Dealing With Cyber Threat in the Middle East
Since the 2010 discovery of the Stuxnet worm targeted at industrial programmable logic controllers (PLC), the Middle East has been central to the increased profile of cyber security threats facing industrial enterprises worldwide.
While the threats have continued to evolve, the Middle East remains a key target for attackers. In early 2015, for example, cyber security firm Symantec identified a new information harvesting malware – dubbed “Trojan.Laziok” – targeting energy companies worldwide. The most frequent target for these attacks, according to Symentec, were the UAE (25 percent), Saudi Arabia and Kuwait (10 percent), and Oman and Qatar (5 percent).
With attacks increasing both in terms of numbers and sophistication, for most it is not a question of if they are attacked, but when. Whether from enemy states, terrorists, “hacktivists” criminals or insiders, the risks facing oil and gas producers in the region are ever changing and ever growing.
A survey conducted for Honeywell by researchers Ipsos shows this message has been heard – more than two thirds (69 percent) in the UAE, for example, fear cyber hackers breaching the defences of major sectors of the economy and 64 percent say oil and gas producers are vulnerable to attack.
There have been significant efforts from the industry to address cyber security. These efforts are partly driven by fear, particularly in the aftermath of previous attacks, and reflect industry requirements to ensure availability, reliability and safety – key foundations for profitable and efficient operations. Increasingly, they are also driven by regulation and the adoption of cyber security standards in the region.
Many national governments in the Middle East have stepped up their requirements. Qatar, for example, published the third version of its National Standards for Security of Critical Industrial Automation and Control Systems in 2014, and last year outlined further developments in its National ICT Plan 2015. In 2014, the UAE’s National Electronic Security Authority also published new standards, drawing on international standards such ISO 27001 and the US National Institute of Standards & Technology. Saudi Arabia, meanwhile, has been developing its National Information Security Strategy (NISS), and has had tough anti-cybercrime laws in place since 2007.
Despite this, the evolving threats, increasing use of connected devices and systems, and – it should be admitted – continued weaknesses in security in some companies mean further improvements in cyber security are needed.
To achieve these, businesses must take a holistic approach. They need technological solutions to both detect attacks and fend them off, good processes to ensure technology is well applied and can be effective, and training and awareness-raising among staff to prevent them becoming a weak link in businesses’ battle for cyber security.
This is, however, harder than it sounds.
A Holistic Approach
What is required is a full lifecycle approach that encompasses people, the process and technology.
A lifecycle approach recognizes that no cyber security project is ever complete. It starts with a risk assessment and audits to establish the risks and vulnerabilities. These are then addressed through IT architecture design and optimization, network security and endpoint protection. Tools and processes to develop situational awareness then enable monitoring for attacks and incidents, and, when incidents do occur, effective responses, recovery and reviews are implemented. Finally, the learning from the process feeds back into the risk assessment that began it.
The key point is that the process is iterative, and that the real work only begins when the implementation project ends.
Traditional security software only addresses part of this process – providing firewalls, patches and malware protection, but not proactive monitoring for weaknesses and exposures, nor a route to improve security. Weaknesses in such a system are often only discovered through an incident or periodic review. Moreover, no clear visibility of the risks is offered to enable continuous monitoring by operational teams. The products address an IT rather than operations audience.
View Full Article
WHAT DO YOU THINK?
Generated by readers, the comments included herein do not reflect the views and opinions of Rigzone. All comments are subject to editorial review. Off-topic, inappropriate or insulting comments will be removed.