The world’s most profitable company told Offshore Europe delegates last week that “everybody” will eventually be hit by a cyberattack.
Raed Al-Shaikh, who heads up Saudi Aramco’s cybersecurity division for oil and gas operations, highlighted the “exponential” growth in the threat in recent years.
Aramco, one of the world’s largest oil companies which recorded profits of £38billion in the first half of 2019, has been hit by high profile attacks in recent years.
In 2012, it was reported thousands of computers were partially wiped or destroyed by an attack, with another in 2017 hitting a joint venture company between Saudi Aramco and Dow Chemical.
Mr Al-Sheikh leads the information security division at Aramco’s exploration and production engineering centre (Expec) which overseas its upstream operations.
He highlighted stringent measures by the company to avoid any more attacks, and outlined the scale of the problem for the oil and gas sector.
He said: “I have bad news for you: everybody will be hacked. That is the way we see it.
“If you’re not hacked already, you will be hacked. There is a reason for that – the advancement of threat actors.
“In the 80s, most of the people doing viruses were just probably doing so for the fun of it or were just students or enthusiast people trying to make a virus or programme something.
“But now it is being developed to be more damaging, it is becoming more lucrative for some organisations. It’s growing exponentially in terms of the danger or the damage it can do.”
Mr Al-Sheikh said its employees are the “first line of defence”, with greater steps being taken to give every worker an understanding of cyber security and threats such as phishing emails.
However the panel session also described the need for more professionals in this field to be recruited into the oil and gas sector.
Emilie Hudson is the principle industrial control systems security officer at BP, who said that it is important that both operators and vendors work to increase their competence in this arena.
She added: “Bringing cyber security into the procurement space is not an accident. Having cybersecurity professionals with a seat at the table that is the purchasing aspect is really becoming much more important.
“It is starting to become more obvious that having cyber security, or a greater competence in cyber security, on the part of both parties is serving us much better
“It really is about raising the level of competence across the industry. Having an engineer who has a stronger foundation in cyber security principles, or at least knows who to ask.
“What I observe in this system is that, frankly, the pipeline of resources is inadequate.
“There is no doubt that the need for recruiting and professional development does not decrease, this is a time for increased opportunity.”