How secure are GCC networks?
With 2015 witnessing a spate of attacks on the oil and gas industry and 2016 set to see no less, the regional oil and gas industry is investing in securing its systems, providing IT companies a lucrative opportunity to trade their products.
A cyber fraud is attempted between the trading unit of Saudi Aramco – the world’s largest oil producing company – and India’s state-owned ONGC (which is eventually foiled). A ‘financially motivated threat group’ known as FIN1, most likely based in Russia or a Russian-speaking country, launches highly sophisticated malware that subverts conventional system checks to access sensitive payment data.
The year 2015 witnessed several cyberattacks against not just the energy industry, but the global economy as a whole.
The year also saw campaigns from alleged state-sponsored actors, including the group responsible for breaching American health insurance company Anthem’s IT system and stealing personal information on millions of current and former customers and employees.
Security software company Trend Micro Inc found that 47% of energy industry organisations reported attacks, making energy the corporate sector at the highest risk of infiltration and breach.
In the oil and gas industry, 27% of all attacks are considered advanced and targeted and thus the potential for an attack to interrupt production activity is high.
The steep rise in the number of cyberattacks, known or unknown, in 2015, leads one to ask: How secure are the IT networks of GCC oil and gas companies?
“In general, security is more complex when automation and ICS (Industrial Control System) infrastructure is involved, and not only for the energy industry. ICS infrastructure is more fragile and can be more complex when it comes to implementing security controls as well as security technology,” Jens Monrad, global intel liaison - EMEA, of IT company FireEye, said.
“Typically, the ICS environment is operated by professionals outside the security operation. Therefore, there can be a gap in the organisation between the security operations and the people working with network security, and the people operating the ICS environment.”
With IT concepts such as cloud computing and the Industrial Internet of Things (IIoT) rapidly becoming the order of the day, the energy industry too is steadily adopting them for achieving operational excellence.
Major IT enterprises too have been trying to popularise these IT trends and the regional industry’s need to utilise them, by reaching out to players at industry events such as ADIPEC.
They have been successful in transforming the GCC into a key marketplace for their IT and network security-related products, and continue to launch new ones.
“Now that we are entering the era of internet of everything, we are actually digitising the business. So for all the oil exploration, production and distribution, you now have a trend of digitisation that is opening fantastic opportunities for these organisations to accelerate their business and continue to excel,” Rabih Dabboussi, general manager, Cisco UAE, said.
Industrial automation and information company Rockwell Automation recently published its new, validated resources with strategic alliance partner Cisco.
These resources are aimed at helping the automation industry address the security concerns associated with implementing new technologies and trends like IIoT.
Offered free of cost, these resources ‘address the dynamic security practices for both information technology (IT) and operational technology (OT) - essential in managing risk from the plant to the Connected Enterprise’, Rockwell Automation said in a press release.
However, on the flip side of these trending IT concepts come the associated security risks, as systems such as cloud computing have been known to be prone to cyber/malware attacks.
“It (the concepts) also poses a big challenge, i.e., how do you secure the surface that is expanding. What I mean is, for example, three years ago, we didn’t have sensors that were deployed in pipelines, oil rigs etc.,” Dabboussi told Oil & Gas Middle East.
Awareness of the potential threats on the part of the organisation also forms the backbone of its cyber defence capabilities. “If you think of it from a personal perspective, the attack surface has increased and this is key for us to raise awareness that now we are more prone to attacks, but we must be agile and ready to respond quickly,” Dabboussi remarked.
Monrad feels awareness in the industry can be improved to safeguard the enterprise’s network. “Because of the typical disconnect between ICS environments and security operations, I think awareness can be greatly improved. Cross-team projects can be implemented, where both the ICS and network security staff work together on ensuring uptime, as well as implementing monitoring of the environment, in order to gain more visibility into the infrastructure and to be able to detect breaches and provide a quicker response to potential threats,” he explained.
However, with the current downturn in the oil and gas sector taking a toll on the major NOCs of the region and forcing them to heavily slash capital expenditure, investments in boosting the IT network presently feature at the bottom of their priority lists.
“The fluctuating marketplace for feedstock and energy prices means that competitive advantage for Middle East oil and gas, refining, petrochemical and chemical production is being squeezed. The region is focussed on the development of mega-refineries and large integrated petrochemical plants that are world-class in both size and complexity. Therefore, the need for integrated optimisation software is important in today’s market to help drive profitability by optimising assets,” Ossama Tawfick, VP Sales - MENA, AspenTech, said.
Dabboussi, however, thinks otherwise.
“At a time when there is quite a lot of cost-cutting happening, what I have seen being reflected throughout these organisations (major oil and gas companies) is the paramount importance on security and the fact that security cannot be compromised in any way,” he believes.
