x Abu Dhabi, UAEMonday 22 January 2018

UAE oil and gas producers must beef up security or risk cyber attacks, expert says

According to Niraj Mathur, security practice manager at Gulf Business Machines, outdated computer systems of production plants 'have critical vulnerabilities'.

DUBAI // Oil and gas production plants in the UAE are at risk from devastating cyber attacks because they rely on outdated computer systems, an expert warned yesterday.

Supervisory Control and Data Acquisition (Scada) networks monitor and run industrial processes and are often used in oil and gas plants.

"These are legacy systems that have been running in the field for 10 or 15 years," said Niraj Mathur, security practice manager at Gulf Business Machines in Dubai.

"They were not built from a security perspective, they have critical vulnerabilities. The oil and gas industry is not carrying out any assessments today to try to know what vulnerabilities they could be facing. Unless you know what the critical vulnerabilities are, how will you protect yourself?"

Mr Mathur said large Scada networks were used to control the flow of oil, and utility companies used them to regulate water and electricity supplies.

"Someone who can manipulate these instrumentation controls can bring down your systems and there have been Scada attacks in other countries that have resulted in a huge amount of damage," he said.

"In the Middle East, Iran was the subject of such a cyber attack.

"Updating such networks should be a priority because you can imagine the kind of damage that could be caused if your nuclear facility is compromised, or your oil facility, or your electricity facility."

Mr Mathur was one of the speakers at the Gulf Information Security Expo and Conference, continuing today at Dubai World Trade Centre.

They referred to security risks from staff connecting their devices, such as tablets and smartphones, to their employers' networks.

Mr Mathur said research found 62 per cent of employers in the Middle East allowed "BYOD", which stands for "Bring your own device".

A PC or laptop provided by an employer and connected to the corporate network is under the control of the system's administrators.

"When I bring my own tablet the administrators do not know whether it has the latest security patches or not," said Mr Mathur.

"I use that tablet to access internet sites at home and I could be downloading a Trojan or malware. Then I connect the same device at work and this could inject malware into the corporate network. This is one of the big threats in the UAE."

He said this method of infecting systems had led to an increasing number of attacks focusing on the Android mobile operating system.

"Hackers are targeting Android because they see it as an easy way to get into corporate networks."