ERP Holes Add Risk to Oil, Gas Firms

Friday, November 13, 2015 @ 05:11 PM gHale

One vulnerability in an ERP suite used inside oil and gas companies can escalate to the point where attackers could gain access to an entire infrastructure.

ERP systems from SAP and Oracle, advertised as complete management solutions and deployed in numerous oil and gas refineries around the globe, came under attack during a talk at the Black Hat Europe 2015 security conference in Amsterdam by Alexander Polyakov and Mathieu Geli from ERPScan, according to a report in Softpedia.

Bridging IT and OT
IT Getting an OT Education
Blackhat: Hacking a Chemical Plant
Blackhat: Recovering from Shamoon

The talk technically separated IT (Information Technology) from OT (Operation Technology) but also showed how intertwined the two were inside a typical oil and gas company.

The researchers said one or few vulnerabilities in the IT solutions deployed inside these companies can provide attackers with crucial access to OT infrastructure.

“For example, if you have some plant devices which collect data about oil volumes, you should somehow transfer this data to the corporate network to demonstrate it on nice dashboards managers to develop a long-term financial strategy and take decisions,” Alexander Polyakov, ERPScan CTO, said in the report.

“That’s why even if you have a firewall between IT and OT, there are some applications which are still connected, and these connections are often insecure. So, it is possible to conduct such attack and jump from IT network (or even the Internet) into OT network up to SCADA systems, OPC servers, field devices, and smart meters.”

The two researchers named ERP systems, Enterprise Asset Management Systems, Manufacturing Integration Systems, Project Portfolio Planning Systems, and Laboratory Information Management Systems as the main sources of security vulnerabilities.

Pointing fingers, they also mention software solutions like SAP xMII system, SAP Plant Connect, SAP HANA, Oracle E-Business Suite platform and some widely used OPC servers such as Matricon OPC, as the main source of bugs, the report said.

But actual software vulnerabilities were not alone to blame, and the ERPScan researchers said misconfigurations, the presence of unnecessary privileges, and custom code added to Oracle and SAP products also provided entry or access escalation points for their theoretical attacks.

With today’s Internet proliferation, attackers can leverage the constant online state these ERP systems sometimes need, to infiltrate IT solutions, and then slowly trickle down to OT devices and machinery to carry out devastating attacks with actual physical consequences.

The attacks can vary in results from plant destruction to equipment sabotage, and even to oil market fraud if the hackers know what they’re doing.

Making things worse is the fact SAP systems are also in around 85 percent of all Fortune 2000 Oil and Gas companies. With over 3,500 vulnerabilities publicly disclosed in SAP products, and over 2,500 in Oracle systems, attackers only need to craft exploit kits for these issues and find unpatched systems to attack.