLC's firmware vulnerability, we gained access to the controller, which offered us entry into a broader network of critical operations," said the Red Team leader, emphasizing the precarious position of the refinery's cybersecurity.

Moving through the compromised environment, the team found poorly segmented networks that eased further infiltration. Using their initial access, the team intercepted network traffic and harvested the credentials of an engineer logged into a Human-Machine Interface (HMI) station. Notably, these credentials were transmitted in plaintext, underscoring a serious lapse in security.

With the acquired HMI credentials, the team accessed the Level 2 operator station, which permitted them to view and issue control commands for the refinery's operations. "The HMI itself was an outdated Windows workstation without modern endpoint protection, allowing us to establish persistence in the system," noted one analyst.

The attack chain escalated further because the HMI was connected to both the Level 2 network and the Level 3 operations network, a dual-homed configuration that cybersecurity professionals regard as dangerous. Through this route, the team uncovered Active Directory credentials for an engineer with domain admin privileges. "This indicated overly permissive access policies within the ICS domain," a source affirmed.

Upon accessing the engineering workstation, the team found numerous unprotected project files, as well as control logic backups that included hardcoded passwords across various devices. "The same password was reused across multiple devices, making it simple to gain access to safety PLCs responsible for emergency shutdowns," the assessment lead explained, painting a disconcerting picture of systemic vulnerabilities.
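The reused, hardcoded passwords found in project files and control logic backups are the kind of finding a refinery can surface itself before an assessor does. The following Python script is an added example, not code from the article or from the assessing team: it scans a constructed set of exported device backups (the file names, key=value format, device roles and secrets are all constructed, and the default-credential list is a placeholder standing in for the vendor's documented defaults) for passwords shared across devices, passwords matching known defaults, and safety devices that share a secret with non-safety devices. Secrets are reported only by a truncated hash so the audit output does not itself become a credential store.

```python
"""Credential hygiene audit over exported device backups (added example, constructed data)."""
import hashlib
import re
from collections import defaultdict

# Constructed sample backups: key=value exports with a role line per device.
SAMPLE_BACKUPS = {
    "plc-01.cfg": "name=PLC-01\nrole=process\nusername=admin\npassword=Summer2019!\n",
    "plc-02.cfg": "name=PLC-02\nrole=process\nusername=admin\npassword=Summer2019!\n",
    "safety-plc-01.cfg": "name=SIS-01\nrole=safety\nusername=engineer\npassword=Summer2019!\n",
    "hmi-01.ini": "[auth]\nrole=supervisory\nuser=operator\npassword=operator\n",
}

# Placeholder list standing in for the vendor's documented default passwords.
KNOWN_DEFAULTS = {"operator", "admin", "password"}

CRED_RE = re.compile(r"^\s*(?:password|passwd|pwd)\s*=\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)
ROLE_RE = re.compile(r"^\s*role\s*=\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def fingerprint(secret: str) -> str:
    """Report secrets by a truncated SHA-256 so the audit output never contains them."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def extract_credentials(backups):
    """Return {file: {"role": role, "passwords": [...]}} from key=value style exports."""
    creds = {}
    for fname, text in backups.items():
        role = ROLE_RE.search(text)
        creds[fname] = {
            "role": role.group(1).lower() if role else "unknown",
            "passwords": CRED_RE.findall(text),
        }
    return creds


def find_reuse(backups):
    """Map fingerprint -> sorted files for every password that appears in more than one file."""
    files_by_secret = defaultdict(set)
    for fname, info in extract_credentials(backups).items():
        for pw in info["passwords"]:
            files_by_secret[pw].add(fname)
    return {fingerprint(pw): sorted(files) for pw, files in files_by_secret.items() if len(files) > 1}


def find_defaults(backups):
    """Sorted files whose password matches an entry in KNOWN_DEFAULTS."""
    return sorted(
        fname for fname, info in extract_credentials(backups).items()
        if any(pw in KNOWN_DEFAULTS for pw in info["passwords"])
    )


def safety_exposure(backups):
    """Sorted safety-role files that share a password with any non-safety device."""
    creds = extract_credentials(backups)
    non_safety_secrets = {
        pw for info in creds.values() if info["role"] != "safety" for pw in info["passwords"]
    }
    return sorted(
        fname for fname, info in creds.items()
        if info["role"] == "safety" and any(pw in non_safety_secrets for pw in info["passwords"])
    )


if __name__ == "__main__":
    for fp, files in find_reuse(SAMPLE_BACKUPS).items():
        print(f"[REUSE] secret {fp} shared by {files}")
    for fname in find_defaults(SAMPLE_BACKUPS):
        print(f"[DEFAULT] {fname} still uses a known default password")
    for fname in safety_exposure(SAMPLE_BACKUPS):
        print(f"[SAFETY] {fname} shares a password with a non-safety device")
```

Run the audit against a directory of exported backups by replacing `SAMPLE_BACKUPS` with a mapping of file names to file contents; the key patterns in `CRED_RE` and `ROLE_RE` need adjusting to whatever export format the real devices produce.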

The investigation turned critical as the team explored the interconnections with the corporate IT network, revealing a troubling lack of separation. "The historian server in Level 3 had a second network interface connected to the corporate network for reporting purposes, but it was not properly firewalled," they said. This realization extended the reach of the attack into the corporate domain, exacerbating the potential for disaster.
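The misconfigured remote access rule into the PLC and the unfirewalled second interface on the historian are both segmentation failures that a policy audit can catch before an assessment does. The following Python script is an added example, not code from the article or from the assessing team: it classifies a constructed firewall rule list and host interface inventory into Purdue zones (the subnets, zone names, rule names, ports and host names are all constructed) and flags every permit that crosses a boundary the model does not allow, as well as every host whose interfaces sit in more than one zone, which is what a dual-homed historian or HMI looks like on paper.

```python
"""Purdue-zone segmentation audit over a flat rule list (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zone map: (zone name, subnet). Classification picks the most
# specific matching prefix, so the 0.0.0.0/0 catch-all only wins by default.
ZONES = [
    ("level1_control", ip_network("10.10.0.0/24")),
    ("level2_supervisory", ip_network("10.20.0.0/24")),
    ("level3_ops", ip_network("10.30.0.0/24")),
    ("dmz", ip_network("10.40.0.0/24")),
    ("corporate", ip_network("10.0.0.0/16")),
    ("internet", ip_network("0.0.0.0/0")),
]

# Source -> destination crossings the model permits; anything else must go through the DMZ.
ALLOWED_CROSSINGS = {
    ("level2_supervisory", "level1_control"),
    ("level3_ops", "level2_supervisory"),
    ("dmz", "level3_ops"),
    ("corporate", "dmz"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "permit" or "deny"
    src: str     # CIDR or single address
    dst: str
    port: int


def zone_of(cidr: str) -> str:
    """Return the most specific zone that wholly contains the given address or subnet."""
    net = ip_network(cidr, strict=False)
    for name, zone in sorted(ZONES, key=lambda z: z[1].prefixlen, reverse=True):
        if net.subnet_of(zone):
            return name
    return "unknown"


def audit_rules(rules):
    """Return (rule name, src zone, dst zone) for every permit crossing a disallowed boundary."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        if s != d and (s, d) not in ALLOWED_CROSSINGS:
            findings.append((r.name, s, d))
    return findings


def audit_hosts(hosts):
    """Return {host: sorted zones} for hosts whose interfaces span more than one zone."""
    dual_homed = {}
    for host, addrs in hosts.items():
        zones = sorted({zone_of(a) for a in addrs})
        if len(zones) > 1:
            dual_homed[host] = zones
    return dual_homed


# Constructed sample policy mirroring the article's findings.
SAMPLE_RULES = [
    Rule("vendor-remote-to-plc", "permit", "0.0.0.0/0", "10.10.0.5", 44818),  # the misconfigured remote access rule
    Rule("scada-to-plc", "permit", "10.20.0.0/24", "10.10.0.0/24", 44818),
    Rule("corp-reporting-to-historian", "permit", "10.0.0.0/16", "10.30.0.10", 1433),
    Rule("ops-to-scada", "permit", "10.30.0.0/24", "10.20.0.0/24", 3389),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", 0),
]
SAMPLE_HOSTS = {
    "historian-01": ["10.30.0.10", "10.0.5.10"],  # second NIC on the corporate network
    "hmi-02": ["10.20.0.15", "10.30.0.15"],       # bridges Level 2 and Level 3
    "plc-05": ["10.10.0.5"],
}

if __name__ == "__main__":
    for name, s, d in audit_rules(SAMPLE_RULES):
        print(f"[RULE] {name}: permit {s} -> {d} crosses a disallowed boundary")
    for host, zones in audit_hosts(SAMPLE_HOSTS).items():
        print(f"[HOST] {host}: interfaces in {zones} bypass the zone firewall")
```

The host check is deliberately strict: any host with interfaces in two zones is flagged, because a dual-homed machine bypasses whatever firewall sits between those zones regardless of how tidy the rule list looks. Reporting paths that genuinely need corporate access should terminate in the DMZ zone rather than on the Level 3 host itself.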

Team Dynamics

Throughout their lateral movement within the networks, the team employed tactics to avoid detection by existing defense measures. "We utilized built-in Windows tools and tunneled communications through allowed protocols, ensuring we weren't triggering any antivirus alerts," they noted, showcasing their ability to bypass security layers effortlessly.

The findings from this case study underline the perilous state of cybersecurity among oil and gas companies, particularly in regions with insufficient investment in technology and practices. As emphasized in the initial commentary, "These vulnerabilities highlight the urgent need for increased vigilance and proactive measures to fortify critical infrastructure against evolving cyber threats."

As oil and gas companies face the shifting landscape of cyber threats, the necessity for robust infrastructure protection becomes paramount. The revelations from this assessment serve as a clarion call for increased investments and updates to cybersecurity protocols across the industry, ensuring that facilities remain resilient against sophisticated attacks.