Stopping the Flow of Business: EDI as a Natural Gas Pipeline Attack Vector

In the not too-distant past I was involved in helping secure the information infrastructure of a major EDI “VAN”.

How’s that  for gibberish?   Some definitions are in order:

EDI = “Electronic Data Interchange”.  Effectively, a collection of standards for the encoding of documents such as invoices, purchase orders, bills of lading, medical information, and – it seems – information pertaining to the business of buying, selling and moving natural gas.

EDI dates from the 1970’s. It took advantage of pre-Internet communication mechanisms but quickly was adapted to the Internet and likely will be to blockchain.

EDI “trading partners” can communicate directly, but often they rely on  third-party EDI specialists to handle communication with their various trading partners.  These are the EDI “Value Added Networks” (VAN).

EDI is the unsung hero of modern commerce.

Everything we buy or sell has a secret life as an EDI document. Usually a number of them.

Not surprisingly, natural gas pipeline companies use EDI in the running of their business, communicating information about availability and pricing to their customers and government.  A few months ago,  the business of some natural gas pipeline companies was disrupted by the sudden unavailability of those EDI services.

The attack, in March 2018, was directed against a central provider of EDI services to several major natural gas pipeline operators. Although it did not affect actual in-field operations, it did stop all normal business traffic for several days, causing confusion and a fall-back to alternate communication mechanisms.

Of greater concern was the loss of potentially sensitive information about internal business structure, all of which can be inferred from the ebb and flow of EDI data.  Such information can be invaluable to an attacker and in this case can be an aid in eventually attacking actual pipeline operations.

The point here is that it is easy to view such operations as strictly an ICS security concern, and that with proper segmentation of business from ICS infrastructure all will be well.

I’ve had some experience in that ICS world over the last few years and know that segmentation is often incomplete at best. Even when segmentation is present, your business can still be vulnerable to attacks on exposed business systems that have process flow links to ICS.

What to do?

  • Know how you use EDI and what your supporting infrastructure is.
  • Know who your EDI providers are and what security measures they employ
  • Do a business impact analysis of your EDI environment. What happens if it goes away?
  • Ensure you really do have segmentation of your business and ICS worlds. Make sure the places they touch are known, secured, and monitored.

 


See:

EDI defined: 

https://www.edibasics.com/what-is-edi 

https://en.wikipedia.org/wiki/Electronic_data_interchange

https://www.edibasics.com/edi-resources/document-standards

Natural Gas Industry Usage of EDI:

http://latitudestatus.com/

https://www.naesb.org/pdf4/update031413w4.docx

Quote: “The NAESB wholesale natural gas cybersecurity standards facilitate an infrastructure of secure electronic communications under which the electronic transmission of data via EDI or browser based transactions is protected. There are more than fifty separate transactions identified for nominations, confirmations, scheduling of natural gas; flowing gas transactions including measurement, allocations, and imbalances; invoicing related transactions including invoices, remittances, statement of account; and capacity release transactions.”

https://www.edigas.org/faq/

http://www.rrc.texas.gov/oil-gas/applications-and-permits/oil-gas-edi-filing-deadlines/

The Attack:

https://www.eenews.net/stories/1060078327

http://securityaffairs.co/wordpress/71040/hacking/gas-pipeline-operators-hack.html

https://www.bloomberg.com/news/articles/2018-04-03/day-after-cyber-attack-a-third-gas-pipeline-data-system-shuts

EDI Security:

https://www.acsac.org/secshelf/book001/18.pdf

Quote:  “EDI security appears at several interrelated stages:

  • The user/application interface,
  • EDI applications and value added services,
  • The processing (both batch and interactive) and storage of EDI messages,
  • The communication of these messages in an open systems environment”

 

15AUG…Tomorrow’s Cyber SA Today…People’s Republic of Hacking…

Good morning Folks –

It’s Mid-August 2013 and the our news from cyber-land today the 15th of AUG 2013 is relentless – pay particular attention to the blossoming new of the People’s Republic of China’s Operation Middle Kingdom…

Look also for the Firewalls and Firefight article below – great stuff!

