Energy companies in the Middle East, the most vulnerable region to cyber-attacks, are underspending on cyber security even after the Arabian Gulf took a $1 billion hit last year from incidents against the sector, according to a new report.
The region’s oil and gas companies are spending just a third of their cyber security budget on securing operational technology (OT) and are unprepared to deal with the risk, according to a study by Germany’s Siemens and the Ponemon Institute released on Tuesday. OT refers to hardware and software deployed across the value chain of industries that have become increasingly digitalised in the oil and gas sector. Three in four of these companies were hit with at least one security attack that either disrupted operations or led to the loss of confidential information in the last 12 months.
“The reality is that the sector in general is not keeping up with the threat,” Leo Simonovich, vice president and global head of industrial cyber at Siemens, told The National. “While there’s awareness, there’s a gap between risk, readiness and the strategy to close the gap.”
The Middle East suffers the most from cyber-attacks globally, with half of these directed at its critical oil and gas industry, according to a 2016 PwC study. The region, which accounts for 35 per cent of global oil production, has seen widespread cyber security breaches, many of which frequently go undetected. One of the most prominent cases was the Shamoon virus attack on Saudi Aramco systems in 2012, which wiped hard drives clean on some 30,000 computers. Last June, a $20 billion petrochemical project joint venture between the world’s top oil producer Aramco and Dow Chemicals of the US experienced a spate of hacking attacks.
The financial fallout from cyber-attacks in the Arabian Gulf last year is estimated at more than $1 billion, the report showed. Among the companies surveyed, 11 per cent reported experiencing more than 10 cyber breaches in their OT in the last 12 months, a rate nearly three times the global average.
The study surveyed 176 professionals including heads of industrial control systems, process engineering heads, OT security leaders and IT security heads in the Mideast’s oil and gas industry.
Given the region’s dominance in the energy sector, cyber attacks on upstream and downstream facilities could have wide-ranging implications on global energy markets. In the particular case of Saudi Arabia, whose biggest petrochemicals firm Sabic is also the largest listed firm in the Middle East, there are also possible implications for regional stock markets.
“There’s a real under-investment in industries compared to the risk,” Mr Simonovich told reporters in Dubai. “Industrial cyber is the new risk frontier.”
The Middle East energy companies’ spending on OT security is at par or slightly below the global average spend of 25 to 30 per cent of the cyber security budget, Mr Simonovich said. The study found that 30 per cent of the region’s attacks are targeting OT.
Ideally, companies should spend at least half their cyber security expenditure on OT systems, an area where there’s more work to be done compared to the mature field of IT, Eitan Goldstein, Siemens’ director of industrial cyber and digital security, told The National.
The Gulf’s energy industry has weathered rough years following the oil price slump, which slowed investment across the hydrocarbons value chain globally. Cyber analysts say that investments in safer solutions do not have to break the bank.
The spate of cyber attacks on critical energy infrastructure in the region has “raised the focus and attention on issues related to cyber security and has made it more real,” Husain Al Bustan, team leader of information technology at state downstream operator Kuwait National Petroleum Company, said during a panel on cybersecurity in Dubai on Tuesday.
Regulatory bodies in the Gulf are “working hard” to establish controls to maintain cyber safety measures on power grids, without which company licenses will not be renewed, Mir Dawar Ali, IT director for Saudi Arabia’s Acwa Power, said at the panel.