An Aramco oil facility in Jeddah. It’s not just missiles or drones that Saudi Aramco needs to watch out for. The company’s cyber security is imperative for keeping safe. Image Credit: AP

Aberdeen, Scotland: Saudi Aramco knows only too well the importance of safety and security. “Stronger than ever” was the message its CEO Amin Nasser delivered this week following the September 14 attacks on its oil facilities.

The fires that were intended to destroy Saudi Aramco had an unintended consequence, he insisted. “They galvanised 70,000 of us around a mission to rebound quickly and confidently.”

Nasser added that the attacks “cemented to the world the great importance of Saudi Arabia and its oil industry.”

Risks beyond drones

But it’s not just missiles or drones that Saudi Aramco needs to watch out for. The health of a major company’s cyber security is imperative for keeping safe.

Saudi Aramco has an online cyber security course that’s mandatory for all employees. “People investment” is how Raed Al-Shaikh, the EXPEC information security division head at the Saudi company, described it during the Offshore Europe conference held in Aberdeen, Scotland earlier this month.

“They are the first line of defence,” said Al-Shaikh. “We have KPIs of all employees taking this course and the plan is to have it at least once per year.”

In the Middle East, when it comes to cyber security, “most of the attacks we are getting are coming from phishing practices”, Al-Shaikh admits.

“It only takes one hit of an employee in the company, say a virus or ransomware, just one hit.”

No let-up in attacks

Phishing is a tactic used by hackers to trick employees into giving away private or sensitive data. But things are looking bright when it comes to thwarting phishing attempts on Saudi Aramco, Al-Shaikh said, pointing to the results of a recent employee test.

“Our numbers came up recently and we were amazed how people were becoming phishing aware,” Al-Shaikh said at the panel discussion. “Based on the context — examining the email address or the language of the email — people can now really identify if it’s a phishing email.”

“Awful” is the word he uses to describe the results when Saudi Aramco began testing employees’ cyber security skills with a controlled phishing campaign.

“I mean, the numbers we saw were just amazing,” Al-Shaikh said. “People took the phishing emails easily. And that was very, very dangerous.”

It was imperative that something was done, so controlled phishing campaigns were implemented once a month. “If you are caught by one of the controlled phishing campaigns that we do, you will get a message saying ‘Okay, you got caught there’,” said Al-Shaikh.

“If you are caught three times in a calendar year, it will affect your appraisal. And if you reach five in a year, there is a very big chance you will be dismissed from the company.

“Phishing campaigns are really important and this is how serious we take it in the company.”

However, it has not been all stick and no carrot at Saudi Aramco, which employs more than 65,000 worldwide. And education certainly seems to be bearing fruit.

“If you catch and report a real phishing campaign, we give employees an online certificate right away, which they can add to their profile,” Al-Shaikh said.

Mario Chiock, who works as a Fellow for IT Security at Schlumberger, told the Offshore Europe conference that, like Saudi Aramco, his company “phish employees”.

“We don’t do it every month, we do it every quarter, but it’s eye-opening how much information we get,” confessed Chiock.

“One of the similar things that we do is that if we have people fail this five times, then they are in big trouble. However, we do encourage them to report every time they suspect phishing. We have found a lot of very targeted attacks by people reporting (them).”

Degrees of action

Emilie Hudson, a project manager at BP, and also based in Houston, said that her company “tend not to take quite as punitive an approach” as Saudi Aramco or Schlumberger.

“Only because we’re looking for that information — our security centre evaluates about four billion events a day,” she said. “What we have found very effective is those phishing campaigns coupled with the education campaigns as well.”

But when it comes to partner companies or joint ventures, collaboration can be crucial in cyber security, Al-Shaikh said.

“We are as strong as the weakest partner that’s connected to us,” the Saudi official said. “If they are hit or are in trouble, we will be in trouble.

“Sometimes we even share threat intelligences. I think we have more than 20 or 25 partners for this platform for sharing cyber security intelligence information.”

Duncan Hare is a journalist based in Scotland.