Of mot curious news is the firm Booz Allen Hamilton, who gave us the United States, our latest traitor, was awarded $6 B-EEE-LLION USD for a contract to secure our country – does anyone else think that is simply ridiculous….?

Enoy!

People’s Republic of China ~ 中華人民共和國

People’s Republic of China Asks: Who gave America the right to launch network assaults? – People’s Daily Online
http://english.peopledaily.com.cn/90777/8363341.html
谁给了美国网络攻击权?(望海楼)…Who gave the United States the right to cyber attacks?
http://paper.people.com.cn/rmrbhwb/html/2013-08/12/content_1281844.htm
Chinese Underground Creates Tool Exploiting Apache Struts Vulnerability | Security Intelligence Blog | Trend Micro
http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-underground-creates-tool-exploiting-apache-struts-vulnerability/?
People’s Republic of China Opposes Cyber Attacks
http://www.news.cn/english/special/wlaq/

USAF’s New Idea for Spying on People’s Republic of China: Swarms of Tiny Bug Drones
Prediction: AB Kadena experiences Massive DDos in next 30 days…

http://killerapps.foreignpolicy.com/posts/2013/08/13/the_air_forces_new_idea_to_spy_on_countries_like_china_swarms_of_tiny_bug_drones

Operation Middle Kingdom is alive and motivated…Ignore the doomsayers: Beijing is playing the long game to win | Bangkok Post: business
http://www.bangkokpost.com/business/news/364563/ignore-the-doomsayers-beijing-is-playing-the-long-game-to-win
Australia-China scientific collaboration benefits each other: chief scientist – Xinhua |
People’s Republic of China succeeds in Phase V Operation Middle Kingdom ~ colonizing Australia…

http://news.xinhuanet.com/english/china/2013-08/14/c_132631141.htm
Chinese Dream – Special Report – English.news.cn
http://www.xinhuanet.com/english/special/chinesedream/

Electromagnetic catapult touted for People’s Republic of China’s next aircraft carrier|
http://www.wantchinatimes.com/news-subclass-cnt.aspx?id=20130814000008&cid=1101
Chinese national appointed UN assistant secretary-general|
http://www.wantchinatimes.com/news-subclass-cnt.aspx?cid=1101&MainCatID=11&id=20130814000128

People’s Republic of China ‘hacking websites in hunt for Tibetan dissidents’ – Telegraph
http://www.telegraph.co.uk/news/worldnews/asia/china/10240404/China-hacking-websites-in-hunt-for-Tibetan-dissidents.html
India: Hackers Attack Web Site of Tibetan Government in Exile
http://www.nytimes.com/2013/08/14/world/asia/india-hackers-attack-web-site-of-tibetan-government-in-exile.html?
Chinese Internet Celebrities Agree to Self-Censor
http://www.techinasia.com/chinese-internet-celebrities-agree-selfcensor/?
People’s Republic of China’s Huawei begins colonization of Myanmar…
Myanmar Telecom War: Huawei Main Supplier For Telenor And Other Myanmar Telecom Operators

Norway’s Telenor also doormat for China as Huawei helps colonize Norwegina market for the homeland…
http://www.ibtimes.com/myanmar-telecom-war-huawei-main-supplier-telenor-other-myanmar-telecom-operators-1383503?ft=a73y7

People’s Republic of China to launch fresh pharmaceutical bribery probe: Xinhua
http://www.reuters.com/article/2013/08/14/us-china-bribery-probe-idUSBRE97D0BW20130814
What does the ‘world’s best China strategist’ say about the place now?
http://www.globalpost.com/dispatch/news/regions/asia-pacific/china/130812/jing-ulrich-jp-morgan-china-investment-opportunities
Carmakers Get A Taste Of China’s Changing Business Climate
http://chinabystander.wordpress.com/2013/08/13/carmakers-get-a-taste-of-chinas-changing-business-climate/
Does China’s crackdown on corporate wrongdoing mark the arrival of CSR?
Following a series of accusations against global companies such as Apple and BMW, Simon Zadek argues China’s CSR moment is here

http://www.theguardian.com/sustainable-business/china-corporate-social-responsibility

