Mobile Surveillance at Aramco Field Sites: Uptime Pressure and Vendor Lock-In

Perimeter security at Saudi Aramco field sites is no longer a procurement category, it is an availability contract written in oil barrels per hour.

The shift happened in plain view. Before September 2019, the operating assumption inside the Eastern Province was that fixed perimeter assets, hardened fencing, manned gatehouses and a layered CCTV grid carried the load, and that mobile surveillance was a supplement for construction zones, turnaround periods and remote wellheads. After the cruise missile and drone strikes against Abqaiq and Khurais, that hierarchy inverted. Mobile, redeployable, sensor-rich surveillance towers moved from supplement to primary perimeter layer at field sites where fixed infrastructure had proven both expensive to harden and slow to adapt. The procurement language changed with it. Uptime, mean time between failures, mean time to restore and detection latency now appear in the same paragraphs as throughput and corrosion resistance. The manufacturer who cannot answer those numbers in writing does not stay on the approved vendor list past the first review cycle.

This article describes what mobile surveillance looks like inside the Aramco operating perimeter, what the post-Abqaiq specification regime actually demands, how the uptime conversation is structured between operator and supplier, and where vendor lock-in has crept into a market that thought it was buying interchangeable hardware. The frame is the one developed in BOSWAU + KNAUER. From Building to Security Technology, in which mobile video towers are treated not as cameras on a mast but as deployable platforms that fail or hold under the conditions of the site, not the conditions of the datasheet.

The post-Abqaiq specification regime

Abqaiq did not introduce a new threat category to anyone who had been paying attention. It demonstrated that the existing one had outrun the existing controls. Cruise-missile and small-UAS attacks against a facility that processed roughly half of Saudi production exposed three things at once. The fixed perimeter, no matter how well engineered, was a known target with a known geometry. The detection envelope around that perimeter was tuned for ground-based intrusion and was thin in the low-altitude air domain. And the recovery posture assumed that the kinetic event would not coincide with a degradation of the surveillance and command layer itself.

The specification response inside Aramco was structural. The Saudi Aramco Engineering Standards governing physical security, principally the SAES-J series for instrumentation and the related SAES-M documents for security and telecommunications, were tightened around the perimeter use case. Mobile surveillance entered as a recognised category with its own requirements rather than as an exception to fixed-CCTV specifications. Vendors who had previously shipped construction-grade towers into the Kingdom found that the same units no longer cleared inspection. The new bar covered ingress protection, ambient temperature operating range to the upper bound of the Eastern Province summer, dust loading, optical performance under haze and fog, radio frequency hardening, autonomous power management with a defined reserve, and integration into the central command layer via documented interfaces rather than proprietary middleware.

The reference frameworks behind that tightening are not exotic. They sit at the intersection of IEC 62443 for industrial control system security, ISO 27001 for the information security wrap around the surveillance data, and the general guidance found in NIST CSF 2.0 on identify, protect, detect, respond and recover. CISA advisories on UAS threats to critical infrastructure feed the threat model. None of this is unique to Aramco. What is unique is the discipline with which the operator translates the framework into procurement clauses and inspection criteria. A tower that satisfies the framework in marketing material but fails the inspection at Ras Tanura does not stay in the compound past sunset.

SAES-J-901 and the perimeter standard stack

Within the Aramco standard architecture, the SAES-J series sets the engineering baseline for instrumentation and process measurement, while perimeter and physical-security provisions are layered through the SAES-M family and the related General Instructions. Operators outside the Kingdom often ask which single document governs mobile surveillance at field sites. The honest answer is that no single document does. The applicable stack is composite. SAES-J-901 and its sibling instrumentation standards govern the sensor and signal side. SAES-M documents address security systems, telecommunications and command integration. General Instructions cover access control, badge management and incident reporting. Project-specific schedules then narrow the stack to the asset class in question, whether that is a gas-oil separation plant, a tank farm, a wellhead cluster or a pipeline pump station.

For a manufacturer, the consequence is that a mobile tower must be specified as a system, not a product. The mast, the camera payload, the thermal channel, the radar or acoustic option, the edge compute, the power subsystem, the communications path and the command-layer integration all have to be traceable to clauses in the stack. The inspector who arrives for factory acceptance testing carries a checklist that reflects that composite, and a unit that excels on optical performance but cannot demonstrate the documented radio link redundancy will be rejected. The cost of that rejection is not just the unit. It is the slot in the deployment schedule, which at field-site scale is measured in tens of towers per quarter and is allocated months in advance.

