Insecure SCADA Systems Blamed in Rash of Pipeline Data Network Attacks

After a cyberattack shut down numerous pipeline communication networks this week, experts are stressing the importance of securing third-party systems in supervisory control and data acquisition (SCADA) environments.

Over the past two days, various major U.S. pipelines reported data system blackouts after a third-party electronic communication system was attacked. That electronic data interchange (EDI) system, which was identified as Energy Services Group’s Latitude Technologies Unit, controls computer-to-computer document exchanges with customers.

Latitude Technologies, which provides the system to more than 100 natural gas pipelines, energy marketers and utilities nationally, posted on Monday that it has restored its EDI services system and is working towards increasing performance. “While we believe things to be fully restored, we will continue to monitor for gaps in functionality,” said the company in a status update posted to its website. Latitude Technologies did not respond to a request for further comment.

The EDI cyberattack led to the shutdown of the communication systems for several pipelines utilizing those services, including that of Dallas, Tex.-based Energy Transfer Partners. A spokesperson for Energy Transfer told Threatpost that the attack did not impact pipeline operations.

“It was on a third-party service provider that a number of energy companies use, including us,” said the spokesperson. “Our operations were not impacted by their breach. We were back online with them [Monday] evening.”

On Tuesday, meanwhile, Tulsa, Oklahoma-based gas pipeline operator Oneok said in a statement that “as a purely precautionary step for its interstate natural gas pipelines that it has temporarily disabled service with a third-party electronic data interchange services provider utilized by some of its customers, which was a target of an apparent cyberattack.”

Oneok stressed that the attack was on the third-party EDI system, not its own system: “Media outlets misinterpreted the company’s notification to customers as a reaction to an attack on ONEOK’s system. There were no operational interruptions on ONEOK’s natural gas pipelines. Affected customers have been advised to use one of the alternative methods of communications available to them for gas scheduling purposes,” said the company’s statement.

Other pipeline operators reporting data system shutdowns this week and last week include Boardwalk Pipeline Partners LP and Chesapeake Utilities Corp.’s Eastern Shore Natural Gas, according to a report by Bloomberg.

The incident sheds light on the many vulnerabilities that utilities face. Pipelines usually have three ways to connect at any station: a primary network; a backup network, such as GPRS, microwave, or satellite; and an array of insecure devices such as modems, which are used in pipelines because of the large geographic distances involved, said Bryan Singer, director of security services at IOActive.

“There is a critical need that all supply chain network providers that connect to your assets be held to the same high security standards,” said Singer.

“You’ve got to audit those third parties regularly and ensure that all third parties take security as seriously as you do. I see third parties all the time that are not nearly as secure as the actual company themselves — they’re trusted connections but unfortunately, nobody is paying much attention to them,” he said.

Fred Kneip, CEO of CyberGRX, said that it doesn’t matter how well an organization protects its own perimeter if third parties with weak security controls create vulnerabilities that can be easily exploited.

“The attacks on gas pipelines through a third-party data system is another example that critical utilities in the United States are being put at risk because of lapses in third-party risk management,” he said. “The strategy of honing in on trusted third parties as an attack vector should not come as a surprise. There is a good reason that hackers have been attacking weak links in targets’ digital ecosystems for years: it’s often the easiest path to accessing data or distributing malicious content.”

Singer said that pipeline providers need to hold integrated third-party service providers to the same standards they hold themselves to. “In probably three-quarters of the cases where a hacker is targeting an industrial control system, a very common pattern we see is entrance through vulnerable, third-party systems,” he said.