Friday, August 17, 2012

Operations Security at Saudi Aramco? Zero.

The world's largest oil producer Saudi Aramco has apparently suffered a cyber attack according to this announcement on its Facebook page:
Saudi Aramco Responds to Network Disruption  
On Wednesday, Aug. 15, 2012, an official at Saudi Aramco confirmed that the company has isolated all its electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network.  
The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network. Saudi Aramco confirmed the integrity of all of its electronic network that manages its core business and that the interruption has had no impact whatsoever on any of the company’s production operations. 
The company employs a series of precautionary procedures and multiple redundant systems within its advanced and complex system that are used to protect its operational and database systems. Saudi Aramco IT experts anticipate resuming normal operations of its network soon.
What's shocking in terms of operational security (OPSEC) is that Aramco employees are publicly commenting on the event and adding information that wasn't disclosed in the announcement, such as:
  • (name and position deleted): "My hard disk crashed, not cool"
  • (name and position deleted): "I lost everything I did for this week too"
Besides poor OPSEC, Saudi Aramco has other major issues with its network security. Oil companies, like power companies, should have air-gapped networks that isolate their industrial control systems from their business networks as well as from the Internet. That appears not to be the case, based on the wording of Aramco's announcement - "the company has isolated all its electronic systems from outside access as a precautionary measure ...". If the systems responsible for its production operations were air-gapped, there would be no reason to take such draconian measures. Furthermore, the company appears to be relying on McAfee as its security vendor, which means that the House of Saud doesn't understand that an anti-virus vendor should never be relied upon for best practices in network security, nor should an AV vendor be trusted to perform incident response.

8 comments:

  1. Kindly delete employee names & positions to protect them from severe punishment by Aramco.

  2. Done, however you might want to jump on Aramco's Facebook page and leave the same advice for their employees.

  3. You are not convincing, as you are judging with your own assumptions with proper justification by saying "Zero"! On what basis did you rate them with zero?

  4. Ibrahim, "zero" as in Fail. The basis for that score is that Aramco employees have been discussing details not mentioned in the official press release on Aramco's public Facebook page.

  5. I really like this article and you are totally right! Aramco has just started its info. protection, but really it has very poor management! They need to restructure everything to have really secure systems.

  6. Good article to sign a contract with the biggest oil company ever

  7. Thanks for posting this. I think this is the reason so many people are going with a security company in Calgary these days. They need to feel safe.
