So …last week I was in Lagos – Nigeria at the recently concluded CyberXchange 2016 Annual conference, where West Africa gathered to speak cybersecurity for one sole purpose: Protecting National Cyber Assets.
The basic story of how Nigeria’s crude goes missing has been told for years. To steal oil, Thieves/Sabotage groups physically tap into pipelines and other infrastructure in the Niger Delta. They then pump the oil onto waiting barges and boats. Some of it is refined locally while larger vessels carry the rest abroad. According to reports, this theft accounts for an almost $6Billion USD loss yearly. In the past, we could derive two fundamental issues.
- The government could not actually transparently account for actual capacity as there were no systems in place to do this (howbeit, estimates were fine to work with, thereby, further encouraging the corruption theft)
- The government had to employ Naval forces as a military boots-on-the-ground model to try to combat this theft (Physical theft demanded such physical response)
Over the last decade, the Nigerian government in partnership with its trade partners, theoretically deployed systems like SAP Business Solutions, SCADA systems for the sole purpose of resolving issue 1 above, and capture actual production capacity and volumes. Issue 2 still remains as there are still a number of sabotage groups in the Niger Delta still destroying pipelines for not just theft alone but vandalism ploys against the government. Whilst the army fights back, this has remained very challenging battle to win although the government has recorded some success in this “war” by also taking a diplomatic approach and instituting Stakeholders committees.
Corruption as they say will always fight back and in most instances, is always a step ahead of the system. Our talk at the CyberXchange examined use of cybersecurity as non-physical way for the saboteurs to steal Nigeria’s oil without warlike interventions/Gun battles in the creeks by simply exploiting vulnerabilities in the SAP applications that power the Nigerian Oil and Gas economy.
As it were, the Nigerian Oil and Gas processes (Upstream, Midstream and Downstream operations) should operate safely and securely without interference, but perhaps, NOT for too long. Even to assume that there were no insider attacks, which is not the case with Nigeria, with IOT, SCADA connectivity, exposure of systems over the internet, the war against theft of oil has only just begun; as possible hackers from organizations like MEND, Niger Delta Avengers could potentially plot sophisticated attacks in the form of DDOS Attacks or escalating privileges using vulnerabilities that affect the applications that power this Industry – SAP, to either execute malicious codes remotely or mask the theft of Oil without any need for any Authentication. A situation where Naval boots-on-the-ground model counts for nought.
In our talk: Cyber security for Oil and Gas – How hackers can steal oil, we demonstrated how exploiting a vulnerability on SAP xMII and relying on trusted connections, SCADA and connections to Tank Gauge systems, a benefit of IOT at its very base, could be used to trick SAP application to not detect Oil theft (Based on security research work originally conducted by ERPScan team).
Today, it is estimated that almost 82% of SAP systems implementations in Africa are vulnerable to these sort of attacks regardless of Industry for a few reasons which could range from:
- Most Z programs being susceptible to SQL injections, verb tampering or leave backdoors for hackers to get in,
- The configuration checks have high failure machining security settings, and some services or RFC, SAP routers, ICF leave open gaps (albeit functional configurations come pretty much nicely done)
Maximising IOT in Nigeria’s oil and Gas Industry could be a positive accelerator to realising a more transparent and efficient way of maintaining Nigeria’s Oil and Gas revenue lines. However, this may just be the hacker’s dream come true because Applications (e.g. SAP) and associated technologies are being implemented on a rapid and massive scale, with little oversight, no real rules, and rolled out in many cases by companies with little or no history in cybersecurity. Ultimately, the risk with this implementation approach could give rise to more avenues to Saboteurs like MEND or Niger Delta Avengers to wage full scale war against Nigeria’s already badly hit Oil revenue stream using the already exposed attack surfaces on the applications that power this ecosystem.
To find out how to mitigate these cybersecurity risks, feel free to reach out to DeltaGRiC Consulting, the ONLY consultancy within the SAP Africa ecosystem focused on and helping organizations running SAP mitigate their cybersecurity risk and compliance violations using the industry’s most respected methodologies and tool – ERPScan Monitoring tool. To schedule a cybersecurity, check on your landscape, please contact us on firstname.lastname@example.org