16/11/2017 – News / Energy / Cyber-Security / ADIPEC / Middle East
Energy sector is overtaking finance as target for cyber-criminals in Middle East
Ibrahim Al Shamrani, Executive Director of Operations at Saudi Arabia’s National Cyber Security Center, speaking at ADIPEC
Energy is overtaking banking and finance as a target for cyber-criminals in the Middle East, yet companies in the sector are leaving themselves significantly more open to a successful attack, leading international experts told ADIPEC’s Security in Energy conference in Abu Dhabi.
In an opening address to delegates, Ibrahim Al Shamrani, Executive Director of Operations at Saudi Arabia’s National Cyber Security Center, said 300 new malware samples were being discovered each day, and that his organisation was facing a growing number of attacks on the energy industry.
“The energy sector is trending to be the second most targeted sector in the country in 2017, behind the government and ahead of the financial and telecommunications sectors,” Al Shamrani said. “However, attackers are three times more successful in compromising energy companies than they are in the financial sector. In this era, if oil and gas companies think they haven’t been attacked, or even compromised, I can tell them, you are not looking hard enough.”
Recent figures from McAfee estimate the global cost of cyber-related crime, or illicit activity, is between US$375bn and US$550bn per year.
In a keynote address to the Security in Energy conference, Don Randall, former Head of Security and Chief Information Security Officer (CISO) at the Bank of England, said he believed that figure was probably around US$400bn, and growing at between 10 and 20 per cent every year.
The threat trinity – hacking, phishing, and false identity
“When we look at the types of issues that could affect the oil & gas or energy industries, the three principles are still hacking, phishing, and false identity,” Mr Randall told the conference. “It doesn’t matter if you’re in the financial sector, in energy, utilities, the government, or anything else – the cyberattack will be the same, it’s just the consequences that are different.”
For those making attacks, the chances of getting caught are low. Mr Randal said that in the first six months of 2017, there were 350,000 attacks reported in the UK, but it is estimated that figure represents only 40 per cent of the actual number of attacks taking place. He added that just 10 per cent of reported attacks are then investigated by law enforcement, and only 1.5 per cent result in any kind of judicial process.
Who is policing your IT?
In his Bank of England role, Mr Randall helped develop new security protocols, including the creation of a specific Information Security Division, headed by himself as Chief Information Security Officer, reporting directly to the board.
That model is now widespread in banking, completely separating the department that runs the IT infrastructure from the team responsible for recognising and responding to threats.
“I think we have to be quite radical in how we structure the responsibility and role of those who are there to police cyber activities,” Mr Randall asserted. “Seriously look at who is policing your IT, and ask: is that the same person who is managing it, maintaining it, implementing it, and looking after it – and potentially covering it up? That’s the issue. You’ve got to work in harmony with the IT department, but you’ve got to have an independence there.”
Held under the patronage of His Highness Sheikh Khalifa Bin Zayed Al Nahyan, President of the UAE, hosted by the Abu Dhabi National Oil Company (ADNOC), and organised by the Global Energy division of dmg events, ADIPEC is one of the world’s leading oil and gas events, and the largest in Africa and the Middle East.