Major oil-producing countries have become increasingly vulnerable to cyber risks as oil sector digitization heightens the possibility of a major supply disruption. In a report published last month, the International Energy Agency (IEA) said malware, ransomware, phishing, and botnets are enabling new forms of cyber crime—including sabotage, industrial espionage, and ransom—that could force the shutdown of major energy facilities. The global cost of these vulnerabilities could top $6 trillion by 2021, double 2015 levels, says a report by the research firm Cybersecurity Ventures.
Countries that rank low in cyber readiness account for more than 44 million barrels per day, approximately 45 percent of the world’s daily oil production.
Countries that rank low in cyber readiness account for more than 44 million barrels per day (mbd), approximately 45 percent of the world’s daily oil production. The International Telecommunication Union (ITU), a U.N. branch responsible for technology regulation, assessed 25 cyber readiness indicators based on questionnaires and secondary data collection. Based on an analysis of its data, OPEC producers as a block are less prepared for a significant cyber incident than non-OPEC counterparts, and score a median 40 out of 100 on its index (see below). While OPEC nations are highly vulnerable to attack, the members of the Gulf Cooperation Council (GCC) are better prepared than the others in the cartel. Qatar, which has made substantial investments in cyber infrastructure over the past five years, scores a high 68 out of 100, while Saudi Arabia scores 57.
Recent incidents underscore the region’s ongoing cyber vulnerabilities. Last month, an online espionage campaign sought to steal log-in credentials from government officials in five Middle East countries, including Saudi Arabia. The Kingdom, the world’s top crude oil exporter, is an attractive target for hackers. In 2015, some 160,000 cyber-attacks aimed to disrupt Saudi banking, telecommunications, and energy networks. Saudi Arabia’s regional adversary Iran is allegedly responsible for many of these incidents. Analysts suspect Iranian hackers were behind the Shamoon virus, which in 2012 wiped the disks of more than 30,000 computers at Saudi Aramco, the state-owned oil company. The Saudi government in recent years has boosted the country’s cyber war-fighting capabilities by dedicating more resources to counter Iran’s aggressive actions. In January, it warned organizations to be on the lookout following a labor ministry attack that also disrupted the network of a chemicals firm.
The Saudi government issued a royal decree establishing the National Authority for Cyber Security to consolidate defense and interior oversight of the sector. Throughout the region, all GCC states—including Saudi Arabia, Qatar, and the United Arab Emirates—now publish standards to secure critical infrastructure and codify anti-cybercrime provisions into law.
While governments of major oil-producing states look to fight cybercrime throughout their entire countries, they are also calling on their national oil companies to help. The Gulf States are developing strategies to bolster cooperation across the petroleum sector value chain. In May, the head of Kuwait’s information technology regulatory agency suggested that the country adopt a national strategy to address loopholes and system weaknesses. The U.A.E. has gone one step further, launching the Dubai Cyber Security Strategy to establish a way for industry leaders to evaluate best practices around cyber-preparedness and responses. As mentioned above, Aramco has worked with the Saudi government to reduce its vulnerabilities.
Even Western oil companies are encountering potentially devastating attacks.
Even Western oil companies are encountering potentially devastating attacks. Statoil experienced a significant incident in 2014 when it, with other Norwegian companies, were targeted. Since then, the company has taken steps to mitigate its exposure to hackers. Alongside the Norwegian Petroleum Safety Authority, Statoil is working to tailor internationally recognized cybersecurity guidelines for the oil industry. These include the International Society of Automation’s IEC-62443 standard that establishes uniform policies and procedures, compliance metrics, and approved security technologies for industrial control systems. DNV GL, a Norwegian accreditation company, says Statoil plans to work with industry partners Shell Plc, Lundin, Siemens, and Honeywell to modify prevailing standards for oil sector systems.
Connectivity opens opportunities for hackers to find exploits. Geographically distributed online architectures—called supervisory control and data acquisition systems (SCADA)—enhance network efficiencies, and enable top-down decision-making. However, the diffusion of these virtual systems creates pathways for hackers to access unguarded systems, a notable contrast with older, closed-circuit networks. In the Middle East, the high concentration of oil and gas networks and the increasing levels of sector-wide automation create opportunities for actors who are intent on disrupting supplies.
In the Middle East, the high concentration of oil and gas networks and the increasing levels of sector-wide automation create opportunities for actors who are intent on disrupting supplies.
“So much of the world’s oil production happens [in the Middle East], and in the pursuit of technologies to make it more efficient. When you increase that level of automation and use of information technology, it only increases the vulnerability,” explained former National Security Agency Director John McConnell during a 2013 visit to the U.A.E.
A June 2017 report by the consultancy Deloitte identifies one particular vulnerability of these so-called connected barrels: Oil and gas companies make Internet technology system decisions at field or unit level. Some 1,350 oil and gas fields have been producing for more than 25 years, Deloitte says, each using different equipment and systems architectures. Although companies can take measures to protect connected systems—such as running cyber scans on copied SCADA systems or measuring for anomalies versus baseline data—any interconnected online pathway creates the potential for disruption. For instance, in 2014, Somali pirates temporarily disabled a floating oil rig for 19 days by infecting it with computer malware and commanding it to physically tilt off the coast of Africa.
Over the next decade, the rapid adoption of smart devices is expected to drive rapid economic change throughout the Middle East. The proliferation of cellphones and the broader Internet of Things will fuel a significant outgrowth in new technologies, adding 160 million users and $95 billion to the region’s GDP through 2025. These digitally-enabled devices increase vulnerabilities, even in the oil sector, as electronic devices can be easily commandeered to control production and affect oilfield operations. In 2017, no OPEC nations, and only two in the Middle East—Oman and Israel—rank among the United Nations’ top-20 cyber-ready countries. This severe lack of preparedness—particularly for vulnerable energy infrastructure—opens opportunities for cyber criminals and hostile foreign governments to hack systems and steal data.
“Too many companies are thinking they are not targeted.”
“Too many companies are thinking they are not targeted,” FBI Computer Scientist James Morrison told a gathering of oil industry cyber-security experts near Houston in November. “That is not the reality. Every single one of you will be attacked,” he said. “You’ve got to protect the industrial control systems behind the data.”