Digital danger zone
By staff - Thu Jun 28, 9:38 am
Vulnerability to a cyber attack could be the oil and gas industry’s Achilles heel. Leading experts outline the very real and present dangers underprepared upstream companies are exposed to in the Middle East.
The protection of critical national infrastructure has long been a serious concern to governments in this region, but an all-encompassing approach means achieving this is no longer limited to physical security. The widespread use of interconnected networks and control systems in national oil, gas, power, water and electricity sectors, means there is now a very real and growing need to enhance cyber security, highlighted by an ever increasing number of international attacks.
Indeed, as a region responsible for much of the world’s energy, GCC countries are placing cyber defence as one of their priority areas for development. Saudi Arabia has plans to spend $3.3bn on oil and gas infrastructure security and Qatar, Oman, Kuwait and the UAE are set to follow suit over the coming years.
“The cyber security threat to energy installations is surprisingly widespread, running across utilities and distribution networks to generation, refining, and even drilling and exploration. Most security professionals now say that if you think you have not had your security breached then you just haven’t detected it,” says Professor Paul Dorey, director at CSO Confidential.
“Wherever there is digital technology there is the potential of cyber threat. What can change between industry sectors is the nature of the motivation of attack. Basic utilities have less information of commercial value to steal than do exploration companies bidding for assets, however both have the potential to create widespread disruption if their operations are stopped or disrupted by attack on critical cyber systems such as Industrial control,” Dorey adds.
Governments and large corporations all over the world should be wary of a growing cyber menace in 2012 in particular, according to experts at Kaspersky Lab. Not only will there be a dramatic increase in the number of targeted attacks on state institutions and large companies, it is also likely that a wider range of organisations will bear the brunt of the expected onslaught.
“At the moment, the majority of incidents affect companies and state organizations involved in arms manufacturing, financial operations, or hi-tech and scientific research activities. In 2012 companies in the natural resource extraction, energy and transport industries will be affected, as well as information security companies,” warns Alexander Gostev, headed of the global research and analysis team at Kaspersky Lab. Attacks will range over more of the world than ever before, spreading beyond Western Europe and the US and affecting Eastern Europe, the Middle East and South-East Asia.
It has been reported that there was more than a 40% increase across the Middle East in computers infected by malware in 2011. The threat of such viruses was highlighted by the discovery in 2010 of the most sophisticated cyber attack to date, Stuxnet.
It was a vicious computer worm with highly specialised malware coded to target specific Supervisory Control and Data Acquisition (SCADA) systems and disrupt their operational activities but without the operators being aware of such changes.
“SCADA networks are widely used in all industrial sectors and provide essential services and commodities in a very efficient manner,” explains Dr Nick Coles, founder and organiser of the International Forum to discuss the cyber security of energy and utilities sectors in the Middle East.
“However, they were originally designed to maximize functionality with little attention paid to security. Consequently performance, reliability and safety of these highly complex and interconnected systems are invariably robust, but the security is weak, making them vulnerable to disruption of service, process redirection or manipulation of operational data that could result in public safety concerns and even loss of life,” adds Coles.
The management need for information and remote control in the modern energy business has led to the adoption of common network protocols and the connection of many of these SCADA and Industrial Control Systems (ICS) to the corporate network. While these changes have resulted in business benefits they also have meant that system security is even more prone to the same cyber threats faced by corporate networks.
The Stuxnet worm demonstrated that it can cause real damage to public safety, the economy and the environment. On the other hand, Stuxnet drew attention to the enhanced cyber security needs for ICS systems.
“Compared to the other industries, oil and gas companies and operators are probably more likely to embrace the necessary cyber security steps once they are aware of the risks they are facing, because most of them actually have a solid risk management culture.
They can quantify what bad security could cost them and then make the decision to do something. In contrast, the power industry and manufacturing industry tends to be lost when it comes to moving to address the risk until they have a problem or are legislated to do something.”
Additionally, the step to wireless, which has always raised security related questions from the industry, may actually be helping migrate upstream firms into safer territory.
“Frankly most of the wireless deployments I see are better than the wired ones in terms of security. People see the word “wireless” and they immediate ask themselves: What do I need to do about security? With wired systems, security never crosses their mind,” Byres states.
Whilst wireless networking can introduce potential security risks to networks and facilities, many secure wireless solutions have been developed. It is, however, easy to implement wireless solutions in an insecure way that can introduce security weaknesses.
“Companies implementing wireless solutions in the industrial environment should only do so having been informed by a thorough risk assessment and should design the wireless solution to address the identified risks,” explains Lowe.
“These should be reviewed on a regular basis and action taken as required to maintain security levels against an evolving threat and risk landscape.”
Many local energy companies are only just beginning to recognise the cyber security risks. However, that recognition has kick-started an appetite to address, explore and counter future threats.
The upcoming Abu Dhabi International Forum to discuss the cyber security of energy and utilities sectors in the Middle East is proof that the threat is being taken seriously by the major energy and utility players and their partners throughout the region.
With participation from leading cyber security luminaries, and their local upstream energy and utility counterparts, means local business leaders are embracing the need for rapid, but planned adoption of a cyber security framework.
The Middle Eastern energy industry could not be more vital to meeting the Gulf’s aspirations, as well as the stability and general wellbeing of the global economic system.
The threat is being tackled, but the oil and gas industry, and its utilities counterparts cannot pause for deliberation. Action to match good intentions is now as critical as the challenge.
Source: Arabian Business