The standard stack also defines the language in which the uptime conversation happens. Availability is expressed against a defined operating envelope, not against laboratory conditions. Detection performance is expressed against defined target classes at defined ranges under defined atmospheric conditions. Mean time to restore is expressed against a defined logistics chain inside the Kingdom, which means that a vendor without in-country spares and trained service technicians cannot meet the clause even if the hardware is sound. The book BOSWAU + KNAUER. From Building to Security Technology develops this point at length for the European construction market. The Aramco version of the same logic is harder because the operating envelope is harder and the consequences of a missed window are larger.

How uptime is actually measured

Uptime is the word that gets used most often and understood least often in this market. Aramco contracts for mobile surveillance at field sites typically express availability as a percentage of scheduled operating hours, with scheduled operating hours covering the full deployment period and with planned maintenance windows defined and bounded. The headline figure that operators quote in tender documents is usually in the range of ninety-eight to ninety-nine and a half percent. The number sounds clean. The measurement is not.

The measurement starts with the definition of an outage. A tower whose primary optical channel is operational but whose thermal channel has degraded below the contracted detection range is partially available, and the contract has to state whether that condition counts as uptime, downtime or weighted downtime. The same applies to communications. A tower whose local recording is intact but whose link to the central command layer has dropped is, in the post-Abqaiq frame, not delivering its primary function, which is to feed the integrated picture. Contracts that fail to specify this end up in dispute. Contracts that specify it well shift the burden onto the manufacturer to design for graceful degradation and to instrument the unit so that the degradation is visible to both sides in real time.

The measurement continues with the definition of restore. Mean time to restore is meaningless without a defined logistics envelope. Inside the Kingdom, the working assumption for field sites in the Eastern Province is that a Tier 1 spare must be on site within hours, not days, and that a trained technician must be available within a comparable window. Vendors who try to service the contract from a regional hub in the Gulf without an in-Kingdom presence find that their measured MTTR is structurally higher than their contracted MTTR, and that the resulting service credits erode the margin that justified the contract in the first place. The operators know this. The mature suppliers have built the in-country footprint accordingly. The immature suppliers discover the gap during the first sandstorm of the deployment.

The measurement concludes with the definition of reporting. Aramco expects machine-readable availability data feeding into its own asset management and security operations layers. Manual monthly reports compiled from local logs are not acceptable past the pilot phase. The manufacturer who cannot expose a documented telemetry interface to the operator does not progress beyond the pilot phase. The manufacturer who exposes the interface but routes it through a proprietary cloud outside the Kingdom encounters a different problem, which is the subject of the next section.

Vendor lock-in inside a closed perimeter

Vendor lock-in in mobile surveillance at Aramco field sites is rarely the result of a deliberate strategy by the operator. It is the cumulative result of small decisions taken under time pressure. A pilot deployment uses a particular manufacturer because that manufacturer had units available and engineers cleared for site access. The pilot succeeds and is extended. The extension is built on the same telemetry interface, the same command-layer integration, the same spares pool and the same training pipeline. Two years later, the operator has fifty towers from the same manufacturer, and the cost of switching is not the cost of fifty new towers, it is the cost of fifty new towers plus the rebuild of the command-layer integration, the retraining of the operations team, the renegotiation of the service contract and the disposal of the existing spares pool. The switching cost dominates the unit cost by a wide margin.

The post-Abqaiq specification regime makes this worse before it makes it better. The tighter the specification, the smaller the qualified vendor pool, and the smaller the qualified vendor pool, the higher the dependency on any one supplier. Operators who have understood this dynamic are pushing back through three mechanisms. The first is the insistence on open, documented integration interfaces that are part of the specification rather than part of the commercial negotiation. The second is dual-sourcing at the platform level, which means that at any given field site, at least two qualified manufacturers are present, with deployment shares that prevent either from acquiring veto power. The third is the requirement that critical software components, particularly the analytics layer and the telemetry layer, are licensed on terms that survive the failure or withdrawal of the manufacturer.

The third mechanism is the hardest to enforce, and it is where the most significant lock-in remains today. Analytics for mobile surveillance at oilfield perimeters have moved decisively into machine learning. The models that distinguish a maintenance worker from an intruder, a vehicle on an access road from a vehicle on an unauthorised approach, a stationary object from a slowly moving one, are trained on data that the manufacturer holds and updates. The operator who depends on those models cannot easily reproduce them with a different supplier, even if the hardware is interchangeable. Aramco's response, consistent with broader trends in critical infrastructure under guidance from CISA and the ASIS International security management standards, is to require model documentation, performance baselining and the right to independent validation. This shifts the lock-in from invisible to visible. It does not eliminate it. The manufacturer who builds for this market builds with the assumption that the operator will audit the model the same way it audits the hardware, and that opacity is a disqualifying property.

