You end up paying for petrol with not just cash but sensitive data: here is what industrial infrastructures must do ASAP.
Industrial Control Systems (ICS) demand specific approaches to cybersecurity due to their complex structure, connected devices with different capabilities, software and operating systems, and critical functions. And this is not just a theory.
Something as common as a petrol station has all the attributes of an ICS, such as connected equipment including pumps and tanks; controllers; a management system; a payment system; as well as connection to the corporate network, third-party service systems, and the internet.
Just like any industrial facility, the station has cybersecurity issues that firms should consider, to avoid disruptions that may affect the business, its employees, and the general public. This happened recently when petrol stations in Iran were shut down because of a targeted attack.
Where are the problems?
Through our research, we managed to classify what could go wrong in a petrol station or any ICS infrastructure, comprising potential operational technology (OT) and IT security issues.
- Potential remote access from external networks: Many industrial systems today are connected to public services through the internet, these include cloud banking systems or specialized fleet management systems. Remote access to the fuel station allows further malicious actions inside the network. In one Kaspersky customer incident, the suppliers and service firms that had access to some parts of the firm’s infrastructure were compromised, leading to loss of sensitive data.
- Network and device issues: These may potentially lead to the disruption of infrastructure services or direct financial impact. Attacks can come from remote networks or via connection to onsite wireless networks or wired network ports.
If the network is not segmented, the attack can spread from entry points such as secondary equipment in a shop and office workstations, to critical components such as the fuel management controls in a petrol station.
The use of unencrypted protocols (HTTP, CDP, FTP, Telnet, etc.) in the petrol station network may allow adversaries to disclose sensitive information for further attack development. - Endpoint vulnerabilities or security flaws: Cybercriminalscan exploit compromised POS terminals, network equipment, as well as corporate endpoints and applications to gain entry to the infrastructure.
In 2015, 5,800 automatic tank gauges (ATGs) were found to be exposed to unauthorized access from the internet because of a lack of password protection on a serial port. Figures from 2015 also suggested that at the time, most ATG systems were in petrol stations in the US and represented 3% of those used in the country. By compromising such critical systems as automatic tank gauges, criminals can unlock options for fraud or even physical damage.
Other vulnerable endpoints include all workstations used on the forecourt such as POS terminals; back-office systems; fuel controllers or payment terminals. They must be continually secured, down to their software configuration and even access to on-board USB ports.
For example, a lack of encryption or incompliancy to the PCI DSS standard in a payment system can contribute to the risk of an attack. For a fuel controller, it is also important to check industrial protocols. Lack of source authentication or integrity control may give adversaries, (performing a man-in-the-middle attack) the opportunity to intercept data and manipulate station controllers.
Finally, insecure industrial protocols and vulnerabilities in wireless gateways and reader units can be exploited for jamming and spoofing attacks.
Patching up the cyber gaps
The four following security measures should help increase the cybersecurity of the overall level of operational technology infrastructure. It is applicable to fuel stations, but is no less relevant to any industrial network.
- Purpose-based network segmentation enhances overall security and minimizes the surface of possible attack. The segment of the network that has access to untrusted parts (such as corporate IT) should also be separated and protected with appropriate enterprise-grade protection software.
- Passive OT network monitoring is essential for asset and communication inventory and detection of intrusions before they affect the technological process. Monitoring data also helps IT security teams to analyze events and consider hardening measures.
- Restricting physical and logical access to the automation and control system will help the organization to circumvent third-party incidents.
- Implementing specialized industrial-grade security software for OT hosts and servers ensures that the software is approved by the automation vendor and is compatible with its solutions. This should help to avoid a situation where the protection product affects operation functions.
- Implementing centralized security event collection and protection software policy management that facilitates vulnerability and patch management is important. If the system can be integrated with Security Information and Event Management, that would be a ‘nice to have’ option. Real-time continuous monitoring and endpoint data collection with rules-based response and analysis capabilities will help to further improve protection from advanced attacks.
Finally, long-term measures to improve the overall cybersecurity posture are fundamental to a perennial cybersecurity posture. This means adhering to industry standards for information security controls such as IEC 62443, NIST, NERC CIP, and so on. The organization should also conduct penetration testing or security analyses regularly to identify vulnerabilities and information security problems. And then, of course, all recommended measures must be administered properly.
