Mena on the frontline of energy sector cyber war
The Middle East and North Africa has become a battlefield in an increasingly hostile cyber-war. And the region’s vital energy sector is the frontline, says Justin Dargin
Computer screens at the North American Aerospace Defense Command (NORAD) indicate to anxious personnel that a massive Soviet attack is under way.
Hundreds of bombers, nuclear-tipped inter-continental ballistic missiles (ICBMs) and submarines are heading for the US. NORAD prepares to retaliate and readies the US nuclear arsenal for a devastating counter-attack. But, at the last moment, humanity is saved, and it is discovered that the supposed Soviet nuclear attack was the result of a hacking gone wildly out of control.
Sounds real? Thankfully, it was not. It was a scene from the 1983 blockbuster WarGames. The movie was released a full decade before the internet became commercialised and a full two decades before it became part of everyday life. While hackers first appeared on the scene in the 1960s, born out of the high-tech and competitive environment at the Massachusetts Institute of Technology (MIT), hacking was first introduced to the general public by WarGames.
In WarGames, the film’s main character, played by a young Matthew Broderick, attempted to hack into the mainframe of a video game manufacturer so he could play games. Instead, he mistakenly hacked into NORAD’s advanced nuclear combat simulator, almost starting global thermo-nuclear war in the process. The movie, and a string of films made after it, sensationalised the dangers inherent to our computerised society.
While some of the fears voiced about cyberwar may be overblown, it is undeniable that there are serious risks. Cyber-attacks, which include cyber-espionage, the act of obtaining privileged information without the permission of the holder, as well as hacking to cause sabotage, are on the rise. And one of the most prominent targets has been the energy sector in the Middle East-North Africa (MENA) region, a development which threatens global energy markets by potentially disrupting supply and destabilising prices.
The beginning of major regional cyber-hostilities can be traced to Stuxnet, a worm discovered in 2010 that targeted the centrifuge controllers at Iran’s uranium enrichment facility at Natanz. Stuxnet, the most damaging cyber-attack in the region to date, forced MENA policymakers to seriously consider the threat posed by cyber-attacks.
Top secret work
The worm is reported to be the product of “Olympic Games”, a classified programme launched during George W Bush’s presidency and continued under Barack Obama, whose administration has made cyber-defence and -offence a strategic pillar of national security. Neither the US nor Israel has admitted any connection to Stuxnet, but it is widely believed they collaborated to develop the sophisticated malware. In mid-2010, a programming error reportedly caused Stuxnet to spread beyond Natanz. It has since been found on roughly 100,000 computers around the world, the majority of them in Iran.
After the Stuxnet attack, other malware compromised sensitive Iranian computer infrastructure. In April 2012 a data-wiping attack hit the National Iranian Oil Company and the Iranian Oil Ministry, and the investigation that followed led to the discovery of the W32 Flame espionage malware in May 2012. These attacks did not seriously compromise Iranian oil production, as the country’s hydrocarbon sector is still primarily mechanical, not computerised. To contain the April attack, Iranian officials disconnected several of the country’s main oil terminals from the internet to prevent the malware from spreading. And to provide a defence against further attacks, Iran is following a two-pronged cyber-security strategy, creating a special hacking unit with both defensive and offensive functions.
Iran is also planning to protect its national computer systems by isolating its domestic internet from the global web. The Iranian authorities already implemented the first phase of this plan, which saw all governmental offices and ministries connected to a national network which lacks external access. The second phase, due for completion in March, will bring all Iran’s internet users into the national intranet fold. While the Iranian intranet will regulate the exchange of information among citizens and regulate social media use, it will go some way towards shielding industrial networks from cyber-attacks from outside the domestic network.
Iran is not the only country fighting on the virtual frontlines. In August 2012, hackers launched cyber-attacks against Saudi Aramco and Qatari natural gas producer RasGas. The two firms were hit by the Shamoon malware, also called Disttrack, which overwrites files and the master boot record of an infected machine, rendering it unusable.
The Aramco attack infected nearly 30,000 workstations, crippling almost three-quarters of the company’s computers. This ultimately purged documents, spreadsheets, emails and files from the computer system. The malware replaced the purged files with an image of a burning US flag, and reported back to a remote server. US defence secretary Leon Panetta claimed the attack was “probably the most destructive attack that the private sector has seen to date”. Abdullah al-Saadan, Aramco’s vice president for corporate planning, said that hackers spent nearly a month attempting to penetrate Aramco’s servers before they succeeded. Al-Saadan told the media: “[T]he main target in this attack was to stop the flow of oil and gas to local and international markets.”
Shamoon did not disrupt Saudi production, mostly because Aramco’s main output facilities run on a network segregated from the business IT system and, as in Iran, much of the firm’s production technology is mechanical rather than computerised.
While Aramco has not publicly announced who, or what, it suspects is behind the attack, US officials maintain it is the work of Iran. Iran, for its part, denied any involvement. While the Islamic Republic is widely assumed to have both the motive and the capability to have launched the attack, computer forensics operations are still under way and no concrete evidence has yet been made public to support US claims.
Some analysts point out that the Aramco cyber-attack could have been Iran’s response to Saudi Arabia’s decision to increase oil production in mid-2012. The Saudi move compensated for the loss of Iranian production as western sanctions against Iran came into force, effectively removing Iranian production from the market.
Since the Shamoon attack, Saudi Arabia has doubled homeland security spending from $7.8 billion to $15.4bn. The kingdom also established a protection force for its oil sector, which will employ 35,000 personnel. Cyber-security will be one of the force’s main focuses.
Shortly after the Aramco attacks, Qatar’s RasGas also became a victim of hacking. As with Aramco, the damage did not extend to production facilities. Even before the attack, Qatar was proactive in defining its cyber-security policies. It created a government agency in 2004 to focus on deterrence, monitoring, detection and analysis of emerging cyber-threats.
In both the Aramco and RasGas attacks, the malware did not disrupt energy production because the servers that control output sit on a network segregated from the corporate network. Iran is believed to have masterminded both attacks, but officials have yet to provide indisputable evidence for this allegation. In any case, it appears that insiders at Aramco, and possibly RasGas, helped the hackers gain access to the firms’ computer systems. The mole seems to have introduced the malware via a USB drive, thereby bypassing the perimeter firewalls entirely.
The United Arab Emirates’ energy infrastructure has, so far, not been compromised by a cyber-attack. Nevertheless, there are concerns about the country’s vulnerability. Historically, the UAE, a major financial hub for MENA, considered cyber-security issues through the prism of financial crime. Various estimates posit that, annually, cyber-crime costs the UAE approximately $600m.
According to an International Institute for Management Development report, the UAE’s cyber-security ranks first in the MENA region, and is fourth globally. However, in terms of non-governmental computer networks, the statistics are not so impressive. In its annual cyber-threat assessment report, Microsoft announced that in the UAE alone approximately 36% of private-sector computers are infected with some form of computer virus, adding that the Emirates’ infection rate is almost double the global average.
Now, as the UAE plans to increase its oil production from 2.8m barrels a day (b/d) to 3.5m b/d by 2018, it is focusing on developing a cyber-security apparatus for its energy sector.
While other MENA countries are still developing their cyber-security infrastructure, the UAE has already created a national cyber-defence organisation, the Computer Emergency Response Team, a unit of the Emirates’ Telecommunication Regulatory Authority (TRA). The response team monitors and prevents attacks on the country’s technology infrastructure. The TRA provides alerts to members and gives directions on how to mitigate attacks, and also searches for structural weaknesses in the country’s computer network.
The MENA region is not the only region seeing an increase in cyber-attacks directed against the energy sector. It is a global issue and many countries now sense their vulnerability. For instance, the US Department of Homeland Security (DHS) announced that by the end of the fiscal year on 30 September 2012, American companies reported 198 cyber-incidents (attacks and intrusions) to the government. The DHS indicated that more than 40% of these incidents targeted energy companies.
In 2012, the DHS warned of an extensive cyber-attack aimed at US natural-gas pipeline companies, adding the attack appeared to be espionage. Some US intelligence community officials suspect China was complicit, either officially or unofficially. Similar intrusions have targeted Canadian energy firms.
China vehemently denied the accusations, saying they are unfounded. Canadian security agencies warn that the “usual suspects” (China or Iran, for example) are not always the perpetrators, cautioning that so-called hacktivist groups, such as Anonymous, may be the culprits. In 2011, Anonymous threatened to unleash a wave of cyber-attacks against companies active in Canada’s oil-sands. It is understood organised crime syndicates are seeking to pilfer sensitive company and governmental information by malware in order to sell to the highest bidder.
Cyber-attacks have not yet disrupted global oil and gas supplies. This is, in part, because attacks on the energy sector have been limited to business IT networks, rather than production facilities. In many energy companies, these two networks are separated by an “air gap”: there is no physical network connection between them, so nothing on the business network can communicate electronically with the production systems. While this has prevented many cyber-attacks from hitting hydrocarbons output, quarantining a company’s production network in this way can be defeated by an inside job. A hacker, or a mole, can physically carry malware on a USB flash drive, as is suspected in the Aramco and RasGas attacks, plug it into a machine on the production network and potentially wreak havoc.
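Because the air gap is only as good as the controls on removable media, the one thing a production network operator can still do is watch for USB storage appearing on hosts that should never see it. The example below is added here and is not code from the article or from any of the companies named; it parses Linux kernel syslog messages (the constructed sample lines embedded in the block, not real incident data) for usb-storage attachments and flags those that occur on a hypothetical inventory of air-gapped production hosts. The host names, the inventory and the log lines are assumptions for illustration.

```python
"""Flag removable-media attachment on hosts that are supposed to be air-gapped.

Added example: parses Linux kernel syslog lines for usb-storage attachments
and raises an alert when the host is on the production (air-gapped) inventory.
The log lines and host names below are constructed, not taken from any real
incident.
"""
import re
from dataclasses import dataclass

# Constructed sample: syslog-style kernel messages from three hosts.
SAMPLE_LOG = """\
Jan 14 09:12:03 hist-01 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Jan 14 09:12:03 hist-01 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Jan 14 09:12:04 hist-01 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Jan 14 09:13:10 plc-gw-02 kernel: usb 2-1: new full-speed USB device number 3 using ehci-pci
Jan 14 09:13:11 plc-gw-02 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
Jan 14 09:15:00 corp-ws-17 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Jan 14 09:16:42 hist-01 kernel: usb 1-1: USB disconnect, device number 4
"""

# Hypothetical inventory of hosts that live on the isolated production network.
PRODUCTION_HOSTS = {"hist-01", "plc-gw-02", "scada-srv-01"}

# syslog prefix: "<Mon> <day> <hh:mm:ss> <host> kernel: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+kernel:\s+(?P<msg>.*)$"
)
# The usb-storage driver logs this exact phrase when a mass-storage interface binds.
MASS_STORAGE_RE = re.compile(
    r"usb-storage\s+(?P<port>[\d\-.:]+):\s+USB Mass Storage device detected"
)


@dataclass(frozen=True)
class MediaEvent:
    timestamp: str
    host: str
    usb_port: str  # bus-port:config.interface as the kernel names it, e.g. 1-1:1.0


def find_removable_media_events(log_text):
    """Return one MediaEvent per usb-storage attachment found in the log."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a kernel message in the expected syslog format
        ms = MASS_STORAGE_RE.search(m.group("msg"))
        if ms:
            events.append(MediaEvent(m.group("ts"), m.group("host"), ms.group("port")))
    return events


def air_gap_violations(log_text, production_hosts):
    """Attachments on hosts that should have no removable media at all."""
    return [e for e in find_removable_media_events(log_text) if e.host in production_hosts]


if __name__ == "__main__":
    for e in air_gap_violations(SAMPLE_LOG, PRODUCTION_HOSTS):
        print(f"ALERT {e.timestamp} {e.host}: USB mass storage on port {e.usb_port}")
```

On the sample, the corporate workstation’s USB stick is ignored while the historian and the PLC gateway both raise alerts; in practice the same logic would run on logs forwarded by a one-way data diode or collected by hand, since the production hosts by definition cannot ship them over the corporate network.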
Regional tensions, associated with Gaza and the West Bank, the Arab Spring and the Iranian uranium enrichment programme make it probable that cyber-attacks in the region will continue apace. The Arab Spring is of particular salience as it created a perfect storm for such cyber-attacks to increase in both scope and ferocity as pro-government and rebels battle it out in the virtual realm.
In the future, it is likely most cyber-attacks will focus on regional energy infrastructure, while increasing in scope and sophistication. Many MENA countries are working to further develop their defensive capabilities to stave off and deter potential attacks. However, there are no international treaties governing cyber-activity of this kind, and no globally accepted norms of what constitutes acceptable state action in this field.
But legal principles are emerging to govern the virtual world. For instance, the US government reasons that rules governing defensive posture in the wake of a cyber-attack should follow parallel rules for military engagements in the “kinetic” world. The corollary of this is that the Department of Defense is increasingly likely to respond to a destructive cyber-attack against US interests with conventional military retaliation.
Nonetheless, there are several reasons to believe that cyber-attacks will increase sharply in the future. For one thing, they are often viewed as a “cost-free” method to inflict damage on a rival who is unlikely to respond in a conventional military way. Moreover, governments and companies often do not disclose cyber-attacks in order to avoid creating a media storm. The issue of attribution of cyber-attacks is quite unsettled as well. While computer forensic techniques have become more sophisticated, it is still exceedingly difficult to establish the identities of the perpetrators of a cyber-attack.
MENA policymakers are well aware of the potential damage cyber-attacks could cause, not only to their reputations, but to their economic growth and the health of the global economy as well. As a result, several MENA countries have recently hosted high-profile IT defence forums, including the Cyber Defense Summit, which has been held in Muscat for the past two years, and the Middle East Energy Security Forum, held in Dubai. Moreover, several IT security companies have relocated to the region to help policymakers develop robust defences.
It must be stressed that cyber-attacks, such as Stuxnet against Iran, are not run-of-the-mill. For a start they are not easy to deploy. But, as MENA countries modernise their computer systems and energy production infrastructure, their vulnerability to cyber-attacks will increase. Some energy companies are upgrading their IT networks, but are connecting some critical infrastructure directly to the internet. This worries cyber-security experts as these nodes can be used as entry points by dedicated hackers. However, the leap from gaining entry to a computer network to hacking into and controlling production systems is a large one, and quite difficult to achieve.
Malicious code of Stuxnet’s calibre requires significant expertise and capital to develop and unleash, putting it beyond the competence of “ordinary” hackers. Even so, a determined foe need not defeat the online security architecture at all: a mole within the company can bypass it by uploading malware via a USB drive.
The greatest cyber-threat facing the energy sector is cyber-espionage and intrusion. At present, it is extremely difficult to gain remote control over an industrial process. But as convergence – the use of network architecture to integrate separate networks into one, such as the business and production networks of an energy company – becomes the norm, companies increase their vulnerability to hackers. Once the two networks are joined, a single permissive firewall rule between them is enough to give an intruder on the business side a route to the production side. After all, a network is only as strong as its weakest element.
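The weakest-element point is easy to state and easy to miss in a real rule base, because no single rule has to look dangerous. The example below is added here and is not code from the article or from any company it describes; it models a converged network’s zone firewall policy as a graph and enumerates every chain of permitted connections by which the corporate zone can reach the process-control zone, then shows the same check passing on a hardened policy. The zone names, rules and port numbers are constructed for illustration (the sample uses tcp/443 for the historian’s web interface and tcp/502 for Modbus polling, which are the conventional ports, but the policy itself is hypothetical).

```python
"""Segmentation check for a converged business/production network.

Added example: treats each firewall allow rule as a directed edge between
zones and searches for any chain of rules that lets the corporate zone
initiate connections into the control zone. Zones, rules and ports below
are constructed for illustration.
"""
from collections import deque

# Rule: (source zone, destination zone, tcp port or "any") for connections
# the firewall permits the source to initiate.
# Constructed converged policy: corporate may reach the historian in the DMZ,
# and the historian may poll controllers over Modbus. Neither rule looks
# dangerous on its own; together they form a path into the control zone.
CONVERGED_POLICY = [
    ("corporate", "dmz", 443),
    ("corporate", "internet", "any"),
    ("dmz", "control", 502),
    ("control", "dmz", 443),
]

# Hardened policy: the control zone pushes data out to the historian and
# nothing is permitted to initiate a connection into the control zone.
HARDENED_POLICY = [
    ("corporate", "dmz", 443),
    ("corporate", "internet", "any"),
    ("control", "dmz", 443),
]


def reachable_paths(policy, src, dst):
    """All cycle-free zone paths from src to dst along allow rules.

    Returns a list of paths; each path is a list of (from, to, port) hops.
    Breadth-first, so shorter chains are reported first.
    """
    adj = {}
    for s, d, port in policy:
        adj.setdefault(s, []).append((d, port))
    found = []
    queue = deque([(src, [])])  # (current zone, hops taken so far)
    while queue:
        zone, hops = queue.popleft()
        visited = {src} | {h[1] for h in hops}
        for nxt, port in adj.get(zone, []):
            if nxt in visited:
                continue  # never revisit a zone within one path
            new_hops = hops + [(zone, nxt, port)]
            if nxt == dst:
                found.append(new_hops)
            else:
                queue.append((nxt, new_hops))
    return found


def describe(path):
    """Render a hop list as 'corporate -> dmz(tcp/443) -> control(tcp/502)'."""
    return " -> ".join([path[0][0]] + [f"{d}(tcp/{p})" for _, d, p in path])


if __name__ == "__main__":
    for name, policy in (("converged", CONVERGED_POLICY), ("hardened", HARDENED_POLICY)):
        paths = reachable_paths(policy, "corporate", "control")
        print(f"{name}: {len(paths)} path(s) from corporate to control")
        for p in paths:
            print("  " + describe(p))
```

The converged policy yields one path, corporate -> dmz(tcp/443) -> control(tcp/502): the historian is the weak element, because anyone who compromises it from the business side inherits its Modbus access. The hardened policy keeps the historian but reverses the direction of the control-zone rule, so the search finds no route; running a check like this whenever the rule base changes is a cheap way to keep convergence from silently undoing the segregation the article credits with protecting Aramco’s and RasGas’s production systems.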
The damage such an attack on production infrastructure could cause is, for the moment, largely unknown. However, it is fair to state that a major attack on the IT network of a major MENA producer could have serious consequences – not just for that company’s domestic energy industry, but also for the global energy market.
Even if an attack failed to disrupt production, it would spark enough uncertainty to spike oil prices. This alone would threaten the fragile global economic recovery. However, a cyber-attack of this magnitude would have another, more worrying, consequence. It would add a new, wild-card element to oil-price risk assessment – one that would add extra volatility to the market, at a time the world economy can ill-afford to shoulder the cost of that risk.
Map 1 Victims of advanced cyber-espionage networks