News Digest (www.upstreamonline.com)

Cybersecurity experts are warning the oil and gas industry to be on high alert for an escalation in cyber threats due to the ongoing conflict involving Iran, the US, and Israel. The sector is identified as a primary target, with operational technology (OT) systems facing increased risk of potentially damaging incursions.

Heightened Threat Environment

Following the outbreak of hostilities, cybersecurity firm SentinelOne warned customers of an intensification in cyber-attacks by groups backed by the Iranian government. These actors are assessed as likely to target organizations in Israel, the US, and allied nations, particularly within critical infrastructure sectors like energy. Iranian hackers employ diverse tools, including targeted phishing to steal credentials, damaging malware, ransomware, and impersonation of "hacktivists." While Iran itself is also a target of cyberattacks, retaliation by Iranian groups is considered likely. This pattern aligns with historical trends in which cyber incidents increase during major geopolitical events, as seen when Iranian-based groups targeted Israeli critical infrastructure during a conflict last year.

Targeting of Operational Technology

The warnings coincide with a growing industry trend of connecting field OT systems to networks for remote monitoring, thereby increasing their exposure. Attacks on OT equipment have shown steady annual growth, with the energy sector consistently targeted. Experts note a shift from simple website defacements to more frequent and sophisticated efforts to access industrial operational controls. The consulting firm Dragos reported that attackers last year "crossed a line" by infiltrating control systems more deeply and for longer durations, actively mapping control loops to identify where they could inflict maximum damage.

Sophisticated Attack Methods

Attack methodologies are evolving. There is a rising use of artificial intelligence to craft more convincing and effective phishing campaigns via email and LinkedIn. Furthermore, attackers increasingly use "living off the land" techniques, where they infiltrate systems by masquerading as employees using legitimate credentials obtained through phishing. Once inside, they perform reconnaissance, escalate privileges, and move laterally until they gain access to impactful systems. While ransomware remains common, OT-focused attacks are becoming harder to detect.

Specific Vulnerabilities and Precedents

The US Cybersecurity & Infrastructure Security Agency (CISA) has warned that vulnerabilities in industrial control systems, like SCADA software used for pumps and compressors, could be exploited by threat actors linked to Iran. CISA identified 12 such vulnerable systems, noting the risk of attackers gaining remote control over operational equipment and advising companies to minimize these systems' internet exposure. A precedent exists from last year, when threat actors from Iran attempted to install malware capable of wiping systems clean on IT platforms critical to OT equipment in Israel.

Industry Concerns and Preparedness

Industry insiders have expressed concern over the cyber risks inherent in connecting OT to IT systems. Experts advise that companies should have fortified their cyber defenses in anticipation of the current escalation, comparing the need for preparation to battening down before a hurricane. Proactive defense measures are crucial and could reduce the severity of damage from anticipated attacks.

2 March 2026



This material is an AI-assisted summary based on publicly available sources and may contain inaccuracies. For the original and full details, please refer to the source link. Based on materials by Nathanial Gronewold. All rights to the original text and images remain with their respective rights holders.
