
Iran Took Systems Offline After Cyber Attack Hit Oil Industry

Multiple Targets Hit During Cyber Attack Targeting Iranian Oil Industry

Iran disconnected computer systems at a number of its oil facilities in response to a cyber attack during the weekend, according to reports.

A source at the National Iranian Oil Company (NIOC) reportedly told Reuters that a virus was detected inside the control systems of Kharg Island oil terminal, which handles the majority of Iran’s crude oil exports. In addition, computer systems at Iran’s Oil Ministry and its national oil company were hit.

Oil Ministry spokesman Ali Reza Nikzad-Rahbar told Mehr News Agency on Monday that the attack had not caused significant damage and the worm had been detected before it could infect systems.

There has been no word on the details of the malware found, but computer systems controlling several of Iran's oil facilities were disconnected from the Internet as a precaution.

Back in 2010, Iran was discovered to be the main target of the infamous Stuxnet worm, which targeted the country’s uranium enrichment program. The country was also hit by Duqu, believed by many to be related to Stuxnet. Since then, the country has bolstered its cyber defenses, with Iran's Police Chief Brigadier General Esmayeel Ahmadi Moqaddam stating in February that Iran has developed its cyber army not for offensive goals but for defensive purposes. However, the BBC claimed in March that its website had been the victim of a cyber-attack following a campaign of intimidation by Iranian authorities. Though the BBC did not blame Iran for the attack, BBC Director General Mark Thompson called the situation “self-evidently suspicious.”

“Iran's Revolutionary Guard claims to have created a "hack-proof" network for all sensitive data,” blogged Chester Wisniewski, senior security advisor at Sophos Canada. “I have yet to see a hack-proof network and if they have convinced themselves it's true, perhaps that is part of the problem…One thing is clear, whether you are an oppressive regime, or simply an average small business, anyone who depends upon the internet will face malware threats and hacking attempts.”

To many in the security industry, the news hardly comes as a surprise. “Attacks on critical infrastructure are more common than many think. Because of a lack of disclosure in these industries many incidents ranging from sabotage and intellectual property theft to extortion go unreported,” Brian Contos, security director & consumer security strategist at McAfee, told SecurityWeek.

“There is a strong expectation that we are going to see more attacks targeting critical infrastructure around the world,” Contos added. “Most organizations within critical infrastructure operate with a mix of legacy and modern equipment leveraging applications and protocols that facilitate both. This duality makes their assets vulnerable to a wider range of attacks than organizations in industries like retail and finance.”

“The real news here is that this type of campaign could clearly have a serious and detrimental impact - both financially and socio-politically,” said Dr. Parveen Jain, president and CEO of RedSeal Networks, who also holds a Ph.D. in Nuclear Engineering. “The reality is that many of the SCADA systems used through industries such as oil, electric and water systems are based on legacy computing technologies that were deployed before concerns of cyber threats were a reality. These systems cannot be ripped and replaced, and won’t be. It’s not feasible. Neither is the idea of removing some of the Internet-based management controls that have put them at greater risk, because they’re much needed tools for smarter management of distributed power systems, etc.”

“The only solution for this problem is for infrastructure providers to do everything that they can to ensure that their systems are protected effectively at all times,” Jain added. “They have to know that the defenses they’ve put in place are indeed functioning properly and that they cannot be easily hacked. As with critical data, or any other mission critical computing systems, the answer is the same in every scenario. Companies, and the industry regulators that oversee them, need to make sure that the security systems that they’ve already invested in are actually effectively working. It’s not about fear-mongering over cataclysmic implications, as big of an attention getter as that may be. It’s about making sure that basic controls are in place, that segmentation is enforced, that policies are enforced, which in itself is hard without automation, given today’s complexity and rate of business-driven change.”
