Cyber Security

Call to define best practices

Kureishy: companies unable to detect adversaries

The Middle East  oil and gas industry should define what the best practices are locally for cyber security and towards that end collaboration and sharing information is critically important, a senior official  of a prominent technology consultancy firm has said.

Atif Kureishy, principal, Booz Allen Hamilton, Mena, suggested that  national-level cyber authorities are well positioned to define a set of recommended security practices that needs to be considered and implemented by the industry regionally. Since a national-level cyber authority has visibility across multiple critical infrastructure sectors, they can also offer best practices that may be defined in another domain but are still applicable, for example financial services, to oil and gas.

Kureishy said all Middle East oil and gas companies have an opportunity to increase their cyber defences by improving their information security programmes. These programmes can help identify risks facing these companies by understanding various threats and vulnerabilities of their networks, gaps in their application of security controls and how to apply mitigating security controls to their corporate and process control networks.

Oil and gas companies are realising that cyber espionage is a very real threat

Public awareness of cyber-attacks and cyber exploitation on critical oil and gas infrastructure has increased tremendously over the last few years. In response, Middle East oil and gas companies have begun their security initiatives with a focus on newer digital oil field development. But in the absence of a specific cyber incident, typically these same companies remain reluctant on taking proactive, risk-based security measures on existing fields and facilities, the official said.

“Oil and gas organisations that are driven by compliance or attaining an international security standard such as ISO 27001 may miss the intent of these security frameworks,” he cautioned.

“While these security frameworks are valuable to provide a management construct around security, organisations should adopt a comprehensive security risk methodology that assesses their information security programmes across various controls that are tailored for the needs of their corporate and industrial process stakeholders.”

Oil and Gas companies need to coordinate across their industry for sharing threat intelligence regarding realised and emerging cyber activities to better position themselves considering that cyber espionage is a very real threat. This is particularly serious in situations of unconventional exploration and production of emerging oil fields due to the strategic value of this data, said the official.

“Well-funded adversaries are able to navigate porous corporate network defences through a combination of social engineering and more advanced techniques such as zero-day exploits. Because of the sophisticated nature of these attacks, companies are unable to detect these adversaries on their networks that are potentially exfiltrating their high value information assets. Even when they are detected, companies are hesitant to report because of the impact to their reputation and brand.”