The importance of cybersecurity

Kuwait

Abdullah Al Ali, CEO of Cyberkov, talks to The Energy Year about the company’s role in cybersecurity efforts within the oil and gas sector and the evolving risks that must be dealt with within the cybersecurity industry. Cyberkov is a Kuwaiti professional cybersecurity firm providing a targeted set of security services.

What role does Cyberkov play in the oil and gas cybersecurity efforts?
Our main goal when we established Cyberkov was to assist the oil and gas sector following the attacks on hydrocarbons infrastructure that Aramco suffered.
We started in 2012, following the cyber-attack against Saudi Aramco by helping KNPC, conducting a series of cybersecurity assessments of their IT infrastructure as well as their operational infrastructures, which contain all critical systems such as refinery, oil processing, fuel and gas systems. We also worked with KGOC [Kuwait Gulf Oil Company].
We discovered a lack of cybersecurity capabilities, resiliency, awareness and readiness in the sector. The oil and gas sector is doing a good job of managing IT operations, but it is missing a cybersecurity strategy. Cyberkov improved the culture of the top management and executives upon working closely with them.
In Kuwait, we were the sole cyber security adviser for the Communication and Information Technology Regulatory Authority (CITRA) from 2016-2020, and we played a key role in building the Kuwait National Cybersecurity Strategy in 2017-2020.
We operate not only in Kuwait, but also in Saudi Arabia. We work with key partners and strategic organisations. We are one of the few companies in Kuwait who work with the Ministry of Defense in Saudi Arabia.
We co-operate closely with oil and gas companies to identify gaps that can be potential entry points. The level of sophistication and targeting used by a lot of hackers in the world today has improved. They are not just normal attackers with simple skills, they are very sophisticated. A lot of them are sponsored by their governments. They want to create massive damage in these sectors in order to slow down or even stop the production of oil and energy. This has been seen recently in Ukraine, for example.

How have cybersecurity risks evolved in the past years?
When we started the company, we provided mainly 35 sets of services, between advisory services, penetration testing, vulnerability assessment, digital forensics, incident response, training, awareness, phishing assessment and blockchain and email fraud investigations.
In 2020, we made some shifts in our business model, expanding our set of services to include fully managed security operations and end-to-end vulnerability management to help the clients fill the current gaps in their cybersecurity programmes.
We saw an exponential rise in ransomware attacks targeting organisations of all sizes including those in the supply chain, which is the most risky and damaging type of attack. After these types of attacks, the whole oil and gas sector massively invests in cybersecurity. They acquired the best technology and hire the best people, train their own people and make big changes when it comes to cybersecurity. However, the attackers can also shift their strategies, and they start attacking the supply chain and third parties who work with all of this critical infrastructure, which are easier to target and compromise the critical infrastructure of companies.
We have seen that a couple of big companies here in Kuwait working with the oil and gas sector have been hit by ransomware attacks, and they were completely shut down. They had significant downtimes and delays in deliveries.
So, we shifted our strategies. When it comes to providing services, we now provide 24/7 cybersecurity surface protection and incident response.

What is the level of awareness and understanding of cybersecurity risks in Kuwait?
I think we are still not mature enough when it comes to understanding the risk and the damage that can be done by cyberattacks. All of these groups who launch the cyberattacks are sophisticated and well-trained because they make a lot of money off ransomware attacks.
They operate just like companies. They have analysts and third parties, and they work with engineering and development teams. They develop sophisticated malware that goes undetected even by the most advanced cybersecurity protections. In a matter of an hour, they can enter a network and do serious damage by implanting a lot of backdoors, stealing information, credentials, confidential documents and more. Then, they blackmail the victim by threatening to publish the stolen data, causing serious damage to reputation which can end in legal and economic challenges, as well as trust issues from the customers.
I think GCC countries have made a significant effort to close these gaps and to build their capacity and capabilities. Most companies I have seen are investing a lot, and they understand the risk. Saudi Arabia is a leader in this respect.
Governments generally are taking good steps, although some of them are still operating under an old mentality. A key issue in the GCC region and especially in Kuwait is the lack of regulatory and compliance matters, as well as the gap between the public and private sector.

Does the Kuwaiti private sector understand the potential cost implications of ransomware attacks?
We see the private sector as quite weak in cybersecurity in terms of understanding the value or return of investment in cybersecurity. Usually, the only way they invest and take it seriously is after they have been hit with ransomware attacks.
These attacks can paralyze the entire operation of the companies, making them return to a pen-and-paper way of work in the age of digitalisation. Another issue is corporate and industrial espionage implications, which should be considered as well. The main issue driving this private sector weakness is that there is still no regulation in Kuwait to force the private sector to follow at least a minimum requirement for cybersecurity, like in the UK.
In the UK, the government helps mitigate the damage of cyberattacks by forcing SMEs to implement minimum security requirements in order to do business in the country. This came after a significant increase in cyberattacks, espionage activities and ransomware attacks targeting UK SMEs, where around 60% of those SMEs hit by ransomware attacks could not recover, forcing them to close their doors and shut down business, based on a recent UK study.
Sometimes, the cost of the ransomware recovery is higher than shutting the business down. This is what we see: when companies in Kuwait are hit by ransomware, the cost is sometimes double or triple than what they would have invested in the first place to prevent this.
Because of these successful attacks, top management loses the trust of their own team, they change technology and sometimes replace a lot of hardware in order to recover operations quickly. This leads them to spend more money without a proper strategy. Additionally, they suffer from media issues as well as legal issues with clients. Sometimes, the attackers leak a hundred gigabytes of confidential information and business strategy. This leads to embarrassment between business partners, especially for companies dealing with international businesses.

Read our latest insights on:

• Kuwait
• Saudi Arabia