Security Market Segment LS
Monday, 21 October 2019 11:17

Dragos chief dismisses claims of cyber links to Iran oil fire

Dragos chief dismisses claims of cyber links to Iran oil fire Image by Gerd Altmann from Pixabay

The head of the cyber security firm Dragos has played down reports of a cyber attack being behind a fire at the Abadan Oil Refinery in Iran, which were published by Reuters on Sunday.

Robert M. Lee said in a blog post that some stories about the fire had linked it to an October 16 report from the US, which quoted government sources as saying that a cyber attack had been carried out against Iran.

The report about the fire said it was was in a canal carrying waste from the oil refinery and was at that time under control.

"Various posts on social media took advantage of the claim to spread the information about the cyber attack and claim that it was “probably” a result of the alleged Iranian attacks on Saudi Aramco," Lee said.

Lee, a former NSA hacker, said he thought it necessary to issue this post, "to add some context to such events for the purpose of avoiding hype, but to clearly point out a gap in the industrial cyber security community that we have around root cause analysis and the importance of setting forth a strategy across collection, visibility, and detection to ever get to the point where response scenarios can account for such processes".

In June, Dragos issued a warning about a threat group it baptised Xenotime, which it said had expanded its field of operations from the oil and gas industry to now also target electricity utilities in the US.

The Xenotime group was claimed to be behind an attack in August 2017 on an oil facility owned by Saudi Arabia's Aramco; the attack was outlined by another security firm, FireEye, in December that year without naming the company or the country.

In Sunday's post. Lee said: "While personnel are still trying to get the fire under control it is very unlikely that anyone is performing root cause analysis of the event to include a cyber component.

"Proper root cause analysis, including cyber forensics, is one of the most difficult tasks to achieve in industrial control systems networks. The ICS cyber security community is maturing rapidly but still very far from being able to perform this level of a task reliably."

He said only a small subset of the community was gaining visibility into ICS networks, though progress was encouraging and a hallmark of increasing maturity.

"A smaller subset of that community though is pursuing a collection and detection strategy factored in to the products, process, and training they implement. A much smaller subset is tying this into what types of events they want to be able to respond to and gain root cause analysis.

"Even if Abadan’s oil refinery was world leading in this regard it is unlikely enough time has passed for anyone to properly analyse the information collected.

"For this reason, I would assess that any claims of a cyber attack are immature at this point and unlikely to be founded in proper evidence. Should cyber be considered though? Absolutely, especially with the increasing tension and demonstration of adversaries. But today the larger industry lives closer to Schrödinger’s ICS than we do to organisations’ reliably achieving root cause analysis."

He advised the ICS cyber security community not to "hype up such events but instead look inward and determine if we could answer similar questions of 'was it a cyber attack?' in our own industrial and operations networks".


You cannot afford to miss this Dell Webinar.

With Windows 7 support ending 14th January 2020, its time to start looking at your options.

This can have significant impacts on your organisation but also presents organisations with an opportunity to fundamentally rethink the way users work.

The Details

When: Thursday, September 26, 2019
Presenter: Dell Technologies
Location: Your Computer


QLD, VIC, NSW, ACT & TAS: 11:00 am
SA, NT: 10:30 am
WA: 9:00 am NZ: 1:00 pm

Register and find out all the details you need to know below.



iTWire can help you promote your company, services, and products.


Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments