Certification firms for Aramco’s third party cybersecurity standard
Saudi Aramco has selected eight leading professional services firms in the region as its exclusive preferred suppliers for conducting third party cybersecurity assessments and issuing compliance certificates.
The Saudi Arabian oil giant introduced its Cybersecurity Compliance Certificate Program for its suppliers last year, prescribing that all third parties working with Aramco should comply with the cybersecurity requirements spelled out in the company’s Third Party Cybersecurity Standard (SACS-002).
By applying an independent evaluation system, Aramco aims to minimise third-party risk, which has over the years proven to be a key cybersecurity risk. This is especially true for corporates the size of Aramco (with revenues of over $220 billion, one of the globe’s largest companies) that rely heavily on external parties and suppliers to run their operations.
The importance of cybersecurity to the oil industry was demonstrated once more last month, when Colonial Pipeline (the largest pipeline system for refined oil in the US) was hacked, leading to a days-long halt of all operations and the payment of a million-dollar ransom fee. While the hack originated from a security flaw in Colonial Pipeline’s own control-room infrastructure, experts have warned that third-party APIs with suppliers offer hackable entry points that could cause similar damage.
The types of Aramco suppliers who need to obtain the certificate include general vendors, outsourced infrastructure, customised software, network connectivity and critical data processors.
To become certified, suppliers need to comply with a string of cybersecurity standards and procedures stipulated by Aramco’s program, and then have their approach ratified by one of the eight authorised firms. Enlisted to oversee this certification process are: Baker Tilly, BDO, Crowe, Deloitte, Grant Thornton, KPMG, RSM and STC Solutions.
About Aramco’s Third Party Cybersecurity Standard
The standard consists of four major components:
1. Identify: The identification component consists of four parts:
- Asset Management – catalog and classify digital assets
- Governance – establish cybersecurity policies, standards, and staffing
- Risk Assessment – conduct penetration testing for IT infrastructure and websites
- Risk Management Strategy – identify, assess, and remediate risks to data and information systems
2. Protect: Protection consists of four parts:
- Access Control – include issuing passwords and security badges, establish visitor management processes, and define other access to restricted systems and facilities
- Data Security – describe how to secure systems, data, documents, and applications
- Information Protection Processes and Procedures – include disaster recovery and business continuity plans
- Protective Technology – describe how key systems and technologies should be protected, including the use of intrusion detection systems (IDS)
3. Detect: Detection consists of two parts:
- Anomalies and Events – describe how technology assets and systems are monitored for unauthorized access or activity
- Continuous Monitoring – include physical security measures, account monitoring, vulnerability scans, and monitoring for the use of non-authorized devices
4. Respond: Response consists of three parts:
- Communications – include an incident management policy and plan
- Analysis – describe the incident response capability and tracking of all cybersecurity incidents
- Mitigation – describe how vulnerabilities should be resolved or mitigated
Certifications
There are two types of cybersecurity compliance certificates:
- The Cybersecurity Compliance Certificate (CCC): this is for suppliers classified as general vendors, outsourced infrastructure and customised software. They need to conduct a self-compliance assessment against SACS-002, and have this assessment verified remotely by one of the authorised firms.
- The Cybersecurity Compliance Certificate Plus (CCC+): this is for suppliers classified as network connectivity and critical data processors. They need to hire one of the authorised firms to conduct an on-site compliance assessment against SACS-002.
Both certificates are valid for two years from the issuance date.
Authorised firms
While Saudi Aramco has released a list of authorised auditors and certification firms, the oil giant has stated that suppliers seeking certification are free to choose with whom they do business. “Aramco does not have any preference when it comes to choosing the firm, as long as you are going to work with one of the authorised firms,” reads a statement on the company’s website.