The cyber threat to Canada’s oil and gas sector

Introduction

The oil and gas sector is a critical contributor to both Canada’s economy, and the security and well-being of Canadians. As a result, the cyber security of the oil and gas sector is important to Canada’s national security. The oil and gas sector employs about 600,000 Canadians and adds $120 billion dollars to Canada’s economy, or about 5% of the gross domestic product (GDP).^{Footnote 1} In Canada, oil and gas is used for energy to heat buildings, move people and goods, seed fields and harvest crops, generate electricity, and also serves as raw materials for many other manufactured products.

It is difficult to overstate the importance of the oil and gas sector to national security because much of our critical infrastructure depends on oil and gas products to operate. At the same time, critical infrastructure, and especially the energy sector, is increasingly at risk from cyber threat activity.^{Footnote 2} In the United States, for example, Colonial Pipeline garnered international attention in May 2021 when it was forced to shut down the operation of one of the largest gasoline, diesel, and jet fuel pipelines in the US due to a ransomware incident. Although the pipeline was restarted a few days later, the disruption in the fuel supply resulted in shortages that caused the rerouting of flights, panic buying, and short-term price spikes. It was estimated that, at the time that the pipeline was restarted, the Eastern US was only a few days away from experiencing food and other shortages from the disruption of fuel to other sectors such as truck transportation.^{Footnote 3}

Oil and gas sector primer

The organizations that participate directly in the oil and gas sector can be divided into three broad categories:

1. Upstream: the organizations involved in exploration, extraction, and production
2. Midstream: pipelines, transportation, and storage
3. Downstream: refining, distribution, and sales

The upstream oil and gas sector organizations are involved in the discovery and extraction of crude oil and natural gas from natural deposits. Activities start with environmental and geological research and planning, leading to extraction, including drilling and operating oil and gas wells, and mining oil sands.

Midstream activities include the storage, processing, and transportation of oil and gas products. Oil and gas can be transported by pipeline, train, truck, and marine tankers. Pipelines are the primary midstream delivery mechanism for moving oil and gas products from producers to consumers in North America. Canada is roughly 7,500 km from east to west. In that space, there are about 850,000 km of gathering, feeder, transmission, and distribution pipelines for oil and gas products. This includes just under 120,000 km of large-diameter transmission pipelines used to move larger volumes of oil and gas long distances, often across provincial and international borders.^{Footnote 4} Large storage facilities are connected to the pipeline network to counter changes in supply and demand so that pipelines are used efficiently. Natural gas is usually stored underground in large reservoirs above ground tanks are used for crude and refined oil, finished oil products, and natural gas.

The downstream part of the oil and gas sector is responsible for the refining of crude oil and raw natural gas into final products, as well as the distribution and sales of oil and gas products to clients. This includes refineries and chemical plants, and distribution and retail companies.

Cyber threats originating in the digital supply chain

We assess that medium- to high-sophistication cyber threat actors are likely to consider targeting organizations indirectly, by first targeting the supply chain.^{Footnote 8} Cyber threat actors target the supply chain for two general purposes: to obtain commercially valuable intellectual property and information from suppliers about the target organization’s networks and OT, and as an indirect route to access a target organization’s networks.^{Footnote 7} Large industrial asset operators, including those in oil and gas, depend on a diverse supply chain of products and services from laboratories, manufacturers, vendors, integrators, and contractors, as well as Internet, cloud, and managed service providers for daily operation, maintenance, modernization, and development of new capacity. Oil and gas OT asset operators’ dependence on the supply chain is a critical vulnerability that gives cyber actors inside information on, and opportunities for access to otherwise protected IT and OT systems. We assess that medium- and high-sophistication actors will almost certainly continue to target the supply chain for these purposes for the next 12 months and beyond.

The threat from the proliferation of cyber tools

The Cyber Centre notes that pre-built cyber tools and training in their use are becoming readily available via the Internet and we judge that there is an even chance that low sophistication actors with the intent to disrupt the oil and gas sector could adopt these tools to mount a future successful sabotage attack.

