Secretary of Defense Leon Panetta’s recent address to the Business Executives for National Security conference in New York revisited an old metaphor of the cybersecurity game: a Pearl Harbor-esque surprise attack on the nation’s computer systems. Though the fears that Panetta invoked of a massive cyber attack on the United States may be overblown, there are valid reasons for concern. As Panetta highlighted, foreign powers are increasingly going on the offensive in cyberspace, with two of the world’s most important industries, energy and banking, recently coming under assault. His speech signals that, for the Department of Defense, cyberattacks have likely eclipsed acts of terrorism as the top national security threat.
Prominently mentioned in Panetta’s address was Shamoon, a malicious software program used in an August 2012 attack directed at Saudi Aramco, the world’s largest oil producer, representing some 13.3 percent of global production. Shamoon corrupted data on Saudi Aramco’s network of Windows-based personal computers, deleting contents and disrupting business operations for the company. It is reputed to have impacted as many as 30,000 computers at Aramco, with Qatar’s RasGas also affected. While the Shamoon malware does not appear to have significantly damaged the process control systems for upstream or refining operations at Aramco, its impact on the company was significant.
What Aramco, and the whole of the oil and gas industry, should learn from Shamoon is that their thinking on cybersecurity has to change, significantly and swiftly. As entities with significant geopolitical importance, energy companies are particularly ripe targets for cyberattack. Unfortunately, cybersecurity has until now been a reactive exercise for major global firms. Information technology has allowed massive increases in efficiency and productivity through the development of highly interconnected chains of supply and distribution. But while IT innovation in business processes has raced forward, security has not. Security efforts remain largely focused on confronting known vulnerabilities, such as out-of-date or poorly configured systems, and known threats, of the sort anti-virus software programs intercept on hundreds of millions of computers around the world right now.