Mixing ERP and production systems: Oil industry at risk, say infosec bods

Hackers might be able to bridge the gap between supposedly air-gapped systems in oil and gas production by pivoting from enterprise planning onto production systems. Vulnerabilities and insecure installations in SAP business software and other enterprise systems might be used to interfere with loosely-coupled but nonetheless …

  1. Gotno iShit Wantno iShit

    I wrote a long post knocking holes in the ERPScan claims. While they clearly know a great deal about SAP they know close to squat about control and automation in oil & gas. Then I decided to check the linked pdf and found this:

    "It is the first Oil and Gas Cybersecurity research ever so far."

    That is so epically untrue I just cannot be arsed to read any further.

    1. asdf

      no worries

      I am sure oil and gas will eventually be unable to avoid COTS IoT stuff somewhere so the vulnerabilities are coming soon enough regardless.

    2. Anonymous Coward

      Got to agree. My experience is that separation of application levels as defined by ISA-99 (Purdue Model for Control Hierarchy - reference ISBN 1-55617-265-6) is widely implemented. This article assumes none of this background. Also all of the research performed by the various Oil and Chemical companies, originally with the framework of the Chemical Industry Data Exchange (CIDX) organisation, that defined an approach to cybersecurity must be considered relevant in this area.

  2. thames


    SAP and OPC are full of security holes. Who would have guessed?

    I can't offer advice about SAP, but on the PLC/RTU/meter side the biggest problem is the huge dog's breakfast of proprietary protocols, which OPC tries to paper over.

    Someone (Tofino) does a firewall appliance for Modbus/TCP which can let you control which registers and commands you want to allow through. Stick it in your control panel next to the PLC, configure it, and you're done. Someone did an open source Modbus/TCP firewall which I think is based on the standard Linux packet filtering (I think Tofino just packages that up and adds a front end). That pretty much deals with the issue of accessing arbitrary memory addresses.

    That is only for Modbus/TCP though, as it's an open protocol. You're pretty much screwed so far as the proprietary protocols are concerned, since the industrial control vendors have no clue about security, and third parties can't come and play in their proprietary protocol playpens since the proprietary aspect is there for vendor lock-in and no other reason.
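The register-and-command filtering described in the comment above, as an added example that is not part of the thread and is not the code of Tofino or of the open source firewall it mentions. The policy table, the function names and the sample frames are constructed for illustration; the frame layout (MBAP header, function codes 0x03, 0x06, 0x10) is standard Modbus/TCP.

```python
import struct

# Constructed policy (assumption): function code -> permitted register ranges (inclusive).
POLICY = {
    0x03: [(0, 99)],    # Read Holding Registers
    0x06: [(10, 12)],   # Write Single Register
    0x10: [(10, 12)],   # Write Multiple Registers
}

def build_request(func, body, unit=1, tid=1):
    """Build a Modbus/TCP request: 7-byte MBAP header + function code + body."""
    return struct.pack(">HHHB", tid, 0, len(body) + 2, unit) + bytes([func]) + body

def check_request(adu, policy=POLICY):
    """Return (allowed, reason) for one request frame; anything not listed is denied."""
    if len(adu) < 8:
        return False, "truncated frame"
    _tid, proto, length, _unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:
        return False, "bad MBAP header"
    func, body = adu[7], adu[8:]
    if func not in policy:
        return False, "function 0x%02x not allowed" % func
    if len(body) < 4:
        return False, "malformed request"
    start, second = struct.unpack(">HH", body[:4])
    if func == 0x06:                      # body: address, value
        count, well_formed = 1, len(body) == 4
    elif func == 0x10:                    # body: start, quantity, byte count, values
        count = second
        well_formed = len(body) == 5 + 2 * count and body[4] == 2 * count
    else:                                 # reads: start, quantity
        count, well_formed = second, len(body) == 4
    if not well_formed or count < 1:
        return False, "malformed request"
    end = start + count - 1
    if any(lo <= start and end <= hi for lo, hi in policy[func]):
        return True, "ok"
    return False, "registers %d-%d outside allowed ranges" % (start, end)

if __name__ == "__main__":
    # Constructed sample frames, not captured traffic.
    samples = [
        build_request(0x03, struct.pack(">HH", 0, 10)),
        build_request(0x03, struct.pack(">HH", 95, 10)),
        build_request(0x06, struct.pack(">HH", 500, 1)),
        build_request(0x08, b"\x00\x00\x00\x00"),
    ]
    for frame in samples:
        print(frame.hex(), check_request(frame))
```

The check is default-deny: a function code missing from the table is dropped, and a request is only passed when its whole register span sits inside one permitted range.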

  3. Pascal Monett Silver badge

    "up to field devices and smart meters"

    Smart meters, hmm. Where have I heard about those things already ?

    Ah, right : the UK energy meters that have been rolled out almost by force in the UK.

    Well, looking forward to hearing about how some blackhats turned SAP around on that. Should be an interesting read.

    If it ever happens, that is.