For example, there are OT-specific exploit modules in free cyber tools as well, such as the open source Metasploit framework developed and released by researchers and security professionals for testing OT network defences. These tools are widely available to actors of all sophistication levels and include documentation and tutorials in their use.^{Footnote 9} The Cyber Centre is also aware of high-impact crimeware such as Trickbot, Qakbot, Dridex, etc., using the leaked commercial cyber tool Cobalt Strike to target large organizations and critical infrastructure in Canada. Both Metasploit and Cobalt Strike are in wide use by states and criminal groups to facilitate cyber espionage and ransomware activity.^{Footnote 10} In addition, a large illegal marketplace for cyber tools and services is greatly reducing the start-up time for cybercriminals and potentially other actors by enabling them to conduct more complex and sophisticated campaigns. Many online marketplaces allow vendors to sell specialized cyber tools and services that users can purchase and use to commit cybercrime, including espionage, distributed denial of service (DDoS) attacks, and ransomware attacks, any of which could be used by actors intending to sabotage OT systems.

We assess that the wide availability of free, stolen, commercial, and criminal cyber capabilities and services is likely lowering the threshold of sophistication necessary to target and sabotage OT. In the National Cyber Threat Assessment 2020, the Cyber Centre assessed that the development of commercial markets for cyber tools and talent has reduced the time it takes for cyber actors to build cyber capabilities. Some vendors are developing OT-specific capabilities for sale to clients. As more cyber actors gain access to commercial cyber tools, actors that are interested in sabotaging OT, but previously lacked the capability, can now more readily attempt this type of cyber threat activity. The proliferation of commercial tools also makes it more difficult to identify, attribute, and defend against this cyber threat activity. We assess that although the threat to oil and gas from other actors is likely currently low, the inconsistent level of cyber security in connected OT devices, the global discoverability of devices on the Internet through OT-specific search engines, and the availability of free cyber tools will, in combination, likely increase the threat from low sophistication cyber actors in the near future.

The threat from cybercrime

We assess that cybercriminals motivated by financial gain, particularly criminals attempting business email compromise (BEC) and ransomware, are the top cyber threats facing the oil and gas sector. Although BEC is very likely more common and more costly than ransomware to victims, we assess that ransomware is almost certainly the main threat to the supply of oil and gas to customers. The underground cybercriminal ecosystem is continuously evolving to maximize profits and increase the payouts extracted from targets.^{Footnote 11} For example, the adaptation of ransomware to a service model (ransomware-as-a-service, or RaaS) and the widespread adoption of stealing and leaking of sensitive data to increase the pressure to pay are two of the main drivers of the recent increase in successful incidents.^{Footnote 12}

The oil and gas sector, like other parts of the energy sector, reportedly attracts more than its share of attention from financially motivated cyber threat actors due to the high value of the industry’s assets and the degree of customer dependence on the industry’s products.^{Footnote 13} Other assets of value in the oil and gas sector targeted by cybercriminals include intellectual property and business plans, and stores of client information.

Since oil and gas organizations are part of Canadian critical infrastructure (CI), they are attractive targets for extortion because of the importance of these products and services to Canadians. Cybercriminal activity has the potential to disrupt operations and critical delivery of products by limiting a company’s access to essential business data in the IT network or by preventing safe control of industrial processes in the OT network. The disruption or sabotage of OT systems in Canadian CI poses a costly threat to owner-operators of large OT assets and could conceivably jeopardize national security, public and environmental safety, and the economy.

In early May 2021, for example, Colonial Pipeline suffered an incident attributed to DarkSide, a Russia-based ransomware group. Although the activity was reported to be restricted to the IT systems, the company chose to shut down its operations for business reasons, leading to panic-buying and shortages, and elevating the event to a national security issue. Later, it was reported that the Russia’s Federal Security Service (FSB) investigated and arrested members of the group allegedly responsible for the Colonial incident at the request of US officials.^{Footnote 14}

The high profile of the Colonial incident and the resulting attention from law enforcement likely motivated some groups to make public statements about altering their targeting patterns away from some CI, and some criminal forums to ban ransomware completely.^{Footnote 15} However, similar statements about the health sector have not resulted in decreased overall targeting.^{Footnote 16} We assess that these statements and activities are largely theatre and do not lower the threat to oil and gas organizations substantially over the long term.

Cybercriminals are opportunistic and will not hesitate to exacerbate a crisis for profit. For example, in late January 2022, incidents at two subsidiaries of the German oil transportation company Marquard and Bahls and an unrelated ransomware incident at Amsterdam-Rotterdam-Antwerp (ARA) caused significant disruption in the delivery of oil products in parts of continental Europe, potentially worsening the existing energy crisis caused by Russia’s imminent invasion of Ukraine.^{Footnote 17}We assess that cybercriminals will almost certainly continue to target high-value organizations in the oil and gas sector in Canada and globally.

