This Is Why Industrial Infrastructure Needs Better Cybersecurity

To keep petrol disruptions to a minimum, industry players need to bolster their cybersecurity infrastructure.
(Credit: Aron Yigin/Unsplash).


There is a theory that Industrial Control Systems (ICS) demand specific approaches to cybersecurity because of their complex structure, connected specialised devices, software (operating systems) and critical functions.

Something like a petrol pump meets all the criteria of an ICS: it has connected specialised devices such as the pump, tanks, controller, and petrol management and payment systems. It is also connected to a corporate network with third-party service systems and, in some cases, the internet.

Petrol stations, just like any other facility, are vulnerable to cyberattacks. These attacks could cause disruptions that affect both the company and its employees, not to mention the customers.

Forbes reported recently that Iran’s petrol stations were subjected to a hack that disabled targeted stations in the country, causing a lot of damage.

Kaspersky analysed the modern petrol station’s automation software architecture, infrastructure and communications, which allowed them to label potential weak points and the impact on the network if an attack were to take place.

At a gas station

To deliver customers a full tank of petrol, the back-office and point-of-sale (POS) systems need to work in tandem through the forecourt controller (FCC), which functions as the brain of the whole operation, controlling fuel distribution so that the amount paid mirrors the amount of petrol pumped into the vehicle.

The area where the pumps are located houses the pump control system, automatic tank gauge, payment system and many other components that help regulate the amount of fuel supplied to the customer.

Any and all operational information is relayed back to the local management system, then to the head office, which stores the data from all the stations.

Chris Connell, Managing Director for Asia Pacific at Kaspersky

Where are the problems?

Kaspersky’s research identified what could go wrong in this process, including several operational technology (OT) and IT security gaps that can potentially impact the station.

First is the use of public services over the internet, which could grant remote access to malicious parties.

These services include cloud banking systems and specialised fleet management systems, which are vulnerable to remote admin access.

A real-life example of this vulnerability was chronicled by Vice in an article in which security researchers found that any hacker could get into the fuel management software and change the price of fuel without a second thought.

Kaspersky’s Managing Director for Asia Pacific, Chris Connell, also pointed out threats from compromised suppliers or service companies that have access to the infrastructure. They could open the doors for hackers, making it easier to attack the system.

He also highlighted that 32% of large organisations have experienced data leaks involving suppliers, which caused the largest financial crash compared to other types of attacks in 2021.

Network and device issues could also pose a risk of fuel service disruption or financial impact. Attacks could come remotely or through the wireless and wired network ports available onsite.

An unsegmented network can be attacked from secondary equipment in the shop or office, and the attack could affect fuel management control.

Use of unencrypted protocols like HTTP, CDP, FTP or Telnet on the station network could allow sensitive data to leak.

Flaws in fuel controllers, POS terminals, network equipment, corporate endpoints and applications also serve as entry points for hackers.

Threatpost recorded that 5,800 automatic tank gauges (ATGs) were exposed to unauthorised access from the internet in 2015. This happened due to the lack of passwords on serial ports.

ATGs are components placed in the tank to monitor the fuel level and check for fuel leaks. Through the serial port, an ATG can be programmed not to alert operators of any deviations.

Tampering with the ATG allows criminals to engage in fraud and cause physical damage to property.

Connell also said it is important to verify POS and back-office system workstations, fuel controllers, payment terminals and configurations, and even USB ports onsite.

Financial services giant Visa said a lack of compliance with the PCI DSS standard in payments could provide an avenue for an attack.

It is also important to check the fuel controller protocols: insufficient source authentication and integrity could result in data leaks and station controller manipulation.

Finally, a security assessment of wireless gateways and reader units should be done regularly to weed out weak protocols and exposure to jamming and spoofing attacks.

How to improve

These security measures should help bolster the operational technology infrastructure, and they can be applied to any industrial network.

Network Security

Purpose-based network segmentation will strengthen security and decrease the possibility of an attack.

Keeping networks that have third-party access features, such as corporate IT, separate and protected with enterprise-grade security software will keep company interests safer.

It is also important to keep an eye on the asset and communication inventory so intrusions can be detected before they inflict damage.

Through data monitoring, the IT security team can analyse and stay one step ahead of attacks.
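The segmentation and communication-inventory checks described above, together with the earlier point about unencrypted protocols, can be run as a simple audit over flow records. This is an added example, not code from Kaspersky or the article; the segment addresses, allowed-flow inventory and flow records are constructed assumptions.

```python
import csv
import io
import ipaddress
# Constructed segment plan for one station (assumed addresses, not from the article).
SEGMENTS = {
    "fuel_control": ipaddress.ip_network("10.10.1.0/24"),  # FCC, ATG, pump control
    "pos": ipaddress.ip_network("10.10.2.0/24"),           # POS and payment terminals
    "shop_office": ipaddress.ip_network("10.10.3.0/24"),   # secondary shop/office equipment
}
# Communication inventory: the only (source, destination, port) tuples expected
# to touch the fuel-control segment (assumed values).
ALLOWED = {("pos", "fuel_control", 8443), ("fuel_control", "external", 443)}
# Cleartext services named in the article, by well-known TCP port. CDP is a
# layer-2 protocol and does not appear in IP flow records, so it is not covered.
CLEARTEXT = {21: "FTP", 23: "Telnet", 80: "HTTP"}

# Constructed flow records standing in for a flow-log export.
SAMPLE_FLOWS = """src,dst,dst_port
10.10.2.11,10.10.1.5,8443
10.10.3.40,10.10.1.5,23
10.10.3.40,10.10.1.7,80
10.10.1.5,203.0.113.9,443
10.10.2.11,10.10.2.12,21
10.10.3.41,198.51.100.4,443
"""

def segment_of(addr):
    """Map an IP address to its named segment, or 'external' if unknown."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"

def audit(flow_csv):
    """Return (src, dst, port, reasons) for each flow that breaks the policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = segment_of(row["src"]), segment_of(row["dst"])
        port = int(row["dst_port"])
        reasons = []
        if port in CLEARTEXT:
            reasons.append("cleartext " + CLEARTEXT[port])
        # Any cross-segment flow touching fuel control must be in the inventory.
        if "fuel_control" in (src, dst) and src != dst and (src, dst, port) not in ALLOWED:
            reasons.append("not in inventory: %s -> %s" % (src, dst))
        if reasons:
            findings.append((row["src"], row["dst"], port, reasons))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```

On the constructed sample, the two shop/office connections into the fuel-control segment are flagged twice over (cleartext and outside the inventory), while the FTP transfer inside the POS segment is flagged for cleartext only.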

Access Control

Access control includes physical and logical access restriction to the automation and control systems.

Remote access for third parties also needs extra security measures to keep data leaks to a minimum.

Endpoint Protection

Connell urges companies to implement vendor-approved, industrial-grade security software for their OT hosts and servers, which will prevent disruptions to operational functions.

Security Management

It is also suggested that companies apply a centralised system for security event collection and protection software policy management, which allows system vulnerability and patch management.

Another option is to have the system integrate with a Security Information and Event Management (SIEM) system, which improves security.

To further protect from advanced attacks, companies could implement live monitoring and endpoint data collection systems with rule-based response and analysis capabilities.

According to Connell, a long-term measure would mean adhering to industry-standard security protocols such as IEC 62443, NIST and NERC CIP, to name a few.

Regular security testing is also important, so companies can find weaknesses in their systems before they are exploited by unwanted trespassers.

The measures listed can be applied to any company across any industry to better protect their data, and they are a strong foundation for a better and more reliable cybersecurity system.
