
Middle East oil producers and cybersecurity: Too big to fail?


Once dominating global headlines, cyber-attacks on oil majors across the GCC have become less common in recent years, but not because hackers are attacking less often. An agile, diversified investment in cyber defence is key to keeping e-viruses and trojan horses out.

“The Masque of the Red Death” by American writer Edgar Allan Poe describes the desperate struggle of a high society to seal itself off from a plague, only to discover at the end of the short story that the lethal virus is already among them.

Phillip Lord, Co-founder, Pimlico Partners

Like the main protagonists in this masterpiece of US literature, energy corporations in the GCC and elsewhere are keen to secure their valuable assets against dangers from outside as well as from within.

It is no surprise that, according to a recently published article by the Financial Times, investment in defence startups (this includes young firms focusing on cybersecurity) rose to almost $3 billion in 2022, up from just $1.1 billion in the previous year.

While geopolitical developments in Eastern Europe played a role, AI, machine learning, cloud computing, web3, IoT, and the rise of drones and intelligent robots made SMEs in that domain more agile and attractive. The times when public and private institutions relied solely on the big boys in the industry are over.

“Governments have to adapt to the fourth industrial revolution,” said Mohamed Al-Gergawi, Minister of Cabinet Affairs of the UAE. 

Not all quiet on the Eastern Front

External attacks hit the headlines especially in the years following the Great Recession, when tensions flared up in the Middle East. Viruses like Stuxnet, Flame, and Mini-Flame were allegedly created to disrupt critical infrastructure in some states of the Middle East. In 2012, Saudi Aramco was hit by a cyber attack using a virus called Shamoon: 30,000 Aramco workstations malfunctioned for over a week before the company managed to restore them to normal. In May 2020, Israel confirmed a virus attack on its already distressed water systems.

Saudi Aramco, the world’s biggest oil producer by daily crude production, has for example developed a Third-Party Cybersecurity Compliance Certificate. “The cybersecurity compliance certification (CCC) program has been introduced to ensure that all third parties obtain a cybersecurity compliance certificate from the authorised audit firm, to confirm their adherence to the cybersecurity requirements, as mandated in the Third Party Cybersecurity Standard (SACS-002), to conduct business with Saudi Aramco,” says the stock-listed firm on its website.

The example of Saudi Aramco highlights two aspects:

  • There is no room for complacency even as cyber defence advances on all fronts
  • Oil companies must have a conventional cyber defence for their white-collar office workers and a specific cyber defence for their oil rigs, which make up most of the industry’s critical infrastructure

At the office level, oil companies should carry out regular background checks on workstation activity, change passwords, and run random checks on saved files and on files sent via email, social media, and messenger apps. In March 2021, a U.S. citizen from Nebraska was sentenced to two years after he was found guilty of stealing his employer’s confidential data for commercial exploitation, Digital Guardian has reported.

Upstream protection

Every oil rig has a digital twin. According to Swedish tech and telecom giant Ericsson, a digital twin “provides a virtual copy of your actual plant. They are the digital representation of the physical assets that keep your production facilities operating.”

Disrupting one element of the chain could mean the total failure of the entire portfolio of oil rigs and pipelines. Saudi Arabia alone has an oil rig count of 42,000, up from 32,000 a year ago.

Conclusion

Cyber defence is no longer the preserve of the “big boys” alone. It is a global phenomenon that includes startups and young innovators alike.

Diversification is key to protection. The UAE’s inclusion of multiple nations, such as Austria, Japan, Malaysia, and Canada, to mention a few, in its oil exploration protects the country against adversaries and amplifies the highest standards of cybersecurity. ADNOC, for instance, has signed deals worth $9.52 billion with 25 leading domestic and international players for multiple oil and gas industry products to be manufactured within the emirate of Abu Dhabi.

Only a permanently up-to-date approach guarantees that the Masque of the Red Death will not enter the treasury of black gold in the Gulf Arab region.