The state-sponsored cyber threat to oil and gas

State-sponsored cyber activity against the oil and gas sector has become a regular feature of global cyber threat activity, especially in times of rising geopolitical tensions.^{Footnote 5} Politically motivated state-sponsored cyber threat actors, including Russia, China, and Iran, have targeted the global energy sector for both espionage and disruption/destruction. State-sponsored actors typically conduct espionage on oil and gas targets for foreign intelligence (to obtain oil and gas sector data of economic or foreign relations intelligence value) or for commercial reasons (to obtain business plans or valuable intellectual property to deploy for national competitive advantage). We assess that state-sponsored actors are almost certainly the most sophisticated cyber actors and that some very likely have the capability to launch coordinated effects and target more than one CI component at a time. In addition, state-sponsored actors use a variety of tactics to work covertly and are often difficult to identify and attribute with confidence.

Commercial espionage

We assess that the oil and gas sector in Canada will very likely continue to be targeted by states for commercial or economic reasons. This could include organizations at any level of the oil and gas value chain. Oil and natural gas digital assets of value to adversarial states include an organization’s proprietary trade secrets, research, client data, and business and production plans. Examples of these assets might include oilfield development plans or research and development on equipment or techniques, which, if stolen, could result in competitive disadvantage from lost investment, lost revenue, and damaged reputations. For example, in 2020 the Norwegian counterintelligence service reported that Russia, China and other countries were using cyber espionage to discover petroleum industry trade secrets and production plans.^{Footnote 18}

Pre-positioning and capability development

The Cyber Centre assesses that critical infrastructure, and especially the network-connected OT in critical infrastructure, is a strategic target for disruption or destruction by state-sponsored cyber actors in times of rising hostilities between states.^{Footnote 7} Energy, water, government, telecommunications, and finance sectors have been targeted over geopolitical disputes. Offensive cyber activity against oil and gas OT to deny essential products to a target country could be used to send intimidating messages about power and capability, delegitimize target governments, demoralize leaders and the public, degrade defences, and threaten a population’s health and safety. We assess that it is very unlikely that a state-sponsored cyber actor would intentionally disrupt or damage the oil and gas infrastructure in Canada outside of hostilities.

Some large OT asset owner-operators, such as the utilities, pipelines, and refineries in the oil and gas sector, are not likely targets for commercial espionage because most of the commercially valuable IP in use and in development resides in the supply chain. We judge that the intent of most state-sponsored cyber activity against oil and gas sector OT asset owners is likely to collect information and pre-position cyber tools as a contingency for possible future sabotage, or as a form of intimidation from a demonstration of state cyber power. These early stages of potential future cyber sabotage tend to resemble commercial espionage.^{Footnote 19}We assess that it is very likely that state actors are using the information gathered from cyber reconnaissance and espionage to develop access and additional capabilities that would allow them to sabotage the OT used in Canada’s CI sectors, including oil and gas.

The Cyber Centre assesses that state-sponsored cyber threat actors are almost certainly continually improving their capability to conduct destructive or debilitating cyber activity against CI. They do this by locating and prioritizing systems of interest, identifying vulnerabilities, developing access to and pre-positioning in those systems, conducting espionage on the OT in use, and developing techniques and tools to disrupt or destroy the OT.^{Footnote 20} In early 2022, Pipedream (aka Incontroller) malware was uncovered, with modules for exploiting OT supervisory workstations and affecting industrial OT automation and safety controllers typically found in liquefied natural gas and electric power facilities.^{Footnote 21} The heightened level of technical sophistication level of PIPEDREAM over earlier malware such as TRITON points to both a state-sponsored author, and the effort that these actors are willing to commit to the development of OT-specific offensive cyber capabilities.^{Footnote 22}

We assess that the state-sponsored actors intending to disrupt the supply of oil and gas in Canada are likely to target supply bottlenecks in the product transmission and processing stages to maximize the effect. Potential targets for this activity could include large-diameter pipelines, marine terminals, and major refining facilities.

