According to one of the most salient findings of a recent study by Siemens and the Ponemon Institute, three out of four organisations in the oil and natural gas industry in the Middle East have experienced a security compromise in the past 12 months that resulted in the loss of confidential data or operational technology (OT) disruption. Such cyber-compromises are a common occurrence for 11% of organisations which suffered more than 10 breaches in the preceding 12 months. This is against the backdrop of another finding in the study organisations believe that roughly one in every two cyberattacks against the OT environment actually goes undetected. The study, called “Assessing the Cyber Readiness of the Middle East’s Oil and Gas Sector”, provides a glimpse into the security posture of the region’s oil and gas companies. It is based on a survey of 176 executives who are responsible for securing or overseeing cyber-risk in their organisations. The oil and gas industry is the target of as much as one-half of all cyberattacks in the Middle East. Given its importance for the region’s economies, the risks faced by the industry are all the more pressing.
The study comes as OT, which encompasses systems that monitor and control physical devices and industrial processes, is increasingly interconnected with IT networks. For all its benefits, however, this IT/OT convergence is opening up new avenues for attacks. The attendant risks aren’t lost on the survey’s respondents. Most of them (60%) hold that their organisations face greater risks in the OT than in the IT environment. As much as 30% of the region’s attacks target OT, according to the study. Insiders were actually found to be the primary source of threat for OT security. This particularly applies to negligent or careless insiders, rather than those acting out of malice. The report notes that, due to the prevalence of insider threat risk, “traditional strategies of air-gapping networks are not an adequate security measure”.
The study acknowledges that organisations have begun to adopt measures to ward off increasingly pervasive attacks. This includes establishing dedicated OT security teams, partnerships with OT security experts, leveraging security analytics, and introducing cutting-edge monitoring tools. Having said that, budgets for OT cyber-defences “have not kept up with the threat”, reads the study. Oil and gas organisations in the Middle East were found to be spending only one-third of their cybersecurity budgets on hardening their OT environments. Their total cybersecurity budgets, comprising both IT and OT, were lower than those of their global counterparts. On the other hand, the financial fallout from attacks on the oil and gas sector in the Arabian Gulf was calculated at €1 billion last year alone.
The region’s oil and gas industry has been in the attackers’ crosshairs for some time. In 2012, Saudi Aramco, the world’s largest oil company, suffered a major disruption after a virus infected 35,000 of its computers. In August 2017, attackers used OT specific malware called Trisis, or Triton, to take out the safety system of an unnamed oil and gas plant in Saudi Arabia, resulting in the halting of the facility’s operations.