Welcome to the Interactive Agenda for the 2016 ICS Cyber Security Conference! (View the full ICS Cyber Security Conference website here)  This agenda is currently a work in progress; please check back often, as our team is making updates DAILY. (You can register for the conference here)
Thursday, October 27 • 12:00pm - 12:45pm
Practical Attacks on Oil and Gas industries

The industries most plagued by cyber-attacks are Oil and Gas businesses. Several attacks against the infrastructure of Oil firms like Aramco have been executed by the Anonymous operation #OpPetrol, which targeted major Oil companies. The Oil and Gas sectors are also threatened by fraud, where there is blatant theft of resources during upstream or downstream processes. SAP and Oracle systems are widely used in Oil and Gas industries, and there are even specific modules for Oil and Gas, such as SAP Upstream Operations Management (UOM), SAP PRA (Production and Revenue Accounting), Oracle Field Service and Oracle Enterprise Asset Management.

Cyber-attacks on SAP systems belonging to Oil and Gas industries can be critical in themselves; however, they are even more lethal because of trust connections in systems responsible for asset management (such as SAP xMII and SAP Plant Connectivity) and systems responsible for OT (such as ICS, SCADA and Field Devices).

Moreover, SAP and Oracle serve business processes like Digital Oilfield Operations, Hydrocarbon Supply Chain and Operational Integrity that are extremely critical in themselves and are vulnerable to attacks.

For example, hydrocarbon volumes, which are the basis for pricing, excise duty, and transportation fees, fluctuate depending on environmental temperature and pressure conditions. An attacker can easily modify these conditions. Because product valuation requires masses and weights, and weighing is not possible, we must derive them from volumes at ambient temperature and pressure conditions, which requires complex conversion calculations of the observed volumes at each custody transfer point. These complex features put all infrastructure at high risk if an attacker can get access to these data.

This talk, based on several case studies conducted during research and professional services, will shed light on this highly critical and very dark area. We will discuss specific attacks and vulnerabilities related to Oil and Gas companies, as well as guidelines and processes on how to avoid them.


  • Understand specific risks related to Oil and Gas companies' infrastructure from IT and OT perspectives.
  • Learn what kind of enterprise applications are used in the Oil and Gas industry and what kind of security issues they have.
  • Learn how to secure these applications.
  • For pentesters, it will be helpful to learn how to analyze security of these specific systems. For information security specialists, it will be useful to know how to protect their systems.

Alexander Polyakov

ERPScan, CTO, Co-Founder
Founder of ERPScan, President of EAS-SEC.org project. Recognized as an R&D professional and Entrepreneur of the year. His expertise covers the security of enterprise business-critical software like ERP, CRM, SRM and industry specific solutions developed by enterprise software companies...

Thursday October 27, 2016 12:00pm - 12:45pm EDT
Grand Ballroom