Alarm bells in the global energy market rightfully rang in May when a cyberattack forced a six-day shutdown of the Colonial Pipeline – critical infrastructure in the US, the world’s biggest oil consumer and producer. The rising impact and effectiveness of cybercrime is the flipside to the widely lauded and strengthening adoption of digitalisation in our increasingly globalised energy market.
Global cybercrime costs are expected to climb by 15 per cent per year over the next five years, reaching $10.5trn per year by 2025, according to Cybersecurity Ventures.
This could represent the greatest transfer of economic wealth in history.
And the threat has only intensified amid the surge in remote working and decentralized systems amid Covid-19. For example, when the UAE announced movement restrictions in March 2020, the total number of brute force attacks against remote desktop protocols (RDP) jumped from 467,115 in February 2020 to 1.3mn in March 2020 — a 193 per cent rise in one month, Kaspersky revealed.
FINDING A NEW BALANCE
Digital tools are one of the vital keys to unlocking the greatest puzzle in today’s energy markets; how to affordably meet rising energy demand while increasing environmental protection? This means that the growing risk of cybercrime cannot translate into a retreat from digitalisation – it just means being a lot smarter about protection. Consider this viable scenario; a wave of simultaneous attacks on energy infrastructure in multiple countries essentially holds swathes of energy security hostage, impacting billions of people and millions of businesses.
Clearly, cybersecurity demands more serious and significant action.
State-owned energy companies – those acting as social champions as well as commercial ventures – can face particular risk. For one, attacks on such entities can trigger security and economic dislocation and throw healthy competition between operators into array.
Cyber criminals can also leverage the often-siloed nature of companies’ physical and cyber operations. This is being further exacerbated by energy companies changing their portfolios to support decarbonisation, such as exploring renewable energy markets. These upheavals only make it easier for cybercriminals to expose down vulnerabilities.
MIDDLE EAST'S NEXT STEPS?
Some energy companies’ antiquated security systems – perhaps borne in the ‘easy cash’ era of $100/bl+ oil prices – need urgent reviews. It is excellent progress to see that 59 per cent of Middle East CEOs plan to double digit investments in digital transformation, according to PwC’s 24th CEO Survey. But that just 41 per cent of Middle East CEOs are extremely concerned about cyber threats is more surprising considering the red flags.
For example, the number of users of Kaspersky software worldwide in 2019-2020 who encountered targeted ransomware – malware used to extort money from high-profile targets, such as corporations and government agencies – soared by 767 per cent.
Still, the good news is that awareness and measures are improving – and investments are flowing.
The post-Covid-19 market size for the Middle East’s cybersecurity market is projected to grow from $15.6bn in 2020 to $29.9bn by 2025, with a compound annual growth rate of 13.8 per cent, according to MarketsandMarkets.com. Plus, the UAE recently established a Cybersecurity Council and Saudi Aramco, Siemens Energy, and the World Economic Forum (WEF) have launched a co-lead report on cyber resilience in the oil and gas industry.
But there is still a lot of work to do. Based on IBM and Ponemon Institute’s 2020 analysis, the cost of all data breaches – not just energy-related ones – in Saudi Arabia and the UAE climbed by 9.4 per cent over the last year. These incidents cost companies studied in the region up to $6.53mn per breach on average – 70 per cent higher than the global average of $3.86mn. And notably, the average time for companies in the Kingdom and the UAE to first identify a data breach has only decreased by just 10 days, from 279 to 269 days, not including the 100 days to contain the breach.
WINNING THE POWER PLAY
Right now, cyber criminals largely have the upper hand. For example, some common criminal businesses can be operated for as little as $34 month with a $25,000 return. Others may routinely require $3,800 a month yet reap up to $1mn per month, detailed Deloitte. How to shift the balance so that energy companies have the ruling hand?
Aside from raising awareness and education – as per the aforementioned efforts – educated and keen investors also need to be involved. They can support the implementation of much-needed state-of-the-art digital protection systems, as well as supporting more sophisticated research and development (R&D) to outsmart the increasingly sophisticated cyber attackers.
Equally, financiers need signals from the industry that the right steps are being taken to not only keep their operations as safe as possible, but also investors’ money. Whatever route energy companies opt to take, they must act soon and collaboratively. Together, we can build stronger digital defenses – proverbial brick by brick.
(The writer is Senior Vice President, Sector Head – Energy at Mashreq Bank)
Oman Observer is now on the WhatsApp channel. Click here
