The recent cyber attack against Saudi Aramco resulted in the destruction of thousands of servers and hard drives. Replacement costs along with incident response fees had to have exceeded US$15 million dollars. While it's true that oil production and distribution were not affected, it may be because they weren't targeted.
It's not because Saudi Aramco's network security prevents such attacks from happening. I'm sure that the company has done everything that it can to implement best practices but that's not enough to stop a dedicated attacker. And today, with the amount of open source data on SCADA exploits available combined with the alleged existence of hostile insiders working for the company, it could have been easily done. So why didn't it happen this time?
Saudi Aramco is a state-owned company so an attack against it is equivalent to an attack against the Kingdom of Saudi Arabia. If the outcome of a cyber attack is principally financial with some disruption to business processes, then it will probably be treated as a criminal matter. If the attack resulted in a disruption of oil production and/or delivery, it would almost certainly be treated as an attack against a military objective (see Section 4 "Attacks Against Objects" of the Tallinn Manual on the International Law Applicable to Cyber Warfare for an indepth discussion of this legal term of art).
Iran is a possible suspect in the Shamoon attack and had it targeted one of Aramco's SCADA systems, then what was probably a warning to Aramco not to increase its oil production would almost certainly have been treated as an act of war instead. The IRGC which is in command of Iran's cyber warfare units would know that. Whether it was the IRGC or a proxy Iranian hacker group working on their behalf, Iran knows better than to do anything that would interrupt the world's oil supply.
UPDATE (14SEP12): I've edited this post to correct some errors in my original post regarding the types of operating systems used at Aramco.
Add to Cart
View detail
It's not because Saudi Aramco's network security prevents such attacks from happening. I'm sure that the company has done everything that it can to implement best practices but that's not enough to stop a dedicated attacker. And today, with the amount of open source data on SCADA exploits available combined with the alleged existence of hostile insiders working for the company, it could have been easily done. So why didn't it happen this time?
Saudi Aramco is a state-owned company so an attack against it is equivalent to an attack against the Kingdom of Saudi Arabia. If the outcome of a cyber attack is principally financial with some disruption to business processes, then it will probably be treated as a criminal matter. If the attack resulted in a disruption of oil production and/or delivery, it would almost certainly be treated as an attack against a military objective (see Section 4 "Attacks Against Objects" of the Tallinn Manual on the International Law Applicable to Cyber Warfare for an indepth discussion of this legal term of art).
Iran is a possible suspect in the Shamoon attack and had it targeted one of Aramco's SCADA systems, then what was probably a warning to Aramco not to increase its oil production would almost certainly have been treated as an act of war instead. The IRGC which is in command of Iran's cyber warfare units would know that. Whether it was the IRGC or a proxy Iranian hacker group working on their behalf, Iran knows better than to do anything that would interrupt the world's oil supply.
UPDATE (14SEP12): I've edited this post to correct some errors in my original post regarding the types of operating systems used at Aramco.
