The region’s top tier oil and gas companies are at risk of cyberattack at a rate of up to one every second, an industry expert said.
The drone attacks on the Aramco facilities in Saudi Arabia on Sept. 14 are well documented, but Marcus Josefsson, director for Middle East, Africa and Russia at Nozomi Networks, said cyber criminals were always lurking in the background.
Nation-states, terror groups and organized crime circles can shutdown pumping stations with something as basic as a laptop computer with an Internet connection.
“There is one threat every second — or every couple of seconds — but the real question is how many of them are successful,” he said.
Josefsson’s employer, Nozomi Networks, is a cybersecurity company that works on ensuring industrial control systems are secure.
“We’ve seen them many times in this region before. There’s a specific malware that gets into these systems, and then they can target the centrifuge or they can target the pumps, the valves, and just break things down completely,” he said.
In 2012, 30,000 computers were hacked in Aramco facilities, but oil production was not affected.
Josefsson said often the attacks come from “people who are in it for the money.”
“One thinks now that organized crime has almost the same turnover as the cybersecurity industry, if not bigger.”
But countries “definitely play a big part to it,” Josefsson said. “Imagine you are a nation-state — you have a number of friends and enemies, no matter what. You have spies and intelligence gathering so when something goes wrong, you want to be able to deploy and do something quickly. That’s exactly what goes on in oil and gas companies, airports — all these critical national infrastructures,” he said.
Josefsson said attackers are always lurking in these important systems, “scanning, finding out information” for when an attack is called for.
“If there were a red alert at some point, if it escalated between two countries, they would want to be able to play that card — to take out an oil rig, to take out a pipeline, most importantly to take out electricity or water,” he added.
Although the amount of “internal and external threats towards these oil and gas companies is staggering,” Josefsson said that the success rate is very low, and that the region is “catching up very quickly” in improving its cyber capabilities.
He said the region has worked over the years to improve the security of information technology (IT) – this involves network firewalls and anti-viruses. However, there’s still a need “to do a lot more” in securing operational technology (OT), a collective term that refers to computer-run machines including oil pipelines, power grids, and railway systems.
He added the problem with existing OT is that it was not built with cybersecurity in mind.
“These systems were built 20 years ago — for uptime purposes, safety of personnel, pumping as much oil as possible, that’s how it was built. The same holds for things like the electrical grid system — cybersecurity wasn’t even there,” Josefsson said.
He noted how Saudi Arabia is “getting ready fast” in ensuring it has the sufficient security measures to respond to such threats.
“They have a good plan in place. The Kingdom is mobilizing quickly. They are taking all the right steps, and I don’t see any other country moving as fast as Saudi Arabia at the moment. Saudi Arabia takes it seriously,” he said.
He emphasized how “securing critical national infrastructure is arguably more important here than it is in Sweden or in the UK. Take Aramco for instance, it’s such a massive part of the economy.”
In 2018 alone, Nozomi Networks, which has an office in Dammam and has worked with big oil and gas, utilities, and mining companies, recorded a customer growth of 500 percent in the region, according to Jossefson, who is predicting a whopping 1000 percent increase this year, in light of the recent attacks.
“They are a hundred percent aware,” he said. “Especially after the things that happened very recently, it became even more topical.”
Although "99 percent (of the threats) are very basic," Josefsson said: “It’s the one percent that organizations need to look out for.”
“Attackers only need to be lucky once.”
