: Poor Design, Corrupt Contractors and More
After Friday's blog post on Saudi Aramco's lack of Operations Security involving its network infection by Shamoon, I was contacted by a former Aramco IT employee who provided me with a lot more background on just how bad the security situation is at the world's largest oil producer. My contact's career with Saudi Aramco spanned over 30 years dating back to the late 80's when by royal decree the Arabian American Oil Company became the Saudi Arabian Oil Company or Saudi Aramco.
In 2010, the Financial Times estimated Saudi Aramco's value at "$7,000bn, 40 times Shell’s market capitalisation and double that of the entire London Stock Exchange." A 7 trillion dollar valuation makes Saudi Aramco the most valuable company in the world. From an intellectual property perspective, the company owns over 100 patents and employs over 500 engineers and scientists in two R&D facilities:
- "Exploration and Petroleum Engineering Center Advanced Research Center (EXPEC ARC) which is solely managed by Exploration & Producing and focuses on upstream research"
- "The Research and Development Center (R&DC), which focuses on downstream research and includes bio-research. Leading research undertaken at these two major facilities provides Saudi Aramco with competitive technology solutions throughout the vast range of its petroleum-related activities"
Here are the issues:
All Services On One SAP System
"The first mistake was Aramco's continued work on migrating all of its services to SAP regardless of the type of service. An employee can get an employment certificate through SAP and at the same time can get a gate pass from the same system. One is an EIS function while the other is a security function. Not only that but also doctors prescribe medications on the same system and the hospitals and pharmacies are run through this part of SAP."
Security Administered by Part-time Contractors
The second major mistake is when Aramco trusted the security and administration of all of its systems to contractors instead of its own IT staffs. To be more clear, those contracted firms use temporary manpower to manage the networks.
The contractors I am talking about are "Local companies" newly established to provide IT services to Aramco. For example, if Aramco wants to install new stations in a department or a unit, then one of those contractors will provide the stations, install the SAP interface and other applications, connect the stations to the network, and add the users to the system. This is how open the system is.
If an employee has a problem on his/her station, then the employee will have to dial "904, The Help Desk" where a contractor employee will issue a trouble ticket, and another contractor employee will remotely use "Remote Desktop" or similar functions to solve the issue.
Insider Threat
Those contracted companies hire employees from Asian countries for low salaries and have them do this work. If any of those workers gets a better deal somewhere else he will quit the IT function and go. But those contracted workers can go to Dubai or Qatar if they find better deals. And in this case, they know more than enough about Saudi Aramco system. They can go to Iran and work there with this information.
Corruption in Out-sourcing Contracts
The outsourcing business started in the mid-nineties. It was whispered to be a product of the start of corruption in the corporate management. It was rumored that each of those outsourced contractors is being fostered by a big figure in management in a way that is difficult to verify.
Each of these is a major problem on its own, but combined they mean that Saudi Aramco has placed itself in an indefensible position with a massive threat landscape. Sadly, Aramco's leadership seems to be targeting loyal employees for responsibility rather than the local contractors whose poor security practices are to blame. The good news is that all of these problems are reversible if Saudi Aramco's President is willing to pursue more informed options on how the State-owned company should handle its network security.
UPDATE (20AUG12: 0655 PDT): A contact at Aramco has informed me that one of the oil plant's gate access system and intruder detection systems are down.
Posted 10 hours ago by Jeffrey Carr