Business & Money | Wednesday 17 August, 2016 11:58 am |

Since the 2010 discovery of the Stuxnet worm targeted at industrial programmable logic controllers (PLCs), the Middle East has been central to the increased profile of cyber security threats facing industrial enterprises worldwide. The 2012 security breach of a leading oil and gas company in the region still remains one of the most significant cyber attacks on a process plant to date.

It should be no surprise the region faces a particular challenge from cyber-attacks. Risk in any setting is a function of the threat, vulnerability and consequences, and the Middle East’s status as a global centre for oil and gas production puts a heavy weight on the last part of that equation. The consequences of a successful attack on its key businesses are profound.

So, while the threats have continued to evolve, the Middle East remains a key target for attackers. In early 2015, for example, cyber security firm Symantec identified a new information harvesting malware – dubbed “Trojan.Laziok” – targeting energy companies worldwide. The most frequent target for these attacks, according to Symentec, were the UAE (25 per cent), Saudi Arabia and Kuwait (10 per cent), and Oman and Qatar (5 per cent).

With attacks increasing both in terms of numbers and sophistication. for most it is not a question of if they are attacked, but when. Whether from enemy states, terrorists, “hacktivists” criminals or insiders, the risks facing oil and gas producers in the region are ever changing and ever growing.

 

A survey conducted for Honeywell by researchers Ipsos shows this message has got through: More than two thirds (69%) in the UAE, for example, fear cyber hackers breaching the defences of major sectors of the economy; 64% say oil and gas producers are vulnerable to attack.

 

 

Increasing expectations

 

In response, there have been significant efforts from the industry to address cyber security. Partly, these efforts are driven by fear, particularly in the aftermath of previous attacks. Partly, they simply reflect industry requirements to ensure availability, reliability and safety – key foundations for profitable and efficient operations. Increasingly, they are also driven by regulation and the adoption of cyber security standards in the region.

Many national governments in the region have stepped up their requirements. Qatar, for example, published the third version of its National Standards for Security of Critical Industrial Automation and Control Systems in 2014, and last year outlined further developments in its National ICT Plan 2015. In 2014, the UAE’s National Electronic Security Authority also published new standards, drawing on international standards such ISO 27001 and the US National Institute of Standards & Technology. Saudi Arabia, meanwhile, has been developing its National Information Security Strategy (NISS), and has had tough anti-cybercrime laws in place since 2007.

Despite this, the evolving threats, increasing use of connected devices and systems, and – it should be admitted – continued weaknesses in security in some companies mean further improvements in cyber security are needed.

To achieve these, businesses must take a holistic approach: Technological solutions to both detect attacks and fend them off; good processes to ensure technology is well applied and can be effective; and training and awareness raising among staff to prevent them becoming a weak link in businesses’ battle for cyber security.

This is harder than it sounds.

 

A holistic approach

What is required is a full lifecycle approach that encompasses people, the process and technology.

A lifecycle approach recognises that no cyber security project is ever complete. It starts with a risk assessment and audits to establish the risks and vulnerabilities. These are then addressed through IT architecture design and optimization, network security and endpoint protection. Tools and processes to develop situational awareness then enable monitoring for attacks and incidents, and, when incidents do occur, effective responses, recovery and reviews are implemented. Finally, the learning from the process feeds back into the risk assessment that began it.

The key point is that the process is iterative, and that the real work only begins when the implementation project ends.

Traditional security software only addresses part of this process: providing firewalls, patches and malware protection, but not proactive monitoring for weaknesses and exposures, nor a route to improve security. Weaknesses in such a system are often only discovered through an incident or periodic review. Moreover, no clear visibility of the risks is offered to enable continuous monitoring by operational teams. The products address an IT rather than operations audience.

Honeywell’s Risk Manager software addresses these issues to promote continuous and proactive security.

An industry first, the software provides real-time monitoring for indicators of threats and vulnerabilities in the industrial control system; translates these indicators into simple risk measurements to promote situational awareness; and offers guidance for engineers and operators without cyber security experience to respond effectively. It also provides key performance indicators, baselines and risk scores in line with industry standards to enable continuous improvement of the cyber security program and promote compliance.

 

The people problem

Poor practice and lax security among staff continue to be key weak spots in cyber security strategies. This is why people and processes, as well as technology, are vital to security. By promoting situational awareness and understanding of the risks, operational software can help operational and IT teams identify and address training and educational needs. It can also help them review processes to make them more secure.

Nevertheless, the cyber security efforts need to be led by experts in the field, and this is the other part of the people problem: finding staff with the requisite knowledge and skills.

 

This is a challenge worldwide, since the number of skilled workers with in-depth understanding of both cyber security and industrial automation and control systems is limited. In the Middle East, recent pressure – regulatory and otherwise – to develop cyber security resources means demand for qualified specialists is particularly fierce.

Fortunately, technology can also help address this issue by facilitating connections to outside expertise. Encrypted, secure connections allow businesses to outsource services such as protection management, continuous monitoring and alerting, intelligence reporting, and perimeter and intrusion management.

Such managed services are likely to see increasing uptake in the future, because neither the expectations on critical businesses in the Middle East, nor the threats they face, show any sign of diminishing. In fact, both look likely to continue to grow. As they do, the difficulties of meeting them with traditional IT solutions and in-house expertise will grow as well. Those businesses, such as Honeywell, with both worldwide expertise and a significant regional presence to provide real-time support are well placed to help meet this challenge.    

To control both their security and their costs, Middle Eastern businesses have to look take a fresh look at their cyber security strategy. As ever, it will mean looking at their technology, people and processes. Increasingly, however, the difference between success and failure will be how well they are able to work with their partners to help develop more effective answers to this challenging area.