Notable state-sponsored cyber activity against the oil and gas sector

• In late 2019 and early 2020, Iranian state-sponsored actors deployed Shamoon variant Zerocleare^{Footnote 23} and Dustman^{Footnote 24} wiper malware onto the networks of unidentified Saudi Arabian energy sector targets and Bapco, Bahrain's national oil company, causing an unreported amount of business disruption.^{Footnote 25}
• In 2018 a variant of Iranian Shamoon malware destroyed about 10 percent of the Italian oil and gas company Saipem’s network. Saipem is major Saudi Aramco contractor.^{Footnote 26}
• In 2017, Russian cyber threat actors tested a capability called Triton (aka Trisis) to modify the performance of a Safety Instrumented System (SIS) at a Middle Eastern oil and gas facility. An SIS is a specialized OT device designed to independently detect out-of-range conditions in an industrial process and, if needed, initiate a safe shutdown of the equipment. The actors gained remote access for the facility and reprogrammed the SIS controllers, inadvertently causing them to enter a failed state, resulting in an automatic shutdown of the industrial process and subsequent investigation.^{Footnote 27} Later, in 2018 and 2019, the same actors probed the networks of energy sector utilities in the US.^{Footnote 28}
• From 2011 to 2018, Russian state-sponsored cyber actors conducted an extensive cyber espionage campaign against US and European energy sector companies, employing Havex malware to search for OT components and extract OT-related information.^{Footnote 29}
• In 2012, state-sponsored Iranian cyber actors deploy Shamoon wiper malware to IT networks of Saudi Aramco and RasGas in Saudi Arabia and Qatar, deleting data on roughly 30,000 computers and forcing the shutdown of numerous internal networks.^{Footnote 30}
• From 2011 to 2013 Chinese state-sponsored actors conducted a spear phishing and intrusion campaign against US oil and natural gas pipeline companies.^{Footnote 31}

Current geopolitical context: The Russian invasion of Ukraine

In April 2022, the Cyber Centre, along with our partner cyber security agencies in Australia, New Zealand, the UK, and the US, warned critical infrastructure providers of the potential for activity by both Russian state-sponsored and Russian-aligned, non-state criminal-hacktivist groups in support of the Russian invasion of Ukraine.^{Footnote 32} In July 2023, the Cyber Centre expanded on the role of these actors both within and beyond Ukraine in its “Cyber threat bulletin: Cyber threat activity related to the Russian invasion of Ukraine”.^{Footnote 33}

Russia has repeatedly deployed destructive cyber attacks against strategic critical infrastructure (CI) targets to project power when geopolitical crises escalate to armed conflict. In 2022, in support of the invasion of Ukraine, Russia conducted a large-scale cyber campaign targeting Ukrainian CI including government, energy, telecommunications, and financial sectors.^{Footnote 33} This campaign used denial of service and various forms of destructive malware to cause widespread disruption, often coordinated with kinetic attacks. For example, on February 24, Russian state-sponsored hackers conducted destructive cyber threat activity targeting Viasat KA-SAT satellite Internet service in Ukraine as Russian forces invaded Ukraine, rendering CI for Internet and communications inoperable and disrupting Internet access to Viasat customers across Europe.^{Footnote 34}

Threat to Canada: State-sponsored actors

We judge that Russian state-sponsored cyber actors are almost certainly conducting reconnaissance activity against Canadian CI and that Russian cyber activity with the goal of pre-positioning on industrial OT networks will very likely continue. We assess that it is very unlikely that Russian state-sponsored actors would choose to conduct a destructive attack against Canadian or allied-state oil and gas infrastructure outside of perceived imminent armed conflict between Canada and Russia.

Threat to Canada: State-aligned actors

Cyber activity supporting Russia’s invasion of Ukraine by Russian-aligned groups such as Killnet, Xaknet, and others has very likely increased substantially over the last 12 months.^{Footnote 35} These groups typically either gain access to networks to deploy ransomware and encrypt data, potentially causing significant disruption to operations, or conduct DDoS attacks (often with extortion) or defacement activity against websites.^{Footnote 32} Targets within a sector are likely chosen opportunistically, based on searches for exposed services with known vulnerabilities, rather than strategically for maximum effect. These attacks often respond to news that the targeted state is providing support to Ukraine.^{Footnote 36}

The Cyber Center is aware of efforts by Russia-aligned threat actors to compromise and establish persistence on the networks of Canadian and US CI providers, including organizations in the oil and gas sector. We assess that the intent of this activity is to disrupt critical services for psychological impact, ultimately to weaken Canadian support for Ukraine. We assess that this activity will almost certainly continue for the duration of the war and will likely increase as Russia’s invasion efforts falter, or new support for Ukraine is announced. Although Russia-aligned non-state actors almost certainly have a lower overall sophistication and technical capability than Russian state-sponsored actors, we assess there is an even chance of a disruptive incident in the oil and gas sector in Canada caused by Russia-aligned actors, due to their higher tolerance for risk, the increase in their numbers and activity, as well as the number of vulnerable targets in the sector overall.

