Regional Oil & Gas industry lagging in security

This guest article, contributed by Tomas Foltyn, security writer at ESET, discusses the security concerns that persist as major oil and gas industry players have experienced loss of confidential data or OT disruption.

Three out of four organizations in the oil and natural gas industry in the Middle East have experienced a security compromise in the past 12 months that resulted in the loss of confidential data or operational technology (OT) disruption. This is one of the most salient findings of a recent study by Siemens and the Ponemon Institute.

Such cyber-compromises are a common occurrence for the 11% of organizations that suffered more than 10 breaches in the preceding 12 months. This is against the backdrop of another finding in the report: organizations believe that roughly one in every two cyberattacks against the OT environment actually goes undetected.

The study, called “Assessing the Cyber Readiness of the Middle East’s Oil and Gas Sector”, provides a glimpse into the security posture of the region’s oil and gas companies. It is based on a survey of 176 executives who are responsible for securing or overseeing cyber-risk in their organizations.

The oil and gas industry is the target of as much as one-half of all cyberattacks in the Middle East. Given its importance for the region’s economies, the risks faced by the industry are all the more pressing, notes the report.

IT meets OT

The study comes as OT, which encompasses systems that monitor and control physical devices and industrial processes, is increasingly interconnected with IT networks. For all its benefits, however, this IT/OT convergence is opening up new avenues for attacks.

The attendant risks aren’t lost on the survey’s respondents. Most of them (60%) hold that their organizations face greater risks in the OT than in the IT environment. As many as 30% of the region’s attacks target OT, according to the study.

However, insiders were actually found to be the primary source of threat for OT security. This particularly applies to negligent or careless insiders, rather than those acting out of malice. The report notes that, due to the prevalence of insider threat risk, “traditional strategies of air-gapping networks are not an adequate security measure”.

The study acknowledged that organizations have begun to adopt crucial measures in order to ward off increasingly pervasive attacks. This includes establishing dedicated OT security teams, partnerships with OT security experts, leveraging security analytics, and introducing cutting-edge monitoring tools.

Having said that, budgets for OT cyber-defenses “have not kept up with the threat”, reads the study. Oil and gas organizations in the Middle East were found to spend only one-third of their cybersecurity budgets on hardening their OT environments. Their total cybersecurity budgets, comprising both IT and OT, were lower than those of their global counterparts.

The financial fallout from attacks on the oil and gas sector in the Arabian Gulf was calculated at €1 billion last year alone, reads the report.

The region’s oil and gas industry has been in the attackers’ crosshairs for quite a while now. In 2012, Saudi Aramco, the world’s largest oil company, suffered a major disruption after a virus infected 35,000 of its computers.

In August 2017, attackers used OT-specific malware called Trisis, or Triton, to take out the safety system of an unnamed oil and gas plant in Saudi Arabia, resulting in the halting of the facility’s operations.