Saudi Aramco oil facility in Jeddah
An Aramco oil facility in Jeddah. It’s not just missiles or drones that Saudi Aramco needs to watch out for. The company’s cyber security is imperative for keeping safe. Image Credit: AP

Aberdeen, Scotland: Raed Al-Shaikh is based in Dhahran at Saudi Aramco’s Exploration and Petroleum Engineering Centre (EXPEC), the dedicated data centre for the upstream side of the business.

His background was in data centre management and IT operations until “someone decided to promote me to cyber security”.

“Though I don’t know if this was a torture or a promotion …” Al-Shaikh, who has a PhD in Computer Engineering from King Fahd University of Petroleum and Minerals, quipped.

“Every day we manipulate or analyse more than 60 potential offences coming to our data centre — just to give you (an idea) how much we suffer in our data centre.”

The company has been hit by a number of cyber-attacks in the past. In 2012, Saudi Aramco suffered an attack that left, in a matter of hours, 35,000 computers partially wiped or destroyed, CNN had reported.

The hack came after one of the computer technicians on Saudi Aramco’s information technology team opened a scam (phishing) email and clicked on a bad link.

“One of the most valuable companies on Earth was propelled back into 1970s technology, using typewriters and faxes,” CNN said at the time.

In January 2017, there was a cyber incident at the Sadara Chemical Company, a joint venture between Saudi Aramco and Dow Chemical, which saw computers crash.

Living with hacking threats

Al-Shaikh did not address either of those incidents at the Offshore Europe conference, but was frank on the topic of hacking. Everybody in the oil and gas industry, will, at some point, suffer from being hacked, he insisted.

“The first point and the most important point we focus on in our EXPEC data centre is business continuity,” he said.

“I have bad news for you — everybody will be hacked. This is the way we see it. So if you are not hacked already, you will be hacked.

“If you think about the 1980s, people were doing it for the fun of it — students or enthusiasts trying to make a virus. But now it’s being developed to be more damaging, more lucrative for some organisations. It’s growing exponentially in terms of the damage it can do.

“There is nothing called 100 per cent security so that’s why we always think of the worst. And because of this we always think of business continuity.

“How fast can we (react)? This is very important.”

Duncan Hare is a journalist based in Scotland.