
Friday, 31 May 2013

Critique of IP Commission's Cyber Security Recommendations

The National Bureau of Asian Research published (and assisted in writing) "The IP Commission Report: The report of the Commission on the theft of American intellectual property" (.pdf). The Commission members along with its purposes are as follows:
  • Dennis C. Blair (co-chair), former Director of National Intelligence and Commander in Chief of the U.S. Pacific Command 
  • Jon M. Huntsman, Jr. (co-chair), former Ambassador to China, Governor of the state of Utah, and Deputy U.S. Trade Representative 
  • Craig R. Barrett, former Chairman and CEO of Intel Corporation 
  • Slade Gorton, former U.S. Senator from the state of Washington, Washington Attorney General, and member of the 9-11 Commission 
  • William J. Lynn III, CEO of DRS Technologies and former Deputy Secretary of Defense 
  • Deborah Wince-Smith, President and CEO of the Council on Competitiveness 
  • Michael K. Young, President of the University of Washington and former Deputy Under Secretary of State 
The three purposes of the Commission are to:
  • Document and assess the causes, scale, and other major dimensions of international intellectual property theft as they affect the United States 
  • Document and assess the role of China in international intellectual property theft 
  • Propose appropriate U.S. policy responses that would mitigate ongoing and future damage and obtain greater enforcement of intellectual property rights by China and other infringers 
IP and trade secret theft is a rapidly growing and very critical problem for U.S. companies. The IP Commission estimates the value of IP stolen from U.S. companies and government agencies at over $300 billion, which is about 75% of what the U.S. spends on R&D each year.

While the report takes a deep and heavily annotated dive into the scale and scope of this problem, chapters 13 and 14, which detail the Commission's cyber security recommendations, have absolutely no footnotes whatsoever. In other words, there's no way to know who provided the Commission with some very risky and questionable cyber security advice. So I called them.

I was told by the person who took my call that the cyber security experts wanted to remain anonymous; however, she recommended that I speak with someone at the NBR. I sent a message via the NBR's information email account, read receipt requested, and watched it work its way up to Roy Kamphausen, who confirmed that they spoke with "a wide array of cyber experts" but didn't mention any names.

Unfortunately, while much of the report is quite good, the cyber security advice ranges from problematic to potentially damaging. Here's my critique of that content. I'd be happy to debate it with anyone that the Commission spoke with.
  1. Nowhere in this report is the critical importance of first identifying a company's critical data, or "crown jewels", mentioned. It's a huge problem because most companies have no idea how to do this, and the Commission never once mentions it.
  2. Locking down a person's computer with a booby-trapped file has questionable legality but even worse, may result in the threat actor coming back to take more aggressive action against the targeted company. Remember Saudi Aramco? SA had to replace 2,000 servers thanks to a Wiper virus that only half worked due to some amateur coding mistakes. Remember HBGary Federal when its CEO threatened to "out" some members of Anonymous? There is no more HBGary Federal but Anonymous is alive and well. 
  3. Recommending the passage of CISPA is both bad security advice and inserts a political agenda to an otherwise apolitical report.  
  4. Threat-based deterrence is advocated for without being adequately defined. There are numerous ways that such a deterrence plan can have negative and unexpected consequences. And just as it's stupid to pick a fight with a stranger, it's never a sound strategy to threaten an unknown adversary who can operate anonymously and holds the advantage.
  5. Chapter 14 contains a back-handed recommendation to pursue three measures that constitute aggressive offensive action. The commissioners couched it in a bizarre manner by effectively saying that while we don't recommend these things at this time, if the situation doesn't improve, then they should be considered. The measures were for what's commonly called hacking-back, cutting funding to the World Health Organization, and raising tariffs on Chinese goods 150% higher than the amount of IP theft stolen by China. 
Considering how potentially bad if not operationally ludicrous some of these recommendations are, it's not surprising that none of the commission's cyber security experts wanted their names attached to the report. The topic of "active defense" or "hacking back" or "offense as defense" is an important one that needs broad discussion. In fact, I made it the focus of last February's Suits and Spooks DC conference and we'll address it again in La Jolla in two weeks. But it is rife with pitfalls and needs much more informed discussion and debate. The Commission really failed its audience in terms of the content of these last two chapters.

Friday, 26 October 2012

10 Years Ago Today - Another Build-up to War on Bad Intelligence?

10 years ago in October 2002, a National Intelligence Estimate (NIE) was produced whose findings concluded that Iraq had Weapons of Mass Destruction. In February, 2003, SECSTATE Colin Powell addressed the U.N. Security Council on that same subject. His remarks were based entirely on source material vetted by intelligence analysts. That speech was the U.S. case - and his case - for going to war against Iraq. On March 19, 2003, the U.S. invaded Iraq for reasons that later proved false.

It didn't take long for the U.S. and the world to see that the rush to war against Iraq was a colossal error in intelligence and good judgment. Colin Powell to this day regrets the speech he made before the U.N. An investigation into the intelligence failures leading up to war with Iraq - "Report of the Select Committee on Intelligence on the U.S. Intelligence Community's Prewar Intelligence Assessments on Iraq" - laid out the many analytic failures that informed Powell's speech and the Bush Administration's position in minute detail.

Now we seem to be laying the political groundwork for yet another war in the Middle East - this time against Iran. While there's no doubt that Iran wants to acquire nuclear weapons, there's a lot of doubt regarding how close that is to happening. Iran has only been successful at enriching uranium to low levels and in small quantities. It's certainly a serious problem and one that needs addressing, but it's not in and of itself sufficient cause to go to war over yet. So let's pile on another layer of threat - Iran's capability to cause a "cyber Pearl Harbor" or the cyber equivalent of "9/11". In order to underscore those threats, Secretary Panetta pointed to two recent cyber attacks: the DDoS attacks against major U.S. banks allegedly performed by an Iranian hacktivist group that no one had ever heard of before, and the Shamoon attacks against Saudi Aramco and RasGas, which the Secretary referred to as a "very sophisticated virus". In reality, Shamoon is neither a virus nor sophisticated. It was a quick and dirty piece of malware (a worm), probably reverse-engineered from the original Wiper (not Flame) that struck Iran's oil ministry back in April. Half of its functionality didn't even work properly due to a coding error. And the DDoS attacks were most likely the work of an Eastern European criminal gang who specialize in banking attacks and decided to mask this one with an Iranian hacktivist false flag.

The bottom line on Iran is that both its uranium enrichment and its cyber warfare capabilities are not fully developed. There are lots of other countries, including the U.S., its allies, and some adversary states, who are far more advanced than Iran in both of those categories. While it's certainly possible that at some point in the future the West will have no choice but to go to war with Iran, we aren't there yet, and certainly not for the reasons given by Secretary Panetta. I have nothing but respect for the current Administration, but I cannot in good conscience watch a repeat - or what even smells like a repeat - of the 2002-2003 build-up to war with Iraq happen a second time. Not while I have a voice and an opportunity to try to stop it by calling out errors in facts when I see them.

Wednesday, 24 October 2012

Ridiculous Administration Premise on U.S., Iran, and Saudi Aramco

Nicole Perlroth's New York Times story - In Cyberattack on Saudi Oil Firm, U.S. Sees Iran Firing Back - is a ridiculous premise based on confusing hypotheses regarding malware that may not even have come from the U.S. But before I cover that, I'd like to know in what universe a country that was on the receiving end of multiple perceived U.S. cyber attacks goes after an entirely different nation in revenge.

The answer to that rhetorical question is none. There's no logical reason for Iran to attack Saudi Aramco in order to send a message to the U.S. I've written many times my belief that the Aramco attack was Iran sending a message to Saudi Arabia to not increase its oil production because of sanctions imposed on Iran. That may or may not be true but at least it follows a logical order. 

1. Iran makes a threat to SA - Don't increase your oil production. 
2. SA ignores the threat and increases production anyway.
3. Iran destroys Aramco's 2000 servers and 30,000 workstations.

To believe the Times story, the logic would have to flow differently:

1. Iran is hit by malware that it believes was created by the U.S. which destroyed some servers in its oil ministry.
2. It retaliates against the U.S. by destroying servers owned by Saudi Aramco.

Really? Does that make sense to anyone? 

Apart from that glaring logical inconsistency, there's a factual flaw in Ms. Perlroth's reporting that needs to be corrected. No one has a copy of the original Wiper malware that hit Iran's oil ministry last April, so it's impossible to know that it was part of Flame. Further, no one knows who was responsible for Flame, because the connection between Flame's creators and Stuxnet/Duqu's creators is limited to the assumption that they "knew each other". That hardly qualifies as coming from the same nation-state. All in all, this article was far below the quality that I've come to expect from Nicole Perlroth. I hope it doesn't serve to aggravate an already tense situation between the U.S. and Iran.

UPDATE (24OCT12): I just spoke with Nicole Perlroth and learned that her article was meant to take a skeptical view of the administration's campaign to pin cyber attacks on Iran. I reread the article and I'm still not clear on which points she was being skeptical about; however, based upon my respect for her past research, I've changed the name of this post to "Ridiculous Administration Premise ..." instead of "Ridiculous NY Times Premise", since that was Ms. Perlroth's intent - to express skepticism of the Administration's position on this issue.

Tuesday, 16 October 2012

My Talk on Cyber Warfare and China's Active Defense Strategy

I'm very pleased to be able to announce that I'll be speaking at The New York Military Affairs Symposium in New York City this Friday, October 19th, with renowned historian Dr. John Prados. If you're in the city or close by, please attend and introduce yourself. My portion of the evening will include a discussion of China's use of Active Defense as part of its informatized warfare strategy (China doesn't use the term "cyber warfare"). I'll also include comments on SECDEF's recent speech, Iran's cyber operations, and the attack against Saudi Aramco's facility.

Also, if you're in or near the Boston area, it's not too late to register for Suits and Spooks. Dale Peterson of Digital Bond's talk on how to simultaneously compromise multiple power facilities is going to blow everyone away, and rather than hearing whispers about Israel's cyber capabilities, a former IDF hacker will tell you first hand how he and a red team would run a full spectrum (cyber and kinetic) offensive op against a power plant. The full agenda and registration info can be seen at the above link. Don't miss this one.


Monday, 10 September 2012

Why Wasn't Saudi Aramco's Oil Production Targeted?

The recent cyber attack against Saudi Aramco resulted in the destruction of thousands of servers and hard drives. Replacement costs along with incident response fees had to have exceeded US$15 million. While it's true that oil production and distribution were not affected, it may be because they weren't targeted.

It's not because Saudi Aramco's network security prevents such attacks from happening. I'm sure that the company has done everything that it can to implement best practices, but that's not enough to stop a dedicated attacker. And today, with the amount of open source data on SCADA exploits available, combined with the alleged existence of hostile insiders working for the company, it could have been easily done. So why didn't it happen this time?

Saudi Aramco is a state-owned company, so an attack against it is equivalent to an attack against the Kingdom of Saudi Arabia. If the outcome of a cyber attack is principally financial with some disruption to business processes, then it will probably be treated as a criminal matter. If the attack resulted in a disruption of oil production and/or delivery, it would almost certainly be treated as an attack against a military objective (see Section 4 "Attacks Against Objects" of the Tallinn Manual on the International Law Applicable to Cyber Warfare for an in-depth discussion of this legal term of art).

Iran is a possible suspect in the Shamoon attack, and had it targeted one of Aramco's SCADA systems, then what was probably a warning to Aramco not to increase its oil production would almost certainly have been treated as an act of war instead. The IRGC, which is in command of Iran's cyber warfare units, would know that. Whether it was the IRGC or a proxy Iranian hacker group working on its behalf, Iran knows better than to do anything that would interrupt the world's oil supply.

UPDATE (14SEP12): I've edited this post to correct some errors in my original post regarding the types of operating systems used at Aramco.

Wednesday, 05 September 2012

Saudi Aramco Under Attack Again

According to at least one knowledgeable source, Saudi Aramco is currently dealing with another network attack which affected some of its business systems at 0800 AST but not its production or distribution facilities. At this time the company's websites at saudiaramco.com and aramco.com are down, and employees have been advised to unplug their workstations while U.S. and Saudi security teams attempt to conduct incident response.

There's been no announcement from the company nor has anyone yet claimed credit for the attack. A call to Saudi Aramco's public affairs department went to voicemail. If anyone has additional information to provide, please contact me via Twitter (@jeffreycarr) or email.

UPDATE (0751 PST 05SEP12): Saudi Aramco's official Twitter account denies that anything is wrong. However, more than one source has confirmed to me that Aramco never fully recovered from the first attack and that Aramco employees were asked this morning to disconnect their workstations from the network.

UPDATE (0858 PST 05SEP12): I've been told via Twitter that this morning's attack may have been a false alarm. At this time, Aramco's website isn't accessible from my location in the U.S. but a journalist in UAE can access it. Email correspondence also seems to be working.

UPDATE (0944 PST 05SEP12): Aramco's websites and field offices are all affected by an Internet outage at the company according to an email from Aramco's CEO, and they may be down for awhile.

Monday, 27 August 2012

Who's Responsible for the Saudi Aramco Network Attack?

Saudi Aramco R&D headquarters
At least three different hacker groups have claimed responsibility for the August 15th, 2012 attack against Saudi Aramco's network, which damaged 2000 servers and up to 30,000 workstations but failed to impact the segregated production and exploration networks. Only two of the three groups are named, and neither of the two has an Internet history associated with its name.

The first, which calls itself the Arab Youth Group, uses terms like "evil Al-Saud" and "Al-Saud traitors" and specifically refers to Lebanon and the Forqan War (aka Operation Cast Lead 12/2008-1/2009) which at least one Iranian hacker crew - the Ashiyane Security Group - participated in.

The second hacker group calls itself the Cutting Sword of Justice. They posted multiple pastebins containing proof of the scale of the attack in the form of compromised IP addresses of servers. They also posted the start date and time, which corresponds to the code string found in Shamoon. Their posts lacked the religious phrasing of the Arab Youth Group and emphasized "tyranny" and "oppression" instead.

The third hacker group is the one which announced a second attack on 25 Aug 2012 at 2100 GMT in order to prove that they didn't need an insider's help. That attack doesn't appear to have been successful. The Cutting Sword of Justice specifically referred to them as a separate group, and their phrasing and word choice is different from that used by the Arab Youth Group. This third group seems to be a latecomer and can be dismissed as an active participant in the attack. And while the Arab Youth Group and Cutting Sword of Justice have claimed responsibility, the timing and circumstances of the attack elevate it beyond either of those groups' ability to conduct it alone.

Iran and Hezbollah
According to the analysis that's been done on Shamoon by Kaspersky Labs, it appears to be related to the Wiper virus that struck Iran's oil ministry last April. None of the security labs have a copy of Wiper, but since Iran was the victim, it would be in the best position to produce a similar or reverse-engineered version, which Kaspersky has named Shamoon.

Hezbollah, a Shi'a militant group based in Lebanon, receives financial and political support from Iran. Since Hezbollah members include hackers, and since Iran decided to recruit hackers to join the ranks of its Basij paramilitary corps in late 2010, Hezbollah's possible involvement in this attack against Saudi Aramco must be properly evaluated.

In fact, a Saudi Arabian minister in 2007 was quoted in a U.S. diplomatic cable in which he expressed his fear that Saudi Aramco had some employees who were members of Hezbollah and who were in a position to disrupt oil production.

Lebanese Shi'a Questioned
According to this Arabic website, up to 70 Aramco employees, including Lebanese Shi'a, are being investigated for involvement in the attack. There's not enough information to know if they were investigated because their religious beliefs made them suspect or because there was evidence connecting them to the attack. Knowledgeable sources have told me that the number of suspects has been reduced from 70 to 20.

Tension between Iran and Saudi Aramco Over Oil Embargo
The stated motivation for this attack by the Arab Youth Group and Cutting Sword of Justice is a nebulous religious objection which completely fails to acknowledge recent events related to the oil embargo placed upon Iran by the U.S. and European Union that went into effect on July 1, 2012. Is it just coincidence that these groups attacked now? More likely, in my judgment, is that this attack represents retribution for Saudi Arabia's Foreign Minister Prince Saud al-Faisal saying that talks with Iran are a waste of time and that the oil embargo should proceed as planned.

To add fuel to this fire, on July 20 India's Mangalore Refinery & Petrochemicals Limited "bought Azeri, Saudi and Emirati crude to replace imports from Iran in July 2012 and it may halt purchases from Tehran altogether as sanctions make shipments more difficult." Iran responded with a threat to close the Strait of Hormuz if sanctions weren't revoked; however, that same threat has been made many times before and Iran has never carried it out. A much more likely form of retribution, and one that's considerably safer for Iran, is to sponsor a damaging network attack against Saudi Aramco through a proxy like the Arab Youth Group.

Summary
Iran is at the center of every significant aspect of this attack. It is the only nation with access to the original Wiper virus from which Shamoon was copied. Iran is angry at Saudi Aramco for offsetting Iran's drop in oil production due to the embargo that started 45 days prior to the attack, which gives it motive. It supports a militant organization (Hezbollah) that uses hackers and allegedly has members employed at Saudi Aramco, which gives it opportunity and access. While the involvement of both the Arab Youth Group and the Cutting Sword of Justice gives it the appearance of a mere hacktivist attack, I think that a careful analysis of the known facts points to a state-sponsored attack by Iran that was crafted to look like the work of hacktivists. Perhaps Iran has learned something from Russia about the strategy of misdirection via the government's recruitment of patriotic hackers.


RELATED:
Lessons for CEOs from the Saudi Aramco Breach
Was Iran Responsible for Saudi Aramco's Network Attack?
Saudi Aramco's Security Nightmare: Poor Design, Corrupt Contractors, and More
Operations Security at Saudi Aramco? Zero.

Saturday, 25 August 2012

Lessons for CEOs from the Saudi Aramco Breach

Source: Joint Intelligence Preparation of the Operational Environment (JP 2-01.3)
It's doubtful that Saudi Aramco will issue any substantive statements about the scope of the network attack that it suffered last week. However, the information that's been privately shared with me by people with inside knowledge, as well as by the attackers themselves, reveals enough about the incident to draw certain lessons that CEOs of multi-national corporations (MNCs) need to pay attention to. Here are my top 3 recommendations:

1. The Conventional Cyber Threat Landscape Is Too Narrowly Viewed
Most if not all companies' security operations centers are monitoring for the now conventional Advanced Persistent Threat-style of attack, and their defensive tactics are geared towards interrupting that attack by use of an "intrusion kill chain". The attack suffered by Saudi Aramco didn't fit this model, and hence would have been completely missed by most of the world's largest companies. A multinational corporation must perform a comprehensive review of its entire threat landscape prior to designing its security framework. This includes evaluating its network exposure through its offices in foreign nations, its vendors (including U.S. vendors) and their relationships with the governments of potential adversary states, compromise of its senior executives while traveling, legal access to its intellectual property (i.e., source code) by foreign intelligence services (FIS) if the company conducts business in those same states, and so on. None of these potential attack vectors rely on spear phishing, social engineering, or other commonly watched-for schemes, nor would any of them be caught by the vast array of security software being shopped by vendors today. While MNCs are busy sticking their fingers into the APT holes in their dike, state FIS are quietly re-routing the entire river behind the dike.

2. Companies Need To Pay Closer Attention to the Insider Threat
It's my understanding from a confidential source that the initial infection vector wasn't a spear phishing attack but instead a Shamoon-infected USB stick which was inserted into a workstation in one of Aramco's foreign offices. This required the cooperation of an insider, which, in fact, has been a serious and growing threat vector for a number of years. It's also one that conventional defenses like anti-virus, firewalls, and IPS/IDS cannot stop, and that more sophisticated defenses like encryption and virtualization are not entirely effective against. This threat vector requires a more specific and potentially intrusive security posture which monitors for the early signals that an insider typically presents prior to his malicious act.

3. Companies Cannot Keep a Dedicated Adversary Out of their Network
Saudi Aramco's attackers have threatened another attack today, the 25th at 2100 GMT, to prove their ability to cause harm to the company. And the fact is, they can. This is a David and Goliath scenario if there ever was one. The world's wealthiest company cannot stop a small group from successfully performing an attack. No one can. Therefore, the correct course of action for not only Aramco's CEO but every CEO is to focus on being able to absorb an attack and not have it affect critical operations. This requires making choices between what's critical and what isn't. Keeping your website up 24/7 in the face of a DDoS attack isn't critical. Keeping your oil production from being interrupted is. Keeping your intellectual property from being stolen is. An MNC's CEO and Board of Directors need to perform a difficult but necessary inventory of their corporation's assets and divide them into critical and non-critical groups. Different security protocols and controls need to be applied based upon criticality and resiliency.

While I haven't had the privilege of consulting with Aramco's leadership on their breach, my team and I have provided counsel for other MNCs, and the above guidance is a very high level overview of our recommendations in those cases. Obviously, the devil is in the details, and specifics on how to implement the above guidance will vary on a company by company basis. The bottom line is that if a company's board still believes that their company is safe from being breached, they have their heads up their collective asses.

RELATED:
Was Iran Responsible for Saudi Aramco's Network Attack?
Saudi Aramco's Security Nightmare: Poor Design, Corrupt Contractors, and More
Operations Security at Saudi Aramco? Zero.

Wednesday, 22 August 2012

Was Iran Responsible for Saudi Aramco's Network Attack?

I've heard speculation from more than one source in Saudi Arabia that the malware attack against Saudi Aramco's network was an Iranian operation to discourage Saudi Aramco from increasing its oil production to compensate for Iran's decrease in oil deliveries due to sanctions imposed on it by the U.S. and European Union. Iran warned Saudi Arabia against boosting production last January after the Kingdom's oil minister pledged to boost production if there was a demand for more oil.

The attackers, who call themselves the "Cutting Sword of Justice", probably used Shamoon (Symantec's W32.Disttrack). It destroyed 2000 servers and affected business operations, based upon this list of affected IP blocks. It looks like Iran tried to mimic the Wiper virus that was used against its oil ministry last April. Kaspersky called Shamoon a copycat of Wiper. The differences were:
The original “Wiper” was using certain service names (“RAHD...”) together with specific filenames for its drivers (“%temp%\~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware.
It's also important to note that Wiper was not Flame; they are two distinct and separate pieces of malware, and the investigation of Wiper led to the discovery of Flame. Since none of the software security companies have a complete copy of Wiper, it makes sense to me that Iran, the victim of the Wiper attack, reverse-engineered or at least mimicked it to create Shamoon. Kaspersky Labs noted that the start date of the Aramco attack was August 15 11:08 AM (Arabia Standard Time - AST) per the attackers' first pastebin posting. This exactly corresponded with a date and time found in the code: "15th August 2012 08:08 UTC". The difference between UTC and AST is +3 hours.

Iran has been known to use its indigenous hacker population to run state-sponsored attacks in the past during Operation Cast Lead (Ashianeh Security Group). Other well-known and highly skilled Iranian hackers include the Iranian Cyber Army and ComodoHacker.

I understand that Aramco has been vigorously investigating the attack to determine how their network was compromised and that some firings of employees and contractors have already occurred. I've asked Saudi Aramco's public affairs office for a comment but so far no one has returned my call.

UPDATE (23AUG12): I've received new information from knowledgeable sources that the attack vector for delivery of the worm was a USB stick inserted into a workstation at one of Aramco's global offices (not in Saudi Arabia). Further, the timing of the attack was carefully chosen to be one hour before the end of the work day, which was the end of the month of Ramadan and the start of the Eid holiday.

RELATED:
Saudi Aramco's Security Nightmare: Poor Design, Corrupt Contractors, and More
Operations Security at Saudi Aramco? Zero.


Sunday, 19 August 2012

Saudi Aramco's Security Nightmare: Poor Design, Corrupt Contractors and More

After Friday's blog post on Saudi Aramco's lack of Operations Security involving its network infection by Shamoon, I was contacted by a former Aramco IT employee who provided me with a lot more background on just how bad the security situation is at the world's largest oil producer. My contact's career with Saudi Aramco spanned over 30 years, dating back to the late 1980s when by royal decree the Arabian American Oil Company became the Saudi Arabian Oil Company, or Saudi Aramco.

In 2010, the Financial Times estimated Saudi Aramco's value at "$7,000bn, 40 times Shell's market capitalisation and double that of the entire London Stock Exchange." A 7 trillion dollar valuation makes Saudi Aramco the most valuable company in the world. From an intellectual property perspective, the company owns over 100 patents and employs over 500 engineers and scientists in two R&D facilities:
  1. "Exploration and Petroleum Engineering Center Advanced Research Center (EXPEC ARC) which is solely managed by Exploration & Producing and focuses on upstream research"
  2. "The Research and Development Center (R&DC), which focuses on downstream research and includes bio-research. Leading research undertaken at these two major facilities provides Saudi Aramco with competitive technology solutions throughout the vast range of its petroleum-related activities"
I'm including data on Aramco's R&D and patents because, in my professional judgment, that's the best way for CEOs and Boards of Directors to plan for and justify their IT security budget - as a percentage of their annual R&D investment. While it's clear that Aramco has a lot to protect, what's not clear is why Aramco's leadership has made so many bad decisions or received such bad security advice. The following information in italics comes directly from the emails that I received and, in my opinion, helps explain why the company is struggling to defend against what Kaspersky Labs has called the work of some "script kiddies". More importantly, however, if the information below is accurate, then the company has probably experienced multiple breaches that it never discovered: breaches targeting its R&D, mining data, or other valuable IP over the course of several years, just as many other oil and mining companies in the U.S., Australia, Brazil, Canada, and elsewhere have reported.

Here are the issues:

All Services On One SAP System
"The first mistake was Aramco's continued work on migrating all of its services to SAP regardless of the type of service. An employee can get an employment certificate through SAP and at the same time can get a gate pass from the same system. One is an EIS function while the other is a security function. Not only that but also doctors prescribe medications on the same system and the hospitals and pharmacies are run through this part of SAP."

Security Administered by Part-time Contractors
The second major mistake is when Aramco trusted the security and administration of all of its systems to contractors instead of its own IT staff. To be clearer, those contracted firms use temporary manpower to manage the networks.

The contractors I am talking about are "Local companies" newly established to provide IT services to Aramco. For example, if Aramco wants to install new stations in a department or a unit, then one of those contractors will provide the stations, install the SAP interface and other applications, connect the stations to the network, and add the users to the system. This is how open the system is.

If an employee has a problem on his/her station, then the employee will have to dial "904, The Help Desk" where a contractor employee will issue a trouble ticket, and another contractor employee will remotely use "Remote Desktop" or similar functions to solve the issue.

Insider Threat 
Those contracted companies hire employees from Asian countries for low salaries and have them do this work. If any of those workers gets a better deal somewhere else, he will quit the IT function and go. But those contracted workers can go to Dubai or Qatar if they find better deals. And in this case, they know more than enough about the Saudi Aramco system. They can go to Iran and work there with this information.

Corruption in Out-sourcing Contracts
The outsourcing business started in the mid-nineties. It was whispered to be a product of the start of corruption in the corporate management.  It was rumored that each of those outsourced contractors is being fostered by a big figure in management in a way that is difficult to verify.

Each of these is a major problem on its own, but combined they mean that Saudi Aramco has placed itself in an indefensible position with a massive threat landscape. Sadly, Aramco's leadership seems to be targeting loyal employees for responsibility rather than the local contractors whose poor security practices are to blame. The good news is that all of these problems are reversible if Saudi Aramco's President is willing to pursue more informed options on how the state-owned company should handle its network security.
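The contractor and insider-threat issues above come down to one auditable question: which accounts held by temporary contractor staff still have remote-administration rights after the person has moved on? The following is an added example, not code from the original post or from Saudi Aramco, showing the check a defender would run against an identity-store export. The account records, vendor rosters, field names and dates are all constructed for illustration and assume nothing about Aramco's real systems.

```python
"""Audit contractor accounts that hold remote-administration rights.

Added example (not code from the original post or from Saudi Aramco).
All account and roster data below is constructed for illustration;
the field names are assumptions, not any real system's schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    username: str
    owner_type: str      # "employee" or "contractor"
    vendor: str          # contracting firm, "" for direct employees
    remote_admin: bool   # may open Remote Desktop sessions to user stations
    last_login: date
    enabled: bool


# Constructed sample: an identity-store export
ACCOUNTS = [
    Account("jdoe",      "employee",   "",         False, date(2012, 8, 14), True),
    Account("c_alpha01", "contractor", "AlphaIT",  True,  date(2012, 8, 15), True),
    Account("c_alpha02", "contractor", "AlphaIT",  True,  date(2012, 5, 2),  True),   # left in May, never disabled
    Account("c_beta07",  "contractor", "BetaNet",  True,  date(2012, 6, 1),  True),   # still on roster, long idle
    Account("c_beta09",  "contractor", "BetaNet",  False, date(2012, 8, 10), True),
    Account("c_gamma03", "contractor", "GammaSvc", True,  date(2012, 3, 30), False),  # already disabled
]

# Constructed sample: the staff each vendor currently reports as on site
VENDOR_ROSTER = {
    "AlphaIT":  {"c_alpha01"},
    "BetaNet":  {"c_beta07", "c_beta09"},
    "GammaSvc": set(),
}


def find_orphaned_admin_accounts(accounts, roster):
    """Enabled contractor accounts with remote-admin rights whose vendor no longer lists them."""
    return sorted(
        a.username for a in accounts
        if a.enabled and a.owner_type == "contractor" and a.remote_admin
        and a.username not in roster.get(a.vendor, set())
    )


def find_stale_admin_accounts(accounts, today, max_idle_days=30):
    """Enabled remote-admin accounts (any owner) that have not logged in within max_idle_days."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        a.username for a in accounts
        if a.enabled and a.remote_admin and a.last_login < cutoff
    )


def vendor_admin_counts(accounts):
    """Live remote-admin accounts per vendor: the blast radius of each outsourcing contract."""
    counts = {}
    for a in accounts:
        if a.enabled and a.remote_admin and a.owner_type == "contractor":
            counts[a.vendor] = counts.get(a.vendor, 0) + 1
    return counts


def run_audit(today=date(2012, 8, 20)):
    """Run all three checks against the constructed data and return the findings."""
    return {
        "orphaned": find_orphaned_admin_accounts(ACCOUNTS, VENDOR_ROSTER),
        "stale": find_stale_admin_accounts(ACCOUNTS, today),
        "per_vendor": vendor_admin_counts(ACCOUNTS),
    }


if __name__ == "__main__":
    for name, finding in run_audit().items():
        print(f"{name}: {finding}")
```

The orphaned check is the one that directly addresses the churn described in the emails: a contractor who quit in May but whose enabled account still carries Remote Desktop rights. The idle check catches the same problem when the vendor's roster is out of date, and the per-vendor count gives management a number to attach to each outsourcing contract.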

UPDATE (20AUG12: 0655 PDT): A contact at Aramco has informed me that the gate access system and intruder detection systems at one of the oil plants are down.


RELATED:
Lessons for CEOs from the Saudi Aramco Breach
Was Iran Responsible for Saudi Aramco's Network Attack?
Operations Security at Saudi Aramco? Zero.

Friday, 17 August 2012

Operations Security at Saudi Aramco? Zero.

The world's largest oil producer Saudi Aramco has apparently suffered a cyber attack according to this announcement on its Facebook page:
Saudi Aramco Responds to Network Disruption  
On Wednesday, Aug. 15, 2012, an official at Saudi Aramco confirmed that the company has isolated all its electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network.  
The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network. Saudi Aramco confirmed the integrity of all of its electronic network that manages its core business and that the interruption has had no impact whatsoever on any of the company’s production operations. 
The company employs a series of precautionary procedures and multiple redundant systems within its advanced and complex system that are used to protect its operational and database systems. Saudi Aramco IT experts anticipate resuming normal operations of its network soon.
What's shocking in terms of operational security (OPSEC) is that Aramco employees are publicly commenting on the event and adding information that wasn't disclosed in the announcement, such as:
  • (name and position deleted): "My hard disk crashed, not cool"
  • (name and position deleted): "I lost everything I did for this week too"
Besides poor OPSEC, Saudi Aramco has other major issues with its network security. Oil companies, like power companies, should have air-gapped networks which isolate their industrial control systems from their business networks as well as from the Internet. That appears not to be the case based upon the wording in Aramco's announcement - "the company has isolated all its electronic systems from outside access as a precautionary measure ...". If the systems responsible for its production operations were air-gapped, there'd be no reason to take such draconian measures. On the other hand, the company appears to be relying on McAfee as their security vendor which means that the House of Saud doesn't understand that their anti-virus vendor should never be relied upon for best practices in the area of network security nor should an AV vendor be trusted to perform incident response.
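The segmentation point above can be stated as a policy and checked against flow records: traffic must never cross between the industrial control network and either the business network or the Internet. The following is an added example, not code from the original post or from Saudi Aramco, that runs such a check over constructed flow records. The zone address ranges, the flows and the zone names are all assumptions made for illustration.

```python
"""Check network flow records against an ICS zone-isolation policy.

Added example (not code from the original post or from Saudi Aramco).
The zone address ranges and flow records are constructed for illustration.
"""
import ipaddress

# Constructed zones: which address ranges belong to which network.
# Anything outside the defined zones is treated as "internet".
ZONES = {
    "ics":      [ipaddress.ip_network("10.50.0.0/16")],
    "business": [ipaddress.ip_network("10.10.0.0/16"),
                 ipaddress.ip_network("10.20.0.0/16")],
}

# Zone pairs that must never exchange traffic, in either direction.
FORBIDDEN_PAIRS = {
    frozenset({"ics", "business"}),
    frozenset({"ics", "internet"}),
}

# Constructed flow records: (src, dst, dst_port, proto)
FLOWS = [
    ("10.10.4.21", "10.10.9.7",      445,  "tcp"),  # business -> business
    ("10.10.4.21", "93.184.216.34", 443,  "tcp"),  # business -> internet
    ("10.50.1.10", "10.50.1.11",    502,  "tcp"),  # ics -> ics (Modbus)
    ("10.20.3.5",  "10.50.1.10",    3389, "tcp"),  # business -> ics (RDP): violation
    ("10.50.2.8",  "198.51.100.9",  80,   "tcp"),  # ics -> internet: violation
    ("10.50.1.10", "10.10.4.21",    53,   "udp"),  # ics -> business: violation
]


def zone_of(ip_str):
    """Map an address to its zone name, defaulting to 'internet'."""
    ip = ipaddress.ip_address(ip_str)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"


def find_violations(flows):
    """Return the flows that cross a forbidden zone boundary, tagged with both zones."""
    violations = []
    for src, dst, port, proto in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if frozenset({src_zone, dst_zone}) in FORBIDDEN_PAIRS:
            violations.append({
                "src": src, "dst": dst, "port": port, "proto": proto,
                "src_zone": src_zone, "dst_zone": dst_zone,
            })
    return violations


def violation_summary(flows):
    """Count violations per directed zone pair, e.g. ('business', 'ics') -> 1."""
    summary = {}
    for v in find_violations(flows):
        key = (v["src_zone"], v["dst_zone"])
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    for v in find_violations(FLOWS):
        print(f"{v['src_zone']} -> {v['dst_zone']}: {v['src']} -> {v['dst']}:{v['port']}/{v['proto']}")
    print(violation_summary(FLOWS))
```

If a network really is air-gapped, this check over its flow logs returns nothing; any hit from the business zone or the Internet into the ICS zone is exactly the path that would force a company to "isolate all its electronic systems from outside access" when a workstation virus appears.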