China’s Review of Multinational Pharma Companies 跨国药企游说政府能力强大:高薪吸高干子弟Powerful multinational pharmaceutical companies in the People’s Republic of China
http://finance.sina.com.cn/chanjing/cyxw/20130812/142616419768.shtml

Islamic Republic of Iran

The cyber capabilities of Iran can hit US
http://securityaffairs.co/wordpress/17064/cyber-warfare-2/the-cyber-capabilities-of-iran-can-hit-us.html?

Global Cyber Activity…yes other countries have cyber capabilities….

August 2013 global threats
http://www.scmagazine.com/august-2013-global-threats/slideshow/1502/#0
Friend or Foe? When IoT Helps You Get Hacked by Your Security
http://blogs.cisco.com/ioe/friend-or-foe-when-iot-helps-you-get-hacked-by-your-security

From Vietnam with tens of millions of harvested emails, spam-ready SMTP servers and DIY spamming tools
http://blog.webroot.com/2013/08/14/from-vietnam-with-tens-of-millions-of-harvested-emails-spam-ready-smtp-servers-and-diy-spamming-tools/

JAPAN: “LNK” Attacks are Back Again | Symantec Connect Community
http://www.symantec.com/connect/blogs/lnk-attacks-are-back-again

Codefellas: North Korea Targets Dubstep With Nasty Computer Virus | Threat Level | Wired.com
http://www.wired.com/threatlevel/2013/08/codefellas-north-koreas-computer-virus/
North Korea ‘behind hacking attack’
http://www.bbc.co.uk/news/world-asia-23324172
South Korea blames North for cyber attack
http://www.presstv.com/detail/2013/07/16/314049/s-korea-blames-north-for-cyber-attack/

The Snowden Revelations and Cybersecurity
http://www.lawfareblog.com/2013/08/the-snowden-revelations-and-cybersecurity/
N.S.A. Leaks Make Plan for Cyberdefense Unlikely
http://www.nytimes.com/2013/08/13/us/nsa-leaks-make-plan-for-cyberdefense-unlikely.html?&pagewanted=all
Don’t Get Hacked — Tools to Fight Cyber Attacks
http://www.entrepreneur.com/article/227815
Firewalls & Firefights….
http://www.economist.com/news/business/21583251-new-breed-internet-security-firms-are-encouraging-companies-fight-back-against-computer
Stop Thinking That Tech Hacks Will Fix Our Surveillance Problems |
http://www.wired.com/opinion/2013/08/yah-surveillance-sucks-but-technology-isnt-the-only-solution/

Booz Allen to Lockheed Win Part of $6 Billion Cyber Award
Yeah – this makes sense … NOT.
http://www.bloomberg.com/news/2013-08-13/booz-allen-to-lockheed-win-part-of-6-billion-cyber-award.html

GCHQ Launches Twin-Track Approach to Cyber Incident Response Scheme
http://www.infosecurity-us.com/view/33979/gchq-launches-twintrack-approach-to-cyber-incident-response-scheme/?

London Police Commissioner’s cyber-crime open letter laughed at by industry
http://www.computerworlduk.com/in-depth/security/3463524/london-police-commissioners-cyber-crime-open-letter-laughed-at-by-industry/

A Framework for Aviation Cybersecurity
http://www.aiaa.org/uploadedFiles/Issues_and_Advocacy/AIAA-Cyber-Framework-Final.pdf

Enjoy!

