The protection of commercially sensitive data has long been a top challenge and priority for most oil and gas companies. The issue has gained even more importance over the last three years following a series of high-profile cyber attacks that have specifically targeted the oil and gas industry since 2011.
The attacks on Saudi Aramco and RasGas in August 2012 attracted a lot of public attention across the GCC to the vulnerability of major oil companies to highly sophisticated attacks. The raids on these two organisations can be added to a wider list of incidents that have recently targeted this crucial industry: Operation Night Dragon, Project Tarmeggedon, and Operation Save the Arctic have all targeted and, in some cases, successfully affected the operations of some of the largest oil companies in the world. Similarly, between July and September 2011, 29 chemical companies were targeted by hackers in an effort to steal industrial secrets.
While concerns around sophisticated cyberattacks are bound to remain a top priority for oil companies operating in the UAE, IDC Energy Insights believes that the questions relating to security in the industry will go beyond ‘traditional’ IT vulnerabilities and will start to impact industrial control systems (ICS), which control electromechanical devices, such as valves or switches, on many critical oil assets.
Attacks on such systems are likely to increase significantly in the coming years, with the oil sector and Middle East region in general both being prime targets for hackers. Formally considered as a purely theoretical risk, the reality of the threat was illustrated by the notorious Stuxnet attacks on Iran in 2010, which specifically targeted the control systems of a nuclear facility, in this case, Siemens’ SCADA networks. Although vendors have been able to release a set of solutions to detect and remove Stuxnet’s infections, revamped versions of the worm have been released on several occasions since the original attacks: Duqu, Flame, and Gauss all share some common characteristics with Stuxnet.
The vulnerability of many industrial control systems used in the UAE’s oil industry lie in two key weaknesses:
Firstly, a lot of these systems were implemented 10–20 years ago at a time when the risk of a sophisticated attack on ICS was considered very low. Security was essentially granted by the fact that ICS communications were managed through proprietary, vendor-specific protocols. The standardisation of communication protocols at the end of the 90s made the concept of ‘security through obscurity’ obsolete, thereby increasing the vulnerability of these systems.
Secondly, industrial control systems have gone through a significant period of architecture evolution during the past 10 years in order to enable additional functionalities and more flexible processes. One of the main evolutions was to enable remote access for maintenance or operational purposes. Similarly, industrial control systems have been progressively connected to various business systems in order to allow the automatic exchange of information. Both of these evolutions have made ICS such as SCADA systems much more user friendly, but also easier to access from the outside and, therefore, more vulnerable to external attacks.
The increased convergence between ICS and IT systems is expected to be a crucial factor in the increase of the number of security incidents involving oil industry control systems in the UAE. IDC Energy Insights believes that the protection of industrial control systems will become a key area of investment for most of the countries’ oil companies in the near future, as they are becoming increasingly aware of the exponential growth in ICS threats targeting the sector, as well as the vulnerable nature of legacy industrial control systems and, more importantly, the disastrous effects of potential incidents involving, for example, the SCADA networks of critical upstream infrastructures. Even though the fraudulent override of a SCADA network is not believed to be the most likely result of an ICS attack at this point in time, experts agree that such attacks could result in the freezing of industrial operations, causing millions of dollars’ worth of financial losses per day due to inactivity.
There are several key action points for oil companies working to mitigate ICS security risks. The first step is to carry out a regular assessment of the potential vulnerabilities within the control systems of their most critical infrastructures: this implies a thorough analysis of the level of protection afforded to each different access point, as well as a review of the impact of IT and ICS integration on the organisation’s vulnerability status. Oil companies will also need to update their identity and access rights strategies as they attempt to secure such systems.
It is absolutely critical that they implement state-of-the-art protection systems for their control networks; the available tools include role-based access control software, business continuity applications, and patching and risk monitoring solutions. Lastly, and most importantly, the teams in charge of ICS security and human resources within these firms will need to converge in order to better educate the workforce at large and increase awareness of the organisation’s security policies.
The columnist is group vice president and regional managing director for the Middle East, Africa, and Turkey at global ICT market intelligence and advisory firm International Data Corporation (IDC).