Fighting cyber crime
Organisers of the second annual Security in Energy conference, to be held in Abu Dhabi in November, say that oil and gas has been exposed as a prime target for cyber criminals after the industry was singled out during international ransomware attacks.
Co-located within the Abu Dhabi International Petroleum Exhibition and Conference (ADIPEC), Security in Energy recognises the increasingly critical importance of IT systems to oil and gas operations, and follows two major ransomware attacks in the first half of 2017.
The second of these, the NotPetya attack at the end of June, appears to have specifically targeted oil and gas companies. According to analysis by Kaspersky Labs, just three business sectors accounted for around 80 per cent of targets. Oil and gas accounted for around 25 per cent, a close second to the finance sector, and just ahead of manufacturing.
“Cybercrime is a serious problem for any business, but recent incidents raise concerns that oil and gas companies will be high-priority targets for attacks,” said Christopher Hudson, President – Global Energy at dmg events, which organises ADIPEC in partnership with Abu Dhabi National Oil Company (ADNOC). “The Security in Energy conference provides a robust discussion specific to the needs of this industry, helping companies ensure that strong defences are in place,” he mentioned.
Recent reports predict the Middle East cyber security market will grow from USD 11.38 billion in 2017 to USD 22.14 billion by 2022. ADIPEC’s Security in Energy Conference delivers the latest market intelligence in energy security protocols, and places a spotlight on the best innovations, security practices and crisis planning within the industry.
Specific conference sessions will cover key topics in cyber security, including ransomware; the internet of things (IoT); the convergence of operational technology and IT; security and compliance risks in cloud computing; risk management for supply chain and business continuity; and the use of big data and analytics. Keynote addresses will focus on the balance between investment and risk, and the impact of regional collaboration on oil and gas security, with discussions to include both defensive and offensive approaches to security.
The conference programme is planned to offer immediate relevance to oil and gas. For example, there will be a significant discussion of threats to critical infrastructure, where attacks could cause widespread operational disruption and safety risks. It will offer insights into front-line protection strategies, whether for new systems or by retrofitting existing industrial control systems, to build secure and resilient operations.
There will also be a dedicated Security in Energy zone within the ADIPEC exhibition halls.
“Illicit cyber activity is here to stay,” said Don Randall, Former Head of Security and Chief Information Security Officer for the Bank of England, who will be sharing his expertise during the conference. “But understanding the motivation of the perpetrators, with appropriate responses and education, can substantially reduce the risk and harm,” Don Randall underlined.
The list of speakers will feature leading figures from organisations tasked with tackling cybercrime in the Middle East, including Ahmed Alshemaly, Director, Cyber Defense Centre, National Electronic Security Authority (NESA), United Arab Emirates; Eng. Ibrahim AlShamrani, Executive Director of Operations, National Cyber Security Center, Ministry of Interior, Saudi Arabia; and Mohammed Bushlaibi, Forensic Analyst, Telecommunications Regulatory Authority (TRA), United Arab Emirates. They will speak alongside renowned international experts.
According to Accenture’s High-Performance Security 2016 Report, 96 cyberattacks were reported over 12 months by oil and gas company heads, while 55 per cent of oil and gas leaders say the need to fill cybersecurity gaps in end point or network security is their most pressing concern. The Cisco 2017 Annual Cybersecurity Report estimates that the frequency of ransomware attacks is growing by around 350 per cent each year. The tools to conduct an attack are easy to obtain and easy to use. Ransomware is even available as a software-as-a-service subscription.
While the number of attacks is increasing, there are concerns that some oil and gas companies have reduced their security budgets as they struggle to balance cost and risk at a time when finances are under pressure, leaving themselves dangerously exposed. The Security in Energy conference sessions will aim to bridge this awareness gap, emphasise the importance of building a solid defence platform against cyber-attacks and understanding the fallout of an attack and its implications to business.
“Cybercrime is a threat to the global economy,” said Sandip Patel, QC, a UK-based lawyer and leading international expert on prosecuting cybercrime cases in court, and one of the speakers at the Security in Energy conference. “Some estimates cost it at more than 445 billion dollars, but the true cost is far greater as many countries do not report on this.”
By co-locating security within ADIPEC, one of the world’s most important strategic gatherings for top global oil and gas executives, Security in Energy ensures that the integrity of systems is part of a broader discussion of industry issues.
A company’s security protocols are generally in the capable hands of the CIO/CISO. However, in order for the protocols to be 100 per cent understood and delivered, it is the priority of the entire organisation, from the top-down and bottom-up, to ensure a solid framework and delivery. Bridging the vocabulary gap between security professionals and their CEOs and senior management teams is vital to ensure they are all aligned on the ever-present security risks to their organisation.
“Reducing cost and improving efficiency are important messages in oil and gas today, and many companies are investing in technology to reduce their costs,” said Christopher Hudson. “Keeping that technology safe and secure needs to be a number one priority. It needs to be as much a concern for the Chief Executive Officer as it is for the Chief Information Officer. Security in Energy recognises that this is a core issue for a modern business, and cannot be pushed into a departmental silo,” Christopher Hudson highlighted.