
Cybersecurity Case Study: 2020 Chevron Oil Ransomware Hack


Energy production, refinement, and transfer operations run at extremely high demand, volume, and risk, and they rely heavily on a series of highly insecure embedded systems built on archaic technology, protocols, and operating systems. Because of the complexity and constant uptime the industry requires, modernizing the technologies that underpin all of these operations is a daunting task that is easy to push to the backburner.


But what happens when devices and technology critical to a company’s operations are left exposed to cybersecurity risks such as leaks, hacks, and other extortive practices?


In this case study, we examine a significant cybersecurity breach that impacted the world’s largest oil and gas producer and refiner. This event not only disrupted operations, but served as a wake-up call for the industry globally in regards to the danger of digital vulnerabilities.


We’ve broken down the analysis below into several components:




Now let’s dig in.


Not-so-Zero Day: What Happened?

In late 2020, Chevron faced a sophisticated cyber-attack known as Ekans[1][2]. The attackers exploited vulnerabilities in the company’s OT (Operational Technology) systems such as their ICS (Industrial Control Systems), which are crucial for controlling and monitoring physical processes in oil extraction and refining. Once inside, the attackers seized data and locked the systems behind ransomware.


In response, Chevron was forced to temporarily shut down a number of their facilities, causing a cascading series of disruptions and costs across the supply chain in the effort to bring operations back online over the ensuing 3 months.


Aside from the tens of millions spent on the emergency response and resolution, there were additional tens of millions in costs incurred from lost production, stalled logistics, regulatory fines, and economic impact to downstream businesses and partners.


What Vulnerabilities?

Vulnerability is understandably a very nebulous-sounding concept, just like things that are known to cause cancer. In this specific Chevron hack, the primary weak points were:

  • The myriad components of the OT network lacked up-to-date security patches and activity logging, providing attackers with a vast array of undetectable entry points into Chevron’s networks.

  • Outdated software built for, and operated on, obsolete operating systems such as Windows XP, which received its final patch in 2014 - nearly an entire decade ago.

  • Inadequate segmentation of IT and OT networks, enabling attackers to move laterally within the system without any resistance or trace once they had entered it.

  • Non-standard operating procedures and inconsistent training for nontechnical staff, leading to employees frequently and unintentionally enabling attackers by interacting with phishing links and other forms of baiting and social engineering.


Weapon of Choice: Ransomware

This attack utilized ransomware - a form of malware that places victims at the mercy of their attackers, with their data and systems held hostage through proprietary encryption and other software capable of detecting attempts to crack it. Ransomware attacks are fast becoming the new go-to against complex networked systems, showing a massive 95% jump in prevalence in 2023 compared to the previous year. And it’s easy to see why - a successful breach can quickly bring a global corporation to its knees, granting a relatively minuscule adversary the bargaining power of a nation overnight.


As with any lucrative industry, technology and methodologies advance and democratize at the fastest pace possible. Hacking tools are no different. Effective malware is as off-the-shelf as Photoshop, which is what makes the investment in robust IT and security-first software architecture priceless. User-friendly tools such as RaaS (Ransomware as a Service), cryptocurrency, anonymizers, obfuscators, and now LLMs (Large Language Models) have made it easy to anonymously invade and disrupt organizations once seen as impenetrable, emboldening everyone from digital arsonists to state governments to go after key pillars of society such as medical services, public utilities, and energy production and distribution.


Solution Response

The company’s response involved several key steps:


Immediate Isolation

The affected systems were promptly disconnected from the network to prevent further spread of the breach.


Engagement with Cybersecurity Experts

The company hired a cybersecurity firm which specialized in industrial control systems to identify the breach's source and extent after-the-fact. Due to the reactive engagement, systems remained down for an extended period of time as the scope of damage and resolution plan were assessed.


Patch and Upgrade

Critical software updates and patches were applied to all vulnerable systems, bringing them up to date with the latest safeguards.


Effective patches and upgrades consist of four core components: 


Definitions

Enables the software to understand what kind of data it’s receiving and handling


Permissions

Ensuring access is limited not just operationally, but technically, mitigating spread of a virus from one compromised system to another


Heuristics

How a system learns to catch malicious behavior


Communications

This includes notifications, messaging, alerts, and other means of flagging that there is risky activity occurring, where, and to what extent - crucial for the fastest possible and most comprehensive response


Network Segmentation

Enhanced segmentation was implemented between IT and OT networks to prevent similar lateral movement in the future. Segmentation is the work of compartmentalizing functional bodies of software, each locked down behind a system of roles and permissions. When done appropriately, it prevents hackers from accessing more than the component they breached. Permission logic is a key component of this work and is what keeps a properly segmented network operationally friendly and scalable for employees.
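As an added illustration (not part of the original case study, and not Chevron’s own tooling), here is a small audit in Python over a constructed asset inventory and flow log that flags the weak points listed under “What Vulnerabilities?” and the segmentation gap described above: end-of-life operating systems, OT hosts without activity logging, and IT-to-OT traffic that is not on the segmentation allow-list. Host names, zones, addresses, ports and the allow-list are assumptions.

```python
"""Added example: audit a constructed inventory and flow log for the
weak points the case study names. All hosts, zones and flows are invented."""
from datetime import date

# Public Microsoft end-of-support dates (Windows XP: 2014-04-08, Windows 7: 2020-01-14).
EOL_DATES = {"Windows XP": date(2014, 4, 8), "Windows 7": date(2020, 1, 14)}

# Constructed inventory: zone, OS and whether the host ships activity logs.
ASSETS = [
    {"host": "hmi-01",    "zone": "OT", "os": "Windows XP", "ip": "10.20.0.11", "logging": False},
    {"host": "plc-gw-02", "zone": "OT", "os": "Windows 7",  "ip": "10.20.0.12", "logging": False},
    {"host": "eng-ws-03", "zone": "IT", "os": "Windows 10", "ip": "10.10.0.25", "logging": True},
    {"host": "jump-01",   "zone": "IT", "os": "Windows 10", "ip": "10.10.0.5",  "logging": True},
]

# Segmentation policy (assumed): only the jump host may cross into OT, and only on RDP.
ALLOWLIST = {("10.10.0.5", "10.20.0.11", 3389)}

# Constructed flow records: (source ip, destination ip, destination port).
FLOWS = [
    ("10.10.0.25", "10.20.0.11", 445),   # IT workstation reaching an OT HMI over SMB
    ("10.10.0.5",  "10.20.0.11", 3389),  # jump host on the permitted path
    ("10.20.0.11", "10.20.0.12", 502),   # OT-to-OT Modbus, stays inside the zone
]


def eol_findings(assets, today):
    """Hosts whose OS is past end of support, with whole years since the final patch."""
    return [(a["host"], a["os"], (today - EOL_DATES[a["os"]]).days // 365)
            for a in assets
            if a["os"] in EOL_DATES and EOL_DATES[a["os"]] < today]


def unlogged_ot_hosts(assets):
    """OT hosts that emit no activity logs: blind spots for detecting an intrusion."""
    return [a["host"] for a in assets if a["zone"] == "OT" and not a["logging"]]


def segmentation_violations(flows, assets, allowlist):
    """IT-to-OT flows not explicitly allow-listed: candidate lateral movement."""
    zone = {a["ip"]: a["zone"] for a in assets}
    return [f for f in flows
            if zone.get(f[0]) == "IT" and zone.get(f[1]) == "OT" and f not in allowlist]


if __name__ == "__main__":
    for finding in eol_findings(ASSETS, date.today()):
        print("EOL OS:", finding)
    print("OT hosts without logging:", unlogged_ot_hosts(ASSETS))
    print("Segmentation violations:", segmentation_violations(FLOWS, ASSETS, ALLOWLIST))
```

In a real environment the inventory would come from the asset register and the flows from firewall or NetFlow exports; the three checks map directly onto the patching, logging and segmentation remediation steps the case study describes.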


Employee Training

Increased focus was placed on training employees in cybersecurity best practices. At the end of the day, no degree of technical sophistication will stop someone from clicking on a malicious file, link, or other attack vector that lets hackers immediately bypass many infrastructural security measures.


Resolution Timeline

To isolate and assess the situation at a high level took approximately 48 hours.


The complete resolution consisted of a multi-stage plan for security, including system upgrades, network segmentation, and comprehensive security audits. Implementation of this plan spanned at least 3 months. 


Cost of the Event

The true cost of any security breach is always orders of magnitude greater than what’s publicly reported. That said, below is the breakdown of the $75,000,000 in losses we’re made privy to:


Direct Costs

Immediate costs of the cybersecurity firm, software upgrades, and operational downtime were estimated at around $25 million.


Indirect Costs

Longer-term costs, including enhanced security measures, training programs, and reputational damage, were estimated at an additional $50 million.


Regulatory Fines

The company faced fines for failing to adhere to industry-standard cybersecurity practices, amounting to $10 million.


Current Status

As of now, the impacted program has been significantly overhauled. Chevron has established a dedicated cybersecurity division responsible for continuously monitoring and updating security protocols. Investments in advanced threat detection systems have been made, and employee training programs are regularly conducted. The incident has led to a cultural shift within the company, placing cybersecurity at the forefront of its operational priorities.


Conclusion

While the highly tangible and unit-based nature of Oil and Gas makes gauging performance and risk clear and easy to visualize, the nature of IT and cybersecurity work is not tangible - a successful day is one where everything is running smoothly and nothing bad happens. Because of this, it’s often a challenge to fully grasp the degree of urgency and care that needs to be placed on maintaining robust, efficient, and easily serviceable software-based infosystems.


The case study above underlines the need for continuous vigilance, regular updates, employee training, and the segregation of critical networks to safeguard against such breaches with the same degree of fervor used to optimize and grow the core profit generating pillars of the business. The hack and ensuing consequences demonstrate that while digital transformation offers numerous benefits, it can also introduce vulnerabilities that can have far-reaching impacts if not appropriately accounted for in the strategy, roadmap, and implementation phases.


(photo courtesy of maria lupan)



All Rights Reserved i-Clef Inc. 2024