GCC energy giants have recently begun emphasising the use of IT not just to secure their networks, but also to improve efficiency and make every dime count.
The Dubai Government-owned Emirates National Oil Company (ENOC) recently signed a strategic Memorandum of Understanding (MoU) with GE ‘to explore areas of collaboration for developing innovative technologies that will strengthen energy conservation at ENOC’s facilities and enhance the performance and efficiency of ENOC’s fuel and lubricants solutions’, it announced.
GE and ENOC have partnered in the past and, with the recent agreement, intend to ‘focus on bringing added value to the business units of ENOC Marketing, including aviation fuel, lubricants, and liquefied petroleum gas (LPG) among others.
The technology collaboration will draw on the potential of GE’s Industrial Internet solutions to help achieve new levels in productivity and operational efficiency’, the statement said.
AspenTech, which works with regional giants such as Saudi Aramco, Qatar Petroleum, and ADNOC, among others, claims its aspenONE Advanced Process Control software is ‘an excellent return on investment’.
“Aspen DMC3 efficiently scales to any control problem size and it has also been successfully applied to virtually every control problem in refining, chemicals and petrochemicals processing. Significantly, this helps improve the financial performance of the plant where companies have experienced benefits ranging from 3 - 5% increase in capacity and 3 - 5% reduction in energy usage,” Tawfick said of the product.
“In addition, using AspenTech’s integrated process engineering tools delivers significant tangible results, including improving process engineering workflow around 10%, 30% capital and operating cost savings due to inherently better designs, a 10% – 20% improvement in engineering quality and a 10% – 20% improvement in engineering efficiency,” he added.
According to FireEye's 2016 Security Predictions, disruption is a valid concern in 2016 and the losses associated with business disruption are considered some of the highest. In certain circumstances, disruption can be more than just the inability to perform regular work operations.
“Due to certain high-profile incidents, chief information security officers (CISO) have had to change their risk profile. There is now a chance that someone could just break in and delete everything, without any risks or repercussions involved,” Ray Kafity, VP - META at FireEye, said.
Another valid concern in 2016 is the growth of infrastructure-based attacks. As the energy sector continues to invest in new technologies to automate production, the potential for attacks inevitably grows.
“We will start to see more visible attacks against industrial control systems (ICS). Additionally, environments shifting to Wi-Fi will broaden the attack surface, potentially opening the doors to increased cyber terrorism aimed at critical infrastructures. To stay ahead of all threats, the C-level and boards will need to address ICS security in their risk reviews and begin allotting a larger budget to protection,” Kafity recommended.
Moreover, though still at a nascent phase, the popularity of mobile wallets, magstripe readers and other similar payment systems is growing rapidly, but without the protection needed to secure transactions.
The proliferation of these systems gives potential attackers another front to launch cyberattacks, as was demonstrated by the attempted fraud between Aramco Trading and ONGC. “As a result, we will likely see an increase in malware targeting these systems,” Kafity predicts.
On the other hand, the International Data Corporation (IDC) estimates that IoT-related expenditure in the Middle East is set to rise at a five-year growth rate of 21.9% to total $10.18bn by 2018.
New internet-enabled devices are being released regularly these days, and many have weak security controls, allowing for new ways of accessing data.
“These ‘things’ could be held hostage by ransomware, which will subsequently lead to extortion. As these pick up in the region, various cybersecurity issues will need to be addressed,” Kafity said.
2015 was characterised by a spate of attacks on the oil and gas industry. The energy sector has long been the mainstay of regional economies and as the GCC consolidates its position as an economic hub, 2016 will witness further cyberattacks on this sector, experts say.
In such a scenario, they insist cybersecurity must assume paramount importance in an oil and gas producing company’s business strategy.
“Due to the sensitivity of ICS environments, companies are advised to implement processes and monitoring capabilities, which can help them in the following three areas: Detect (Monitoring of the environment, corporations with Security Operations and personnel); Respond (Have a tested Incident Response Plan, a workflow, process and documented plan for how to handle incidents discovered, allowing the company to operate during the incident); Contain (Have a tested and functional Disaster Recovery Plan, allowing a move to a non-compromised environment, while mitigating the threat against the compromised environment),” Tawfick said.
“I would advise that security should be the top priority for the organisation. Secondly, a very senior person should take on the responsibility to be the person who is leading the security practice. We advise them to talk to companies who have expertise in that space, and have a track record in providing the right solutions, advisory around securing the infrastructure data and adopt a methodology and strategy that helps to continue to advance and continue to renovate the security environment to keep up with the advancement of attacks,” Dabboussi explained. “And if these steps are implemented, I think that would help in securing the data and networks in the region.”