Test yourself: Ethical hacking for oil and gas companies

by Jacob Hill, Lead Marketing Manager, Security, AT&T

Oil and gas companies face unprecedented cybersecurity challenges as they modernize their infrastructure and rely increasingly on digital processes. How can they avoid intruders breaking into their networks? One option is to pay friendly hackers to do it first, and learn from what they find.

Ethical hacking, also known as penetration (pen) testing, can be a useful way to identify and fix cybersecurity weaknesses, says Haydn Johnson. Johnson, who leads ethical hacking exercises at loyalty commerce company Points, has conducted pen tests for oil and gas companies and regularly speaks on the topic at security conferences around North America.

“Penetration testing helps a company secure its resources by showing where gaps are, and to what extent they will negatively affect the business,” he says. “A penetration test can show the direct impact of a process that is bad or not working as intended.”

Pen testing can target two subsets of oil and gas infrastructure that are becoming increasingly interlinked: operational and administrative networks.

Operations infrastructure is the "sharp end" of an oil and gas company’s network, and typically serves upstream and midstream operations. This Supervisory Control and Data Acquisition (SCADA) infrastructure is often open to attack, and is an ideal area for pen testing.

Administrative networks are another key attack point for malicious actors who can use them to steal information or as an entry point to target connected operational systems.

Given the complexity of their infrastructures, oil and gas companies should be sure to allocate the appropriate resources for a pen test, warns Johnson. “Companies should avoid viewing a penetration test as a check box audit,” he says. “Allocate a budget that allows you to conduct a penetration test thoroughly, taking business context into consideration.”

Penetration testing: why you should do it


The pen testing process consists of four stages:

1. Discovery

This is the initial phase, in which the tester enumerates the company’s network. During this stage, the tester finds out everything possible about the company’s infrastructure, identifying the different IP address blocks and domain name system (DNS) domains that the network uses. The tester will identify all of the available host computers on the network at this point. Mapping out the network in this way prepares the tester for the second stage.

2. Vulnerability identification

Armed with a complete picture of the network, the tester can then begin probing each part of it to test for potential security holes. This involves automated tools to scan each network server and retrieve information such as the operating system and hardware used. Many computers will return this information based on nothing but a simple query.

The tester can use this information to find vulnerabilities that can be exploited in these systems. A server may be using a version of an operating system or application with a documented vulnerability that can give the tester a foothold in that computer.

By creating a list of vulnerabilities likely to work on each computer on the company’s network, the pen tester prepares the way for the next stage.

3. Exploitation

This is the part of the pen test that most people identify with "hacking". If authorized, the pen tester can use attack tools such as Metasploit that include scripts designed to exploit many documented vulnerabilities.

This is a dangerous part of the pen testing process, and must be handled by professional technicians. These attacks will give them access to the targeted computers. Stringing together different vulnerabilities will then enable them to escalate their access privileges, in some cases even getting complete access to all of a system’s resources (commonly known as "root" access).

4. Reporting

This is the final stage in the pen testing process, providing the deliverable for the management team. This collates the findings from the pen test and prioritizes the vulnerabilities based on the level of risk. The report should tell the management team what actions they can take to mitigate these risks.

Once they have the report, companies often trip up by not acting on it, Johnson warns. “Whether it is down to a lack of funding, support or time, companies generally receive a penetration testing report and sit on it,” he says.

Oil and gas companies should use a penetration testing report as a tool to help gain funding for their security initiatives. “They should focus on the root causes of findings, such as patch management or a lack of secure process in implementing new workstations,” he adds.
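The reporting stage described above, and Johnson's point about focusing on root causes, can be illustrated with a small script. This is an added example, not part of the article or any tool it mentions: it takes a constructed list of findings, ranks them by risk with a business-context weight for operational (SCADA) hosts, and then aggregates the risk by root cause so the remediation list targets causes such as patch management rather than individual hosts. Host names, zone weights and scores are assumed values for illustration.

```python
# Added example (not from the article): turn raw pen-test findings into a
# risk-ranked report grouped by root cause, so the remediation plan targets
# causes such as patch management rather than one host at a time.
from collections import defaultdict

# Constructed sample findings: (host, issue, likelihood 1-5, impact 1-5,
# root cause). Hosts and values are illustrative, not real assets.
FINDINGS = [
    ("hist-01", "Unpatched historian OS, public exploit available", 5, 5, "patch management"),
    ("ws-12", "Default local admin password", 4, 3, "workstation build process"),
    ("ws-07", "Default local admin password", 4, 3, "workstation build process"),
    ("fs-02", "SMB signing disabled", 3, 3, "hardening baseline"),
    ("hmi-03", "Outdated HMI software", 4, 5, "patch management"),
]

# Business-context weights per zone (assumed): findings on operational
# (SCADA) assets such as historians and HMIs outweigh office-network ones.
ZONE_WEIGHT = {"hist": 2.0, "hmi": 2.0, "ws": 1.0, "fs": 1.5}

def risk_score(host, likelihood, impact):
    """Likelihood x impact, scaled by the business weight of the host's zone."""
    zone = host.split("-")[0]
    return likelihood * impact * ZONE_WEIGHT.get(zone, 1.0)

def prioritize(findings):
    """Return (score, host, issue, cause) tuples, highest risk first."""
    scored = [(risk_score(h, l, i), h, issue, cause) for h, issue, l, i, cause in findings]
    return sorted(scored, reverse=True)

def by_root_cause(findings):
    """Aggregate total risk and affected hosts per root cause, highest first."""
    agg = defaultdict(lambda: {"score": 0.0, "hosts": []})
    for score, host, _issue, cause in prioritize(findings):
        agg[cause]["score"] += score
        agg[cause]["hosts"].append(host)
    return dict(sorted(agg.items(), key=lambda kv: kv[1]["score"], reverse=True))

if __name__ == "__main__":
    print("Findings by risk:")
    for score, host, issue, cause in prioritize(FINDINGS):
        print(f"{score:5.1f}  {host:8}  {issue}  [{cause}]")
    print("\nRemediation by root cause:")
    for cause, info in by_root_cause(FINDINGS).items():
        print(f"{info['score']:5.1f}  {cause}: {', '.join(info['hosts'])}")
```

Running it shows the two patch-management findings dominating the aggregate, which is the kind of root-cause view a report can use to justify funding a patching program rather than a series of one-off fixes.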

A pen test is a contentious and sensitive process. An oil or gas company embarking on a pen testing initiative is effectively inviting an expert to try and hack its infrastructure. A pen test takes time, planning and communication. Done poorly, it can create tension between different groups in an oil and gas company and even end up as a combative process that delivers little actionable output.

This makes it especially important that everyone is aware of who and what is involved. Articulate your goals for the process, and ensure that all participants in the pen testing project know what tests are authorized. Create clear processes that describe how participants should communicate with each other and keep all members of the team informed.

Done properly, penetration testing can highlight key areas of improvement that will help an energy company to lock down key weaknesses in its infrastructure before real attackers have a chance to exploit them. That possibility makes this intricate cybersecurity process worth a closer look.