Dubai: Concerns about cybersecurity are particularly high within the oil and gas industry, which faces a far wider spectrum of threats that are potentially more severe in comparison to other key industries.
According to Repository of Industrial Security Incidents (RISI) data, cyberattacks against oil and gas organisations in the Middle East make up more than half of the recorded instances. In parallel, in the US or other Western countries, they make up less than 30 per cent of the recorded instances.
Katharina Rick, partner and managing director at Boston Consulting Group (BCG), said that the rate of cyberattacks targeting companies in the regional oil and gas sector is notably high, especially compared to global figures.
In recent years, there has been a growing prevalence of cyberattacks in the region.
Cybersecurity firm Symantec reported that Trojan Laziok, an aggressive malware program, had attempted to steal data from energy companies around the world, some based in the Middle East last year. Remarkably, 25 per cent of the attempted cyberattacks targeted companies in the UAE versus 10 per cent in both Saudi Arabia and Kuwait and five per cent in both Oman and Qatar.
The dangers posed by large-scale threats are significant, given the physically expansive infrastructure of oil and gas production and distribution. For instance, the ramifications of a successful cyberattack on an oil and gas company in the Middle East could carry grave implications on national security. In most countries in the region, the oil and gas sector is the main source of income for the government and accounts for 60 to 70 per cent of fiscal spending resources.
This, of course, raises three pivotal questions — Why are oil and gas companies in the Middle East more vulnerable to attacks? How can organisations that have fallen victim to cyberattacks ensure a quick recovery? And what can they do to fend off future attackers?
The reality is, she said that in recent years, companies in the region have invested heavily in newer IT infrastructure and solutions — including multiple mobile devices connected to the oil and gas companies’ networks.
According to Jebin George, senior research analyst at research firm International Data Corporation, IT spending by Middle East oil and gas sector is expected to grow to $1.83 billion in 2016 compared to $1.77 billion in 2015.
“Given their widespread popularity and ability to store sensitive or confidential data, mobile devices are increasingly turning into an open frontier for cyberattacks. In the Middle East and Africa, the situation is especially dire considering the region’s high mobile phone penetration rates,” Rick said.
Independent market research company eMarketer predicts that over 789 million people in the Middle East and Africa will own at least one mobile phone in 2019 — and it is fair to assume that they will be bringing their device to work.
“In this day and age, inadequate boundary protection is a strong point of vulnerability. It can make it difficult to detect nefarious activity and can create avenues that allow outside parties to interface with systems and devices that directly support a company’s control processes. It can also provide an easy access route to industrial control systems — as most communication protocols for measuring and control devices are not as well encrypted as those for business communication systems,” she said.
Another critical point of vulnerability is information flow enforcement. If false data is fed into the system or information is “siphoned off”, most companies would likely never know that for a fact — it could even go completely undetected. There is wide speculation that the colossal malware attack on oil giant Saudi Aramco’s systems in 2012 was actually a cover-up for earlier information flow breaches.
“Insufficient control of information flows can allow attackers to establish unsanctioned and damaging commands and controls with potentially severe consequences for the physical infrastructure, the value of national assets and personal safety and health,” Rick said.
The potential points of attack are plenty. Transactions in the oil and gas arena are broad in scope and range from sensitive information on well sites to end-user consumption at the pumps.
She said that governments in the region, including those of Saudi Arabia and Qatar, have crafted multi-phased national cyber security strategies and developed related policies and frameworks, focusing specific attention on critical infrastructure and national interests.
A risk-based approach centred on three steps
Developing an understanding of the precise risk to the company’s assets and the effort and resources necessary to mitigate them
Building and sustaining a multilayered defence system
Managing cybersecurity risk on a consistent basis