 High-Severity Flaw Reported in Critical System Used by Oil and Gas Companies

DeepFriendLettuce

This is a High-severity issue for anyone working in the Oil and Gas industry. This can prevent companies from properly billing their customers since they would not accurately be able to confirm how much fuel has been provided. It could cause technicians to damage valves by improperly regulating the gas flow for multiple valves which potentially could take down an entire platform. 

Flow computers are special-purpose electronic instruments used by petrochemical manufacturers to interpret data from flow meters and calculate and record the volume of substances such as natural gas, crude oils, and other hydrocarbon fluids at a specific point in time.

 

Summary

 High-Severity Flaw Reported in Critical System Used by Oil and Gas Companies

 

Quotes

"Attackers can exploit this flaw to gain root access on an ABB flow computer, read and write files, and remotely execute code."

"A malicious actor could potentially exploit this issue, bypass authentication, and could seize control of the devices and prevent the system's ability to properly record oil and gas flow rates."

“An update is available that resolves the vulnerability in the product versions listed in the advisory. Mitigation can be accomplished by proper network segmentation.”

"Flow meters read raw data from attached sensors that measure the volume of a substance in a number of ways, depending on if a gas or a liquid is being measured. The vulnerability could impede a company’s ability to bill customers – an issue that came to light during the headline-grabbing ransomware attack on Colonial Pipeline last year."

My thoughts

ABB Totalflow is used on almost every location in the Gulf of Mexico. This could potentially greatly affect any company compromised by this vulnerability and ultimately could be comparable to the Colonial Pipeline ransomware attack back in 2021. Given that many of these flow control systems are remotely monitored over cellular and VSAT, a compromised platform could potentially spread across an entire network of platforms. It isn't uncommon to have two VSAT connections on separate platforms and have 8 or more platforms chained through wireless bridges.

 

Sources

https://thehackernews.com/2022/11/high-severity-flaw-reported-in-critical.html#email-outer

https://therecord.media/high-severity-vulnerability-found-in-computers-used-by-large-oil-and-gas-utilities/

 

Unfortunately security in many industrial applications is abysmal and very little is being done to address it. Many of these systems are sold as black boxes which can't be easily audited by integrators. Many are based on ancient operating systems or software that hasn't been updated in decades.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*

Why would they put this out before a fix is confirmed to be in place on all systems! Are they trying to get our systems taken offline?? Terrible security procedure by these researchers; shame on them. This isn't like a normal computer exploit where this can be used to pressure updates; instead they are possibly causing harm to an entire infrastructure by not confirming fixes are in place.

They do everything to cheap out on security so they had it coming.

Maybe I'm misremembering... but does anyone else remember this problem already occurring like 3-4 years ago (where a pipeline was actually shut down due to them not being able to figure out how to bill the customer)?

 

If I find the old article I'll edit my post with the link, but I'm fairly certain it was an oil pipeline. Either way, it's eventually going to happen where one day the vulnerable energy sector actually gets hit by a massive nation state attack.

4 hours ago, Fasterthannothing said:

Why would they put this out before a fix is confirmed to be in place on all systems! Are they trying to get our systems taken offline?? Terrible security procedure by these researchers; shame on them. This isn't like a normal computer exploit where this can be used to pressure updates; instead they are possibly causing harm to an entire infrastructure by not confirming fixes are in place.

1. How do you know the fix hasn't been applied everywhere? There's nothing in any of the articles attached suggesting it hasn't been fully rolled out?

 

2. The patch was issued in July. If you haven't applied such a critical security update to such an important system after 4 months, then frankly you shouldn't be in charge of the security for that type of system. That's incompetency at its finest, as there's zero reason why an update like this would take so long.

19 hours ago, Fasterthannothing said:

Why would they put this out before a fix is confirmed to be in place on all systems!

They waited for the fix to be out but if it's never made public a lot of their customers will never bother to update. This lights a fire under their butts, so to speak. Even though in reality this was probably already known by malicious actors anyway.