Semper Fi,

謝謝
紅龍

8/8…八/八 Cyber Situation Awareness…People’s Republic of Hacking…

Good day Folks;

Today is usually considered an auspicious day in the People’s Republic of China…八八…8/8 ~ the number 8 being lucky, auspicious while the eight day of the eighth month doubles your good fortune…unfortunately for a couple of our favorite state owned enterprises (SOE), Huawei and Sinovel are in today’s issue of Chinese Cyber SA as they have been linked to economic cyber espionage … naughty, naughty…

People’s Republic of China’s Sinovel charged with cyber espionage in US…|
http://www.wantchinatimes.com/news-subclass-cnt.aspx?id=20130808000097&cid=1206
Chinese inaction gives technology thieves a shield…FACT: People’s Republic of China supports commercial economic cyber espionage
http://www.seattlepi.com/business/technology/article/Chinese-inaction-gives-technology-thieves-a-shield-4716698.php
Breaking Down the China Chopper Web Shell – Part I – 推酷
http://www.tuicool.com/articles/zURZnm
Report: Joint U.S.-China Aviation Ventures Are More Prone to Cyber Intrusions than U.S. Firms
Hey – infosec boyz @ Boeing in Seattle – you paying attention to this….!?

http://www.nextgov.com/cybersecurity/2013/08/report-joint-us-china-aviation-ventures-are-more-prone-cyber-intrusions-us-firms/68225/?oref=ng-skybox
People’s Republic of China has a massive Windows XP problem
How do you say ‘cyber target rich environment’? Outdated OS in China….

http://www.computerworld.com/s/article/9241429/China_has_a_massive_Windows_XP_problem
NSA spy server in Chongqing could be used to bury Bo Xilai: Duowei
http://www.wantchinatimes.com/news-subclass-cnt.aspx?id=20130808000136&cid=1101

People’s Republic of China’s Huawei: We’re not a security threat, we’re just a pawn | Digital Trends
http://www.digitaltrends.com/mobile/huawei-were-not-a-security-threat-were-just-a-pawn/
People’s Republic of China’s Huawei Seeks Foothold in Enterprise Market
http://blogs.wsj.com/digits/2013/08/08/huawei-seeks-foothold-in-enterprise-market/
People’s Republic of China’s Huawei unveils SDN programmable switch, taking aim at Cisco | PCWorld
http://www.pcworld.com/article/2046185/chinas-huawei-unveils-sdn-programmable-switch-taking-aim-at-cisco.html#tk.rss_all
Taiwan’s animators ridicule People’s Republic of China over cozy SOE relationships…ZTE & Huawei
http://appleinsider.com/articles/13/08/08/taiwans-animators-ridicule-china-over-pr-smear-campaign-against-apple-inc

Rumor: Apple planning development center in Taiwan for future iPhones…Bye-Bye People’s Republic of China…
http://appleinsider.com/articles/13/08/08/rumor-apple-planning-development-center-in-taiwan-for-future-iphones

Time to break the hegemony of western discourse – People’s Daily Online
From News of the Communist Party of China…
http://english.cpc.people.com.cn/206972/206977/8353120.html
Reflections on “The China Threat”
http://www.strategicstudiesinstitute.army.mil/index.cfm/articles/Reflections-on-The-China-Threat/2013/08/01
Where There is Smoke, There is Fire: South Asian Cyber Espionage Heats Up
http://www.threatconnect.com/news/where-there-is-smoke-there-is-fire-south-asian-cyber-espionage-heats-up/

DNS Servers of 3 Dutch Hosting Firms Hijacked, Thousands of Sites Serve Malware
http://news.softpedia.com/news/DNS-Servers-of-3-Dutch-Hosting-Firms-Hijacked-Thousands-of-Sites-Serve-Malware-373308.shtml

Special Ops Mined Social Media for Data to Advance Mission
http://www.nextgov.com/defense/whats-brewin/2013/08/special-ops-mined-social-media-data-advance-mission/68216/

U.S. Cybersecurity Policy: Problems and Principles
http://heartland.org/sites/default/files/08-01-13_titch_policy_brief_cybersecurity.pdf

Enjoy!

Semper Fi,

謝謝

紅龍