The Oil Minister of Iran, Mr Javad Owji, on Monday (18 Dec 2023) confirmed that a nationwide disruption to petrol stations was caused by a cyberattack targeting his country. Mr Reza Navar, a spokesperson for Iran’s petrol stations association, told the semi-official Fars news agency, “A software problem with the fuel system has been confirmed in some stations across the country and experts are currently fixing the issue.” He also assured the public that there would be no serious problems of distribution or supply and called upon consumers not to resort to panic buying.
As per the statement issued by the Oil Minister of Iran, there are over 33,000 gas stations throughout the country, and the software that operates the pumps has been affected at over 70% of them. The infection in the software is attributed to probable cyber sabotage; Iranian official television also made a reference to cyberattacks. The pumps in Iran have been operating manually since the incident occurred.
Different media houses have reported that the cyberattack may have been carried out by a hacking organisation known as “Gonjeshke Darande,” or Predatory Sparrow. The group, which Iran accuses of having links to Israel, claimed it carried out the attack that disrupted services at petrol stations across the country on Monday, Iranian state TV and Israeli local media reported.
The speculated layout of the IT backbone of Iran’s Petrol Pump setup
The infection seems to be the insertion of a virus into the ERP software that handles supply chain management for the pumps. The ERP also hosts PoS system software, probably customised for Iranian requirements and use. The solution is speculated to have been hosted on a Private Cloud, with the Logistics and Transport modules hosted by the Petrol Distribution arm of the government of Iran. The PoS component is accessed by the retail pump agencies, and both are operated on a private/PPP model across the about 33,000 gas pumps. The PoS can control a maximum of 32 fuel dispenser sides (fuelling places in one location). Fuel dispensers and Automatic Tank Gauging (ATG) systems are connected through a PTS controller. The software also handles price boards, car washes and others. Because the software is hosted on the cloud, it is vulnerable to exposure if the security overlay is left with gaps. Security for cloud computing is still maturing, so only continued innovation by the security team can keep it ahead of the perpetrators, who are continuously aiming to target the code and inject it with infections.
Lessons for India
As per the latest statistics available at the Ministry of Petroleum and Natural Gas, Govt of India, India currently has 87,000 operational fuel pumps dispensing fossil fuel. These pumps are either company owned or outsourced by the Government of India Oil Marketing Companies, namely Indian Oil Corporation (IOC), Hindustan Petroleum Corporation (HPCL) and Bharat Petroleum Corporation (BPCL). Apart from these, there are other private players like Reliance-BP, Nayara, Total, etc.
The solutions used by these Oil Marketing Companies are centrally hosted. Depending on the business and type, the central ERP, hosted on a Private Cloud, is made available to users through access control. The PoS application is also co-hosted on the Cloud, with linkages to the ERP. The present integration of the varied applications used in this Fuel Retail and Distribution Ecosystem is majorly based on SAP, and the applications are integrated over the APIs provided.
The weakest point of a Gas Station supply chain IT Solution is the PoS outlet. There have been a large number of attacks on this ecosystem in the recent past, and most of the exploits have targeted the last mile. A recent cyberattack disrupted the activities in Germany of the fuel supplier Oiltanking Deutschland GmbH & Co. KG; its ERP-SCM was targeted. In the Summer of 2019, American gas stations were attacked; the objective of the hackers was simply to scrape the credit and debit card info from the black strips of the VISA payment cards. This attack resulted in corruption of the back-end solution and caused havoc in the US.
In many of the Indian pumps, there is no cyber security in place to protect the end points. The solution in many of the pumps runs over Public WiFi or the Internet rather than over secured connectivity like a Leased Line (LL) or MPLS (Multiprotocol Label Switching). It is also alarming that many of the last mile operators and terminals are on unencrypted channels. Cyber Security awareness among the last mile operators is lacking as well. The Security Solutions that protect the Oil Marketing Solution Providers in India are also speculated to be on an outsourced model with large reliance on Cloud Infra.
The fuel that is provided to our vehicles at the gas stations in India has passed through a long chain from the arrival of crude at the seaport to the Pump. The reliance is not only on the PoS application but on large IT and ICT Systems, ranging from the back-office system and the Supply Chain System to the payments and management functions, etc. The Pumping and Refinery operations are based on OT Systems, including SCADA and ICS Apparatus. SCADA and ICS demand specific attention in Cyber Security Process and Infra because of their complex structure and the large number of interdependencies among different devices with different capabilities, software, operating systems and critical functions. The last mile ecosystem is connected to the Forecourt Controller (FCC). The forecourt is the area with pumps outside the convenience store where customers park their cars to fill up. It is equipped with many systems such as pump control, an ATG, payment systems, etc. The FCC is the main device that controls fuel distribution, so when you pay through a cashier, the FCC commands the pump to supply fuel to your car so you can continue your journey. The other infra alongside the pump also includes the surveillance and Security System (including the CCTV Grid) and the IT/ICT based Fire Safety measures. All this and more are susceptible to Cyber Attacks. Hence, a holistic review and a strategy for this changing cyber threat landscape are the need of the hour.