
Securing the critical infrastructure holds key

The cyber defences used in the MENA region to ward off attacks are outdated and ineffective, remaining highly vulnerable to hackers, Mohammed Abukhater writes


The energy wealth of the region has certainly attracted a lot of attention – including the undesired kind. Technological innovations, coupled with the drive towards ‘smartification’ and complex geopolitics, have made the oil and gas sector susceptible to an increasing wave of cyberattacks – a sector that forms the bedrock for most economies in the region.

An essential component of this sector is critical infrastructure, supported by industrial control systems (ICS). Once predominantly manual, many of the tasks in the energy supply chain, from exploratory drilling, to production, refining and distribution, are now monitored and controlled by ICS.

However, as control systems and other devices that were previously not connected come online, their attack surface increases, thus presenting new risks. FireEye iSight Intelligence has identified nearly 1,600 publicly disclosed ICS vulnerabilities since 2000. The pace of technological innovation, which encompasses the Internet of Things, cloud computing, smart cities, mobility and unprecedented levels of connectivity, means that hackers now have more channels to launch attacks.

Take away this vital pillar of operations and you take away the ability of the organisation in question to function.

Critical infrastructure is only as good as the security systems and protocols in place to ensure its protection. Many of the cyber defences used by regional organisations and critical infrastructure operators to ward off attacks are outdated and ineffective, remaining highly vulnerable to hackers, as evidenced by headlines in recent years. Cyberthreat actors are not blind to this fact.

In 2012, cyberattackers targeted Saudi Aramco, infecting 30,000 computers with malware and taking them offline. Within a matter of weeks, an attack on LNG producer RasGas resulted in the shutdown of its computer network. In another instance, the US Justice Department indicted seven hackers this year for staging a coordinated cyberattack that targeted a dam near New York City. Needless to say, there have been a worrying number of attacks on critical infrastructure, with no signs of them abating anytime soon.

The motivations behind these attacks are varied. Actions in cyberspace are merely a reflection of real-world politics and conflict – and in this region, the lines of conflict are highly complex, to say the least. For the financially motivated or the ideologically driven, the local energy sector presents an alluring target. Advanced Persistent Threat (APT) groups may attempt to steal information that can assist their sponsoring government in ensuring national and economic security.

Data theft will likely involve information related to natural resource exploration and energy deals. APT groups may also engage in destructive and disruptive actions against an adversary’s energy industry in the event of conflict.

Continued innovations in fossil fuel development and alternative energy production will also lead to increased cyber espionage as APT groups try to obtain related intellectual property and proprietary data for the benefit of state-owned companies. Growing global demand for energy and dwindling natural resources will likely result in increased cyberespionage against the sector as nation-states seek intelligence that would afford them a competitive advantage when vying for energy security.

Simply put, the threat to the energy industry has never been greater.

According to IDC, 80% of regional firms lack the tools to detect and assess threats, while 42% say that cybersecurity solutions are not enough to manage cyber risks. With few regulations in place, it has become increasingly important for these industries to assess their environments and cybersecurity risk.

One way to do that is through compromise assessments or ICS assessments. These tests search the environment to identify whether or not a hacker is currently in the system. If a breach is identified, the organisation can work to stop it and secure their system before any valuable information is taken.

Security assessments may spell the difference between being compromised and conducting business as usual. These ICS assessments can bolster cyber defences by analysing the network to verify traffic patterns and gauge severe risks.

Organisations could also perform “red team” operations. In this assessment, a team of experts attempts to hack into an environment and, if successful, they can then reverse-engineer security features to make sure that a real hacker cannot gain access to the system. Additionally, pre-planning and incident response preparedness are both excellent ways to stay ahead of the breaches that typically catch organisations flat-footed.

What is encouraging to note is that GCC states, such as Saudi Arabia, the UAE and Qatar, have – in response to these challenges – started taking the first steps towards instituting comprehensive cybersecurity policies, with an emphasis on critical infrastructure. This is a move in the right direction and indicates their understanding of a key fact: protecting the oil and gas sector’s critical infrastructure isn’t just an issue of national security; it’s something that future growth prospects invariably hinge on.

In the end, the best way to address this challenge is collaboration. A firm alignment of people, process and technology will ensure the protection of the organisation’s critical infrastructure and ICS. This entails the involvement of employees across all levels of an organisation. The fallout from a successful breach is not just the loss of operational control and financial resources, but also a reputational backlash, compromising the company in the long term.

Greater cooperation between firms can also prove to be instrumental in turning the tide, safeguarding critical infrastructure and stopping malicious actors dead in their tracks. A good example is the mutual exchange of information between central banks in the Far East, which allowed Bank Indonesia and the Bank of Korea to foil a recent DDoS attack. Taking note of this, the energy sector would be well-advised to follow suit.

According to a report by the World Energy Council, spending on cybersecurity by the energy industry is slated to hit $2bn by 2018. Given the geopolitical context of the region and its importance in energy economics, oil firms will remain an enticing target for threat actors in the foreseeable future. As industrial control systems are foundational to the continued success of those firms and national economies, we anticipate they will come under increasing attack. Those who fail to prepare and collaborate may find themselves unable to fill up the tank.
