Beyond the Gas Station: Cybersecurity and Industrial Infrastructure

Industrial control systems (ICS) demand specific approaches to cybersecurity due to their complex structure, connected devices with different capabilities, software and operating systems and critical functions. And this isn’t just a theory. 

Something as common as a gas station has all the attributes of an ICS: Connected equipment including pumps and tanks, controllers, a management system and a payment system, not to mention connection to the corporate network, third-party service systems and the internet. Just like any industrial facility, the example gas station has cybersecurity issues that companies also should consider to avoid disruptions that may affect the business, its employees and the general public. This example was illustrated in real life recently when gas stations in Iran were shut down because of a targeted attack. 

This exploration of an ICS infrastructure is based on telemetry research carried out at the end of 2020. It included the analysis of a modern gas station’s automation software architecture, a typical infrastructure and the communications inside it that allowed researchers to classify potential attack vectors and their impact on the fuel station’s network. 

At the Gas Station

Imagine you’re driving your car and you need to fill it with fuel. You stop at a gas station, put the dispenser in the tank, go to the convenience store to pay for the fuel and then return to your vehicle. 

To deliver the fuel to your tank, several systems have to work: The back-office system and point of sale system are used for payments and management functions. They are connected to the forecourt controller (FCC). The forecourt is the area with pumps outside the convenience store where customers park their cars to fill up. It is equipped with many systems, including pump control, an automatic tank gauge (ATG), payment systems, etc. The FCC is the main device that controls fuel distribution, so when you pay through a cashier, the FCC commands the pump to supply gas to your car so you can continue your journey. 

Information about operations and the amount of fuel sold and available is transmitted to the management system locally and then to a central office that accumulates information from all stations. 

Where are the Problems? 

Through our research, we managed to identify several places where things could go wrong in this process. There are several potential operational technology (OT) and IT security issues that can affect the work of a gas station. 

The first group of risks involves potential remote access from external networks. Just like many industrial systems today, the gas station employs solutions that are connected to public services through the internet. These include cloud banking systems or specialized fleet management systems. Remote access to the fuel station could allow further malicious actions to occur inside the network. 

This is exactly what happened in a real case described in one of Kaspersky’s studies. At the gas station, fuel management software was used to track the amount stored, set the price and process payments. The system was connected to the internet and had vulnerabilities that allowed remote administrator access—even allowing actors the ability to change the fuel price. 

There are also suppliers and service companies that have access to some parts of the fuel infrastructure. Compromising these third parties may open doors to the target system for attackers. In fact, this type of threat is of great concern for companies of any size profile: Almost one-third (32%) of large organizations suffered attacks involving data shared with suppliers. What’s more, the financial impact of such incidents on enterprises is the highest across all types of attacks in 2021. 

Another set of risks involves network and device issues that may potentially lead to the disruption of fuel station services or direct financial impact. Attacks can come from remote networks or by attackers connecting to wireless networks or even wired network ports available on-site. 

If the network is not segmented, the attack can spread from these entry points—such as secondary equipment in a shop and/or office workstations—to critical components such as fuel management controls. The use of unencrypted protocols (HTTP, CDP, FTP, Telnet, etc.) in the gas station network may allow adversaries to disclose sensitive information for further attack development. 

Another critical but evergreen problem is vulnerabilities or security flaws in the fuel controller, POS terminals and network equipment, as well as vulnerabilities in corporate endpoints and applications. In 2015, 5,800 automatic tank gauges (ATGs) were found to be exposed to unauthorized access from the internet because of a lack of password protection on a serial port. An ATG is an electronic component placed in the tank that monitors the level of fuel and checks if the tank is leaking fluid. The ATG can be programmed through this serial port. If the signal it transfers is not correct, the operator won’t get an alert about any deviation. Figures from 2015 suggested that, at the time, most systems of this kind were in gas stations in the U.S. and represented 3% of those used in the country. By compromising such critical systems as automatic tank gauges, criminals can unlock options for fraud or even physical damage. 

It is also important to verify all workstations used on the forecourt such as point of sale, back-office systems, fuel controllers or payment terminals, as well as their configuration and even access to USB ports. For example, a lack of encryption or lack of compliance with the PCI DSS standard in a payment system can contribute to the risk of an attack. For a fuel controller, it is also important to check industrial protocols. Lack of source authentication or integrity control may give adversaries the opportunity to intercept data via a man-in-the-middle attack and manipulate station controllers. 

Another vulnerable point to manage is wireless gateways and reader units. A security assessment should be performed to identify insecure industrial protocols and to measure the possibility of jamming and spoofing attacks. 

How ICS can be Improved

There are major security measures that should help increase the overall security level of operational technology infrastructure. These are applicable to fuel stations, yes, but they are no less relevant to any industrial network. 

Network security: Purpose-based network segmentation enhances overall security and minimizes the attack surface. The segment of the network that has access to untrusted parts of it, such as corporate IT, should also be separated and protected with appropriate enterprise-grade protection software. 

Passive OT network monitoring is essential for asset and communication inventory and detection of intrusions before they affect the technological process. Monitoring data also helps IT security teams to analyze events and consider hardening measures where appropriate. 

Access control: This should include restricting physical and logical access to the automation and control system. Security measures for remote access control for service companies will help to avoid third-party incidents. 

Endpoint protection: It is important to implement specialized industrial-grade security software for OT hosts and servers. Ensure that the software is approved by the automation vendor and compatible with its solutions. This should help to avoid a situation where the protection product affects operation functions. 

Security management: A system for centralized security event collection and protection software policy management should be implemented. It is also important that the solution allows vulnerability and patch management. If the system can be integrated with security information and event management (SIEM) solutions, that is a nice-to-have option for organizations that plan to upgrade their protection level. Real-time continuous monitoring and endpoint data collection with rules-based response and analysis capabilities will help to further improve protection from advanced attacks. 
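The segmentation and passive monitoring measures above can be illustrated with a small flow review: it builds a per-segment asset inventory from observed traffic and flags cleartext services and traffic entering the forecourt segment from anywhere other than an approved segment. This is an added example, not code from the article or the research it describes; the addresses, segment plan, ports and allow-list are constructed assumptions.

```python
import ipaddress

# Constructed segment plan for a hypothetical station (assumption, not from the article).
SEGMENTS = {
    "forecourt": ipaddress.ip_network("10.10.1.0/24"),  # FCC, pumps, ATG
    "pos": ipaddress.ip_network("10.10.2.0/24"),        # point of sale, back office
    "shop": ipaddress.ip_network("10.10.3.0/24"),       # secondary shop/office equipment
}
# Cleartext services named in the article that can be recognised by TCP port.
# CDP is a layer-2 protocol and needs frame-level capture, so it is not covered here.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}
# Assumed policy: only the POS segment may initiate traffic to the forecourt segment.
ALLOWED_INTO_FORECOURT = {"pos", "forecourt"}

def segment_of(ip):
    """Map an address to its segment name, or 'external' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def review_flows(flows):
    """Return (inventory, findings) from passively observed (src, dst, dport) flows."""
    inventory, findings = {}, []
    for src, dst, dport in flows:
        s_seg, d_seg = segment_of(src), segment_of(dst)
        for ip, seg in ((src, s_seg), (dst, d_seg)):
            if seg != "external":
                inventory.setdefault(seg, set()).add(ip)  # asset inventory
        if dport in CLEARTEXT_PORTS and d_seg != "external":
            findings.append(("cleartext", CLEARTEXT_PORTS[dport], src, dst))
        if d_seg == "forecourt" and s_seg not in ALLOWED_INTO_FORECOURT:
            findings.append(("segment-violation", s_seg, src, dst))
    return inventory, findings

# Constructed sample flows, as a passive sensor on a mirror port might record them.
SAMPLE_FLOWS = [
    ("10.10.2.10", "10.10.1.5", 5000),   # POS -> FCC, allowed (constructed port)
    ("10.10.3.44", "10.10.1.5", 23),     # shop PC -> FCC over Telnet
    ("10.10.2.10", "10.10.2.20", 80),    # POS -> back office over HTTP
    ("203.0.113.7", "10.10.1.9", 9000),  # internet host -> forecourt device
]

if __name__ == "__main__":
    inv, found = review_flows(SAMPLE_FLOWS)
    for seg, hosts in sorted(inv.items()):
        print(seg, sorted(hosts))
    for finding in found:
        print(finding)
```

The review only reads recorded flows, so it fits the passive approach: nothing is sent to the controllers being inventoried.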

A more fundamental approach that involves long-term measures is also important to improve overall cybersecurity posture. This means adhering to industry standards for information security controls such as IEC 62443, NIST, NERC CIP and so on. The organization should also conduct penetration testing or security analysis regularly to identify vulnerabilities and information security problems before they are exploited. And then, of course, follow all recommended measures to fix them properly. 

Going deeper, there are specific requirements for companies with different levels of protection. But the measures listed above are essential to fill most cybersecurity gaps. Be it a fuel station, refinery or a large car manufacturer, the basic principles of OT and IT protection should allow the company to build a reliable cybersecurity system and develop it according to their needs. This will provide a great foundation for satisfied business owners and happy clients. 

Randall Richard

Randall Richard is Kaspersky's head of enterprise sales for the U.S. Randall has an extensive sales background with almost a decade of sales management and leadership experience, including at RSA.