CEO on Cybersecurity
SPEECH: Amin Nasser delivers keynote at Global Cybersecurity Forum in Riyadh
Aramco will introduce this year the President’s Excellence Awards for Cybersecurity.
Your Excellencies, distinguished guests, ladies and gentlemen,
It is a pleasure to be with you again for this Global Cybersecurity Forum here in Riyadh.
And thank you for inviting me to speak about cybersecurity in the energy sector. After all, there are very few industries – if any – that play such a significant role in every single aspect of the daily lives of billions of people around the world — from keeping the lights on, to actually protecting the world from complete chaos.
In fact, the energy industry’s importance cannot be overstated. It is no surprise, therefore, that the energy industry as a whole and in parts has long been a favored target for attackers.
While such attacks were typically physical in the past, the danger is now compounded with the additional threat of cyberattacks. And whether these cyberattacks originate with criminal gangs seeking payments through ransomware or from terrorist groups seeking to damage critical energy infrastructure, the danger for us is very clear, present and constant.
Now, clearly the energy industry has an obvious vulnerability.
— Amin Nasser
Namely, the sector’s dependency on legacy systems, many of which were built long before cyberattacks were ever considered a risk.
And our industry’s shift towards digitalization is leading to a growing convergence of information and operational technologies, something that also increases the potential danger of crippling cyberattacks. Indeed, this convergence makes it easier for cyber attackers to move laterally within organizations, which has very serious implications.
The other consideration that we must take in to account is the fact that the energy industry is a complex ecosystem, with many common service providers and partners. It is therefore vital that cyber resilience is extended beyond just big energy companies to include all service providers throughout our respective supply chains. This is why Aramco requires all of our partners, suppliers and service providers to put in place strong cybersecurity standards.
That said, fighting against cyberattacks is not something that individual companies can do on their own. We all need to urgently increase collaboration — across borders, across industries, across the public and private sectors.
Aramco, for our part, is an active member of global platforms and organizations that are bringing together multiple stakeholders to tackle cyber threats. We are one of the founding partners of the World Economic Forum’s Center for Cybersecurity. Through this and other organizations, we are supporting the adoption of best practices and principles for cyber resilience globally.
Here in the Kingdom, we have also recently partnered with the National Cybersecurity Authority, joining as a founding member of their OT Center of Excellence. This initiative by the NCA will help shape the global cybersecurity ecosystem, providing common standards and advancing R&D.
Simply put, cyber resilience is and will continue to be an extremely high priority at Aramco as cyberattacks are among our top corporate risks. As such, we see a cyber-aware culture across our organization and the entire ecosystem as essential.
In fact, this year we are introducing cybersecurity as one of the select categories of Aramco’s President’s Excellence Awards. These are annual and internal awards that I personally hand out.
Awards which recognize achievements by organizations within the company, as well as affiliates and partners.
This means we now rank cybersecurity on par with other critical areas such as safety, operational excellence and environmental excellence. We take it so seriously because the Kingdom’s energy and chemical products go to almost every corner of the world.
And any significant disruption of these flows, through either physical attacks or cyberattacks, would have devastating consequences.
To help put the stark reality of cybersecurity into perspective, we must never forget that cyber attackers really only need to be successful once to cause major damage, while to prevent such, we, on the other hand, must be successful every single time.