The IT Nerd

We are now in day six of the Petro Canada/Suncor cyberattack. The app is still down, and stations are still only accepting cash. While the company admits that there has been attack, few details beyond what I have had outlined are available. Though there are rumours that it is worse than what we know. Whatever is going on, it’s going to cost them a lot in multiple ways:

• It will cost them in terms of their reputation: Petro Canada is the nation’s largest gas station. And people not being able to fill up in their stations because of this cyberattack will negatively affect their reputation the longer this goes on. And many will likely going to think twice about using Petro Canada after this situation is resolved. Whenever that is. On top of that, many will be wondering if their personal information is safe. At this time it isn’t clear if their customer’s personal information is at risk or not. That’s really bad from a reputation standpoint.
• It will cost them in lost sales: You have to wonder how many people did what I did which is to go elsewhere because Petro Canada doesn’t accept credit and debit cards? The longer that this goes on, people will get used to going to a gas station other than Petro Canada. And the harder it will be for Petro Canada to get them to return to their stations and spend their gas money there.
• It will cost them in terms of spending to fix this: IBM put out a study that says that the global average cost to companies of a data breach hit an all-time high in 2022 of US$4.35-million. And in the United States, the average cost of a data breach in 2022 was US$9.44-million. That’s not cheap. The same report said that in 2022, it took an average of 277 days for companies to identify and contain a breach. The bottom line is that this is going to get expensive in a hurry.

Another question that has surfaced in recent days is who is behind this and what is their motivation. To give you some views on this question, I sought the commentary of a variety of experts:

Mike Hamilton, Former CISO of the City of Seattle and former Vice-Chair of the DHS State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC) and CISO of Critical Insight

This is not the first time a Canadian energy sector company has been recently compromised. A pipeline company was compromised earlier this year, and a recent intelligence report stated that Russian actors are actively seeking to disrupt Canada’s energy infrastructure. Rather than being victims of opportunity, these events seem to be strategic acts of nation-state actors and not cyber criminals looking for a score.

About a year ago Canada announced that it would boost oil and gas production to assist the European Union cut its use of Russian energy. Notably, and in at least one of the incidents, actors were able to manipulate the operational technologies (OT) and did so. This suggests that the tools and tactics being used were more sophisticated, making these events significantly different than the ransomware attack against the IT (not OT) network of Colonial Pipeline.

According to the intelligence report, these events will likely continue for the duration of the war in Ukraine and are intended to produce psychological impacts in the population and yes, the United States is also a target for this activity. Whereas the actual destruction or permanent disruption of this infrastructure would constitute an act of war, temporary disruptions to energy generation and transmission are likely to proliferate and insofar as possible create the perception that it’s a criminal act. (Note that disrupting distribution is the domain of domestic nutjobs.)

Ron Brash, VP of Research and critical infrastructure software security firm, aDolus Technology

In the respect of comparing Suncor and Colonial, they are not the same and are not really in the same business.  Had Suncor been Enbridge, this would have been a vastly different story, but based on POS outages, rewards programs and corporate AD/credentials – it appears again to be more of a Honda-like event and some operations affected. Given the size and nature of Suncor/Petroncan,  it’s more likely that cardlocks, volume tracking and maybe metering/pos on pumps were affected. Some warehouse activities such as product management and shipping may have been stalled or degraded, but like downstream retail – they can often be run with a clipboard, measuring stick, calculator and an alternative form of payment (all except cardlock of course).

This could be a focused event because of Canada and other allies’ stance on the war in Ukraine, but evidence points to more of an inconvenience vs being a major incident or an organization such as a significant pipeline.   It may have been entirely opportunistic, and dressed up under a guise. However, more accurate details are needed before a true impact assessment can be surmised. 

Ron Fabela, field CTO at cybersecurity firm XONA Systems

It’s incredibly difficult to tie any intention to the Suncor cyber event with geopolitical actions or threats.  This very loose hypothesis comes from reports of “A pro-Russia hacktivist group claims to have breached the network of a Canadian gas pipeline company in February and caused damage that resulted in loss of profits, according to a document found among a tranche of US classified intelligence assessments leaked online recently.” (source Kim Zetter https://zetter.substack.com/p/leaked-pentagon-document-claims-russian).  Note that at the time, this breach and impact was communicated in the past tense, meaning an event that already occurred earlier this year.Even so, impacts reported by Petro-Canada (and parent Suncor Energy) indicate a potential standard ransomware attack against point of sale systems and supporting backend systems  (Nothing close to the reported “[…]show their access to the Canadian facility and indicating that they had the ability to increase valve pressure, disable alarms, and initiate an emergency shutdown of the facility” (source again from Kim Zetter).)At this time, there’s no indication that this event is having Colonial Pipeline-like impacts on Canadian infrastructure or customer confidence. However any cyber event, whether a direct APT attack or opportunistic ransomware, that affects critical infrastructure operations should be taken seriously and as a recipe for what’s ahead. The prevalence of ransomware targeting remote access services like with Colonial Pipeline or exposed vulnerable technologies such as MoveIT is only going to continue to have secondary impact on the safe and reliable operations of critical systems. Regardless of geopolitical intent this continues to be a concern for not just the US, but critical infrastructure organizations around the world. My advice: create plans around incident response, implement technologies that support visibility and zero trust architectures, take those first concrete steps into preventing future attacks instead of waiting for them to strike close to home.

For the sake of Petro Canada and Suncor, I hope that they’re making every effort to address this because the longer it goes on, the more likely that it won’t end well for them. On top of that, I hope that there’s a focused effort to find who did this and bring them to justice.

This entry was posted on June 28, 2023 at 12:52 pm and is filed under Commentary with tags Petro Canada. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.