Strategies to combat complex cyber and critical infrastructure security threats were the focus of a session at the ADIPEC Security in Energy conference on 14 November
In a keynote address, Don Randall, former head of security and chief information security officer, Bank if England, posed the question "Who is policing your IT? Is is the same person as the one who is managing and maintaining it, and possibly covering it up?" While the CIO (Chief Information Officer) and CISO (Chief Information Security Officer) should work in harmony, the two functions should be independent, he argued, whatever the type of organisation. He also advised that companies should have a single point of intelligence gathering, interpretation and response, and that attention should be given to geopolitical analysis.
He highlighted the need for collaboration and partnership between the public and private sector to tackle the cyber security threat. "Law enforcement bodies can't deal with this on their own, the enforcement agencies need to talk to each other, private companies need to talk to each other." Sharing information is critical, he said, adding "the key word is trust."
Educating staff on cyber and fraud could reduce the risk of fraud by 80 per cent, he said, advising "Share with your staff the basic philosophies and practices."
Cyber security should be a board level concern, he concluded.
Following on from Mr Randall's keynotes address, delegates heard from Mohamed Al Jneibi, representing the UAE's Global Defense Centre, Alfio Rapisarda, senior vice president of security, Eni, and Dr Zhang Jian, chief technology officer, CNPC.
The moderator, Irene Copruz, section head, planning and IT security, Western Region Municipality, said that data security is "very critical" because of the risk of exposure for "billions of dollars worth of information".
"The systems we use for our workers to work remotely are the same systems the hackers are using," she said.
Mr Al Jneibi said the UAE's oil and gas industry was the first priority for cyber security protocols and said the "convergence of both OT and IT was our area of concern".
Mr Rapisarda said that he had the "crazy idea" of putting IT and security together because "nobody was looking after why we are attacked or when we are attacked." He said this means of intelligence-gathering has proven to be "very effective, very efficient".
"We are embedded in the system and we are at board level," said Mr Rapisarda, reflecting Mr Randall's comments in regard to ensuring that cyber security leaders are represented at board level for all organisations.
Mr Rapisarda said that without taking into account all considerations, including geopolitical, financial, technical, industrial and environmental factors along with security, operators will only achieve "compliance without being effective". He also advocated cooperation between private and public sector players rather than "fighting one against the other". He said that this was not an option when dealing with cyber security threats.
Dr Zhang said that the challenges presented by CNPC working with the UAE were considerable because of ambitious targets, such as 70 per cent oil recovery. One of the main challenges is meeting human resources requirements, according to Dr Zhang. He stressed the importance of finding the right people and developing a strong talent pool.
"The first step to a more oil and gas-specific set of standards is to establish working groups with oil and gas," said Dr Zhang. He echoed the sentiments of Mr Randall and Mr Rapisarda when he said that private and public cooperation was essential.
Referring back to the need for a strong talent pool, Dr Zhang said that he had found that often government employees are "behind internationally recognised standards and need to catch up".
He added that working in the Middle East present its own challenges because "it is in a unique position geographically" and geopolitical events are a consideration for all cyber security systems.
A risk-based approach with a focus on cooperation and rapid integration was advocated by Dr Zhang to ensure public and private stakeholders are all engaged.
"Geopolitical instability makes cyber security more complicated," said Dr Zhang. "We always talk with local authorities in each of the countries where we operate."