By Slavka Atanasova
Experts have put the vital industry on high alert as the threat from online criminals increases
On 15 August 2012, Saudi Aramco, the largest oil producing company in the world, fell victim to one of the most notorious cyber attacks in the region’s history. A self-replicating virus struck as many as 30,000 of Aramco’s Windows-based machines, causing damage that took the oil giant as long as two weeks to recover from.
“Saudi Aramco has long been one of the leaders in information security but mismanagement, underestimating and not conducting proper risk assessments could all be reasons why they got attacked,” said Tariq Rayyan of BSI, MEA.
More than two years later, the incident is still fresh in the industry’s mind, and very rightly so, as the threat of cyber espionage has never been greater.
According to a study by PwC, the number of reported cyber attacks carried out on oil and gas companies last year soared above 6,500 cases - a 179 percent increase from the year before. Frost & Sullivan has also reported that cyber security uptake is expected to surge and become “the highest-priority area for oil and gas companies”.
Experts define cyber attacks as “an intrusion on a network infrastructure that will first analyse an environment in order to exploit existing vulnerabilities within a system or an organisation”.
There are generally two types of cyber attack: passive and active. If the purpose of an attack is only to learn and obtain information from a system without altering or disabling any resources, it is classed as a passive attack. Active attacks occur where the perpetrator accesses and either alters, disables or destroys the existing resources or data.
According to Diego Arrabal of F5 Networks, cyber attacks come in various shapes and forms. “The oil and gas industry cyber-attack playbook could include anything from distributed denial of service (DDoS) attacks and phishing/spear-phishing emails to data theft, ‘zero-day’ software assaults, web application exploits, and website defacement,” he said.
While some of these might sound harmless, they could cause damage ranging from reputational embarrassment and disruption of supply to millions of dollars in losses, or even health and safety incidents if critical equipment fails or is led astray by faulty data. As the industry becomes increasingly automated and technologically advanced, its vulnerability increases.
“With all these megatrends - the digital oilfields, industrial internet and internet of things - there is more data being generated by sensors rather than people,” said Simon Goldsmith of BAE Systems.
“All of those physical measures, whether it is temperatures, pressures or drill speeds, can be manipulated. This could disrupt or damage the operations or have potentially more devastating consequences on the safety of those who work with hazardous equipment or processes. What marks this industry out is that something that starts as a cyber attack can have a very devastating physical impact,” he added.
On the question of what companies should do to protect themselves from cyber evil-doers, Gert Thoonen of Rockwell Automation says: “Funnily enough, the best protection is disconnecting from the internet and, even then, we are not fully protected.
“Having or getting access to the system is creating a risk so everyone who has access is a potential risk. There is not one single thing that can protect us from attacks. The common approach in all standard groups is an in-depth approach; a layered approach where each part takes a specific risk away.”
Practical advice includes disabling unused USB ports, using secured flash instead of open flash, implementing strong passwords, and blocking unused switch ports. Companies should also avoid standardisation which, Thoonen says, is a big risk enabler.
“Standard means open specification, everyone can buy or get a standard specification and can see how it works. The good user will use it to standardise and integrate his product to connect to the network but the hacker will use it to find out where the weaknesses and open holes are to attack these systems.”
However, the hurdles to ensuring good cyber safety do not stop at choosing the right technical protection. The organisational structure of the companies themselves presents a whole new set of challenges, as Goldsmith explains.
“There is a difficulty in oil and gas from an awareness point of view. You tend to have two organisations within an oil and gas company: the IT organisation that is traditionally responsible for security and the engineering organisation, which is responsible for all the operational technology. Those two organisations need to be able to work together and they do not normally speak the same language.
“The IT organisation is used to the concept of cyber security and building security into their solutions. Whereas, the engineering organisation will be all about the reliability and availability of their plants.
“The chief engineer will make sure that the plants are operational and available, and that they are as productive and as efficient as possible, so they are not incentivised to worry about cyber security. Getting those two organisations to understand each other and understand how they can collaborate from a cyber security perspective is really important.”
While general awareness can vary between companies, normally, organisations need to have experienced an attack to learn their lesson.
“If I go to an engineer in a company that has suffered from a cyber attack, I tend to get a better level of awareness, and a better understanding of the importance of building security into my systems, than if I went to a company that is not aware it has been attacked,” said Goldsmith.
However, because of the complex nature of some of the attacks, some companies do get targeted but never find out about it.
“We are talking about some very sophisticated attacks here. They are able to evade all the monitoring systems and get through all the defences. Because they are using the kind of exploits that have not been published yet, or they are hiding in the massive amounts of security data that is in the organisation and they become very difficult to spot. That is where you need to start using more sophisticated techniques,” said Goldsmith.
By more “sophisticated techniques”, many companies understand buying more high-end technology. It turns out, however, that there is much more to it than that.
Rayyan, of BSI Systems, said: “Technology is not the main protector of an organisation. Some people think ‘we will buy as much technology as possible and that will keep us safe’ but that is not the experience that we have.”
According to Rayyan, managing your risk assessment properly can often make the difference between suffering millions of dollars in damages and keeping your assets safe.
“You need to understand the actual elements of security and understand what your risks are. People, culture and location are a big part of it. It is also important to understand what the motives for a potential attacker would be, who is looking at you. Once you understand those factors and incorporate them into your risk assessment, then you will be able to manage the risk assessment properly.”
The GCC countries started taking cyber security on board not so long ago, in 2006, and have been investing more heavily in the past couple of years. In the first months of 2014, the National Electronic Security Authority (NESA) published key policies and standards for dealing with cyber threats in the UAE. However, a lack of set laws against cyber criminals is what is deterring the industry from making more solid progress.
What has really been missing to this day is a set of laws or legal procedures on cyber crimes, as Rayyan explains: “In the entire region we lack cyber security regulations. We do not have a legal regulatory part to enforce laws and support us unlike countries such as the UK and the US, which have regulations that empower authorities and organisations. I think this is one of our weaknesses in the area.”
A recent report by Trend Micro on the Middle East suggests that 24 million adware attacks took place in the third quarter of 2014. Of these, 14 million were in Saudi Arabia, making the kingdom once again the region’s first, and the world’s third, most desired country for cyber criminals. The UAE was second in the list with a staggering 8mn.
By comparison, security threats in the rest of the Middle East appeared relatively low – a total of just 2mn.
Thanks to their rise in publicity, cyber attacks have become better known to both citizens and authorities in the emirates, which makes Rayyan hopeful that progress will continue.
“I think the UAE government has been very supportive of efforts to push for a standardised approach towards security, emergency and risk management crisis. They are aware of what is happening and want to improve, and I believe they are taking one step at a time to make it happen.”
Some experts believe that the region does deserve credit, if not for action, then at least for general awareness of the threat of cyber espionage.
“From our interaction with the market, we’ve seen that the Middle East is determined and prepared to set an example on a global scale when it comes to cyber-attacks in the oil and gas industry,” Arrabal said.
“However, while awareness-levels and technological capabilities to cope are at an all-time high, the region’s oil and gas industry needs to be extremely cautious about ever-evolving and increasingly complex risks. Looking ahead, we need to do everything we can to raise industry knowledge of the complexity and nuances of the problems, and ensure industry players, governments, as well as software and hardware vendors, are all on the same page,” he added.