x Abu Dhabi, UAEThursday 20 July 2017

Cyber complacency must be hacked down

When it comes to cyber attacks an attitude of "it couldn't happen here" is highly dangerous. Middle Eastern companies are vulnerable - and must be on their guard.

Saudi Aramco was one of Middle East companies targeted by hackers. Above, a Saudi Aramco oil facility near Riyadh. Ali Jarekji / Reuters
Saudi Aramco was one of Middle East companies targeted by hackers. Above, a Saudi Aramco oil facility near Riyadh. Ali Jarekji / Reuters

Corporations in the Middle East should not consider themselves immune from cyber attacks over the internet.

The communications systems of major firms in the region have already been devastated by such attacks.

If companies do not act quickly to plug what are regarded as increasingly large holes in their internet defences, industry watchers believe they could also face the imminent threat of ecological disasters generated directly by the new wave of cyber attacks hitting the region.

Qatar's RasGas, a major natural-gas producer, suffered a cyber attack only weeks after Saudi's Aramco, the world's largest crude oil producer, suffered a similar assault.

Aramco was forced to communicate internationally via outdated technologies such as telex machines after the attacks took down its email system.

A hacker group calling itself the Cutting Sword of Justice is reported to have claimed responsibility for the attack on Aramco.

"The effects of the hacker attacks in … Saudi Arabia serve as a reminder that no business in the Middle East is immune from security threats," says Roger Cressey, a cyber security expert and senior vice president at the American consulting firm Booz Allen Hamilton.

Booz Allen believes some Middle East companies are guilty of nurturing an "it-couldn't-happen-here" culture, believing cyber attacks in countries such as the United States are unlikely to be replicated in the Middle East. Such an attitude could be suicidal for any corporation in an era when any target is only a click away on the internet.

"Among Mena [Middle East and North Africa] clients Booz Allen talks to, the number one mistake they make is to believe that cyber attacks and cyber espionage are a 'western' problem and not issues that affect the Middle East. The fact is that coordinated cyber attacks can bring any business, anywhere, to its knees," says Mr Cressey.

He believes another common misconception is security attacks are uncoordinated and lack purpose. This may have been true in the early years of cyber hacking but that is no longer the case.

"Much talked-about 'script kiddies' and teenage hackers can mask the real threat posed by cyber espionage," says Mr Cressey.

According to Booz Allen, the threat of cyber attacks is especially strong in rapidly growing sectors that operate in multiple locations, such as oil and gas. Businesses that might be adopting new internet technologies are also especially vulnerable.

Remotely hosted so-called "cloud"-based information and communications infrastructures designed to share data across multiple locations and help company users access data wirelessly all offer new opportunities for cyber hackers looking for breaches in the internet defences of energy companies.

The Middle East's unabated enthusiasm for personal communications devices such as iPhones also makes companies increasingly vulnerable to cyber attacks.

"Energy companies have a strong perimeter defence," says Rob Enderle, the principal analyst of the Enderle Group, based in California's Silicon Valley.

"But with the advent of personal technology and wireless access points, these perimeter defence programmes are often more like Swiss cheese than they are impermeable barriers."

Mr Cressey also says the defences of energy companies are low considering the scale of the threat they face from cyber attack.

"The reality of our cyber-security environment is grim," he says. "Firewalls and data encryption are not enough to protect intellectual property, financial assets, operational systems and reputations.

"We are seeing an alarming increase in the number of cyber attacks from outside as well as inside organisations, potentially creating long-lasting and negative business impacts. A security approach that combines people, processes and technology gives business and governments the best chance to protect themselves."

Mr Enderle predicts it will take a major tragedy before the world's energy companies understand the scale of the threat presented by cyber attacks. A hacker located on a different continent could wreak untold financial and environmental damage on a corporation after breaking through its internet defences.

"Given that a successful penetration can result in anything from a plant shutdown to a large-scale, life-threatening ecological disaster, it is likely many of these firms need to completely, from the ground up, redesign their automation systems to be self-defending," says Mr Enderle. "But they lack the funds or the will to do that.

"As a result it will likely take one or more massive catastrophe connected to digital attack to force these industries to retool to properly address the threat."

Middle East energy companies may still have a small window in which to plug holes in their corporate and personal communications systems before it is too late, - but they must act now.

"The [Arabian] Gulf represents a prime target for attacks, with the region's economic strength and widespread usage of social media making it an attractive target," says Mr Cressey.

"Businesses need to reinforce their defences inside and out, and what happened in Saudi Arabia and Qatar are urgent reminders to those who think they are already strong enough to withstand attack."