Saudi Arabia’s cybersecurity concerns increase as threats evolve

The country’s geopolitical position and natural resources make it an obvious target, as field and industrial operations come into the crosshairs of malicious actors.

programmer developer devops apps developer code hacker dark secrets by peopleimages getty
PeopleImages / Getty Images

Saudi Arabia's oil resources and location in a region rife with geopolitical tensions have long made it an obvious target for cyberattacks. As those attacks escalate and evolve technically, both the government and private enterprises are having to update and rethink their defenses.

Saudi Arabian businesses are rightfully concerned about security vulnerabilities, despite the fact that Saudi Arabia ranked first regionally and 13th globally in the Global Cybersecurity Index 2018.

After the U.S., Saudi Arabia ranks second in the cost of data breaches and, with 38,800, has the highest average number of compromised records per breach, compared to the global average of 25,575, according to a report commissioned by IBM Security.

Across the Middle East, meanwhile, the average cost of a data breach increased from US$5.31 million in 2018 to $5.97 million in 2019, the second-highest cost globally when compared to other regions.

The government has made moves to address these issues through the recently launched National Cyber Security Agency and the Saudi Arabia Federation for Cybersecurity, Programming & Drones (SAFCPSD).

Geopolitics, as well as the country's wealth, make cyberattacks likely, with malicious actors attempting to create social unrest, disrupt oil production or focus on financial theft, according to Joseph Carson, chief security scientist and advisory CISO at cybersecurity firm Thycotic. Saudi Arabia also has strict internet access and monitors it quickly and assertively, censoring certain content, meaning that targeting citizens has a low success rate. Therefore, he says, businesses are likely to be the top target.

Saudi Arabia invests in cybersecurity

“Saudi Arabia does invest heavily in cybersecurity, specifically after the well-known cyberattack against Saudi Aramco in 2012 from malware known as Shamoon that disrupted oil production making 30,000 workstations unusable,” explains Carson. He says that this incident made the country recognise the importance of cybersecurity, which has led it to invest in cybersecurity innovations. Saudi Arabia has also invested in smart cities, with Riyadh becoming one of the top smart cities in the world, deploying internet of things (IoT) technology, which presents another target for malicious hackers.

Xage Security, a three-year-old start-up headquartered in Palo Alto, California, has been working with Saudi Aramco to address cybersecurity concerns around its oil and gas operations through its blockchain-protected security fabric.

The nature of cyberattacks has evolved, explains Roman Arutyunov, Xage's co-founder and head of product. “We saw IT-style attacks for a long time, like malware or even ransomware, but now we are seeing attacks on field operations as well.”

Cyberattacks are targeting the industrial control systems themselves. These attacks, in the form of RATs (remote access Trojans), penetrate industrial control systems -- devices,  software and networks used to operate or automate industrial processes. These are often critical controllers that manage the safety of operations. The RATs try to penetrate as many of these controllers as possible, but they lay dormant and don’t activate until there are enough of them to do maximum damage, not only on IT systems but on the cyber-physical systems as well.

Physical infrastructure now under risk

Any organisation with networked physical infrastructure now needs to consider how to protect those assets as well. “It doesn’t mean that they shouldn’t be networked. They should be networked, because of the great efficiency it brings and increased safety, but it needs to be done with cybersecurity protection in mind all the way out at the edge, not just in the IT space where we have been battling attacks for a long time,” Arutyunov says.

He adds that there is increasing awareness of the changing nature of cyberattacks. “They all say the same thing: that IT is where the battle was, and now the space has changed,” Arutyunov says.

Saudi’s government has also been looking to address these concerns more broadly.

Matt Moynahan, CEO of security technology firm Forcepoint, believes that, as Saudi Arabia looks to Vision 2030 and embraces the digital transformation opportunities for competitive advantage and GDP growth, cybersecurity within organisations will be critical to success. “Developing an effective digital transformation platform that can sustain, advance and scale business operations may be the most important task facing the Kingdom’s decision makers moving forward,” he says.

Moynahan emphasizes that all regions are dealing with similar cybersecurity issues  but what is exciting about Saudi Arabia is that the country has been transforming at a rapid pace and has an opportunity to adopt a new cybersecurity approach from the ground up.

“Due to the national transformation in the region, even the ministries are realising that security is not only about products but programs. When we think about programs, we also need to consider the economy, and the outcomes for citizens of Saudi Arabia and its companies. This is what Vision 2030 is all about,” Moynahan says.

Information security and data domiciliation concerns affect almost all of the Saudi-related work for Simmons & Simmons , says Raza Rizvi, regional telecommunications, media and technology (TMT) head. Rizvi’s team provides legal and regulatory advice to businesses in the TMT sector and in the emerging fintech sector, where the most interesting underlying asset is data.

“As Saudi businesses increasingly undertake root and branch digital transformations, we’re seeing that cyber risks need to be demonstrably addressed before a data-rich project progresses,” Rizvi says.

New laws target cybercrime

In line with legislation in other Gulf Cooperation Council states, Saudi Arabia already has a standalone Anti-Cyber Crime Law through which law enforcement agencies, with assistance from the Communications and Information Technology Commission, the national communications regulatory body, have wide powers to investigate cybercrimes.

Another key piece of Saudi legislation is the recently approved electronic commerce law, designed to curb online fraud and boost economic growth. “The emerging e-commerce environment and other data-rich commercial environments in the Kingdom will also become battlegrounds for cybercriminals where law enforcement actors will need to develop enhanced capacity and capabilities,” Rivzi says.

Meanwhile, even in countries like the U.S., there is great disparity in terms of regulation of cybersecurity, across industries, Xage's Arutyunov says. The utility industry has really stepped up, with tight regulation around cybersecurity measures and controls that need to be in place. Utilities are audited and fined for not meeting these compliance regulations. “But if you took an industry like oil and gas or manufacturing, there is very light or close to no cybersecurity regulation; no auditing body and no fining,” he says.

Rather controversially, he believes that having a regulation across industries that is as tight as it is for utilities could be a very good start. “It immediately steps up the controls and cybersecurity that these organisations have to put in place. That is a role that government could play in creating this,” he says, adding that he knows others will say that such a move may impact innovation. “But I think it could be a good first step without really effecting the innovation.”

Maher Jadallah, regional director for the Middle East at security firm  Tenable, says that governments around the world have cautioned that the cyber threat will worsen rather than lessen, and Saudi Arabia is no different. 

“Finding a solution to any problem begins with acceptance. It is essential that security professionals understand the increased attack surface if their organisation is to moderate their business risk,” Jadallah says.

He emphasizes that, in this context, security professionals are not the only ones who must be aware of the risks facing their environments. Given the potential impact of any damage, executive leaders and company boards also need to understand where their organisation is exposed and to what extent, especially given the evolving nature of the cyberattack threat.

Related:

Copyright © 2019 IDG Communications, Inc.

Survey says! Share your insights in our 19th annual State of the CIO study