Sunday, August 19, 2012

Saudi Aramco's Security Nightmare: Poor Design, Corrupt Contractors and More

After Friday's blog post on Saudi Aramco's lack of Operations Security involving its network infection by Shamoon, I was contacted by a former Aramco IT employee who provided me with a lot more background on just how bad the security situation is at the world's largest oil producer. My contact's career with Saudi Aramco spanned over 30 years, dating back to the late 1980s when by royal decree the Arabian American Oil Company became the Saudi Arabian Oil Company, or Saudi Aramco.

In 2010, the Financial Times estimated Saudi Aramco's value at "$7,000bn, 40 times Shell's market capitalisation and double that of the entire London Stock Exchange." A 7 trillion dollar valuation makes Saudi Aramco the most valuable company in the world. From an intellectual property perspective, the company owns over 100 patents and employs over 500 engineers and scientists in two R&D facilities:
  1. "Exploration and Petroleum Engineering Center Advanced Research Center (EXPEC ARC) which is solely managed by Exploration & Producing and focuses on upstream research"
  2. "The Research and Development Center (R&DC), which focuses on downstream research and includes bio-research. Leading research undertaken at these two major facilities provides Saudi Aramco with competitive technology solutions throughout the vast range of its petroleum-related activities"
I'm including data on Aramco's R&D and patents because, in my professional judgment, that's the best way for CEOs and Boards of Directors to plan for and justify their IT security budget: as a percentage of their annual R&D investment. While it's clear that Aramco has a lot to protect, what's not clear is why Aramco's leadership has made so many bad decisions or received such bad security advice. The following information in italics comes directly from the emails that I received and, in my opinion, helps explain why the company is struggling to defend against what Kaspersky Labs has called the work of some "script kiddies". More importantly, if the information below is accurate, then the company has probably experienced multiple breaches that it never discovered: breaches targeting its R&D, mining data, or other valuable IP over the course of several years, just as many other oil and mining companies in the U.S., Australia, Brazil, Canada, and elsewhere have reported.

Here are the issues:

All Services On One SAP System
"The first mistake was Aramco's continued work on migrating all of its services to SAP regardless of the type of service. An employee can get an employment certificate through SAP and at the same time can get a gate pass from the same system. One is an EIS function while the other is a security function. Not only that but also doctors prescribe medications on the same system and the hospitals and pharmacies are run through this part of SAP."

Security Administered by Part-time Contractors
The second major mistake is that Aramco trusted the security and administration of all of its systems to contractors instead of its own IT staff. To be clear, those contracted firms use temporary manpower to manage the networks.

The contractors I am talking about are "Local companies" newly established to provide IT services to Aramco. For example, if Aramco wants to install new stations in a department or a unit, then one of those contractors will provide the stations, install the SAP interface and other applications, connect the stations to the network, and add the users to the system. This is how open the system is.

If an employee has a problem on his/her station, then the employee will have to dial "904, The Help Desk" where a contractor employee will issue a trouble ticket, and another contractor employee will remotely use "Remote Desktop" or similar functions to solve the issue.

Insider Threat 
Those contracted companies hire employees from Asian countries for low salaries and have them do this work. If any of those workers gets a better deal somewhere else, he will quit the IT function and go. Those contracted workers can go to Dubai or Qatar if they find better deals. And in this case, they know more than enough about Saudi Aramco's systems. They can go to Iran and work there with this information.

Corruption in Out-sourcing Contracts
The outsourcing business started in the mid-nineties. It was whispered to be a product of the start of corruption in the corporate management. It was rumored that each of those outsourced contractors is being fostered by a big figure in management, in a way that is difficult to verify.

Each of these is a major problem on its own, but combined they mean that Saudi Aramco has placed itself in an indefensible position with a massive threat landscape. Sadly, Aramco's leadership seems to be targeting loyal employees for responsibility rather than the local contractors whose poor security practices are to blame. The good news is that all of these problems are reversible if Saudi Aramco's President is willing to pursue more informed options on how the State-owned company should handle its network security.

UPDATE (20AUG12: 0655 PDT): A contact at Aramco has informed me that one of the oil plants' gate access systems and intruder detection systems are down.


RELATED:
Lessons for CEOs from the Saudi Aramco Breach
Was Iran Responsible for Saudi Aramco's Network Attack?
Operations Security at Saudi Aramco? Zero.

24 comments:

  1. concluded the reasons clearly straightforward. Knowing the problem causes is half of resolving it.

