
Thursday, 24 April 2014

Oil & Gas Companies: New targets for hackers

The next hacker playground: the open seas - and the oil tankers and container vessels that ship 90% of the goods moved around the planet.

In this internet age, as more devices are hooked up online, so they become more vulnerable to attack. As industries like maritime and energy connect ships, containers and rigs to computer networks, they expose weaknesses that hackers can exploit.

Hackers recently shut down a floating oil rig by tilting it, while another rig was so riddled with computer malware that it took 19 days to make it seaworthy again; Somali pirates help choose their targets by viewing navigational data online, prompting ships to either turn off their navigational devices, or fake the data so it looks like they're somewhere else; and hackers infiltrated computers connected to the Belgian port of Antwerp, located specific containers, made off with their smuggled drugs and deleted the records.

While data on the extent of the maritime industry's exposure to cybercrime is hard to come by, a study of the related energy sector by insurance brokers Willis this month found that the industry "may be sitting on an uninsured time bomb".

Globally, it estimated that cyberattacks against oil and gas infrastructure will cost energy companies close to $1.9 billion by 2018. The British government reckons cyberattacks already cost UK oil and gas companies around 400 million pounds ($672 million) a year.

In the maritime industry, the number of known cases is low as attacks often remain invisible to the company, or businesses don't want to report them for fear of alarming investors, regulators or insurers, security experts say.

There are few reports that hackers have compromised maritime cybersecurity. But researchers say they have discovered significant holes in the three key technologies sailors use to navigate: GPS, marine Automatic Identification System (AIS), and a system for viewing digital nautical charts called Electronic Chart Display and Information System (ECDIS).

"Increasingly, the maritime domain and energy sector has turned to technology to improve production, cost and reduce delivery schedules," a NATO-accredited think-tank wrote in a recent report. "These technological changes have opened the door to emerging threats and vulnerabilities as equipment has become accessible to outside entities."

Tip of the iceberg
As crews get smaller and ships get bigger, they increasingly rely on automation and remote monitoring, meaning key components, including navigational systems, can be hacked.

A recent study by security company Rapid7 found more than 100,000 devices - from traffic signal equipment to oil and gas monitors - were connected to the internet using serial ports with poor security. "The lines get blurry, and all industries and all technologies need to focus more on security," said Mark Schloesser, one of the authors of the study.

Mark Gazit, CEO of ThetaRay, an internet security company, said an attacker managed to tilt a floating oil rig to one side off the coast of Africa, forcing it to shut down. It took a week to identify the cause and fix, he said, mainly because there were no cybersecurity professionals aboard. He declined to say more.

Lars Jensen, founder of CyberKeel, a maritime cybersecurity firm, said ships often switch off their AIS systems when passing through waters where Somali pirates are known to operate, or fake the data to make it seem they're somewhere else.

Shipping companies contacted by Reuters generally played down the potential threat from hackers. "Our only concern at this stage is the possible access to this information by pirates, and we have established appropriate countermeasures to handle this threat," said Ong Choo Kiat, president of U-Ming Marine Transport, Taiwan's second-largest listed shipping firm by market value. The company owns and operates 53 dry cargo ships and oil tankers.

A spokeswoman for Maersk Line, the world's top shipping container group, said: "Yes, we consider cyberrisk a threat, but vessels are no more vulnerable to such attacks than onshore systems and organizations. We are taking this risk seriously and ensuring that we are protected against such threats."

Virus riddled
A study last year by the Brookings Institution of six US ports found that only one had conducted an assessment of how vulnerable it was to a cyberattack, and none had developed any plan to respond to such an attack. Of some $2.6 billion allocated to a federal program to beef up port security, less than 1% had been awarded for cybersecurity projects.

When CyberKeel probed the online defenses of the world's 20 largest container carriers this year it found 16 had serious security gaps. "When you look at the maritime industry there's extremely limited evidence of systems having been breached" compared to other sectors, said CyberKeel's Jensen. "That suggests to us that they've not yet been found out."

Michael Van Gemert, a security consultant to the oil and gas industry, said that on visits to rigs and ships he has found computers and control systems riddled with viruses. In one case, he said it took 19 days to rid a drilling rig en route from South Korea to Brazil of malware which had brought the vessel's systems to a standstill.

"The industry is massively in need of help, they have no idea what the risks are," he said.

The main ship navigation systems - GPS, AIS and ECDIS - are standards supported by bodies such as the International Maritime Organisation (IMO). Indeed, that body has made AIS and ECDIS mandatory on larger commercial and passenger vessels.

Researchers from the University of Texas demonstrated last July that it was possible to change a ship's direction by faking a GPS signal to dupe its onboard navigation system.

Marco Balduzzi and colleagues at anti-virus vendor Trend Micro last month showed that an attacker with a $100 VHF radio could exploit weaknesses in AIS - which transmits data such as a vessel's identity, type, position, heading and speed to shore stations and other ships - and tamper with the data, impersonate a port authority's communications with a ship or effectively shut down communications between ships and with ports.

In January, a British cybersecurity research firm, NCC Group, found flaws in one vendor's ECDIS software that would allow an attacker to access and modify files, including charts. "If exploited in a real scenario," the company concluded, "these vulnerabilities could cause serious environmental and financial damage, and even loss of life."

When the USS Guardian ran aground off the Philippines last year, the US Navy in part blamed incorrect digital charts. A NATO-accredited think-tank said the case illustrated "the dangers of exclusive reliance upon electronic systems, particularly if they are found vulnerable to cyberattack."

"Most of these technologies were developed when bandwidth was very expensive or the internet didn't exist," said Vincent Berk, CEO of security company FlowTraq.

No quick fix
Fixing this will take time, and a change in attitude.

"Security and attack scenarios against these technologies and protocols have been ignored for quite some time in the maritime industry," said Rapid7's Schloesser.

Researchers like Fotios Katsilieris have offered ways to measure whether AIS data is being faked, though he declined to be interviewed, saying it remained a sensitive area. One Google researcher who has proposed changes to the AIS protocol wrote on his blog that he had been discouraged by the US Coastguard from talking publicly about its vulnerabilities.

Indeed, AIS is abused within the industry itself.

Windward, an Israeli firm that collects and analyses AIS data, found 100 ships transmitting incorrect locations via AIS in one day - often for security or financial reasons, such as fishing boats operating outside assigned waters, or smuggling.
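The two passages above mention that researchers have proposed ways to measure whether AIS data is faked and that a data firm found ships transmitting incorrect positions. The following is an added example, not code from the article or from any of the researchers or firms it names, showing the simplest kind of check a shore-side analyst could run over a vessel's position reports: compare the speed implied by consecutive reports against a physical ceiling and against the speed the vessel itself reports. The thresholds, the `PositionReport` layout and the sample track are all constructed for illustration.

```python
"""Kinematic plausibility check for AIS position reports (constructed example).

A vessel that "teleports" between two reports, or that reports a speed over
ground wildly different from the speed its own positions imply, is either
sending bad data or having its data spoofed. Both cases deserve a second look.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_NM = 3440.065       # mean Earth radius in nautical miles
MAX_PLAUSIBLE_KNOTS = 50.0       # assumption: no merchant vessel exceeds this
SOG_TOLERANCE_KNOTS = 5.0        # assumption: allowed gap, implied vs reported speed


@dataclass(frozen=True)
class PositionReport:
    """Subset of an AIS position report (fields chosen for this example)."""
    mmsi: int      # vessel identifier
    t: int         # timestamp, seconds since epoch
    lat: float     # degrees, north positive
    lon: float     # degrees, east positive
    sog: float     # reported speed over ground, knots


def haversine_nm(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in nautical miles."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(a))


def implied_speed_knots(a: PositionReport, b: PositionReport) -> float:
    """Speed the vessel must have made good to travel from report a to report b."""
    hours = (b.t - a.t) / 3600.0
    if hours <= 0:
        raise ValueError("reports must be in increasing time order")
    return haversine_nm(a.lat, a.lon, b.lat, b.lon) / hours


def check_track(reports: list[PositionReport]) -> list[dict]:
    """Return one finding per consecutive pair of reports that fails a check."""
    findings: list[dict] = []
    ordered = sorted(reports, key=lambda r: r.t)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.t == prev.t:
            continue  # duplicate timestamp: nothing to measure
        v = implied_speed_knots(prev, cur)
        if v > MAX_PLAUSIBLE_KNOTS:
            reason = "implausible_speed"      # position jumped farther than any ship can sail
        elif abs(v - cur.sog) > SOG_TOLERANCE_KNOTS:
            reason = "sog_mismatch"           # positions and reported speed disagree
        else:
            continue
        findings.append({"mmsi": cur.mmsi, "t": cur.t,
                         "implied_knots": round(v, 1),
                         "reported_knots": cur.sog, "reason": reason})
    return findings


# Constructed track for MMSI 123456789: two honest reports, then a jump of
# 1.5 degrees of latitude (about 90 nm) in ten minutes, then a report that
# claims the vessel is stopped while its position moved 12 nm in an hour.
SAMPLE_TRACK = [
    PositionReport(123456789, 0,    51.0, 2.0, 12.0),
    PositionReport(123456789, 3600, 51.2, 2.0, 12.0),
    PositionReport(123456789, 4200, 52.7, 2.0, 12.0),
    PositionReport(123456789, 7800, 52.9, 2.0, 0.0),
]

if __name__ == "__main__":
    for f in check_track(SAMPLE_TRACK):
        print(f)
```

The check only needs the stream of reports already received, so it can run entirely shore-side; it will not catch a spoofer who keeps the fake track kinematically consistent, which is why it is a triage signal rather than proof of tampering.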

In a UN report issued earlier this year on alleged efforts by North Korea to procure nuclear weapons, investigators wrote that one ship carrying concealed cargo turned off its AIS signals to disguise and conceal its trip to Cuba.

It's not clear how seriously the standards bodies treat the threat. Trend Micro's Balduzzi said he and his colleagues were working with standards organizations, which he said would meet next year to discuss his research into AIS vulnerabilities.

The core standard is maintained by the International Telecommunications Union (ITU) in association with the IMO. In a statement, the IMO said no such report of vulnerabilities had been brought to its attention. The ITU said no official body had contacted it about the vulnerabilities of AIS. It said it was studying the possibility of reallocating spectrum to reduce saturation of AIS applications.

Yevgen Dyryavyy, author of the NCC report on ECDIS, was skeptical that such bodies would solve the problems soon.

First, he said, they have to understand the IT security of shipboard networks, onboard linked equipment and software, and then push out new guidelines and certification.

Until then, he said, "nothing will be done about it."

Qualcomm slapped with bribery allegations by US

Mobile chipmaker Qualcomm on Wednesday said it could face a civil action from US authorities over alleged bribery of officials associated with state-owned companies in China.

With smartphone sales tapering off in the United States, China is a major market for Qualcomm, but doing business there has included disagreements over royalties and an antitrust investigation.

In its fiscal second-quarter report, Qualcomm said it has received a notice from the Securities and Exchange Commission's Los Angeles office advising it of a preliminary determination to recommend an enforcement action against the company for violating the Foreign Corrupt Practices Act (FCPA).

Qualcomm said the civil action could seek remedies including "disgorgement of profits, the retention of an independent compliance monitor to review the company's FCPA policies and procedures, an injunction, civil monetary penalties and prejudgment interest."

Qualcomm said it first learned of and disclosed the SEC investigation in 2012.

In its own investigation, Qualcomm said it found instances in which "special hiring consideration, gifts or other benefits were provided to several individuals associated with Chinese state-owned companies or agencies."

The chipmaker believes the total value of the benefits was less than $250,000.

Qualcomm said it received a from the SEC's Los Angeles office on March 13 advising it of the preliminary determination and warning it of . On April 4, the San Diego company submitted an explanation of why it believes it has not violated the FCPA.

Earlier this month, Hewlett-Packard said it would pay $108 million to settle potential violations of the FCPA in Russia, Poland and other countries. They include allegations that an HP executive paid bribes worth over $500,000 in exchange for help winning contracts to supply computer equipment to Polish police headquarters.

China's anti-monopoly regulator is also investigating Qualcomm, which it suspects of overcharging and abusing its market position. Those allegations could lead to fines of more than $1 billion.

In a quarterly conference call with analysts on Wednesday, Qualcomm executives repeatedly denied the company had broken the law but declined to provide more details on the SEC allegations.

Scrutiny of Qualcomm's practices in China comes at a key moment in the country's transformation from a smartphone manufacturing hub to a major consumer market in its own right.

China Mobile, the world's largest telecom carrier, is set to roll out a new network this year using 4G technology that Qualcomm dominates.

"China is an important part of their story. It's where all their unit growth is coming from," said FBR analyst Chris Rolland. "I think the (bribery investigation) will have limited financial impact by the time it's all said and done, but it certainly isn't good."

Friday, 11 April 2014

Infosys begins CEO search process, looks at external candidates too

Infosys will look at both internal and external candidates to succeed CEO & MD SD Shibulal, who is due to retire in March next year. 

The company on Friday said its nominations committee had begun the search to select the successor. 

"The nominations committee will short list and evaluate an internal slate of candidates with the assistance of Development Dimensions International (DDI), a company specializing in corporate executive evaluations. The Board has also appointed Egon Zehnder, an executive search firm, to assist the nominations committee in identifying an external slate of candidates," a release from the company said. 

The company said Shibulal had expressed his desire to retire as the CEO and MD and as a member of the Board of Directors either on the date of the last board meeting before his superannuation — January 9, 2015 — or when his successor is ready to assume office, whichever date is earlier. 

Infosys so far has had a tradition of promoting internal candidates to top positions, and prides itself on building leaders. The CEO position has till now been held by its co-founders — starting with NR Narayana Murthy, followed by Nandan Nilekani, Kris Gopalakrishnan and now Shibulal.

This will be the first time that a non-founder will occupy the post. Among internal candidates, the choice is likely to narrow down to the two presidents of the company — BG Srinivas and UB Pravin Rao.

India to review value addition targets of telecom gear

India will shortly review value addition targets, or the extent to which network gear vendors need to customise 23 security-sensitive telecom products using Indian resources, in order to pitch for government contracts. The telecom department (DoT) will "examine whether network vendors — both local companies and Indian units of global suppliers — can meet current value addition targets in the absence of a mature local manufacturing ecosystem", according to an internal note seen by ET.

Local value addition (VA) is the degree of customisation that will go into a piece of imported telecom gear using Indian resources before it is tagged 'Made in India'. Such VA targets are at the heart of the preferential market access (PMA) policy that progressively calls for 100% local sourcing of "security sensitive" telecom gear for government contracts.

DoT's decision to review local VA rules for telecom products comes amid skepticism from leading international trade bodies across the US, Europe and Japan that the current requirements are stiff and a tad unrealistic.

"India's manufacturing ecosystem is still developing for certain components and sub-components, which limits the ability of companies to meet domestic value addition requirements under the PMA policy," said five global trade bodies — Digital Europe, Telecommunications Industry Association, US-India Business Council, Information Technology Industry Council and Japan Electronics & IT Industry Association — in an internal joint communique to the Department of Electronics & IT (DeiTY), which had originally notified the PMA rules in October 2012.

Under current rules, network gear makers must meet 45% and 65% of their local value addition targets by 2017 and 2020, respectively. But DoT will shortly submit a revised list of domestic VA requirements for telecom equipment after "examining feasibility issues" to the newly constituted National Planning & Monitoring Council for Electronic Products (NPMC-EP).

The NPMC-EP, which will have a top representative from the telecom department, was formed by DeiTY to enforce local electronics sourcing rules for government contracts. In the run-up to the VA targets review, the five global trade bodies have also noted that "many international ICT companies with extensive operations in India had invested heavily in conducting R&D, developing software" and performing related services.