Future of cybersecurity: Drilling down into the fundamentals

Cybersecurity professionals across the region are becoming all too aware of the many high-profile attacks directed squarely at oil and gas majors

GCC nations may have embarked upon programmes of economic diversification designed to dilute their reliance on petrochemicals, but oil and gas industries in the region are a long way from twilight, or even dusk. Oil production continues to hover at around one sixth of GDP in the United Arab Emirates and some estimates put Saudi Arabia’s petrochemical activity at 46% of GDP. Having built their prosperous present on natural resources, Gulf countries will heavily rely on them for the foreseeable future. And this is not lost on their adversaries.

Critical infrastructure is by no means impervious to digital disruption. Cybersecurity professionals across the region are all too aware of the many high-profile attacks directed squarely at oil and gas majors. In 2012, Saudi Aramco and Qatar’s RasGas faced multimillion-dollar attacks from the Shamoon virus. And while Aramco’s latest cyber incident involved a data leak at a third-party contractor and did not disrupt operations, the event’s uncomfortable proximity to an economic fulcrum was bound to cause anxiety among CISOs of regional petrochemical companies.

Gregg Petersen, Regional Director – MEA at Cohesity

A glance westward at, for example, the Colonial Pipeline incident in the US shows just how vulnerable all digital systems are to ransomware, so this is where oil and gas CISOs will be focusing at least some of their efforts in the coming years. Ransomware 1.0 was a simple gambit for the threat actor – lock up business-critical data and wait for a payday, assuming the target organization had no backups or recovery solutions.

Ransomware 2.0 involved destroying backups. If successful, paydays were all but inevitable. Ransomware 3.0, however, not only encrypts data but exfiltrates it. If sensitive, it can be sold, or the threat of a sale can be used to further extort the target. So, the risk of Ransomware 3.0 goes beyond mere operational disruption to brand damage.

As every CISO knows, prevention is now a relatively minor part of their job. Mitigation is the central focus in cybersecurity, and while preventative measures are an absolutely vital part of this, security leaders must look beyond them, to protection of data, detection of threats, and, in preparation for the worst-case scenario, business-recovery strategies. Security teams will, of course, continue to look to the perimeter and work to make it as robust as it can be. But the headlines often tell stories of a human error that allowed attackers to walk through the front door rather than having to penetrate defences.

Cybersecurity: Back to basics

Responding to new dynamics often involves taking a step back and reviewing the fundamentals. The threat landscape is always going to be on the move but responding to new techniques and attack vectors is difficult if the basics are not in place. First, security teams must know their environment, top to bottom – every asset, every file. On the basis of that knowledge, they must ensure that systems are sufficiently patched and that the network is appropriately segmented. This is of particular importance in organisations that deal with both OT and IT, such as those in the oil and gas industry.

Today, the fundamentals of cybersecurity go further to include new methods of protection such as multifactor authentication. Security teams must enforce user-access control and educate their colleagues about their responsibilities in the context of the enterprise’s threat posture.

Other more recent fundamentals include disaster recovery. Regular drills must take place to ensure that everyone knows their role in a crisis. And in an era governed by the digital experience, DevOps must work with security to ensure the protection of employees and customers.

Beyond the fundamentals

Once the basics are addressed, cybersecurity teams can return to the issue of the current threat landscape. Ransomware 3.0 lurks in the shadows ready to strike. Addressing next-gen ransomware requires next-gen data management. Modern platforms protect and defend backups as well as production data, leveraging a range of technologies to deliver immutable snapshots of data, which means data becomes locked and cannot be moved or manipulated in any way without multifactor authentication. Strong encryption and off-site, cloud-based data isolation add extra layers of protection to make life exceedingly difficult for Ransomware 3.0 campaigns.

These data-management platforms are also adept at early detection of ransomware attacks, through advanced AI, and are capable of responding automatically with recovery actions based on predefined Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO). This can be the difference between a prolonged (and hence expensive) attack with extended downtime and one that causes minimal disruption.

The fundamentals of prevention work well with a next-gen data-management platform that delivers protection, detection, and response as out-of-the-box standards. Organizations that operate critical infrastructure will reap a range of benefits from such solutions, but only if the teams responsible for securing, protecting, and managing data work together. IT normally backs up and protects data, while security focuses on preventing threats. Today, these teams must find ways of integrating one another’s practices to build greater cyber resilience and business continuity.

Completing the chain

This need brings us full circle to the fundamentals. Disaster-recovery drills must involve stakeholders from IT and security. Roles and responsibilities may have to change to ensure that a breach, exfiltration, or other negative event creates the minimum impact, and that critical infrastructure remains offline for the minimum possible period.

Cybersecurity is the responsibility of us all. Training, culture changes, and organizational redesigns may be necessary to get this message across, but it will be worth it. The regional oil and gas industry can ill afford a showdown with today’s threat actors without the strategies and weapons to fight them off efficiently.