  2. I really like your way of analysis. Thank you.

  3. This is the best analysis I've ever read. A lot of IT expert employees were set on the shelves.

  5. Inaccurate information certainly leads to a flawed conclusion. Aramco has openly offered a direct phone line for media inquiries related to the incident. It would be wiser to give them a call before drawing a judgement. This is at least to offer their counterargument for the sake of journalistic integrity! Your lashes at the energy giant certainly draw wide attention, but all for the wrong reasons!

  6. I think neither the writer nor his informants know anything about IT. It is very common practice to outsource IT tasks, which has become the norm to get the proper talent, mainly from India. ARAMCO had the most sophisticated IT system in the world, which is obviously beyond the writer's and his informants' ability to understand, let alone make an intellectual opinion about.

    Replies:
    1. مهندس/ علي بن سعيد القحطاني - thanks for confirming that ARAMCO is out-sourcing its IT security. That's one of the worst mistakes that a company can make and it often has disastrous consequences.

      Abdullah Al-Ghazal, I'm fairly certain that no one on that phone line would acknowledge any of the above problems. The former IT employee who contacted me tried for many years to have these problems addressed, without any success.

      Dahim and Nayef, thanks very much for your support. Hopefully airing the above issues will get them addressed, which in turn will help create a better security framework for ARAMCO in the future.

    2. When Ida Minerva Tarbell sought to slay the oil dragon, Standard Oil, and destroy its monopoly on the industry, she sought information directly from the second most senior figure in the company, John Archbold. In contrast, you are seeking your information and drawing damaging conclusions from a "retired unknown". You didn't even make an attempt to obtain an official statement from the company, none whatsoever!

    3. In Saudi Arabia outsourcing is mainly hiring the proper talent, nothing more, and all are working under the management of Aramco. Nearly all of the workforce in Saudi are expats, who can change jobs frequently whether outsourced or direct hire. I am not working for Aramco but know very well their IT infrastructure, which we all follow and learn from. I think you are not pleased with Aramco; maybe they have not asked for your services.

    4. مهندس/ علي بن سعيد القحطاني, I think you don't know anything about Saudi ARAMCO and its corruption, which is obviously beyond your ability to understand, let alone make an intellectual opinion about.

    5. Well, this is what we are suffering from in Saudi Arabia: bringing some EXPERTS! From India or another 3rd world country so they can control their opinion when they want to implement a system or administrate it. Guys, I am a Saudi DBA and I had been working in many environments that outsourced guys were coming to install and run away; it was funny how they did it. The contractor needs to take cash and go wherever the DB configuration is. I remember one of the EXPERTS ^_^ replied to me, "What is the Grid Control server that you need to connect your DB to mean?" If some consultant replied to me like this, then I know that this guy is just nothing in the DBA world. Mr. Jeffrey, thank you for your comment; you know our corruption more than our speechful people like Mr. Ali. I believe that we as Saudis are not good at all in management because we are moody and emotional when we select people to do something. I meet many fresh Saudi graduates and they tell me we don't need IT knowledge, we need the easy way to kiss asses and lead us to be managers in the short term. Who made them believe that!! Real life examples. Aramco was good in the time of the early Americans who built it and took care of it, because they respect one word, WORK, which is not in our dictionary. The devil never changes; the devil changes you.

    6. I fully agree with you regarding American management of ARAMCO.

  7. "An employee can get an employment certificate through SAP and at the same time can get a gate pass from the same system" - that's not really accurate; it seems your source is a user of the system only. It's well known that the XXX number of SAP systems serving different functionalities are separated and maintained by different ARAMCO entities, which is a common practice in IT.
    I totally agree on the rest of the analysis. If you knew all about it you would have an urge to write a book about it, Jeffrey.

  8. Saudi ARAMCO should learn from this mistake. Their setup is now publicly disclosed and they might be targeted by hackers after this news.
    Thanks for this post.

