udi defence ministry spokesman Colonel Turki Al-Malik displays on a screen drones which Saudi government says attacked an Aramco oil facility, during a news conference in Riyadh, Saudi Arabia September 18, 2019. Hamad I Mohammed | Reuters

A recent attack against Saudi Aramco damaged the world's largest oil producer and delayed oil production, roiling oil and gas markets. The Saudi government and U.S. intelligence officials have claimed the incident is the work of Iran, while Iran blamed Yemeni rebels. This is a real-world continuation of a long-simmering cyberwar between the two countries, which has spilled over into other global powers. In recent years, Iran has deployed destructive computer viruses against Saudi Arabia. The Kingdom and oil and gas industry have been slow to shore up their defenses, raising red flags about the possibility of longer term fal-out in the region, experts said. Investors should expect long-term cyber espionage and flare-ups of malicious activity, including the potential for destructive attacks that hurt companies in the region beyond Aramco. Saudi Aramco declined to comment for this article.

Learning from history

Iran and Saudi Arabia have been cyberwarfare proving grounds for more than a decade. Activity across the Gulf has concentrated on oil and gas companies, which gather terabytes of data related to drilling and oilfields. The oil and gas sector has long relied on potentially vulnerable "internet of things" devices to measure information about the availability of oil, and to power the complex machinery that finds, extracts and refines it. Iran's nuclear facilities were attacked by a virus called Stuxnet in the mid-2000s. This malicious software was sophisticated, built in a "modular" format. Attackers could use it not only to extract intelligence but also to control and destroy sensitive machinery. Stuxnet has widely attributed to a combined effort by Israel and the United States. Iran reacted to Stuxnet in a surprising way: they didn't talk about it much at all. But they did take action, said Lieutenant Colonel Scott Applegate, an expert in the history of cybersecurity and a cyber professor at Georgetown University.

One theory is that Iran took some of what they learned from Stuxnet and created a new weapon, which they then deployed against Saudi Aramco in 2012. That virus, known as "Shamoon," was modular and multi-faceted like Stuxnet, but had only one purpose: To find and destroy data. It did this quite successfully, said Brian Hussey, vice president of cyber threat detection and response for cybersecurity company Trustwave. "You saw that at Saudi Aramco, 30,000 boxes got bricked," said Hussey, describing how 30,000 of the oil agency's computers were erased over the course of the day, destroying swaths of data. The attack laid out Iran's cyber capabilities for the world to see, but had little financial impact on Saudi Aramco, costing only a small fraction of the oil giant's daily revenue, Applegate said. "While they made a big impact on the world stage, they did not bleed over into the wider system. Historically, cyberattacks have not played a huge role in the oil and gas industry, other than from a hyperbolic rhetoric point of view," Applegate said. But what happened after Shamoon is more alarming.

A slow change problem

Following the Shamoon attack, Aramco took several years fortify its defenses. Saudi Arabian officials were interested in installing American-style cybersecurity best practices throughout the company. But one cybersecurity engineer who participated in the response to Shamoon said he observed a corporate culture throughout Saudi Aramco that was resistant to change. It was difficult to "spark urgency" in workers and leaders, he said, because their jobs "simply weren't on the line, like they are everywhere else when there's a breach." Workers, many of whom were guaranteed lucrative jobs because of their family ties or tenure, expressed indifference at some security basics, he said. The result was a "slow change problem," that made it difficult to implement the types of controls that are often required at American companies, especially following a security incident, he said. Two other cybersecurity experts who worked in Saudi Arabia at the time concurred with these observations. All requested anonymity because they were not authorized to speak with press. The engineer said he was not surprised when he saw that Saudia Arabia had suffered another series of attacks by the same Shamoon virus in 2017, five years after the initial attacks. Also in 2017, reports surfaced that Saudi Aramco's industrial safety systems may have been "tested" by hackers looking to see how they could turn those systems off. This dark turn showed how cyber conflict could have a significant effect on public safety and the wider oil and gas industry. "There is certainly potential if they can get into the SCADA systems that there is a potential to disrupt oil and gas production, and that would be a much more serious incident," Applegate said. He also cauthioned that Saudi Arabia's slowness to respond tot to very similar attacks, years apart, may have been a bad sign in terms of preparedentwo

What happens next