Practical ICS Diagrams from Cyberattacks: Securing Oil, Gas, and Petrochemical OT Systems

Introduction

The oil, gas, and petrochemical industries have unique systems, from Safety Instrumented Systems (SIS) to centralized control platforms. Learning from past cyberattacks in your field is essential because tactics are often repeated. By studying these incidents, you can build stronger defenses and faster responses.

If you missed our earlier articles on attacks in other industries (Energy, Water), check those out for more insights!

Today, we’re diving into real-life cyberattacks that targeted oil, gas, and petrochemical systems. We'll break down what happened, where defenses failed, and what you can do to strengthen your security. And of course, we’ll discuss how OT SIEM can help you stay ahead of these threats.




🟪 2017 Triton / Trisis Attack

Safety Instrumented Systems as the target

The Triton attack demonstrated the dangers of compromising safety systems in critical infrastructure. It targeted the Safety Instrumented Systems (SIS) of a petrochemical plant, aiming to disable safeguards designed to protect both personnel and equipment.

  • Vector: compromised engineering workstation
  • Target: Schneider Electric Triconex Safety Controllers
  • Impact: attempted sabotage of the safety system; the controllers failed safe and tripped the process
  • Lesson: safety systems are not inherently immune to cyberattacks, and their compromise can have catastrophic consequences

The Triton attack showcased the need for defense-in-depth strategies to protect safety systems, strict access controls and specialized monitoring solutions in OT environments.


[>] Chain of Attack

[1] Reconnaissance

  • attackers researched facility with Triconex controllers
  • focus on engineering workstations connected to the SIS network

[2] Weaponization

  • "Triton / Trisis" was developed to manipulate Triconex SIS controllers
  • the malware was crafted to reprogram the SIS logic
  • potentially causing a loss of safety functions

[3] Delivery

  • the initial vector was likely through phishing
  • or exploiting vulnerabilities in the corporate IT network
  • attackers pivoted to OT network
  • delivered malware to an engineering workstation

[4] Exploitation

  • the malware spoke the TriStation engineering protocol to the Triconex controllers, which accepted the logic download because their physical key switch had been left in PROGRAM mode
  • attackers leveraged valid credentials and the engineering tools already present on the workstation

[5] Installation

  • Triton malware was installed on engineering workstation
  • attackers used workstation to load payloads into SIS controllers

[6] Command & Control

  • real-time control was achieved via the compromised engineering workstation
  • attackers used the workstation to interact directly with SIS controllers
  • without needing external C2 infrastructure

[7] Actions

  • malware attempted to reprogram the safety logic of the SIS
  • an execution error tripped the controllers into their fail-safe state
  • the process shut down and operators were alerted, which is how the intrusion was discovered


[>] How OT SIEM Can Detect Such an Attack

The Triton attack highlights the importance of monitoring safety systems alongside process control systems. OT SIEM can provide:

  1. Behavioral Analysis: Detect unusual engineering workstation activity, such as unexpected logic changes or unauthorized access.
  2. Anomaly Detection: Flag abnormal communication patterns between engineering workstations and SIS controllers.
  3. Log Correlation: Combine SIS logs, engineering workstation logs, and network traffic to identify malicious activity.
  4. Threat Intelligence Integration: Recognize indicators of compromise associated with Triton malware.
  5. Real-Time Alerts: Provide operators with early warnings of potential sabotage.


By integrating OT SIEM with SIS monitoring, organizations can reduce the risk of future attacks on critical safety systems.
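
The five capabilities above are easier to reason about as concrete rules. What follows is an added example, not code from the original article or from any OT SIEM product: three correlation rules run over constructed flow and logon records. The controller and workstation addresses, the IT/DMZ range, the maintenance window and the `op` field (a TriStation function decoded by a protocol-aware sensor) are assumptions; the TriStation port (UDP/1502) is the protocol's documented port.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed environment for the example: addresses, hosts and the
# maintenance window are hypothetical, not from any real plant.
SIS_CONTROLLERS = {"10.20.30.11", "10.20.30.12"}   # Triconex SIS controllers
APPROVED_EWS = {"10.20.30.50"}                       # only host allowed to speak TriStation
TRISTATION_PORT = 1502                               # TriStation engineering protocol, UDP/1502
IT_DMZ = ip_network("10.10.0.0/16")                  # corporate IT / DMZ address space
MAINTENANCE_WINDOWS = [(datetime(2017, 6, 4, 8, 0), datetime(2017, 6, 4, 12, 0))]


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int
    op: str = ""        # TriStation function decoded by a sensor (hypothetical field)


@dataclass
class Logon:
    ts: datetime
    host: str           # host the session landed on
    user: str
    src: str            # where the session came from
    logon_type: int     # Windows 4624 logon type; 10 = RemoteInteractive (RDP)


def in_maintenance_window(ts: datetime) -> bool:
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)


def detect_sis_abuse(flows, logons, lookback=timedelta(hours=2)):
    """Three rules over network flows and EWS logons:
    1. any TriStation traffic to an SIS controller from a host that is not an approved EWS;
    2. a program download from an approved EWS outside a maintenance window;
    3. an RDP session into the EWS from IT/DMZ space followed by a program download."""
    alerts = []
    rdp_from_it = [l for l in logons if l.logon_type == 10 and ip_address(l.src) in IT_DMZ]
    for f in flows:
        if f.dst not in SIS_CONTROLLERS or f.proto != "udp" or f.dport != TRISTATION_PORT:
            continue
        if f.src not in APPROVED_EWS:
            alerts.append(("TRISTATION_FROM_UNAPPROVED_HOST", f.ts, f.src))
            continue
        if f.op == "PROGRAM_DOWNLOAD" and not in_maintenance_window(f.ts):
            alerts.append(("SIS_LOGIC_CHANGE_OUTSIDE_WINDOW", f.ts, f.src))
        for l in rdp_from_it:
            if l.host == f.src and f.op == "PROGRAM_DOWNLOAD" and f.ts - lookback <= l.ts <= f.ts:
                alerts.append(("IT_RDP_THEN_SIS_WRITE", f.ts, f"{l.src} -> {l.host} -> {f.dst}"))
    return alerts


# Constructed sample records.
SAMPLE_LOGONS = [
    # RDP into the EWS from the IT/DMZ range in the middle of the night
    Logon(datetime(2017, 6, 4, 1, 10), host="10.20.30.50", user="eng01", src="10.10.5.23", logon_type=10),
]
SAMPLE_FLOWS = [
    # legitimate: approved EWS downloads logic inside the maintenance window
    Flow(datetime(2017, 6, 4, 9, 0), "10.20.30.50", "10.20.30.11", "udp", 1502, "PROGRAM_DOWNLOAD"),
    # suspicious: same EWS downloads logic at 01:30, twenty minutes after the RDP session
    Flow(datetime(2017, 6, 4, 1, 30), "10.20.30.50", "10.20.30.11", "udp", 1502, "PROGRAM_DOWNLOAD"),
    # suspicious: a host that should never talk TriStation polls a controller
    Flow(datetime(2017, 6, 4, 1, 35), "10.20.30.77", "10.20.30.12", "udp", 1502, "READ_STATUS"),
]

if __name__ == "__main__":
    for alert in detect_sis_abuse(SAMPLE_FLOWS, SAMPLE_LOGONS):
        print(alert)
```

The third rule is the one that matters most for a Triton-style intrusion: a logic download by itself is routine engineering work, and an RDP session into the EWS is routine too, but the two within a couple of hours, outside a change window, is exactly the sequence a SIS engineer would want to be paged for.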



🟪 2021 Colonial Pipeline Ransomware Attack

be careful with IT

The Colonial Pipeline ransomware attack was one of the most impactful cyber incidents targeting critical infrastructure in recent years. The attack disrupted fuel supply along the U.S. East Coast, highlighting vulnerabilities in the oil and gas sector.

  • Vector: compromised VPN credentials
  • Target: IT systems of Colonial Pipeline Company
  • Impact: shutdown of pipeline operations for several days, leading to fuel shortages
  • Lesson: OT systems can suffer collateral damage from IT-targeted attacks, and response plans must include operational contingencies

This attack underscored the interconnectedness of IT and OT systems and the importance of securing both domains.


[>] Chain of Attack

[1] Reconnaissance

  • attackers likely identified the pipeline company's use of a VPN for remote access
  • the VPN account had no MFA, so a single password was the only barrier

[2] Weaponization

  • DarkSide ransomware was customized to encrypt Colonial Pipeline’s IT systems
  • ransomware included features to exfiltrate sensitive data for extortion purposes

[3] Delivery

  • attackers used compromised VPN credentials of a legacy account to gain access to the network
  • the password was later found in a batch of leaked credentials on the dark web; how it was originally obtained is not publicly known

[4] Exploitation

  • after gaining access, attackers moved laterally through the network
  • weak network segmentation allowed them to spread ransomware across IT systems

[5] Installation

  • ransomware was deployed on IT systems, encrypting critical business files
  • OT systems were not directly targeted but were shut down as a precaution

[6] Command & Control

  • ransomware communicated with DarkSide's servers
  • ransom demand of 75 Bitcoin (approximately $4.4 million) was issued

[7] Actions

  • Colonial Pipeline halted operations to prevent the ransomware from spreading to OT systems
  • shutdown caused widespread fuel shortages
  • with panic buying and price spikes across the U.S. East Coast


[>] How OT SIEM Can Detect Such an Attack

While the Colonial attack primarily targeted IT, it disrupted OT operations, showcasing the need for integrated monitoring and response capabilities across both environments. OT SIEM can help by:

  1. Monitoring Remote Access: Detect unauthorized VPN connections and enforce MFA policies.
  2. Correlating IT-OT Activity: Identify unusual patterns, such as lateral movement from IT to ICS networks.
  3. Anomaly Detection: Alert on unexpected file encryption or large data transfers.
  4. Network Segmentation Audits: Ensure clear boundaries between IT & ICS networks.
  5. Incident Response Integration: Provide insights to rapidly isolate and contain threats before they impact OT operations.


By leveraging OT SIEM and implementing strong IT-OT security measures, organizations can better defend against ransomware and its ripple effects on critical infrastructure.
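
The monitoring points above (remote access without MFA, IT-to-OT lateral movement, bulk data transfers) map onto three small rules. This is an added example and not code from the original article or from any SIEM product; the address ranges, jump host, user names, thresholds and sample records are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed environment: ranges, hosts, users and thresholds are hypothetical.
IT_NET = ip_network("10.1.0.0/16")
OT_NET = ip_network("10.200.0.0/16")
JUMP_HOST = "10.1.250.5"                       # the only sanctioned path from IT into OT
LATERAL_PORTS = {135, 445, 3389, 5985, 5986}   # RPC, SMB, RDP, WinRM
DORMANT_AFTER = timedelta(days=90)             # an account idle this long should not quietly return
EXFIL_BYTES = 50 * 1024 ** 3                   # outbound bytes per host that warrant a look


def check_vpn_logins(logins, last_seen):
    """logins: dicts with ts, user, mfa, src.  last_seen: user -> previous successful login."""
    alerts = []
    for l in logins:
        if not l["mfa"]:
            alerts.append(("VPN_LOGIN_WITHOUT_MFA", l["user"], l["ts"]))
        prev = last_seen.get(l["user"])
        if prev is None or l["ts"] - prev > DORMANT_AFTER:
            alerts.append(("DORMANT_ACCOUNT_VPN_LOGIN", l["user"], l["ts"]))
    return alerts


def check_it_to_ot(flows):
    """Any IT host other than the jump host opening a lateral-movement port into OT."""
    alerts = []
    for f in flows:
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        if src in IT_NET and dst in OT_NET and f["dport"] in LATERAL_PORTS and f["src"] != JUMP_HOST:
            alerts.append(("IT_TO_OT_LATERAL", f["src"], f["dst"], f["dport"]))
    return alerts


def check_exfil(flows):
    """Sum the bytes each IT host sends to addresses outside both IT and OT space."""
    outbound = defaultdict(int)
    for f in flows:
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        if src in IT_NET and dst not in IT_NET and dst not in OT_NET:
            outbound[f["src"]] += f["bytes"]
    return [("BULK_OUTBOUND_TRANSFER", h, b) for h, b in outbound.items() if b >= EXFIL_BYTES]


# Constructed sample data.
LAST_SEEN = {"svc_legacy": datetime(2020, 11, 1, 9, 0), "jdoe": datetime(2021, 4, 28, 17, 30)}
VPN_LOGINS = [
    {"ts": datetime(2021, 4, 29, 3, 12), "user": "svc_legacy", "mfa": False, "src": "203.0.113.7"},
    {"ts": datetime(2021, 4, 29, 8, 5), "user": "jdoe", "mfa": True, "src": "198.51.100.4"},
]
FLOWS = [
    {"src": "10.1.44.12", "dst": "10.200.7.3", "dport": 445, "bytes": 2_000_000},          # IT host straight into OT
    {"src": "10.1.250.5", "dst": "10.200.7.3", "dport": 3389, "bytes": 5_000_000},         # jump host: sanctioned
    {"src": "10.1.44.12", "dst": "203.0.113.50", "dport": 443, "bytes": 60 * 1024 ** 3},   # bulk upload to the internet
    {"src": "10.1.9.9", "dst": "10.1.9.10", "dport": 445, "bytes": 1_000},                 # ordinary IT-internal SMB
]

if __name__ == "__main__":
    for a in check_vpn_logins(VPN_LOGINS, LAST_SEEN) + check_it_to_ot(FLOWS) + check_exfil(FLOWS):
        print(a)
```

The dormant-account rule is the cheap one that pays off: a VPN profile nobody has used for months logging in at 03:12 without MFA deserves an alert on its own, before any encryption starts. The IT-to-OT rule is only as good as the segmentation it assumes, so it doubles as a continuous audit of that boundary.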



🟪 2012 / 2016 / 2018 Shamoon Attacks on Saudi Aramco and Its Contractors

Shamoon 1, 2, 3

Shamoon first hit Saudi Aramco in August 2012, wiping tens of thousands of workstations. Shamoon 2 (late 2016 to early 2017) returned against Saudi organizations, and Shamoon 3 (December 2018) struck the oil-services contractor Saipem, an Aramco supplier. Each wave focused on disrupting operations and destroying data, reusing and refining the tooling of the previous one.

  • Vector: phishing emails and supply chain compromise
  • Target: Saudi Aramco's IT infrastructure and, in the later waves, its contractors
  • Impact: widespread data destruction on IT systems, operational disruption, potential spillover to OT environments
  • Lesson: even indirect attacks on IT systems can have cascading effects on critical OT operations in the oil and gas industry

This attack emphasized the necessity of integrating IT and OT monitoring while maintaining segmentation to prevent cross-domain contamination.


[>] Chain of Attack

[1] Reconnaissance

  • attackers likely gathered intelligence about Saudi Aramco’s IT systems, vendors, and employee behaviors
  • focus on vulnerabilities in third-party vendors and endpoints with OT connectivity

[2] Weaponization

  • Shamoon was built as a wiper: a dropper, a spreader that copied it to other hosts over network shares, and a destructive module
  • the destructive module used a signed raw-disk driver to overwrite files and the master boot record, leaving systems unable to boot

[3] Delivery

  • phishing emails were used to target employees, leading to credential theft and initial foothold
  • compromise of third-party suppliers provided additional vectors for infiltration

[4] Exploitation

  • attackers used stolen credentials to gain access to internal IT systems
  • poor segmentation allowed lateral movement within the network

[5] Installation

  • Shamoon malware was deployed across multiple IT endpoints
  • no direct evidence of OT system infection, but IT disruption caused operational delays

[6] Command & Control

  • real-time coordination wasn’t necessary due to the destructive nature of Shamoon
  • malware was pre-programmed to execute its payload on a specific date and time

[7] Actions

  • data on IT systems was overwritten, paralyzing business operations
  • while OT systems were not directly affected, IT disruptions hindered overall operations and logistics


[>] How OT SIEM Can Detect Such an Attack

While the primary impact was on IT systems, the potential spillover into OT highlights the importance of integrated monitoring. OT SIEM can help by:

  1. Supply Chain Monitoring: Detect anomalies in vendor systems connected to the network.
  2. Endpoint Protection Correlation: Identify early signs of wiper malware activity.
  3. Network Traffic Analysis: Detect lateral movement and unauthorized access within IT and OT environments.
  4. Segmentation Audits: Ensure strict separation between IT and OT networks.
  5. Event Correlation: Integrate logs from both IT and OT to detect cross-domain threats.


By enhancing visibility and applying defense-in-depth strategies, the oil and gas industry can mitigate the risks of future destructive cyberattacks.
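
"Early signs of wiper malware activity" in point 2 above is the detection that decides whether you lose a few hosts or the whole estate, because a Shamoon-style wiper is staged across machines hours before its trigger time. This is an added example, not code from the original article or from any product: three host-telemetry rules over constructed events. The raw-disk driver file name is the one publicly documented for Shamoon; the service name, host names, timings and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Shamoon obtained raw disk access through the signed EldoS RawDisk driver; the
# file name below is the publicly documented one. Everything else in this
# example (service name, hosts, timings, thresholds) is constructed.
KNOWN_RAW_DISK_DRIVERS = {"drdisk.sys"}


def detect_raw_disk_driver(events):
    """A signed but abusable raw-disk driver loading on a workstation is a hard indicator."""
    return [("RAW_DISK_DRIVER_LOADED", e["host"], e["name"]) for e in events
            if e["event"] == "driver_loaded" and e["name"].lower() in KNOWN_RAW_DISK_DRIVERS]


def detect_service_fanout(events, min_hosts=3, window=timedelta(minutes=30)):
    """The same newly installed service appearing on many hosts within a short window
    is what a wiper staged over admin shares looks like before its trigger time."""
    by_name = defaultdict(list)
    for e in events:
        if e["event"] == "service_installed":
            by_name[e["name"]].append((e["ts"], e["host"]))
    alerts = []
    for name, installs in by_name.items():
        installs.sort()
        for t0, _ in installs:
            hosts = {h for t, h in installs if t0 <= t <= t0 + window}
            if len(hosts) >= min_hosts:
                alerts.append(("MASS_SERVICE_INSTALL", name, sorted(hosts)))
                break
    return alerts


def detect_write_burst(events, threshold=500, window=timedelta(minutes=5)):
    """Sliding-window count of file modifications per host; a wiper overwriting user
    files produces a burst no ordinary workstation workload approaches."""
    per_host = defaultdict(list)
    for e in events:
        if e["event"] == "file_modified":
            per_host[e["host"]].append(e["ts"])
    alerts = []
    for host, times in per_host.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while times[j] < t - window:
                j += 1
            if i - j + 1 >= threshold:
                alerts.append(("FILE_OVERWRITE_BURST", host, i - j + 1))
                break
    return alerts


def sample_events():
    """Constructed telemetry: staging on three hosts, then the wiper firing on one."""
    base = datetime(2012, 8, 15, 10, 30)
    ev = []
    for k, host in enumerate(["ws-02", "ws-17", "ws-31"]):          # same service lands on three hosts
        ev.append({"ts": base + timedelta(minutes=5 * k), "host": host,
                   "event": "service_installed", "name": "TrkSvr"})
    ev.append({"ts": base + timedelta(minutes=20), "host": "ws-17",
               "event": "driver_loaded", "name": "drdisk.sys"})
    for k in range(40):                                             # a normal host editing a few files
        ev.append({"ts": base + timedelta(seconds=30 * k), "host": "ws-02",
                   "event": "file_modified", "path": f"C:\\Users\\a\\doc{k}.docx"})
    for k in range(600):                                            # the wiper: 600 overwrites in a minute
        ev.append({"ts": base + timedelta(minutes=38, milliseconds=100 * k), "host": "ws-17",
                   "event": "file_modified", "path": f"C:\\Users\\b\\f{k}.dat"})
    return ev


if __name__ == "__main__":
    ev = sample_events()
    for a in detect_raw_disk_driver(ev) + detect_service_fanout(ev) + detect_write_burst(ev):
        print(a)
```

The ordering is deliberate: the fan-out rule fires on the staging phase, which is the only window in which containment still prevents data loss; the driver and write-burst rules confirm execution and bound the blast radius once it has started.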



🟪 2021 Cyberattack on the Iran Fuel Distribution System

paralyzed centralization

In October 2021, a cyberattack targeted Iran's national fuel distribution network, crippling gas stations across the country. The attack disrupted fuel pumps, rendered payment and subsidy-card systems inoperable, and caused widespread panic as drivers were unable to purchase fuel. This attack directly impacted OT systems controlling critical infrastructure.

  • Vector: Exploitation of software vulnerabilities in the fuel distribution system
  • Target: National automated fuel management system
  • Impact: Gas stations nationwide were disabled for days, causing significant disruption to fuel supply and public services
  • Lesson: Centralized OT systems are high-value targets, and their compromise can result in widespread operational paralysis

This attack highlighted the risks of centralization and the need for robust security and redundancy in critical OT infrastructure.


[>] Chain of Attack

[1] Reconnaissance

  • Attackers likely studied the architecture of the automated fuel management system.
  • Focus was on vulnerabilities in centralized systems and their connectivity to fuel dispensers.

[2] Weaponization

  • Malware was designed to disrupt communication between fuel pumps and the central management system.
  • The payload also targeted authentication systems, blocking fuel subsidies for citizens.

[3] Delivery

  • Attackers exploited vulnerabilities in the network or administrative systems connected to OT.
  • Possible use of phishing, supply chain compromise, or direct exploitation of exposed systems.

[4] Exploitation

  • Malicious code was executed within the fuel management software, disabling pump control systems.
  • Attackers also manipulated digital payment and subsidy authorization mechanisms.

[5] Installation

  • Malware was installed on critical servers that managed fuel distribution operations.
  • The attackers ensured the malware propagated to connected fuel dispensers across the country.

[6] Command & Control

  • Real-time control wasn’t required as the attack was designed to cause immediate disruption.
  • The malware acted autonomously after deployment.

[7] Actions

  • Fuel pumps displayed error messages, and digital payment systems failed.
  • Widespread chaos ensued, with long queues and operational downtime lasting several days.


[>] How OT SIEM Can Detect Such an Attack

The Iran fuel distribution attack underscores the critical need for enhanced monitoring and proactive defense strategies for OT systems. OT SIEM can help by:

  1. Centralized Log Monitoring: Detect unusual activity in fuel management servers and endpoints.
  2. Threat Intelligence Integration: Correlate attack patterns with known indicators of compromise (IOCs).
  3. Anomaly Detection: Identify deviations in pump control commands and payment authorization traffic.
  4. Network Segmentation: Enforce separation between central management systems and field devices.
  5. Redundancy Checks: Monitor failover mechanisms and alternative systems for abnormalities.


By deploying OT SIEM with comprehensive monitoring and anomaly detection, organizations can mitigate risks to critical fuel and energy infrastructure.
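
Points 3 and 5 above come down to one question: does the SIEM notice when a whole fleet fails at once, rather than one station at a time, and does it see the fleet-wide command that preceded it? This is an added example, not code from the original article or from any product; the station identifiers, command types, thresholds and sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed fleet of 50 stations with hypothetical identifiers.
STATIONS = [f"ST-{i:03d}" for i in range(50)]

# Hypothetical: routine command types that may legitimately go to the whole fleet.
BROADCAST_ALLOWED = {"PRICE_UPDATE"}


def detect_fleet_outage(status_events, total_stations, window=timedelta(minutes=10), fraction=0.2):
    """status_events: (ts, station_id, state) with state in {"ok", "error"}.
    Single-station faults are background noise. Alert when the share of distinct
    stations entering 'error' inside `window` reaches `fraction` of the fleet, which
    is the signature of a compromised or failed central system rather than a bad pump."""
    errors = sorted((ts, sid) for ts, sid, state in status_events if state == "error")
    j = 0
    for i, (t, _) in enumerate(errors):
        while errors[j][0] < t - window:
            j += 1
        affected = {sid for _, sid in errors[j:i + 1]}
        if len(affected) / total_stations >= fraction:
            return {"window_start": errors[j][0], "window_end": t, "stations": len(affected)}
    return None


def audit_central_commands(commands, total_stations, max_fraction=0.5):
    """commands: dicts with ts, type, targets (station ids), change_ticket.
    Flag any command reaching more than `max_fraction` of the fleet unless it is a
    routine broadcast type or is tied to an approved change ticket."""
    alerts = []
    for c in commands:
        share = len(set(c["targets"])) / total_stations
        if share > max_fraction and c["type"] not in BROADCAST_ALLOWED and not c.get("change_ticket"):
            alerts.append(("UNAPPROVED_FLEET_WIDE_COMMAND", c["type"], round(share, 2)))
    return alerts


def sample_status_events():
    """Constructed station telemetry: two unrelated faults, then 20 stations failing together."""
    t0 = datetime(2021, 10, 26, 10, 0)
    events = [(t0 - timedelta(hours=3), "ST-007", "error"),
              (t0 - timedelta(hours=1), "ST-031", "error")]
    events += [(t0 - timedelta(minutes=15), s, "ok") for s in STATIONS]
    events += [(t0 + timedelta(seconds=9 * k), s, "error") for k, s in enumerate(STATIONS[:20])]
    return events


SAMPLE_COMMANDS = [
    # unticketed configuration push to every station two minutes before the outage
    {"ts": datetime(2021, 10, 26, 9, 58), "type": "CONFIG_PUSH", "targets": STATIONS, "change_ticket": None},
    # routine nightly price broadcast
    {"ts": datetime(2021, 10, 25, 6, 0), "type": "PRICE_UPDATE", "targets": STATIONS, "change_ticket": None},
    # staged firmware rollout to a fifth of the fleet under an approved change
    {"ts": datetime(2021, 10, 20, 2, 0), "type": "FIRMWARE_UPDATE", "targets": STATIONS[:10], "change_ticket": "CHG-4411"},
]

if __name__ == "__main__":
    print(detect_fleet_outage(sample_status_events(), len(STATIONS)))
    print(audit_central_commands(SAMPLE_COMMANDS, len(STATIONS)))
```

The command audit is the part that addresses centralization directly: a system that can reconfigure every dispenser in the country from one server needs that capability gated by change control, and the SIEM should treat an unticketed fleet-wide push as an incident even when nothing has failed yet.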



Conclusion

The attacks on the oil, gas, and petrochemical sectors highlight critical vulnerabilities in OT environments:

🟣 compromised engineering workstations

🟣 weak segmentation between IT and OT networks

🟣 centralized systems as single points of failure

These weaknesses have been exploited to sabotage safety systems, disrupt operations, or paralyze infrastructure.

To protect against these threats, focus on defense-in-depth strategies, strict access controls, network segmentation, and proactive monitoring through #OTSIEM.

Understanding past attacks is the first step toward defending your industry. By applying these lessons, you can better secure critical systems and maintain resilience in the face of evolving cyber threats.



You are at Level 2 Documentation Tree - Attacks 3/5 Skill

Don't forget to check your main Leveling Guide

And put 💬 comments or 👍 likes, it helps a lot to get your feedback!

Yours, Zakhar


Zakhar Bernhardt

ICS/OT Cybersecurity Consultant | Creator of 1st OT SIEM & NVIDIA AI IDS Patented | Incident Response & SOC Expert | Industrial Pentester OSCP | OT Cybersecurity Writer

4d

Desmond Lamptey, Chad Crochet, Ashan Weerasinghe, Leandro Correia .'., thank you all for help and reposts!

Mriganka Bhattacharya

Top 5% in Tryhackme | SC900 | CompTIA Sec+| CLO-002 | Linux+ | 5X certified in Salesforce & Veeva with 15+ years of Experience, exp. in ITIL

5d

Love this post, Zakhar Bernhardt.

Souvik Chakraborty

Assistant Engineer MSP Steel Limited ICS/OT NIST 800-82, ISCA 62443 Industrial Automation, Third Party Communication

6d

Very informative

Paul Veeneman

IT/OT Cybersecurity & Risk Management | International Speaker | Adjunct Professor | Mentor

6d

Zakhar, thanks for sharing the article. IT networks and infrastructure continue to be the predominant threat vector to process environments.
