Eric Eifert, SVP, DarkMatter LLC
Cyber security for energy companies within the Middle East is extremely important. For example, the security breach incidents at Aramco and RasGas highlighted the fact that oil and gas companies are a target of cyber attacks, which, if successful, can have a significant negative impact on organisations. The energy sector has the added challenge of needing to provide cyber security across a more diversified environment, which includes industrial control systems, communications systems with remote facilities, sub-contractors/suppliers and its own corporate network.
Previously, the biggest threat energy companies faced was the loss of sensitive and proprietary information to competitors. This information could range from something as simple as a list of customers to more complex data such as the chemical formula for a gasoline additive or the organisation’s mineral exploration investment strategy. While different areas are of interest to different types of threat actors, they generally share a single characteristic: the information is held on corporate servers in headquarters and regional offices. Information loss could be significant, having far-reaching implications for the profitability and reputation of the firms attacked.
However, such attacks rarely affected the day-to-day operations of the targeted firms; the commercial damage was real, but it would unfold over months and years as executives realised their rivals had gained a competitive advantage over them through theft. It rarely caused processes to be shut down and certainly didn’t involve disruption to supply and production. Threats were best countered by robust information protection measures, including encryption of data in transit and at rest, and access controls to ensure that information was only disseminated to those who genuinely needed it.
While traditional threat actors (rivals, criminals and environmental activists) persist, today we’re seeing a dangerous trend of energy companies being targeted by state actors with far more ambitious and dangerous intentions. As more systems go online and become interconnected, they can be targeted by a hostile state looking to attack the underpinning infrastructure of the nations in which they operate.
The malware programme nicknamed Stuxnet (discovered in 2010), for example, targeted computers that controlled centrifuges in a nuclear enrichment programme in a country in the Middle East, altering their rotation speeds, causing the centrifuges to tear themselves apart and producing a cascade of second-order effects. More recently, Ukraine suffered a multi-tiered attack on its energy facilities. The Ukrainian computer emergency response team (CERT) reported that in total eight facilities were attacked, ultimately leading to a loss of power for hundreds of thousands of people in the middle of winter. Although most recovered their power within three hours, after-shocks continued for days, with power company employees having to travel along ice-covered roads to remote sub-stations to manually close breakers the hackers had opened remotely. Most sinisterly, the attack was multi-pronged: the opening of breakers was accompanied by spoofing of monitoring systems, a distributed telephonic denial of service attack on help lines, and destructive attacks against corporate systems, all designed to systematically prevent the Ukrainian authorities from resuming control.
The Middle East is rapidly increasing its cyber security capabilities; however, it takes time to build mature processes and procedures, upgrade technology, collaborate on threat intelligence, and develop a workforce that can tackle the current and future cyber threats. We are starting to see cyber security policy, information sharing laws, education programmes, and cyber security technology companies focus on the region. There is an increased understanding of the cyber risks that face the region and investments to mitigate those risks.
We believe that energy companies and governments need to adopt an outlook on cyber security in which they assume breach and establish the necessary protocols and defences for it.
We also believe that underpinning this outlook should be a commitment to a cyber security life-cycle, which is a four-stage approach encompassing planning, detection, protection, and recovery.
Energy companies need to focus on:
How and why cyber security is at the forefront of national security
Why having additional connectivity / IoT / smart cities exposes additional threat vectors
How the current geo-political turmoil is intertwined with cyber