Why Wasn't Saudi Aramco's Oil Production Targeted?

The recent cyber attack against Saudi Aramco resulted in the destruction of thousands of servers and hard drives. Replacement costs along with incident response fees had to have exceeded US$15 million. While it's true that oil production and distribution were not affected, it may be because they weren't targeted.

It's not because Saudi Aramco's network security prevents such attacks from happening. I'm sure that the company has done everything that it can to implement best practices but that's not enough to stop a dedicated attacker. And today, with the amount of open source data on SCADA exploits available combined with the alleged existence of hostile insiders working for the company, it could have been easily done. So why didn't it happen this time?

Saudi Aramco is a state-owned company, so an attack against it is equivalent to an attack against the Kingdom of Saudi Arabia. If the outcome of a cyber attack is principally financial with some disruption to business processes, then it will probably be treated as a criminal matter. If the attack resulted in a disruption of oil production and/or delivery, it would almost certainly be treated as an attack against a military objective (see Section 4 "Attacks Against Objects" of the Tallinn Manual on the International Law Applicable to Cyber Warfare for an in-depth discussion of this legal term of art).

Iran is a possible suspect in the Shamoon attack, and had it targeted one of Aramco's SCADA systems, then what was probably a warning to Aramco not to increase its oil production would almost certainly have been treated as an act of war instead. The IRGC, which is in command of Iran's cyber warfare units, would know that. Whether it was the IRGC or a proxy Iranian hacker group working on their behalf, Iran knows better than to do anything that would interrupt the world's oil supply.

UPDATE (14SEP12): I've edited this post to correct some errors in my original post regarding the types of operating systems used at Aramco.


  1. The reason why is relatively simple ...

    The number of people involved in ICS is a much smaller and more confined group. (if outsourced, then to direct stakeholders - the vendors)

    ICS has no direct connection to the Internet. No email, no web browsing.

    Shamoon propagates using file shares; best firewall practices do not allow file shares between systems on either side of the firewall.

