Petrol distribution facilities across Germany have been forced to shut off their operational technology (OT) systems in response to an apparent cyber attack of an undisclosed nature affecting Hamburg-based fuel logistics firm Oiltanking.
According to German newspapers Handelsblatt and Der Spiegel, which were among the first to report on the incident, the attack was carried out against Oiltanking’s systems and those of another subsidiary of the same parent group, Mabanaft. The firms supply numerous fuel companies in Germany, with larger customers including the likes of Shell.
It is understood that the incident has taken the automated systems responsible for filling and emptying its fuel storage tanks offline at 13 facilities in Germany that, between them, handle around 155 million tonnes of material every year. The filling of petrol tankers is being held up as a result.
A spokesperson for Germany’s independent tank storage association told Der Spiegel that in spite of the attack, other suppliers should be able to fill the gap in the meantime, meaning there is unlikely to be any immediate danger to fuel supplies to German consumers and businesses.
An Oiltanking spokesperson commented: “On Saturday 29 January 2022, Oiltanking GmbH Group and Mabanaft GmbH & Co. KG (Mabanaft) Group discovered we have been the victim of a cyber incident affecting our IT systems.
“Upon learning of the incident, we immediately took steps to enhance the security of our systems and processes, and launched an investigation into the matter. We are working to solve this issue according to our contingency plans, as well as to understand the full scope of the incident.
“We are undertaking a thorough investigation, together with external specialists, and are collaborating closely with the relevant authorities. All terminals continue to operate safely.”
The spokesperson added that the firm’s terminals in markets outside of Germany were unaffected because they operate within a different business unit. They said all affected parties were working to restore normal operations as soon as possible.
“We are committed to resolving the issue and minimising the impact as quickly and effectively as possible. We will be keeping our customers and partners informed and will provide updates as soon as more information becomes available,” they said.
The organisation said it was unable to comment on the precise nature of the cyber attack at this stage of its investigation.
The attack will, for many, bear echoes of the May 2021 ransomware incident affecting the systems of US fuel distributor Colonial Pipeline, which put fuel supplies across the eastern US in jeopardy for a time and ultimately played a major role in subsequent operations against ransomware gangs by US authorities. It is important to note, however, that at the time of writing there was no suggestion that the cyber attack on Oiltanking was a ransomware attack.
The timing of the incident may also raise eyebrows, with those responsible targeting a component of Germany’s critical national infrastructure (CNI) during a period of heightened political tensions in Europe, and in the wake of warnings from multiple national security agencies about the possibility of Russia-backed cyber attacks. Again, it is important to remember there is no evidence at present to implicate any one group or country.
Nevertheless, the incident is potentially a serious one, as Tim Wade, technical director of Vectra’s CTO office, pointed out.
“Impacting elements of the fuel, heating and combustibles supply chain during the winter season potentially puts human safety and well-being in the crosshairs – these types of attacks underscore the very serious risks posed by criminals to foundational parts of essential services and infrastructure,” he said.
“We sincerely hope for minimal disruption even as we hope that organisations will invest in the resilience necessary to withstand and recover from such threats.”
Huntsman Security product management head Piers Wilson added: “Given the potential fragility of the fuel supply chain – as highlighted by recent shortages in the UK – disruptive cyber attacks can cause widespread disruption for consumers and businesses. Although the details and longer term impact of the attack on Oiltanking and its parent company are unclear, it’s vital that other organisations take effective steps to ensure they aren’t the next victims of a successful breach.
“Alongside the use of the latest cyber defence technologies, businesses must also frequently assess the level of risk they face from attacks. For instance, there’s little point in having the latest antivirus updates if your systems aren’t patched regularly or you have misconfigured admin accounts and unsupported software versions. Equally, staff must be trained on what to look out for when it comes to phishing emails.
“However, securing your own network is only a partial solution if your suppliers aren’t doing the same. As we’ve seen recently in the US and elsewhere, attacks originating from other organisations are becoming more common, as are those which might not actually spread but take a supplier you rely on offline,” said Wilson.
“Regularly assessing or monitoring your own, as well as partners’ and suppliers’ cyber security practices is critical. With luck, the attack on Oiltanking won’t see widespread disruption in Germany, but it must be seen as a wake-up call to organisations that still aren’t 100% confident in their own and their partners’ cyber defences,” he added.