Saudi Aramco's Security Nightmare

: Poor Design, Corrupt Contractors and More

After Friday's blog post on Saudi Aramco's lack of Operations Security involving its network infection by Shamoon, I was contacted by a former Aramco IT employee who provided me with a lot more background on just how bad the security situation is at the world's largest oil producer. My contact's career with Saudi Aramco spanned over 30 years dating back to the late 80's when by royal decree the Arabian American Oil Company became the Saudi Arabian Oil Company or Saudi Aramco.

In 2010, the Financial Times estimated Saudi Aramco's value at "$7,000bn, 40 times Shell’s market capitalisation and double that of the entire London Stock Exchange." A 7 trillion dollar valuation makes Saudi Aramco the most valuable company in the world. From an intellectual property perspective, the company owns over 100 patents and employes over 500 engineers and scientists in two R&D facilities:

1. "Exploration and Petroleum Engineering Center Advanced Research Center (EXPEC ARC) which is solely managed by Exploration & Producing and focuses on upstream research"
2. "The Research and Development Center (R&DC), which focuses on downstream research and includes bio-research. Leading research undertaken at these two major facilities provides Saudi Aramco with competitive technology solutions throughout the vast range of its petroleum-related activities"

I'm including data on Aramco's R&D and patents because in my professional judgment, that's the best way for CEOs and Boards of Directors to plan for and justify their IT security budget - as a percentage of their annual R&D investment. While it's clear that Aramco has a lot to protect, what's not clear is why Aramco's leadership has made so many bad decisions or received such bad security advice. The following information in italics comes directly from the emails that I received and in my opinion helps explain why the company is struggling to defend against what Kaspersky Labs has called the work of some "script kiddies". More importantly however is that if the below information is accurate, then the company has probably experienced multiple breaches that it never discovered; breaches targeting its R&D, mining data, or other valuable IP over the course of several years just like many other oil and mining companies in the U.S., Australia, Brazil, Canada, and elsewhere have reported.

Here are the issues:

All Services On One SAP System
"The first mistake was Aramco's continued work on migrating all of its services to SAP regardless of the type of service. An employee can get an employment certificate through SAP and at the same time can get a gate pass from the same system. One is an EIS function while the other is a security function. Not only that but also doctors prescribe medications on the same system and the hospitals and pharmacies are run through this part of SAP."

Security Administered by Part-time Contractors
The second major mistake is when Aramco trusted the security and administration of all of its systems to contractors instead of its own IT staffs. To be more clear, those contracted firms use temporary manpower to manage the networks. 

The contractors I am talking about are "Local companies" newly established to provide IT services to Aramco. For example, if Aramco wants to install new stations in a department or a unit, then one of those contractors will provide the stations, install the SAP interface and other applications, connect the stations to the network, and add the users to the system. This is how open the system is.

If an employee has a problem on his/her station, then the employee will have to dial "904, The Help Desk" where a contractor employee will issue a trouble ticket, and another contractor employee will remotely use "Remote Desktop" or similar functions to solve the issue.

Insider Threat 
Those contracted companies hire employees from Asian counties for low salaries and have them do this work. If any of those workers gets a better deal somewhere else he will quit the IT function and go. But those contracted workers can go to Dubai or Qatar if they find better deals. And in this case, they know more than enough about Saudi Aramco system. They can go to Iran and work there with this information.

Corruption in Out-sourcing Contracts
The outsourcing business started in the mid-nineties. It was whispered to be a product of the start of corruption in the corporate management.  It was rumored that each of those outsourced contractors is being fostered by a big figure in management in a way that is difficult to verify.

Each of these is a major problem on their own but combined it means that Saudi Aramco has placed itself in an indefensible position with a massive threat landscape. Sadly, Aramco's leadership seems to be targeting loyal employees for responsibility rather than the local contractors whose poor security practices are to blame. The good news is that all of these problems are reversible if Saudi Aramco's President is willing to pursue more informed options on how the State-owned company should handle its network security.

UPDATE (20AUG12: 0655 PDT): A contact at Aramco has informed me that one of the oil plant's gate access system and intruder detection systems are down.

Posted 10 hours ago by Jeffrey Carr