By Irina Slav
Oil and cybersecurity in one sentence certainly makes for a thrilling read, and there will be an increasing amount of information on the topic as the Internet of Things expands and the global oil industry adopts automation and digital technology.
OPEC is no exception in this digitalization drive, but unlike its non-OPEC counterparts, the cartel has emerged as much more vulnerable to cybersecurity threats.
An analysis of data collected from 134 countries by the International Telecommunication Union has revealed that some of the world’s biggest oil producers, including Iraq, Saudi Arabia, Venezuela, Iran, and the UAE, are lacking in the cybersecurity department. This means that, compared to European producers and the United States, OPEC members are pretty much unprepared for a major cyberthreat.
What is the likelihood of such a threat actually materializing? Well, the general opinion in cybersecurity circles is that everything that can be hacked will be hacked at some point. Saudi Arabia’s oil and gas industry, for example, has been a favorite target for numerous attacks over the last few years, including the Shamoon virus, which in 2012 wiped clean the disks of more than 30,000 computers at Aramco, and according to reports from the cybersecurity industry, reared its ugly head again in 2016.
Overall, about half of all cyberattacks in the Middle East target the oil and gas industry, which suggests the answer to the above question is “Pretty high,” but the worse thing is that this likelihood is only going to get higher in the future.
Middle Eastern producers are following in the footsteps of their non-OPEC counterparts in adopting digital technology and automation to improve efficiencies in the post-2014 world, where efficiency has come to the fore in oil and gas. The problem, of course, is that the more you digitalize, the more vulnerable you become to attacks through digital channels.
A recent study from Siemens and Ponemon Institute found that as digital tech adoption in the Middle East oil industry rises, so does cyber risk. What’s more, this risk is no longer limited to IT operations: the operational technology area is gaining prominence as a preferred target for cybercriminals.
The reason, according to Siemens and Ponemon Institute, is the convergence between IT and OT in the oil and gas industry. “Attackers have identified this convergence of IT and OT as a key opportunity to penetrate an organization. As a result, an emerging trend of cyberattacks is designed to disrupt physical devices or processes used in operations. In a digital environment, industrial cyber is the new risk frontier,” says Siemens’ Vice President and Global Head of Industrial Cyber, Leo Simonovich.
The cybersecurity industry is sounding an alarm and it seems those in the Middle East that can afford it are hearing it and heeding the warning to improve their cybersecurity capabilities.
The UAE has a Dubai Cyber Security Strategy. Earlier this year, Saudi Arabia launched a National Cyber Security Center, and last month announced the set-up of a National Authority for Cyber Security, seeking to utilize international expertise and best practices to prop up government and critical infrastructure defenses. Iraq is seriously lagging behind and Iran is seen by cybersecurity insiders as more a source of cyberthreats than as a potential victim.
This sounds all well and good, but the trends in cybercrime point to a desperate need to do more. Cybercriminals do not sit on their hands while potential victims work to improve their defenses. While cybersecurity service providers continue to warn businesses and other organizations that they need to become more pro-active with regard to their cybersecurity measures, the hackers are coming up with new ways to undermine existing defenses. This is true for all industries, but it is especially true for oil and gas in the Middle East—national energy infrastructures are called critical for a reason, after all.
Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it. I have no business relationship with any company whose stock is mentioned in this article.