An international oil exploration company selected SecQuest to execute testing against their wide-area satellite and TETRA radio networks, as they had just completed upgrades of hardware and the Board were concerned that any compromise of these networks could have a direct impact on their brand, revenue and exploration / extraction sites.
SecQuest provided a ‘Black-box’ Penetration Testing Service (where limited target information is provided), checking with the client at each major phase to ensure we remained within the agreed project scope.
The Penetration Testing Service was delivered in two phases. ‘Phase One’ was against the satellite ‘VSAT’ network, and ‘Phase Two’ against the TETRA network.
Specialist RF equipment was deployed to analyse the traffic, via the leased satellite transponder, in order to validate the operating security controls.
The team identified that although the majority of traffic sent via satellite was encrypted, the management of the ‘VSAT’ modems and infrastructure was undertaken via an ‘out-of-band’ service. This enabled the team to identify user credentials from ‘plain-text’ network traffic.
The team used the credentials to log in and turn off ‘over-the-air-encryption’, allowing all production network traffic to be intercepted and read – hence, confidentiality had now been fully breached.
For the TETRA assessment, the team used RF sniffing equipment to examine the ‘over-the-air data-streams’.
The team identified that the network was operating with ‘Security Level 1’, static key encryption, and that low-rate data used for tele-command and remote site monitoring was also operating in plain-text. Therefore, it was possible to intercept basic health information for remote drilling sites.
The Penetration Testing Service demonstrated that a cyber attack would compromise various elements of the wide-area satellite network and intercept traffic and credentials, impacting the availability and integrity of equipment operating the oil extraction / exploration sites. This would impact the company brand and potentially lead to financial losses.
The Penetration Testing Service enabled a change programme to be activated to manage configuration updates to both the satellite and TETRA networks. For example, the TETRA devices were changed to ‘Security Mode 2’, per-packet keying, for all traffic, which resolved the issue of being able to intercept low speed data.
All management information was migrated to secure encrypted channels and ‘out-of-band’ services were updated to use a unique, very strong password for configuration access.
As SecQuest offers a free re-test as part of their service(s), a re-test was conducted against the areas of concern and it was found that the identified security vulnerabilities had been appropriately resolved.