We assess that both Russian state-sponsored and Russia-aligned cyber threat actors very likely view Ukraine, the US, and leading European NATO members as higher priority targets than Canada. However, if the US is targeted, we assess that there is an even chance that Canada would be affected, due to the interconnectedness of US and Canadian oil and gas infrastructure.

Notable Russian cyber activity

• The first state-sponsored cyber activity to sabotage critical infrastructure occurred in 2015 and 2016 against the electricity grid in Ukraine, conducted by Russia’s military intelligence agency, the Main Intelligence Directorate of the General Staff (GRU), also known as the Sandworm Team. In 2015, Russia was able to de-energize seven substations from three Ukrainian regional distribution companies for three hours, causing a power outage that affected 225,000 customers. A year later, a cyber incident at Ukraine's national power company, Ukrenergo, caused a one-hour outage in northern Kyiv. These incidents, conducted in the context of the Russia invasion of Ukraine, were a turning point in the history of cyber activity against the energy sector, demonstrating the impact of a cyber attack against critical infrastructure and its use during international hostilities.^{Footnote 20}
• In June 2017, the NotPetya malware infected tens of thousands of devices, including those on critical infrastructure networks in Ukraine and around the world,^{Footnote 37} likely in an attempt by Russia to disrupt Ukraine’s financial systems.
• In 2018, the GRU disabled over 15,000 Georgian government websites and media outlets as part of efforts to destabilize the country.^{Footnote 38}

Other actors

We assess that low-sophistication actors such as terrorists, hacktivists, thrill seekers, and disgruntled individuals, motivated to attract attention by embarrassing or harming the sector through public incidents are currently more likely to engage in noisy, nuisance-level cyber activity, such as website defacement, than to attempt direct OT disruption. Since Russia’s full-scale invasion of Ukraine began in February 2022, we assess that the operational tempo and engagement of pro-Russian non-state cyber groups has likely increased.^{Footnote 35} The Cyber Centre is aware that Russia’s long-standing practice has been to coordinate with non-state groups, such as cybercriminals and hacktivists, to conduct cyber threat activity against Ukrainian and allies’ CI. For example, pro-Russian hacktivist group Killnet has conducted DDoS attacks against critical infrastructure operators’ websites, including those of energy sector providers.^{Footnote 32}

Outlook

The cyber security of Canada’s critical infrastructure is also national security. The oil and gas sector in Canada have a major role in the economy, both as a contributor to the GDP and as an energy provider to other parts of the Canadian economy, critical infrastructure, and Canadians. The importance and high profile of the oil and gas sector, along with its expanding threat surface from digital transformation makes it a target for cyber actors intent on maximum disruption.

The Cyber Centre encourages all critical infrastructure network owners, including those in the oil and gas sector, to take appropriate measures to protect your systems against the cyber threats detailed in this assessment, in particular those related to geopolitical events surrounding the Russian invasion of Ukraine.^{Footnote 39} The Cyber Centre joins our partners in the US^{Footnote 40} and the UK^{Footnote 41} in recommending proactive network monitoring and mitigations. The US Cybersecurity and Infrastructure Security Agency's (CISA) advisory “Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure” helpfully highlights vulnerabilities known to have been exploited by Russian cyber threat actors, their tactics, techniques and procedures, and potential defence actions.

Useful resources

Threat detection and mitigation

• An introduction to the cyber threat environment
• Cyber security guidance for heightened threat levels
• Ransomware resources
• Baseline cyber security controls for small and medium organizations
• Top 10 IT security actions for Internet-connected systems
• IoT security for small and medium organizations
• Cyber Centre’s advice on mobile security
• Cyber security considerations for contracting with managed service providers
• Top 10 IT security action items: No.2 patch operating systems and applications
• Joint report on publicly available hacking tools
• Malicious cyber activity targeting managed service providers

Threat assessments

• Cyber threat bulletin: Cyber threat activity related to the Russian invasion of Ukraine
• Cyber threat bulletin: Cyber threat to operational technology
• The cyber threat from supply chains
• National Cyber Threat Assessment 2023-2024
• Cyber threat bulletin: The cyber threat to Canada's electricity sector
• Cyber threat bulletin: The ransomware threat in 2021

Services

• Security review program fact sheet