On 15 August 2012, an employee of Saudi Aramco with privileged access opened a scam email, one of the many that pass through spam filters every day. Evidence later led to the conclusion that this act was a form of sabotage, as the release of the virus that affected the system was intentional. The self-replicating virus infected as many as 35,000 of the company's Windows-based machines. In practice, the whole computer-based system of the organisation was destroyed in a matter of hours.
Shamoon was identified as the virus that caused significant disruption to one of the world's largest oil producers. Its main function appeared to have been the indiscriminate deletion of data from computer hard drives. Although this did not result in an oil spill, explosion or other major fault in the organisation's operations, the attack affected business processes and resulted in the loss of some drilling and production data. Saudi Aramco's computer technicians ripped cables out of the backs of computer servers at data centres all over the world. Every office was physically unplugged from the Internet to prevent the virus from spreading further.
Without access to the digital payment system, the company's ability to supply 10% of the world's oil was also wiped out, and it had to stall the trucks waiting at its gates to take the oil away. The company was sent back to the 1970s, as employees had to use typewriters and faxes to keep basic functions operable.
While drilling and pumping of oil continued because they were automated, the business's operational capacity had to go offline to manage supplies, shipping and contracts. After 17 days, Saudi Aramco had to start giving away oil for free to ensure supply within Saudi Arabia. The knock-on effect was a constrained hard drive market, as Saudi Aramco purchased 50,000 hard drives straight from factory floors in Southeast Asia, at a higher price to cut queues. Five months later, with a newly secured computer network and an expanded cybersecurity team, Saudi Aramco brought its system back online. The hackers were never caught.
The attack on Saudi Aramco revealed some interesting findings with respect to cyber security:
- Cyber-attacks are difficult to predict
- An attacker needs to find just one vulnerable access point to enter a system
- Vulnerabilities in systems usually remain undetected
- Attacks are usually anonymous and hard to trace
- Low cyber security awareness among employees leads to cyber incidents that may prove serious or catastrophic
- A computer-based system collapses rapidly in relation to response actions; it takes only a few minutes for an internet-based system or network to be affected.
Unfortunately, the lessons learned from the attack were not taken seriously into consideration, and in 2014 more than 50 Norwegian oil and energy organisations were hacked by unknown attackers, according to government security authorities.
Shamoon also attacked RasGas in Qatar, only weeks after the Aramco cyber-attack. However, the disturbance at RasGas was negligible compared to the impact in Saudi Arabia and, as far as is known, it did not affect the production of natural gas. Qatar proved to be proactive by establishing, back in 2004, a governmental organisation focused on deterring possible attacks by detecting, analysing and monitoring cyber threats. In particular, Qatar serves as a good example for developing, and obtaining agreement on, a national cyber security strategy to deter cyber crime and create a national incident management capability.
Although headline cyber security incidents are rare, many attacks go undetected or unreported, as many organisations do not know that someone has broken into their systems. The first line of attack is often the office environment of an oil and gas company, from which the attacker works through to the production network and the process control and safety systems. In a recent study with the Lysne Committee, DNV GL identified the following top ten cyber security vulnerabilities for the oil and gas sector:
- Lack of cyber security awareness and training among employees
- Remote work during operations and maintenance
- Using standard IT products with known vulnerabilities in the production environment
- A limited cyber security culture among vendors, suppliers and contractors
- Insufficient separation of data networks
- The use of mobile devices and storage units including smartphones
- Data networks between on- and offshore facilities
- Insufficient physical security of data rooms, cabinets, etc.
- Vulnerable software
- Outdated and ageing control systems in facilities.
While speaking at the SAFETY4SEA Cyber Masterclass in May 2018, Mr. Apostolos Belokas, Managing Editor, SAFETY4SEA, provided lessons learned from recent cyber incidents and addressed future challenges.