After Friday's blog post on Saudi Aramco's lack of Operations Security involving its network infection by Shamoon, I was contacted by a former Aramco IT employee who provided me with a lot more background on just how bad the security situation is at the world's largest oil producer. My contact's career with Saudi Aramco spanned over 30 years dating back to the late 80's when by royal decree the Arabian American Oil Company became the Saudi Arabian Oil Company or Saudi Aramco.
In 2010, the Financial Times estimated Saudi Aramco's value at "$7,000bn, 40 times Shell’s market capitalisation and double that of the entire London Stock Exchange." A 7 trillion dollar valuation makes Saudi Aramco the most valuable company in the world. From an intellectual property perspective, the company owns over 100 patents and employs over 500 engineers and scientists in two R&D facilities:
- "Exploration and Petroleum Engineering Center Advanced Research Center (EXPEC ARC) which is solely managed by Exploration & Producing and focuses on upstream research"
- "The Research and Development Center (R&DC), which focuses on downstream research and includes bio-research. Leading research undertaken at these two major facilities provides Saudi Aramco with competitive technology solutions throughout the vast range of its petroleum-related activities"
Here are the issues:
All Services On One SAP System
"The first mistake was Aramco's continued work on migrating all of its services to SAP regardless of the type of service. An employee can get an employment certificate through SAP and at the same time can get a gate pass from the same system. One is an EIS function while the other is a security function. Not only that but also doctors prescribe medications on the same system and the hospitals and pharmacies are run through this part of SAP."
Security Administered by Part-time Contractors
The second major mistake is when Aramco trusted the security and administration of all of its systems to contractors instead of its own IT staff. To be more clear, those contracted firms use temporary manpower to manage the networks.
The contractors I am talking about are "Local companies" newly established to provide IT services to Aramco. For example, if Aramco wants to install new stations in a department or a unit, then one of those contractors will provide the stations, install the SAP interface and other applications, connect the stations to the network, and add the users to the system. This is how open the system is.
If an employee has a problem on his/her station, then the employee will have to dial "904, The Help Desk" where a contractor employee will issue a trouble ticket, and another contractor employee will remotely use "Remote Desktop" or similar functions to solve the issue.
Insider Threat
Those contracted companies hire employees from Asian countries for low salaries and have them do this work. If any of those workers gets a better deal somewhere else he will quit the IT function and go. But those contracted workers can go to Dubai or Qatar if they find better deals. And in this case, they know more than enough about Saudi Aramco's system. They can go to Iran and work there with this information.
Corruption in Out-sourcing Contracts
The outsourcing business started in the mid-nineties. It was whispered to be a product of the start of corruption in the corporate management. It was rumored that each of those outsourced contractors is being fostered by a big figure in management in a way that is difficult to verify.
Each of these is a major problem on its own, but combined they mean that Saudi Aramco has placed itself in an indefensible position with a massive threat landscape. Sadly, Aramco's leadership seems to be targeting loyal employees for responsibility rather than the local contractors whose poor security practices are to blame. The good news is that all of these problems are reversible if Saudi Aramco's President is willing to pursue more informed options on how the State-owned company should handle its network security.
UPDATE (20AUG12: 0655 PDT): A contact at Aramco has informed me that one of the oil plant's gate access system and intruder detection systems are down.
RELATED:
Lessons for CEOs from the Saudi Aramco Breach
Was Iran Responsible for Saudi Aramco's Network Attack?
Operations Security at Saudi Aramco? Zero.