The digital age has refashioned the business landscape; it has enabled better decision making, reduced costs and reinvented business models, while destroying others.
But the almost ubiquitous nature of the internet has also brought with it some very serious threats. Networks can be hacked, viruses can be triggered and critical business information stolen.
Within the upstream oil and gas sector the implications of a serious security breech are far reaching, whether it is shutting down production, causing an onsite accident, stealing data, or impacting on the global price of oil (a particularly unwelcome side effect given the current pricing crisis).
“Worldwide, energy firms are delivering unprecedented benefits in leveraging the Internet of Everything to connect people, processes, data, and things to networks,” Rabih Dabboussi, general manager, Cisco UAE, tells Oil & Gas Middle East.
“This enhanced connectivity connects global operations, drives efficiency, automates dangerous tasks, and manages complex supply chains. However, this increase in connectivity is also exposing a wider network surface area to an increasing number of more and more complex cyber-security threats.”
Indeed, the increase in in connectivity is also exposing a wider network surface area to an increasing number of more and more complex cyber-security threats. Global security threats reached their highest-ever levels in 2013, according to our 2014 Cisco Annual Security Report, with the energy sector one of the most at-risk industry verticals.
The advancement of personal devices, such as smartphones or tablets, over the last six or seven years (Apple’s first-generation iPhone was launched in 2007 – a game changer in the world of smart devices) has been staggering, allowing a previously unseen level of mobility and connectivity.
“Mobility brings a lot of value and advantages for the company, especially when the employees are spread around various locations, and sometimes harsh environments where quick decisions need to be made,” comments Asfar Zaidi, principal consultant at Huawei. “So they want to enable their workforce and create a collaborative environment, but that requires a really sophisticated level of security.”
But figures suggest that some oil and gas companies are playing catch-up when it comes to the potential effects of Bring Your Own Device (BYOD). A study conducted by Cisco found that 46% of Middle East employees bring at least one personal device to work. However, only 55% of companies have a BYOD plan in place, and 65% of employees do not realise the dangers of BYOD.
“In general, Middle East organisations and employees do not realise the potential dangers of BYOD, and are unprepared to manage their security,” says Dabboussi.
“In the energy sector, mobile devices can get more easily infected and can lead to malware spreading faster. Among the most effective cyber-attacks are phishing, social media “jacking” that tricks users into clicking different pages, forcible re-directs to websites other than expected, adware, and spyware.”
Part of the problem comes from the number of different types of software that data and information are being viewed upon. For example, the Android operating system is a notoriously fractured one, with multiple different versions and updates for different devices, and – in cases of older devices – developers ceasing to offer new updates, leading to an increasingly buggy and more easily hacked system.
Article continues on next page …
Zaidi believes that the nature of this environment means that oil and gas companies are taking a cautious approach.
“Most oil and gas organisations know the value of mobility and a collaborative network, but they are making changes in stages so they can understand the loopholes and threats at each stage of their work. That means they are looking at all different devices, whether that’s smartphones, iOS devices or Huawei devices for example and finding the best and most secure way to use them.
They are managing those devices and concentrating on where the corporate data sits.
“Oil and gas companies know that will be operating in a heterogeneous environment, in terms of devices and manufacturers, so it’s important they understand the threat of each device or operating system. What are the loopholes and threats and how can attackers get information?
“They understand there is no way they can go with uniform operating systems so they consider how to use a heterogeneous environments, so they are working with vendors to design infrastructure that is secure and can be used by their staff – those connections need to be supported.”
Such an approach is understandable given the risk operators face. While the energy oil and gas sector is one of the most technologically advanced industries, figure show the threat of malware attacks on oil and gas firms is more than 300% higher than the median industry. It means that that the chances of cyber-attack are real and acute.
“All Middle East organisations should assume they have been hacked. It is no longer if they will be targeted by cyber-attacks, but rather when and for how long,” states Dabboussi. “Using methods ranging from the socially-engineered theft of passwords and credentials, to stealthy, hidden-in-plain-sight infiltrations that execute in minutes, malicious actors continue to exploit public trust for harmful consequences.
“Energy firms realise that malware can cripple an energy company’s IT infrastructure and halt business operations, and potentially disrupt the world’s energy supplies.”
Recent attacks are also fresh in the mind of the industry, and with critical data and billions of dollars at risk, the stakes are extremely high.
“On the minds of many Chief Information Security Officers (CISOs) is the Shamoon malware attack against a large oil and gas company in 2012, when hacktivists aimed to destroy information, steal intellectual property, and cause political consequences,” says Dabboussi.
“Energy, oil, and gas firms are concerned about “watering hole” attacks that infect websites that target employees visit. The global energy sector ranks second in the world in watering hole attacks, according to the 2014 Cisco Annual Security Report.”
Zaidi agrees that oil and gas companies have not forgotten previous incidents. “They know how important security is for a network and the steps they need to take. But still, they are taking cautious steps towards adoption, as they are learning from the past, when some have suffered significant losses of data. We are meeting with companies and educating them as much as we can to make their networks more secure,” he says.
But companies will also have to keep pace with a rapidly changing landscape. It is predicted that there will be 50bn connected devices by 2020 and 500bn by 2030, as the demand for oil and gas increases over the next 20 years.
Cloud technology will also continue to advance, while at the same time making organisations that have not got the proper infrastructure and processes in place more vulnerable to cyber-attack.
Dabboussi believes that a more collaborative approach to security will be needed.
“As the region embraces the era of the ‘Internet of Everything’, companies must realise that security is no longer the responsibility of IT professionals alone. Mobile operators, device manufacturers, software developers, and businesses need to be on high alert for potential cyber spill over, especially with mobile malware.
“With cybersecurity threats continuing to grow and becoming increasingly complex, energy-related organisations will need to protect the ‘weak links’ in their networks, and adopt a business-oriented cyber security approach.”