Potential cyber-attacks against global oil supply chain

Muhammad Ali Nasir
Dept. of Computer Science
National University of Emerging Sciences - FAST
Islamabad, Pakistan
Email: ali.nasir@nu.edu.pk
Samia Nefti-Meziani
School of Computing, Science and Engineering
University of Salford
Greater Manchester, UK
Email: S.Nefti-Meziani@salford.ac.uk
Shizra Sultan
Dept. of Computing,
National University of Science and Technology - SEECS
Islamabad, Pakistan
Email: 12msccsssultan@seecs.edu.pk
Umar Manzoor
Dept. of Computer Science
National University of Emerging Sciences - FAST
Islamabad, Pakistan
Email: umar.manzoor@nu.edu.pk
Abstract: The energy sector has been actively looking into cyber
risk assessment at a global level, as it has a ripple effect; risk taken
at one step in the supply chain has an impact on all the other nodes.
Cyber-attacks not only hinder functional operations in an
organization but also damage its reputation and the confidence of
shareholders, resulting in financial losses.
Organizations that are open to the idea of protecting their assets
and information flow, and are equipped enough to respond quickly
to any cyber incident, are the ones that prevail longer in the global
market. As a contribution we put forward a modular plan to
mitigate or reduce cyber risks in the global supply chain by identifying
potential cyber threats at each step and identifying their immediate
countermeasures.
Index Terms: oil supply chain, cyber-attacks, threats to energy
sector, cyber-attack countermeasures
I. INTRODUCTION
We live in an era of information, where relevant, reliable,
timely and economical information is a key to success for any
organization. Having the right kind of information can make
you a billionaire, while abuse of it could put you at the end of
the line. A global supply chain is the progression of a product
as it moves from its origin to its destination, including all the
entities, technologies and solutions that help facilitate its
finishing [5]. Global supply chains play an important role in
making the world market more prosperous than ever before, and
companies are doing their best to make them more efficient day
by day. On the other hand, due to globalization, decentralization
and outsourcing of supply chains, the number of exposure points
has also increased because of the greater number of entities
involved, which are scattered all around the globe [18].
Such an increase in far-distant exposure points can only be
managed through extensive information sharing, which
ultimately results in a potential increase in information
security threats. Therefore we can safely derive that
information sharing is a key enabler in the global supply chain.
Information sharing is a vital ingredient in making supply
chain processes successful, but the sensitive nature of this
information means it needs to be protected. As there are a lot
of entities involved, trusting all of them to protect data with
the same care is not practical, since they might not be aware of
the consequences if it is misused [9]. To summarize, sharing
information with associates is indispensable, but it also
escalates the risk of it being compromised.
Most global supply chains (such as the energy sector) are so
complex that it is difficult even to assess the risk of
compromised information at every stage. Malicious entities
are constantly hunting for the slightest weakness they can find
so as to exploit it. A cyber-attack on a supply chain is the most
destructive way to damage many linked entities at once due to
its ripple effect. Significant examples are Stuxnet, Shamoon
and Night Dragon [24]. Stuxnet was an attack on an Iranian
nuclear plant reported in 2012; it targeted industrial PLCs
and ruined almost one-fifth of Iran's nuclear centrifuges.
Shamoon was used for cyber espionage in the energy sector; it
can replicate itself from one computer to all others on the
network, and it paralyzed 30,000 computers in a network of
Saudi Aramco. Night Dragon was able to steal gigabytes of
highly sensitive records including proprietary information
about oil- and gas-field operations, financial transactions, and
bidding data [11]. These are just a few known documented
attacks; other attacks may be ongoing without the
companies being aware of them, or may currently be in
planning. So as a first step to protect data we
primarily need to identify the gaps through which information
could be hijacked so that we can bridge these gaps [16]. Thus
it would not be an overstatement to say that cyber security is
a primary issue in the global supply chain.
The quantity and sophistication of cyber-attacks on the global
energy sector are increasing day by day. They have the potential
to severely damage the basic infrastructure that is evolving, and
a year ago the Shamoon virus showcased the intensity of
developing digital threats in this sector [21]. Initiating
widespread destruction globally still stays difficult, but not
impossible, for state-of-the-art security experts, and on a lesser
level hackers from all around the world are aiming at specific
targets and causing evident losses [7]. We understand that
malicious entities are targeting the energy sector so as to attain
political outcomes, cause financial losses or, at worst, cause
mass human casualties. As a contribution we put forward a
modular plan to mitigate or reduce cyber risks in the global supply
chain, and the first step to that is identification of potential
cyber threats thereof. In order to illustrate this we have
considered the oil supply chain as a case study, not just
because of its critical infrastructure but also because of its
significant importance in the global market.
II. LITERATURE SURVEY
Globalization of the world market comes with a need for an agile,
adaptable and aligned network for understanding impulsive
demand and supply requirements. To achieve that, a high level of
information sharing, automation and integration is required in
a supply chain [5]. Information sharing in a supply chain
brings understanding and coordination among all involved
entities, and information technology regulates this coordination
[4]. It strengthens SC partnerships as well as bringing
fortune, and because of this it plays a pivotal role in managing
key attributes like demand, supply and financial flow in a
supply chain [22]. On the other hand, information sharing is
also the most sensitive part of the SC, and many organizations are
unwilling to share even relevant information out of fear of
information leakage, lack of trust, misuse of that information
by malicious individuals, etc. [25]. The right form of connectivity
and willingness to share information among business partners
is challenging, and if information is not shared properly or
carefully it can result in an unfavorable outcome [17].
Supply chain (SC) management, because of its vastness, is
heavily dependent on information sharing [21], and malicious
entities have always looked for weaknesses which can be
exploited. Apart from physical damage, this also makes the SC
highly vulnerable to different kinds of cyber-attacks such as
unauthorized access, DoS, unavailability of resources etc.
[18]. SC security has become a major concern in the global
market, so it is the need of the hour to identify, assess and
mitigate the loopholes that aid cyber-attacks [3].
Supply chain risk management is one of the 12
“comprehensive national cyber security initiatives (CNCI)”.
Security risks range from unreliability of fabricates,
information leakage, adversary controlled hardware etc. [13].
This calls for inspection of all the check points in an SCM
where there is a possibility of cyber-attacks so they can be
mitigated. For a node in a supply chain, protecting one’s own firm
from cyber threats is not good enough; the possibility of attacks
on its suppliers, transportation providers, customers, and
communication lines should also be assessed [21], as it creates a
bullwhip effect: an attack on one node transcends to other nodes
too.
Out of all supply chains, utilities (electricity, water, energy)
SCs have the most critical infrastructure because of their
billions of users worldwide and because their infrastructure is
built on a complex system known as Supervisory
Control and Data Acquisition (SCADA). In oil supply chains,
production and distribution of oil are greatly dependent on
SCADA systems [6]. According to a report published by [16],
53% of the 200 attacks responded to by the
Industrial Control Systems Cyber Emergency Response Team
(ICS-CERT) between October 2012 and May 2013 were
focused on the energy sector. The global oil supply chain is
trending as one of the most likely areas for cyber-attacks all
over the globe because of its immensity across borders [3]. It
covers information sharing in exploration, production,
domestic and international transportation, inventory
management, and import/export acceleration. Thus, the energy
sector offers a comprehensive model for assessing cyber risks
at every step of SCM [12].
It can be concluded from the section above that global supply
chains are vulnerable to cyber-attacks, which if not mitigated
properly can result in losses on a large scale. Most of the
methodologies in the literature either address a certain cyber
threat to a particular entity in the supply chain or give an
overview of the cyber-attacks associated with the overall supply
chain process. We, in contrast, have taken a modular approach to
identify potential cyber threats associated with every step
involved in an oil supply chain, and have also proposed
countermeasures to mitigate these attacks.
III. CYBER-ATTACKS AGAINST OIL SUPPLY CHAINS
To date, as cyber-attacks are directed towards the energy sector,
it is essential that oil companies reduce their risk exposure.
Currently the energy sector is data driven, and malicious entities
are targeting existing vulnerabilities to gain access to critical
information as well as sensitive financial data [10].
Considering the vastness and diversity of the oil SC,
cyber-attacks against it differ greatly, as do their reasons,
objectives, and methods. Individuals targeting it range from casual
hackers to organized trained terrorists, highly skilled
intelligence agencies to employees with privileged access, and
attacks vary from cyber espionage to casual hacks [18].
Cyber-attacks on the oil SC can be broadly categorized into two
groups: the first is cyber espionage, and the second and most
common is “disruption of critical business or physical
operations by attacks on network” [2]. The former comprises
attacks carried out at a high level to collect sensitive information
that can do the most damage at mass level. They are highly
sophisticated and very precise in their point of attack, and hit
the whole system at once. Oil supply chains are highly
vulnerable to these types of attacks because of their very
extensive network around the globe, so an attack can create a
ripple effect among a number of countries. The hackers involved
are very skilled, as they can penetrate the network and steal
critical information. The disclosure of such copyrighted
information is damaging for a company's reputation and could be
fatal for business.
The second type of attack is the most common, as it focuses on one
exposure point, and it is not very difficult to find a loophole in
such an extensive supply chain with so many entities involved.
Global SCs are certainly becoming dependent on automation
technology for timely and efficient depiction of end-to-end
product delivery, but this is also making them more vulnerable
and attack prone. An average hacker with the right skill and
access to the internal network can be highly damaging [1]. Threats
like these can lead to major environmental damage, leakage of
confidential information, data corruption in geological
surveys, power outages for long periods of time etc. The Stuxnet
and Shamoon viruses are current examples of such attacks [2].
These attacks get more horrifying when they are able to
penetrate networks that control physical infrastructure in the oil
supply chain; the results will be catastrophic. Targeting the SCADA
(ICS) of a physical infrastructure network can cause devastating
damage to the atmosphere and human lives.
Cyber crime is a very diverse turf like nothing else: hackers
from all over the world, with different mindsets, motives and
skill levels, are attacking different targets. Oil is one of the
most important commodities nowadays; from household to industry
it is everywhere, and attacks on it will cause overwhelming
losses. Effective cyber-attacks against energy sector supply
are universally increasing. According to one survey, the energy
sector has faced more targeted attacks than any other business
[12]. Different companies have collectively lost approximately
600 billion dollars in intellectual property theft [9]. Attacks on
physical infrastructure are fewer because it is difficult to
breach, but their impact cannot be underestimated. SCADA systems
that monitor the internal network of different parts of the oil
supply chain continue to be susceptible [1], mostly because they
have a centralized system, and if its ICS is breached the whole
supply chain could be compromised.
The complexity and occurrence of cyber-attacks on the oil supply
chain are increasing rapidly with time, and their potential
target seems to be to control and damage the physical
infrastructure. Incident prevention and recovery protocols and
systems are easily sidestepped, possibly leading to a release of
oil or gas, generating a big explosion. A malicious program
hosted by hackers or malevolent employees is another high
risk [11]. Globally more than 50% of cyber-attacks on
critical infrastructure resources in 2012 were targeted at
the energy sector. The forthcoming cost of such attacks will touch
$1.87 billion by 2018. There should be a proper mechanism
via which information is shared, minimizing its leakage and
corruption. The energy sector should invest more effort and
energy in identification and mitigation of cyber-attacks on its
SCs to keep its companies secure. It is the need of the hour
that we revise the whole global oil supply chain, identify the
possible exposure points and vulnerabilities that can be
exploited, categorize different cyber-attacks and then manage
them to prevent further losses.
IV. SOLUTIONS AND RECOMMENDATIONS
Due to their globally distributed nature and critical
infrastructure, oil SCs are particularly susceptible to different
kinds of cyber-attacks. In the oil SC, from digging to refining and
from transportation to industry and household, a lot of entities
are involved, so there are a lot of exposure points at every step
of the way which can be targeted. The most common attacks on the
oil SC are spear-phishing (because of the extensive web-based
control systems), default passwords, secret backdoors and
social engineering attacks (as attackers mostly target
employees and extract confidential information from them).
We mean to identify the basic vulnerabilities or attacks that
can be made on an oil supply chain and how they can be
mitigated. We will go step by step through a generic oil SCM and
explore the different kinds of attacks that are possible on each unit.
Figure 1: Flow of oil supply chain
A generic oil SC starts from the extraction of crude oil
and ends at the delivery of refined oil to the consumers. The
first step in this process is the consideration of oil reservoirs.
After a site is chosen, an exploration unit is built in that area
and various geological investigations are done to check
the suitability of the site. After that, relevant information is
gathered and transmitted back to the parent organization by
employees from their workstations. Critical information about
these studies is highly vulnerable to social engineering attacks;
if shared by employees with others, it may lead to information
leakage, destruction of the facility, damage to reservoirs and
reputation loss.
Next is the extraction facility, which includes drilling and
then extraction of crude oil from underground. Extraction of
oil is a very critical and sensitive process: as oil is drilled and
recovered it needs a very specific temperature range, because
first natural gas is separated and then oil is extracted. It is a
big unit with lots of employees with computers and access to
other communication mediums, which greatly increases the risk of
infiltration through other devices; and if the internal
network is breached, critical information like threshold
temperatures and voltages, or alert mechanisms, could be
tampered with, resulting in evident losses.
After extraction, crude oil goes to the production
facility, where it is transformed into different semi-commercial
forms. Crude oil has different qualities that are
differentiated by its density, API gravity, length of
hydrocarbon chains, sulfur content and many more.
Production facilities are highly automated and have several
control and regulatory IT systems; if those units were
breached and critical values such as
temperature and density manipulated, the result would be
both human and environmental fatalities as well as
financial losses.
Further down the line, oil from the production facility is
either transported through oil pipelines or shipped by
oil tankers by sea. Delivery lines act as a major
transportation unit of crude oil to the process. Both
transportation mediums have cyber risks involved. In the former
there is a hazard of corrosion damaging pipelines, so
stakeholders have sensors installed over the pipelines which
transmit information about the thickness of pipes or the
temperature of oil within the pipe to detect the corrosion level
etc. If sensors are not properly secured (i.e., made to send
messages in encrypted form to secure servers), it might lead to
leakage of information, which can then be tampered with. Shipping
is mostly vulnerable to malicious insiders: a skilled hacker
among the crew could manipulate records, transmit
wrong tracking information to the back station, or report false
anomalies or no anomalies at all, which can result in
financial as well as major reputation loss.
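The tampering risk described above for pipeline sensors, as an added example (not code from the paper): a receiving server that authenticates each reading with HMAC-SHA256, rejects replayed and stale messages, and flags physically implausible wall-thickness changes. The sensor ID, field names, key and thresholds are constructed assumptions; HMAC provides integrity only, so confidentiality would still need an encrypted channel such as TLS.

```python
import hashlib
import hmac
import json

# Constructed demo key; real keys are provisioned per device, not hard-coded.
SENSOR_KEYS = {"PL-017": b"constructed-demo-key-PL-017"}

MAX_CLOCK_SKEW_S = 120        # assumed freshness window
MAX_THICKNESS_RISE_MM = 0.05  # assumed noise margin: pipe walls do not regrow
MAX_THICKNESS_DROP_MM = 0.50  # assumed worst-case loss between two readings


def canonical(reading):
    """Deterministic bytes so sensor and server MAC exactly the same input."""
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def sign(reading, key):
    """Sensor side: attach an HMAC-SHA256 tag to one reading."""
    tag = hmac.new(key, canonical(reading), hashlib.sha256).hexdigest()
    return {"reading": reading, "tag": tag}


class TelemetryVerifier:
    """Server side: authenticate, order and sanity-check pipeline readings."""

    def __init__(self, keys):
        self.keys = keys
        self.last = {}  # sensor_id -> (seq, wall_thickness_mm) last trusted

    def check(self, msg, now):
        reading, tag = msg.get("reading"), msg.get("tag")
        if not isinstance(reading, dict) or not isinstance(tag, str):
            return "reject: malformed"
        sensor_id = reading.get("sensor_id")
        key = self.keys.get(sensor_id) if isinstance(sensor_id, str) else None
        if key is None:
            return "reject: unknown sensor"
        try:
            supplied = bytes.fromhex(tag)
        except ValueError:
            return "reject: bad tag"
        expected = hmac.new(key, canonical(reading), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, supplied):  # constant-time compare
            return "reject: bad tag"
        try:
            seq = int(reading["seq"])
            ts = float(reading["ts"])
            thickness = float(reading["wall_thickness_mm"])
        except (KeyError, TypeError, ValueError):
            return "reject: malformed"
        prev = self.last.get(sensor_id)
        if prev is not None and seq <= prev[0]:
            return "reject: replayed or out of order"
        if abs(now - ts) > MAX_CLOCK_SKEW_S:
            return "reject: stale"
        verdict = "accept"
        if prev is not None:
            delta = thickness - prev[1]
            if delta > MAX_THICKNESS_RISE_MM or -delta > MAX_THICKNESS_DROP_MM:
                # Authentic but physically unlikely: sensor fault or stolen key.
                verdict = "flag: implausible change"
        # Advance the sequence number; keep the old baseline if flagged.
        baseline = thickness if verdict == "accept" else prev[1]
        self.last[sensor_id] = (seq, baseline)
        return verdict


def demo():
    """Run constructed messages through the verifier; returns the verdicts."""
    now = 1_700_000_000.0
    key = SENSOR_KEYS["PL-017"]

    def reading(seq, thickness, ts=now):
        return {"sensor_id": "PL-017", "seq": seq, "ts": ts,
                "wall_thickness_mm": thickness, "oil_temp_c": 41.2}

    m1 = sign(reading(1, 9.50), key)
    m2 = sign(reading(2, 9.48), key)
    # In-transit tampering: value changed, tag left as it was.
    forged = {"reading": dict(m2["reading"], wall_thickness_mm=9.90),
              "tag": m2["tag"]}
    m3 = sign(reading(3, 9.95), key)                 # validly signed, wall "grew"
    m4 = sign(reading(4, 9.47, ts=now - 3600), key)  # an hour old

    verifier = TelemetryVerifier(SENSOR_KEYS)
    return [verifier.check(m, now) for m in (m1, forged, m1, m2, m3, m4)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The plausibility check matters because a valid tag only proves which key signed the reading, not that the value is true.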
Next come the storage units; here a potential threat
is related to inventory control and management: if access to the
internal database is gained, it can result in serious
financial losses. Refineries are the main conversion point
where crude oil is transformed into different consumable
products such as fuel oil, diesel oil, jet fuel etc.
A major step in the supply chain is product distribution,
in which product is distributed to many end consumers ranging from
industry to retail market to commercial markets. The main unified
oil companies only possess around 3 percent of retail stations.
Most branded stations are retained and operated by
autonomous retailers who are authorized to represent that
brand. Because so many people are involved, it faces the classic
issue of demand and supply: input from end consumers drives
the demand on which the whole supply chain sets its timeline. The
other main issue is the smooth transaction flow between
different parties, so all these concerns come under cyber
threats.
Below is a table showing the most likely threats
to the global oil supply chain and their
immediate countermeasures.
Table 1: Potential Cyber-attacks & their countermeasures
Columns: Department | Potential cyber threats | Countermeasures

Department: Exploration Facility
Potential cyber threats:
1. Information leakage
2. Social engineering
3. Inference attacks (sensitive information extracted from non-sensitive data)
4. Malicious insiders
Countermeasures:
1. Suitable access control policy
2. Periodic facility monitoring
3. Security training of employees on information sharing

Department: Production Facility
Potential cyber threats:
1. Infiltration through infected device
2. Confidentiality breach of critical information such as power usage, threshold temperature and voltage values etc.
Countermeasures:
1. Internal network should be separated from internet
2. No remote flash or hard drives in or out of facility
3. Periodic monitoring of values
4. Efficient & reliable alert reporting mechanism for safety hazards

Department: Crude pipelines, Product pipelines
Potential cyber threats:
1. False information regarding critical threshold values of oil, such as thickness of pipes, corrosion information that could lead to both damage of oil and pipelines possibly
Countermeasures:
1. Secure communication architecture
2. Secure broadcasting

Department: [not given]
Potential cyber threats:
1. Tracking info (falsification of GPS info)
2. Product falsification (mixing of products could lead to destruction), if destroyed could pollute air or water life
3. False reporting or no reporting of an anomaly
4. Social engineering
Countermeasures:
1. RFID tags (checking metrics of oil, like hash of critical and unique info)
2. Securing GPS info
3. Preventing fraudulent tags
4. Regularly monitor, inspect, & compare outbound network traffic against threat intelligence
5. Regular system log monitoring to identify intrusion attempts
6. Employee training

Department: [not given]
Potential cyber threats:
1. Compromised communication equipment
2. Falsification of database records
3. Falsification of logging information
Countermeasures:
1. Intrusion detection system
2. Security event analysis
3. Secure broadcasting
4. Inventory management and control

Department: [not given]
Potential cyber threats:
1. Inference attacks
2. Spear-phishing
3. Unauthorized access through Database
4. Falsification or delay (right info back from customer companies about quality and consumption of product)
5. Issues in financial
Countermeasures:
1. Process for evaluating cyber security of third parties before doing business with them
2. Firewalls, IDS, antiviruses, VPNs
3. Conduct cyber threat analysis
4. Transaction security
5. Role based access
6. Efficient and secure transactions

Customer relation management system

Department: Human Resource Management
Potential cyber threats:
1. Social engineering
2. Spear-phishing
3. Default passwords
4. Unauthorized access through Database
Countermeasures:
1. Account/password-management policies
2. Intrusion prevention & detection system
3. Identity management system
4. Technically enforced segregation of duties
5. New employee security training
6. Periodic security education & awareness programs
7. Employees required to review & accept written inappropriate use policy on periodic basis

Department: Information and Communication Management
Potential cyber threats:
1. Data management
2. Protection of IP
3. Spear-phishing
4. Default passwords
5. Loss or falsification of different kind of logs
Countermeasures:
1. Conduct cyber threat analysis
2. Regular information audits
3. Data Loss Prevention technology
4. Secure data exchange architecture
5. Business partners evaluation systems w.r.t. secure information sharing

Department: Crisis Management & Disaster Recovery
Potential cyber threats:
1. Inappropriate business continuity plan
2. Irresponsive incident management
3. Absence of data loss prevention, detection and recovery
Countermeasures:
1. Penetration testing
2. Periodic risk assessments
3. Incident response team
4. Regular information audits
5. Storage & review of e-mail or computer techniques files
6. Onsite first responders trained to handle digital evidence

The above-mentioned countermeasures are aimed at
reducing the chances of successful cyber-attacks to a minimum.
In addition to this, companies ought to consider the
systems and information security aspects of desired IT tools
and components before incorporating them into their business, and
assess the cyber needs of the new global market [17]. Companies
need to be vigilant about current cyber scenarios and should
be responsive to new technologies such as access control,
collaboration protocols and RFID tags in their products to avoid
any loss [13]. Organizations should adopt security measures
such as virtual private networks, intrusion detection systems,
antiviruses and other state-of-the-art technologies to create a
robust security infrastructure for their SC [25]. Managers need
a mechanism to check the severity and possibility of any
potential attack so they require a framework that can compute
the probability of any potential [4]. SC leaders can achieve
a great deal if they agree on a system that gives them
information-sharing benefits but also protects privacy
rights [22].
V. FUTURE RESEARCH DIRECTIONS
This paper presents the groundwork for building a
framework to identify and minimize cyber risks in the
global supply chain; the next step is mitigation of the identified
threats with customizable security policies and appropriate
measures, so that cyber-attacks cause as little damage as
possible.
VI. CONCLUSION
Currently the world is vulnerable to well-organized and
continuously developing cyber threats which are too often
successful. Many present themselves in a harmless manner
and go unnoticed, causing a lot of damage. Since the energy
sector is considered to be the most rewarding for hackers for
different purposes, securing it is a top priority, as a
lot is at stake, from the environment to human lives and from
money to political influence; it needs to be handled very carefully.
Generally, web-based systems in such organizations are
vulnerable at different points, some because of negligence and
mostly because of cost-cutting practices. We identified
potential exposure points or attacks that can be made on an oil
supply chain and how they can be mitigated. It is very
necessary to assess and analyze cyber vulnerabilities at every
step of the SC because of its ripple effect; if they are properly
identified they can be suitably dealt with. Our work puts the
energy sector one step closer to cyber-attack prevention.
REFERENCES
[1] Albert Y. Ha, Shilu Tong; (2008), Contracting and
Information Sharing Under Supply Chain Competition,
International journal of Management Science, vol. 74, pg.
701-715
[2] Bronk, C. (2014). Hacks on gas: Energy, cyber security,
and U.S. defense; Baker Institute for Public Policy.
Retrieved from:
https://bakerinstitute.org/research/hacks-gas-energy-cybersecurity-and-us-defense/
[3] Byers, E. (2013); Next generation cyber-attacks target oil
and gas SCADA. Pipeline & Gas Journal; Retrieved from:
http://www.pipelineandgasjournal.com/next-generation-cyber-attacks-target-oil-and-gas-scada
[4] Christopher R. Moberg, Bob D. Cutler, Andrew
Gross, Thomas W. Speh, (2002) "Identifying antecedents
of information exchange within supply
chains", International Journal of Physical Distribution &
Logistics Management, Vol. 32 Iss: 9, pp. 755-770
[5] Clayton, B. & Segal, A. (2013), addressing cyber threats
to oil and gas suppliers; Council on Foreign Relations.
Retrieved from: www.cfr.org
[6] KPMG; (2014), Energy at risk study of IT security in the
Energy and Natural Resources. Retrieved from:
http://www.kpmg.com/Global/en/IssuesAndInsights/ArticlesPublications/Documents/energy-at-risk.pdf
[7] E. Smith, K. J. Watson, W. H. Baker & J. A. Pokorski II.;
(2007), A critical balance: collaboration and security in
the IT-enabled supply chain, International Journal of
Production Research Volume 45, Issue 11, 2007, Pg.
2595-2613
[8] Farwell, J. & Rohozinski, R. (2011). Stuxnet and the
future of cyber war; Survival, 53(1), 23-40. doi:
10.1080/00396338.2011.555586
[9] ICS-CERT, (2013), Year in Review Industrial Control
Systems Cyber Emergency Response Team, retrieved from:
https://ics-cert.us-cert.gov/sites/default/files/documents/Year_In_Review_FY2013_Final.pdf
[10] Marsh, (2014), “Advanced energy attacks on global
energy facilities”, retrieved from:
http://spain.marsh.com/Portals/52/Documents/Cyber%20Risk-%202014_Final.pdf
[11] Matthew Warren, William Hutchinson, (2000) "Cyber-
attacks against supply chain management systems: a short
note", International Journal of Physical Distribution &
Logistics Management, Vol. 30 Iss: 7/8, pp. 710-716
[12] McFadden, F.E.; Arnold, R.D., (2010) "Supply chain risk
mitigation for IT electronics," Technologies for Homeland
Security (HST), 2010 IEEE International Conference on ,
vol., no., pp.49,55, 8-10. doi:
10.1109/THS.2010.5655094
[13] Meixell, M.J.; Norbis, M., (2011) "Assessing security risk
in global supply chains," Technology Management
Conference (ITMC), 2011 IEEE International, vol., no.,
pp.510,515, 27-30 June doi:
10.1109/ITMC.2011.5996020
[14] Nishat Faisal, Mohd and Banwet, D.K. and Shankar,
Ravi; (2007), Supply chain risk mitigation: modeling the
enablers, Business Process Management Journal vol. 12,
no. 4, pg. 535-552
[15] P. Fiala, (2005), Information sharing in supply chains,
Omega, Volume 33, Issue 5, , Pages 419-423
[16] Rob, R.; Tural, T.; McLorn, G.W.; Sheikh, A.; Hassan,
A., (2014)"Addressing cyber security for the oil, gas and
energy sector," North American Power Symposium
(NAPS), vol., no., pp.1, 8, 7-9 Sept. 2014
[17] Sanjay Jharkharia, Ravi Shankar, (2005) "IT-enablement
of supply chains: understanding the barriers", Journal of
Enterprise Information Management, Vol. 18 Iss: 1, pp. 11-27
[18] Stecke, K., & Kumar, S. (2009). Sources of Supply Chain
Disruptions, Factors That Breed Vulnerability, and
Mitigating Strategies Journal of Marketing Channels,
16 (3), 193-226 DOI:10.1080/10466690902932551
[19] Shauk, Z. (2013). Hackers hit energy companies more
than others. Fuel fix. Retrieved from:
http://fuelfix.com/blog/2013/03/25/electronic-attacks-hit-two-thirds-of-energy-companies-in-study./
[20] U.S. Department of Homeland Security (2010), Pipeline
security and incident recovery protocol plan. Retrieved from:
http://www.tsa.gov/sites/default/files/assets/pdf/Intermodal/pipeline_sec_incident_recvr_protocol_plan.pdf
[21] Yossi Sheffi, (2001) "Supply Chain Management under
the Threat of International Terrorism", The International
Journal of Logistics Management, Vol. 12 Iss: 2, pp. 1-11
[22] Zhang, Chen and Li, Suhong, (2003). "Securing
Information Sharing in Internet-Based Supply Chain
Management Systems", Computer Information Systems
Working Papers, Paper 8
[23] Zhioua, S., (2013) "The Middle East under Malware
Attack Dissecting Cyber Weapons," Distributed
Computing Systems Workshops (ICDCSW), IEEE 33rd
International Conference on, vol., no., pp.11, 16, 8-11
July 2013
[24] Z. Yu, H. Yan, T.C.E. Cheng; (2001), Benefits of
information sharing with supply chain partnerships,
Industrial Management & Data Systems, 101 pp. 114-121
[25] M. Young, The Technical Writer's Handbook. Mill
Valley, CA: University Science, 1989.
... While data transmission in this stage used to be done with tapes and other physical means, it is currently conducted via digital networks, and therefore a higher level of security measures are required to avoid data leakage. Nevertheless, exploratory and appraisal drilling are more prone to cyber threats as they involve several devices and utilize SCADA systems for operational control (Nasir, et al., 2015). ...
... On top of that, ICS which is used for controlling each well within a reservoir (majors operate more than 25,000 wells worldwide) are also interconnected with the ERP systems of most companies. ICS are highly vulnerable and in case they are threatened by a cyber-attack they can subsequently cause damage to all the other systems they are interconnected with (Deloitte University Press, 2017) (Nasir, et al., 2015). From the above, we conclude that the most vulnerable operations to cyber threats in the upstream segment are development drilling and production. ...
... In the US, cyberattacks on pipeline infrastructure have been so widespread (e.g. the trans-Alaska pipeline faces 22 million cyberattacks per day) that Homeland Security launched the Pipeline Cybersecurity Initiative in 2018 (DHS, 2018). Regarding shipping, a heavy burden on cybersecurity is created by the lack of relevant frameworks and standards, in addition to the outdated security measures used by many operators (Nasir, et al., 2015) (Ridima, 2016). ...
Thesis
Full-text available
Energy systems around the globe nowadays are undergoing a rapid transformation in their conventional structures that are vital from an environmental, economic, and social perspective. The driving forces behind the shift to the new era of the energy, also known as Energy 4.0, are the so-called 3 D’s: Decarbonization, Digitalization, and Decentralization. The blockchain technology, which comes as a result of digitalization, is considered by many experts a transformative force for the energy sector. More specifically, it is believed that it can be a direct driver for the decentralization of energy systems as well as an indirect one for their decarbonization and further digitalization. This is due to the technology’s most prominent technical capacities, namely, transparency, security, and decentralization. All these combined have provided practical use cases, with the most widely-known being peer-to-peer power trading. On this occasion, consumers are enabled to trade the surplus amount of the energy they produce (e.g. with photovoltaics) with other consumers in decentralized energy networks. Such a solution can contribute to the decentralization of energy systems and make them more democratic and inclusive. Most of the blockchain applications in the energy sector today have been directed towards the electric power industry, with more than half of them focusing on decentralized energy trading and energy projects financing. In contrast, the application of blockchain in the oil and gas industry is still in its infancy. In the O&G sector, new technologies have to pass through several phases before mass adoption occurs, due to high costs and increased probability of component failures. Another deterrent is the particular nature of operations in the industry. For instance, oil is traded as a commodity on a global level and is impacted by external factors such as geopolitics, while electricity is specific to a regional level. 
Despite the sluggish adaptability of the industry, more recently, a number of blockchain initiatives from oil and gas majors have been launched. Regardless of those advances and the fact that there is a growing number of startup companies developing similar solutions, blockchain is still in an exploratory phase of development. That is the main reason for it not being widely adopted by large industry players or in large-scale applications, which could otherwise help it grow faster and be established as a standard technology for particular applications. It will only become apparent in the next five to ten years, at a time when blockchain is expected to reach maturity from a technical standpoint, whether it will be a revolutionary technology that will bring about a revolution in the structure and processes of the energy industry. This thesis aims at reviewing the main characteristics of blockchain technology, and based on its technical advantages, analyze the role it has played up to this day in the transformation of the energy industry and, more specifically, in the electric power and oil & gas sectors. In addition, a case study is presented that aims at showing how blockchain can provide solutions for the Greek energy ecosystem.
... [7] emphasizes that a cyberattack on any element of the supply chain has an effect on all other nodes. V. CYBERSECURITY INCIDENTS IN THE OIL AND GAS INDUSTRY The history of incidents carried out by means of software in the oil and gas industry goes back to the 1980s. Thomas Reed, a high-ranking US national security official, described in his book "At the Abyss" how the US created the conditions for the USSR to steal the code of a pipeline control program from a Canadian company. ...
Chapter
As the digitalization of supply chains accelerates and the importance of cyber risk management across the supply chain is recognized, both academics and practitioners are paying much more attention to the topic. However, there is a lack of theoretical foundations and practical solutions to underpin and sustain the effective management of supply chain cyber security. This chapter provides a holistic definition for supply chain cyber security and conducts a thorough review of both nonacademic industry sources and the academic literature. Through analysis of industry sources, 18 common best practice principles are identified. These are classified hierarchically—strategic (e.g., supply chain cyber vulnerability and threat identification), tactical (e.g., cyber security education of employees), and operational (e.g., real-time cyber security monitoring). The review of the academic literature complements existing reviews by including the most recent studies, identifying the most significant, and classifying the research. The most common research topics are noted, the main quantitative methodologies deployed are identified, and technology-specific supply chain security research is highlighted. Lastly, 19 key questions for supply chain cyber security research are posed under four categories—modeling and theoretical foundations, implementation of security strategies, interactions between theory and practice, and the analysis of real-world cases.
Chapter
High-fidelity cyber-physical testbeds that mimic the cyber and physical responses of real-world systems are required to investigate the vulnerabilities of industrial control systems. This chapter describes the construction of a large, virtual, high-fidelity testbed that models a midstream oil terminal. The testbed models interconnected tank farms, a tanker truck gantry, a shipping terminal and a 150 km pipeline connection to a refinery. The virtual midstream oil terminal helps experiment with cyber attacks, explore the impacts of cyber attacks in order to prototype and evaluate security controls, and support education and training efforts. The virtual midstream oil terminal is constructed using a novel modular modeling technique that segments the overall system into the physical system, cyber-physical link, distributed controllers, communications network and human-machine interface. Simulation results involving normal operations and cyber attack scenarios are presented. The midstream oil terminal testbed demonstrates that large-scale models of industrial control systems for cyber security research are feasible and valuable.
Article
Integration of information flows facilitated by advances in information technology (IT) has increased collaboration across supply chains. However, benefits of interconnectivity are not gained without risk, as IT has removed protective barriers around assets and processes. Thus, supply chains are better able to satisfy customer needs yet are potentially more vulnerable to disruption due to an array of IT-specific threats. Highly interconnected supply chains would appear to be especially prone to these hazards. Although supply chain risk and information technology risk have been studied in isolation, little has been done to define the impact of information security on supply chain management. This exploratory investigation addresses this deficiency in the literature by defining information security risk in the context of supply chain management. It identifies, categorizes, and validates information technology threats as sources of risk in the supply chain. It then establishes a conceptual framework for further study into supply chain information security risk. Finally, it discusses the implications of information security risk in the supply chain. It is suggested that supply chain risk is affected by IT threats and therefore the benefits of collaboration facilitated by IT integration must exceed the increase in risk due to IT security threats.
Article
Anyone working with SCADA or industrial control systems (ICS) in the oil and gas industry is aware of the pressure to increase productivity and reduce costs through network integration. The demand for remote support has made many pipeline control systems accessible via Internet-based technologies. At the same time, SCADA systems themselves have changed radically. Proprietary networks were replaced with equipment using Ethernet technology. Single-purpose operator stations were replaced with computers running Windows™ and IT software, e.g., PDF readers and web browsers, are installed in every station or control center. These new technologies are enabling companies to implement agile, cost-effective business practices. Unfortunately, they also come at a cost. Pipeline control systems are now exposed to cyber-security threats they were never designed for. Cyber attacks on automation systems were considered by many to be a theoretical problem until the discovery of the Stuxnet worm in July 2010. At that moment the world changed, not only for oil and gas companies, but also for automation vendors, hackers, criminals and even governments. Stuxnet also showed the world the power of a well-designed ICS worm. It could steal corporate secrets, destroy equipment, and shut down critical systems. It is suggested that security practices must improve significantly. First, industry needs to accept the idea that complete prevention of SCADA system infection is impossible. Implementing changes will improve the defense-in-depth posture for any pipeline ICS/SCADA system and help protect operation from cyber espionage. Better SCADA security is needed urgently.
Conference Paper
The Middle East is currently the target of an unprecedented campaign of cyber attacks carried out by unknown parties. The energy industry is particularly targeted. The attacks are carried out by deploying extremely sophisticated malware. The campaign opened with the Stuxnet malware in 2010 and then continued through Duqu, Flame, Gauss, and Shamoon malware. This paper is a technical survey of the attacking vectors utilized by the three most famous malware, namely, Stuxnet, Flame, and Shamoon. We describe their main modules, their sophisticated spreading capabilities, and we discuss what sets them apart from typical malware. The main purpose of the paper is to point out the recent trends infused by this new breed of malware into cyber attacks.
Conference Paper
Supply Chain Risk Management (SCRM) is one of the 12 Comprehensive National Cybersecurity Initiatives (CNCI), but the range of supply chain problems has not been defined rigorously, and effective defenses have not yet been developed. Risks range from the increased unreliability of counterfeits to data exfiltration and adversary control enabled by hardware Trojan horses embedded in chips. Risks are different for military vs. non-military Government vs. civilian organizations. We cite cases that underscore the reality of supply chain risk, and analyze the structure of supply chains that affect different parts of the market for IT electronics, in order to provide a better understanding of attack methods. We discuss techniques for defending against the range of threats, and propose a practical solution based on a suite of simple, inexpensive test procedures that could be used to build an "80% solution" for detection of counterfeits and embedded malicious implants before they are deployed. Tests we have prototyped include power signatures and IR thermographic signatures of boot events. Deployment of such a test suite would change the SCRM game by making it significantly more difficult for supply chain exploits to succeed.
Conference Paper
Supply chain security has become a primary concern for supply chain practitioners, and especially so for global supply chains where security related risk is a particular concern. The challenges of security-related risk may be viewed through the lens of the risk management process, which involves identifying, assessing, mitigating and controlling the vulnerabilities that are faced by supply chain managers in practice. The main purpose of this paper is to develop a methodology for the second step of the process, assessing security risk in global supply chains. The two-part assessment methodology reported here includes a scoring system for evaluating each of the participants in the supply chain in turn, and an aggregation mechanism based on graphic modeling that results in a single supply chain risk index value for a specific supply chain of interest. The main premise of this paper is that pairing these mechanisms provides a useful framework for measuring the potential threat resulting from a combination of individual risk and element interactions. We demonstrate the usefulness of this approach with an example involving two risk intensive stages of supply chains - loading port and ocean carrier.
Although information exchange among trading partners is consistently mentioned as a key requirement of successful supply chain management implementation, research on information exchange is scarce. This lack of research provides little guidance and support for those managers interested in improving their logistics operations through increased information exchange. The main goal of this paper is to identify potential antecedents of information exchange. Questionnaires were sent to logistics managers at manufacturing firms in several industries. The results of this exploratory study are detailed and the implications for logistics managers discussed.
Supply chain management (SCM) is increasingly dependent on electronic systems. At the same time, the vulnerability of these systems to attack from malicious individuals or groups is growing. This paper examines some of the forms such attacks can take, and their relevance to the supply function. Provides examples of attacks. Concludes that companies should consider the security aspects of electronic commerce before developing their systems.
Article
Purpose – Supply chain risk management assumes importance in the wake of organizations understanding that their risk susceptibility is dependent on other constituents of their supply chain. The purpose of this paper is to present an approach to effective supply chain risk mitigation by understanding the dynamics between various enablers that help to mitigate risk in a supply chain. Design/methodology/approach – Using interpretive structural modeling the research presents a hierarchy-based model and the mutual relationships among the enablers of risk mitigation. Findings – The research shows that there exists a group of enablers having a high driving power and low dependence requiring maximum attention and of strategic importance while another group consists of those variables which have high dependence and are the resultant actions. Practical implications – This classification provides a useful tool to supply chain managers to differentiate between independent and dependent variables and their mutual relationships which would help them to focus on those key variables that are most important for effective risk minimization in a supply chain. Originality/value – Presentation of enablers in a hierarchy and the classification into driver and dependent categories is a unique effort in the area of supply chain risk management.
Article
The discovery in June 2010 that a cyber worm dubbed 'Stuxnet' had struck the Iranian nuclear facility at Natanz suggested that, for cyber war, the future is now. Yet more important is the political and strategic context in which new cyber threats are emerging, and the effects the worm has generated in this respect. Perhaps most striking is the confluence between cyber crime and state action. States are capitalising on technology whose development is driven by cyber crime, and perhaps outsourcing cyber attacks to non-attributable third parties, including criminal organisations. Cyber offers great potential for striking at enemies with less risk than using traditional military means. It is unclear how much the Stuxnet program cost, but it was almost certainly less than the cost of a single fighter-bomber. Yet if damage from cyber attacks can be quickly repaired, careful strategic thought is required in comparing the cost and benefits of cyber versus traditional military attack. One important benefit of cyber attack may be its greater opportunity to achieve goals such as retarding the Iranian nuclear programme without causing the loss of life or injury to innocent civilians that air strikes would seem more likely to inflict. Nevertheless, cyber attacks do carry a risk of collateral damage, with a risk of political blowback if the attacking parties are identified. Difficulty in identifying a cyber attacker presents multiple headaches for responding. A key strategic risk in cyber attack, finally, lies in potential escalatory responses. Strategies for using cyber weapons like Stuxnet need to take into account that adversaries may attempt to turn them back against us.