Recent Security Breach At Saudi Aramco Solidifies The Notion Of Preparing For The Worst
Like any major catastrophe, many companies think it won't happen to them. But "stuff" happens and it's best to be prepared for the worst. Just ask Saudi Aramco. On Aug. 15 the oil producer was attacked by a virus named “Shamoon,” which damaged 30,000 computers. About 85% of the company’s devices had their hardware destroyed.
In a Sept. 10 statement, Aramco said that the virus, which only affected personal workstations in the company, had no significant impact on the company’s administrative operations or the productivity of its employees.
“We addressed the threat immediately, and our precautionary procedures, which have been in place to counter such threats, and our multiple protective systems, have helped to mitigate these deplorable cyber threats from spiraling,” said Khalid Al-Falih, president and CEO of Saudi Aramco, in a statement published last week on the company's Facebook page.
Coincidentally, Chemical Processing hosted a webinar -- Preparing for Physical and Cyber Security Integration in the Chemical Industry (access the on-demand version here.) -- on the heels of this news. Original air date was Sept. 11, 2012. To kick off the webinar, presenter Rick Kaun, manager of Honeywell’s Industrial IT Solutions business, discussed the cyber security breach at Saudi Aramco and segued into a very informative presentation on preparing for security threats.
When first introduced, the Chemical Facility Anti-Terrorism Standards (CFATS) focused on physical security, storage and handling of chemical facilities and feedstock. However, there is also a section on the need for a cyber security program. To date, there has been little detail in that section, but the general intent is for the rapidly evolving ISA99 standard to become the cyber guidebook for CFATS. When that happens, organizations that are prepared to include cyber controls within or integrated with existing physical security systems will have a significant head start.
According to Kaun, ISA99 is a good program to consider because it is grounded in process control. "It is an important, emerging tool." While it's not a regulation yet, he did allude to that reality a few times during the presentation.
He also offered several sage steps toward security. The first: "Treat cyber security as a matter of fact, not like the sky is falling," says Kaun. If you make it one of your business practices, it will be in place when you need it and you won't have to run around like Chicken Little.
Another major theme throughout the event was accountability. The best security measures can be nullified if employees don't adhere to the protocol. Kaun suggests that employees be rewarded for following procedure and reprimanded when they fail to do so.
Be sure to access the on-demand version of the webinar. Total run time is 60 minutes. The last 15 minutes address audience questions. You must register for the event, but you will have instant access after you fill out the short form. Enjoy.
Senior Digital Editor
On the social media front, be sure to check out her Google+ page.