Robert M. Lee said in a blog post that some stories about the fire had linked it to an October 16 report from the US, which quoted government sources as saying that a cyber attack had been carried out against Iran.
The report about the fire said it was was in a canal carrying waste from the oil refinery and was at that time under control.
"Various posts on social media took advantage of the claim to spread the information about the cyber attack and claim that it was “probably” a result of the alleged Iranian attacks on Saudi Aramco," Lee said.
|
In June, Dragos issued a warning about a threat group it baptised Xenotime, which it said had expanded its field of operations from the oil and gas industry to now also target electricity utilities in the US.
The Xenotime group was claimed to be behind an attack in August 2017 on an oil facility owned by Saudi Arabia's Aramco; the attack was outlined by another security firm, FireEye, in December that year without naming the company or the country.
In Sunday's post. Lee said: "While personnel are still trying to get the fire under control it is very unlikely that anyone is performing root cause analysis of the event to include a cyber component.
"Proper root cause analysis, including cyber forensics, is one of the most difficult tasks to achieve in industrial control systems networks. The ICS cyber security community is maturing rapidly but still very far from being able to perform this level of a task reliably."
He said only a small subset of the community was gaining visibility into ICS networks, though progress was encouraging and a hallmark of increasing maturity.
"A smaller subset of that community though is pursuing a collection and detection strategy factored in to the products, process, and training they implement. A much smaller subset is tying this into what types of events they want to be able to respond to and gain root cause analysis.
"Even if Abadan’s oil refinery was world leading in this regard it is unlikely enough time has passed for anyone to properly analyse the information collected.
"For this reason, I would assess that any claims of a cyber attack are immature at this point and unlikely to be founded in proper evidence. Should cyber be considered though? Absolutely, especially with the increasing tension and demonstration of adversaries. But today the larger industry lives closer to Schrödinger’s ICS than we do to organisations’ reliably achieving root cause analysis."
He advised the ICS cyber security community not to "hype up such events but instead look inward and determine if we could answer similar questions of 'was it a cyber attack?' in our own industrial and operations networks".