Saipem, the contractor of two big oil refineries, Duqm (based in UAE) and Saudi Aramco (headquartered in Saudi Arabia) has publicly announced that it was a victim of a cyber attack last December 10, 2018. Unauthorized users were able to penetrate the servers, but fortunately, failed to get a hold of the data stored on them. Detailed information about the incident is still lacking how the remote infiltration happened, Saipem may be privy to more information, but they have not disclosed it yet.
“The attack on Saipem has reiterated the need for construction companies to prepare a multi-layered cyber, physical, and human response to data attacks, business development manager at construction consultancy Parsons. As demonstrated by the likely nature of this attack, protecting critical infrastructure from cyber threats does not have easy software-based solutions,” explained Stephen O’Connor, Business Development Manager for Parsons Consultancy.
Saipem needs to reassess their system in order not to have a repeat incident of unauthorized access to their servers. In the phase of the global market of oil where its price plays a vital role on how the world economy evolves, news about unauthorized access incidents in a company connected with oil refining sends chilling effect for the oil market as a whole.
The only way to make sure that all things are in good, safe and secure condition is for Saipem to subject its systems to a thorough penetration testing. This can be done in parallel with the investigation taking place in the company, as only a successful penetration testing can assure reliability and increased security of the system from outside interventions. To ensure that security assessments provide their ultimate value, Saipem should conduct root cause analysis upon completion the penetration testing to enable the translation of findings into actionable mitigation techniques.
These results may indicate that Saipem should address not only technical weaknesses but weaknesses in organizational processes and procedures as well. Penetration Testing has specific objectives, acceptable levels of risk, and available resources. Because no individual technique provides a comprehensive picture of a Saipem’s security when executed alone, they should use a combination of techniques. This also helps them limit risk and resource usage in the future while keeping the firm more secure.
“A top-tier oil and gas player like Saipem will have software-based countermeasures in place, and judging from their response so far, robust data loss protection and business continuity safeguards as well. At Parsons, we consider critical infrastructure protection the sixth domain of defence and security. This has emerged due to engineering, construction, industrial control systems, and the internet of things converging with cybersecurity – as well as legacy physical security domains on land, at sea, in the air, and in space,” concluded O’Connor.