Alarm bells in the global energy market rang in May when a cyberattack forced a six-day shutdown of Colonial Pipeline – a critical infrastructure in the US, which is the world’s biggest oil consumer and producer.
The rising impact and effectiveness of cybercrime is the flipside to the widely lauded and strengthening adoption of digitalization in an increasingly globalized energy market. Cybercrime costs are expected to climb by 15 per cent per year over the next five years, reaching $10.5 trillion per year by 2025, according to Cybersecurity Ventures. This could represent the greatest transfer of economic wealth in history.
The threat has only intensified amid the surge in remote working and decentralized systems amid COVID-19. When the UAE announced movement restrictions in March 2020, the total number of brute force attacks against remote desktop protocols (RDP) jumped from 467,115 in February 2020 to 1.3 million in March 2020, Kaspersky revealed.
Digital tools are one of the vital keys to unlocking the greatest puzzle in today’s energy markets: How to affordably meet rising energy demand while increasing environmental protection? This means the growing risk of cybercrime cannot translate into a retreat from digitalization. It just means being a lot smarter about protection.
Consider this viable scenario; a wave of simultaneous attacks on energy infrastructure essentially holds swathes of energy security hostage, impacting billions of people and millions of businesses. Clearly, cybersecurity demands more serious and significant action.
State-owned energy companies – those acting as social champions as well as commercial ventures – can face particular risk. Attacks on such entities can trigger security and economic dislocation and throw healthy competition between operators into array.
Cyber criminals can also leverage the often-siloed nature of companies’ physical and cyber operations. This is exacerbated by energy companies changing their portfolios to support decarbonization, such as exploring renewable energy markets. These upheavals only make it easier for cybercriminals to expose down vulnerabilities.
Some energy companies’ antiquated security systems – perhaps borne in the ‘easy cash’ era of $100 a barrel plus oil prices – need urgent reviews. It is excellent progress to see that 59 per cent of Middle East CEOs plan to double digit investments in digital transformation, according to PwC’s 24th CEO Survey.
But that just 41 per cent of Middle East CEOs are extremely concerned about cyber threats is more surprising considering the red flags. The number of users of Kaspersky software worldwide in 2019-2020 who encountered targeted ransomware – malware used to extort money from high-profile targets – soared 767 per cent.
Still, the good news is that awareness and measures are improving – and investments are flowing. The post-COVID-19 market size for the Middle East’s cybersecurity market is projected to grow from $15.6 billion in 2020 to $29.9 billion by 2025, according to MarketsandMarkets.com. Plus, the UAE recently established a Cybersecurity Council, and Saudi Aramco, Siemens Energy, and the World Economic Forum (WEF) have launched a co-lead report on cyber resilience in the oil and gas industry.
Based on IBM and Ponemon Institute’s 2020 analysis, the cost of all data breaches – not just energy-related ones – in Saudi Arabia and the UAE climbed by 9.4 per cent over the last year. These incidents cost companies studied in the region up to $6.53 million per breach on average – 70 per cent higher than the global average of $3.86 million.
Notably, the average time for companies in Saudi Arabia and the UAE to first identify a data breach has only decreased by just 10 days, from 279 to 269 days, not including the 100 days to contain the it.
Winning the power play
Right now, cyber criminals largely have the upper hand. For example, some common criminal businesses can be operated for as little as $34 month with a $25,000 return. Others may routinely require $3,800 a month yet reap up to $1 million per month, detailed Deloitte.
How to shift the balance so that energy companies have the ruling hand? Aside from raising awareness and education, keen investors also need to be involved. They can support the implementation of much-needed state-of-the-art digital protection systems, as well as supporting more sophisticated research and development (R&D) to outsmart cyber attackers.
Equally, financiers need signals from the industry that the right steps are being taken to not only keep their operations as safe as possible, but also investors’ money. Whatever route energy companies opt to take, they must act soon and collaboratively. Together, we can build stronger digital defenses – brick by brick.