Since the 2010 discovery of the Stuxnet worm, targeted at industrial programmable logic controllers, the Middle East has been central to the increased profile of cyber security threats facing industrial enterprises worldwide. The 2012 security breach of a leading oil and gas company in the region remains one of the most significant cyber attacks on a process plant to date.
It can be no surprise that the Middle East faces a particular challenge from cyber attacks, due to its status as a global centre for oil and gas production. The consequences of a successful attack on its key businesses would be profound.
So, while the threats have continued to evolve, this region remains a key target for attackers. In early 2015, for example, cyber security firm Symantec identified a new information-harvesting malware dubbed Trojan.Laziok, which targeted energy companies worldwide. The most frequent targets for these attacks, according to Symentec, were the UAE (25%), Saudi Arabia and Kuwait (10%), and Oman and Qatar (5%).
With attacks increasing in both number and sophistication, for most it is not a question of if they will be attacked, but when. Whether from enemy states, terrorists, “hacktivists”, criminals, or insiders, the risks facing oil and gas producers in the region are ever-changing and ever-growing.
A survey conducted for Honeywell by researcher Ipsos showed this message has got through: more than two thirds (69%) in the UAE, for example, fear cyber hackers breaching the defences of major sectors of the economy; oil and gas producers are vulnerable to attack according to 64%.
Increasing expectations
In response, there have been efforts from the industry to address cyber security. These efforts are driven in part by fear, particularly in the aftermath of previous attacks. Increasingly, they are also driven by regulation and the adoption of cyber security standards in the region.
Many regional governments have stepped up their requirements. Qatar published the third version of its National Standards for Security of Critical Industrial Automation and Control Systems in 2014, and last year outlined further developments in its National ICT Plan 2015. In 2014, the UAE’s National Electronic Security Authority also published new standards, drawing on international standards such ISO 27001 and the US National Institute of Standards & Technology. Saudi Arabia, meanwhile, has been developing its National Information Security Strategy (NISS), and has had tough anti-cybercrime laws in place since 2007.
Despite this, the evolving threats, increasing use of connected devices and systems, and continued weaknesses in security at some companies, mean further improvements in cyber security are needed. To achieve these, businesses must take a holistic approach: technological solutions to both detect and fend off attacks; processes that ensure technology is effectively applied; and training for staff, to prevent them becoming a weak link in the battle for cyber security.