[Interview] 2 Minutes with Sarfaraz Ahmed, CISO at ENGIE
Please introduce yourself and tell us a little about your journey in cyber security.
I am Sarfaraz Ahmed, CIO and CISO at ENGIE. I have been in the industry for more than 20 years, with experience in strategic roles including information technology, cyber security and digital transformation of the regional business of ENGIE, covering the Middle East, South & Central Asia, Turkey and Africa.
In my role as CISO (Chief Information Security Officer), I am responsible for cyber security of IT and OT environments.

How is the pandemic reshaping the threats against critical infrastructures in the MENA region?
In the energy industry, more than 80% of assets are part of critical infrastructure; this stands for all geographies, including MENA. The COVID-19 pandemic poses new challenges and threats to these industrial assets, as access to sites is impacted due to travel and other restrictions. Remote operational support is increasing in situations where OEMs are not able to reach sites for plant outages, hence increasing the threat landscape of the assets.
What are the 3 main challenges that cyber leaders in MENA are facing at the moment?
- Shortage of skilled resources in the cyber security domain
- Lack of strategic influence on decision-makers & limited awareness of board members around cyber security risks
- Proliferation of digital solutions is outpacing cyber security investments
What impact are these challenges having on your cyber security strategy?
- Shortage of skilled cyber security resources – The organisation does not have enough capacity to respond to increasingly growing cyber risks and an expanding threat landscape.
- Lack of strategic influence – Investments on cyber security projects are taking an awful lot of time and effort to get board level approvals. More specifically, many critical industrial assets are facing obsolescence challenges on their SCADA and DCS systems, which is posing a great risk of cyber-attacks. Such upgrades generally require sizable investments and without awareness at board level, decisions take a very long time, and in some cases remain frozen.
- Proliferation of digital solutions – Cyber security teams are often not consulted until digital plans for the organisation are well underway, leaving limited time to embed adequate controls to protect the digital solutions from cyber security threats. In the context of COVID, many organisations are on a fast-track of adoption of digital and cloud technologies, hence cutting corners on required cyber security controls.
What is your advice for companies looking to baseline and start their OT security journey?
One of the most important pieces of advice would be to focus on a risk based approach when drafting the cyber security strategy of critical assets. Many organisations fall into the trap of expanding the scope to a very large scale, which becomes unmanageable, especially when there are constraints on budgets or cyber security resources.
My second piece of advice is to invest in people and develop a strategic plan of talent development in the cyber security domain. You should also embed cyber security into all processes of IT, including infrastructure, software development, business applications, ERP, operations etc.
Looking at the protection of critical infrastructures in MENA, in which area do you think collaboration between states at a regional level is the most mature? And where is it needed the most?
In all fairness, it is hard to find a positive answer to the first part of the question. I see a very limited coordinated approach, which is mainly due to the strained geo-political situation in the region. The area where regional collaboration is needed the most is advanced threat intelligence. The regional states should join hands to share threat intelligence at a regional level.
What do the next 5 years hold for your industry?
In the next 5 years, the energy industry, and more specifically the power generation sector, is expected to move towards a merchant market where energy players will be able to sell electricity in the market as a commodity. While such operation is quite common in the Western world, it would be quite new to the Middle East and Africa region. From a cyber security perspective, it will result in increased demand for secure solutions for energy trading, dispatch and settlements. Most of these solutions would be hosted and provisioned through cloud technologies, which may introduce new cyber security challenges.
With increasing demand for businesses to achieve higher operational excellence and to save operational cost, remote operations of industrial assets will become very common. However, it will expose the critical assets to the internet and cloud computing, where legacy technologies will face the risk of cyber threats.
Connect with Sarfaraz Ahmed and learn more about How to Achieve a More Holistic Approach to Securing CI Cyber-Physical Systems as part of a live panel discussion with cyber security experts from CC Energy Development (Oman), International Medical Centre (Saudi Arabia) and Ministry of Health (Saudi Arabia) at the upcoming CS4CA Cyber Security World Summit, on May 6th.