  9. Relying on strangers who will carry the worries of KSA in the most critical areas, and leaving Saudi people without training and without trust, is the main reason that caused this case.
    There was a similar case for Aramco many years ago, but they did not benefit from the lesson.
    And also a few years ago in the STC in financial systems, and that caused burdens of wealth and administration for the company and its customers. When we take advantage of Saudi human capital, these problems will end.
    @FAHAD_KHAWAJI

  10. Started to comment, but unfortunately I used too many characters :)
    So instead I published my comment on my seldom used blog..

    http://wp.me/p1rPLV-x

  11. I don't agree with him on many points...
    He portrays the readers as stupid people and Aramco as having no IT administration management or protection at all because they're using only one system, and that's not true. Aramco is using many systems and DBs but the same framework, which gives them the ability to be linked more easily. This feature is not available in most of the companies in the world, because it's too expensive...
    I think he is trying to offer his services because he is a CEO for a global company lol

  12. I believe most of what you are saying is true. We all know how contractors treat their employees and the level of loyalty those employees present. The contractor gives a fake image about his employees; for example, just have a look at the major findings related to safety and environmental issues found during the last two months when Aramco decided to look at this.
    I questioned Salm Al Ayidh during the outsourcing campaign (he is the father of outsourcing and senior VP): how can you make sure the contractor trains his special staff on critical issues and keeps them with him without joining another company or selling his information? He was not able to answer. I gave the example that we buy very expensive equipment and used to send our employees to the US and Europe to learn about the repair and maintenance; how do you force the contractor to do the same, and after 2 years he leaves you?

  13. Aramco has its own engineers to manage its servers, and it is not a problem to bring in a contractor to implement new projects under the supervision of Aramco IT. The point I assume was missing: I think there was no scheduled preventive maintenance and testing for the security, or no corrective action was taken to avoid such a problem attacking users' computers and some servers!

  14. This has all the markings of an ex-employee acting in a cheap attempt to hit at those who worked with him and gave him a decent long-term job and secured income. When one wants to give sincere advice, why do so publicly? I don't believe for a minute that he tried to change things, and even if he did, why accuse anyone of corruption when he has no facts? This whole article is weak in context, and is cheap slander.

  15. The following comment was emailed to me from an Aramco employee, which I'm adding to this thread with his permission and with some edits for space:

    "I have read your article about the recent services interruption in the Saudi Aramco network, which resulted in isolating the core systems in order to protect them from any possible complications. You had two sources of information: your knowledge and an internal resource from within Saudi Aramco (30 years experience). Below are the headlines of your article.

    All Services On One SAP System

    First of all, you made SAP sound like a single unstable platform that can't provide the required performance along with the needed security. The system is utilized by governments and it is a very reputable system(s), where even the development is done via its own programming language. Having centralization of applications is the world trend, to minimize the cost of fragmented systems and to ensure the developed systems and applications will have the best performance. In addition, I really don't know how you related this incident to SAP, where the failure was not at the application layer and SAP itself is utilizing a document management system that is capable of auto-archiving. The application services write to a database system that is fully encrypted, and even in case of opening the database, the attacker cannot use it. Now once again, let's assume that we have fragmented systems and yet they all operate on the same network; I don't see how this will protect it? This is why I don't see a reason for blaming SAP for what happened.

    Security Administered by Part-time Contractors

    In this section, I can read clearly that your source was not accurate, definitely due to lack of information and/or wrong reading. The minute any employee/contractor is no longer involved with Aramco tasks, his account gets suspended and any privileges are revoked immediately. Don't you know even regular employees will get suspended or lose all access to the system in case of vacation, transfer or termination? In addition, any privilege on the workstation level is monitored and controlled closely by the network administrators. However, even if this is not the case, I don't understand how this has any relation to what happened lately?
    The contracted companies are citizens, apply a certain Saudization percentage and are owned by Saudis. Unless you are referring to "who guards the guards"; in this case no one, even on other planets, can control it if someone you trusted is not trustworthy. How on earth will the local private sector be developed if we drop the trust factor? Saudi Aramco has thousands of employees and all are trustworthy unless a case by case is proving that he or she is not. Otherwise we will not have fairness in our systems.

    Insider Threat

    The same applies and, if I may add, they are not only Asians; they are US nationals and others. However, they belong to reputable organizations and this is a free market where everyone has the right to move as far as he or she will get a better offer. Speculations to a later stage.

    Now, am I concluding that IT did it all right? Even if we did 99% right we will still have critique sessions to identify the remaining 1%. I believe strategic things will change within Aramco; however, none of the above are the real reasons for what happened. Yes there is an impact; however, the company is still producing its oil quota and yet we did not hear that the oil prices rose, and that proves the attackers can't claim success. The process, plants and the mission critical communication weren't harmed at all.
    In conclusion, areas like backup efficiency, end-user behavior, antivirus software, operating systems and protection methods are areas of improvement. Until now, we all don't know who is behind it and what its status is; that means regardless of what you do, this is a terrorist attack that is new to the company; however, it will not be repeated if IT wants to maintain the bright image they have maintained over the years."
