By Jeff Welgan, Head of Executive Training Programs, CyberVista
This is the fifth post in a six part series about cybersecurity risk. Each week we discuss a different category of enterprise risk and how cybersecurity impacts those risks at the board and executive level. This week we focus on Operational Risk, represented by the nature disaster of an earthquake. Use the links below to access the other articles in the series:
Part One – Introduction
Part Two – Financial Risk
Part Three – Compliance Risk
Part Four – Strategic Risk
Imagine what would happen to a modern office if all of its computers, phones, and electronic systems had to be physically unplugged from the Internet. This hypothetical became a reality on a massive scale in August 2012 when one of the most valuable companies in the world, Saudi Aramco, a Saudi Arabian petroleum company, was forced offline to prevent the spread of malware within its computer systems.
The initial attack took place on August 15, 2012. This was beginning of the Islamic holy month of Ramadan, and most of Aramco’s IT team was out of the office to observe the religious holiday. The few employees who were in the office noticed several machines acting “funny”: screens flickered, files began to disappear, and several computers powered down on their own. The IT department quickly realized that their systems were not merely malfunctioning, they had been intentionally infected by hackers. Aramco’s computer technicians frantically disconnected their workstations and servers, but the worm (i.e. self-replicating code) was already circulating throughout their network.
The next day, a group of hacktivists calling themselves the “Cutting Sword of Justice” took responsibility for the attack, citing Aramco’s support of the Al Saud royal family’s authoritarian regime. The original intrusion actually occurred earlier in 2012, when one Aramco employee accidentally opened a malicious link contained in a spearphishing email. That was all it took for the attackers to establish a foothold in Aramco’s network.
Before the attack could be contained, the worm would infect 50,000 hard drives. Dubbed “Shamoon” by computer security researchers, the malicious program also spread to the network of a second energy company. The Qatar-based oil company RasGas was also forced to shut down its desktop computers, email servers, and outward-facing websites, with many security researchers attributing the damage to the same self-replicating worm. The only link between the companies that they both operated in the energy sector; details about how the worm spread into the RasGas network remain unknown.
Saudi Aramco was spared total disaster by the fact that their main oil production mechanisms, drilling and pumping, were automated. But the rest of their day-to-day business operations, like supply and logistics management, came to a complete halt. Since the company had totally disconnected to avoid further spreading of the worm, every other single operation of the multi-trillion dollar company was done offline, resorting to antiquated methods to just stay in operation.
Faxes replaced email. Typewriters replaced keyboards. Interoffice mail replaced phone calls. Typical day-to-day business operation devolved into a paper-based, offline system. Managing supplies, logistics, and payment systems became an operations nightmare without an Internet backbone. Lengthy contracts had to be sent via fax, one page at a time.
Payment operations, especially, got so difficult that Saudi Aramco stopped refilling local tank trucks because the company’s systems were unable to accept payment. These were the trucks that supplied oil to Saudi Aramco’s domestic market. After nearly three weeks, Saudi Aramco caved to public pressure and pumped their gas into local trucks for free, just to keep the gas flowing within Saudi Arabia.
Recovery was as costly as downtime. Instead of wiping and re-using the infected hard drives, Saudi Aramco simply bought 50,000 new hard drives. They also built a cybersecurity incident response team from scratch, sparing no cost to bring in top international talent.
Fortifying the Foundation
The Saudi Aramco episode illustrates the importance of keeping your foundation strong – and preparing for the earthquake that you hope never comes. A cybersecurity incident can lead to lost business, time, money, and manpower, ultimately threatening your ability to operate in the marketplace. Fortunately, you can follow several best practices to mitigate the impact and allow you to recover even if your company is not a trillion-dollar company.
- Know when you’re setting up shop on a fault line. Understand your risk profile by identifying which threat actors could target you and why. Pay special attention to the organizations in your industry that have been attacked, how the incident occurred, and how the organization responded. Also understand the political implications of your business operations. Be aware of the possibility of retaliation from ideologically motivated adversaries who take offense to your business existence, decisions, or partners.
- Your employees are the foundation of your enterprise. Make sure that foundation is as sturdy as possible by routinely providing cybersecurity awareness and cyber hygiene training. Your employees can make the difference between a successful or thwarted cyberattack, as Saudi Aramco learned the hard way.
- Prepare for a magnitude 10 earthquake (the highest on the Richter scale). Keep in mind that there are ways to reduce your risk. Well-thought out incident response plans and business continuity plans can prepare your organization for cyber scenarios. These plans must be regularly tested and practiced through cyber simulation and table-top exercises. Portions of risk can also be transferred to a third party by purchasing cyber insurance.
After five very long months, Saudi Aramco finally and fully came back online. What was a five-month shutdown to Saudi Aramco would likely have been a complete closure to most other businesses. Since your company probably isn’t a multi-trillion-dollar business, focus on building a comprehensive cyber strategy that addresses operational risks.
Cyber-related risks evolve quickly and can affect your entire organization. Understand your compliance risks and plan accordingly. Need more training? Contact us. CyberVista provides training in the boardroom, at board and executive retreats, and in workshop settings.
Stay tuned for the next blog in this series covering Physical Risk.