Hardening after the strike

The hardening that followed Abqaiq was not limited to the obvious physical and air-domain measures. It extended into the surveillance layer itself, with a recognition that the layer is both a target and a dependency. A perimeter surveillance system that goes blind in the moments before or during a kinetic event has failed in its primary function, even if the kinetic event would have succeeded regardless. The post-strike specification therefore treats the surveillance layer as a hardened asset in its own right, with requirements that look more like those applied to industrial control systems under IEC 62443 than those applied to commercial security cameras.

The practical consequences are visible across the deployed fleet. Power subsystems are sized with reserves that assume an extended grid disturbance, with battery capacity and solar arrays specified against the worst-case insolation and temperature conditions of the deployment region rather than against the average. Communications paths are redundant, with primary fibre or microwave links backed by independent radio paths, and with the routing configured so that the loss of any single path does not silence the unit. Edge compute is hardened against electromagnetic interference and against the predictable forms of cyber intrusion, with secure boot, signed firmware and documented patch management aligned to NIST 800-53 controls. The unit itself is physically hardened against small-arms fire and against the blast overpressures associated with credible attack scenarios at field sites, within the limits that a mobile platform can carry.

The cybersecurity dimension deserves particular attention because it is the dimension where the gap between specification and reality is widest across the industry. Operators inside the Kingdom, advised by BSI guidance and by the cybersecurity provisions embedded in the Aramco standard stack, expect mobile surveillance vendors to demonstrate the same maturity in software supply chain management, vulnerability disclosure and incident response that is now standard for industrial automation suppliers. Many vendors who entered the market from a traditional CCTV background have struggled with this transition. The ones who have not made the transition are being filtered out. The ones who have made it find that the cybersecurity posture is now as decisive in the procurement decision as the optical performance, and that the audit of the posture is conducted with the same seriousness as the audit of the physical specification. This is the structural change that Abqaiq accelerated. It will not reverse.

What holds

What holds, after the noise around the post-Abqaiq market has settled, is a small number of structural facts. Mobile surveillance at Aramco field sites is now a primary perimeter layer, not a supplement. The specification regime is composite, demanding and enforced with discipline that exceeds what most international vendors are accustomed to. Uptime is contracted, measured and reported in machine-readable form, with definitions that punish vendors who optimise for the datasheet rather than for the site. Vendor lock-in is real, is recognised by the operator, and is being addressed through specification rather than through commercial negotiation alone. Hardening of the surveillance layer itself is now standard, with cybersecurity treated as decisively as physical performance.

For manufacturers, the implication is that this market rewards seriousness and punishes improvisation. A mobile video tower deployed at a gas-oil separation plant in the Eastern Province is not the same product as the tower deployed at a European construction site, even if the bill of materials looks similar. The operating envelope is harder, the integration burden is heavier, the consequences of failure are larger and the procurement cycle is more disciplined. Manufacturers who attempt to serve this market with construction-grade products and construction-grade service postures do not survive past the first inspection. Manufacturers who build for the actual envelope earn positions that are difficult to displace.

For operators outside the Kingdom who are looking at this market as a reference, the lesson is that the discipline scales down. The same questions that Aramco asks of its mobile surveillance suppliers can be asked, in proportionate form, by any operator of critical infrastructure or high-value industrial sites. The discipline of defining uptime, of specifying integration interfaces, of dual-sourcing at the platform level and of treating the surveillance layer as a hardened asset is available to anyone willing to write the contract that requires it. For operators who want to test that discipline against their own deployment without committing to a full procurement cycle, the structured ninety-day pilot described in Path III of BOSWAU + KNAUER. From Building to Security Technology is the format that produces the data on which a serious decision can be taken. The pilot produces availability figures, detection performance figures, integration evidence and a cost basis that the operator owns. Whether the operator continues with the manufacturer that ran the pilot or takes the data to a different supplier is a question that the operator answers, not the manufacturer.

Frequently asked questions

What did Abqaiq change?

Abqaiq changed the hierarchy of perimeter security at Saudi Aramco field sites. Fixed perimeter assets, previously treated as primary, were exposed as insufficient against the cruise-missile and small-UAS threat envelope. Mobile, redeployable surveillance moved from supplement to primary layer. The specification regime tightened across optical performance, environmental hardening, communications redundancy, autonomous power and cybersecurity. Uptime entered procurement contracts as a measured and reported quantity rather than a marketing claim. The surveillance layer itself was reclassified as a hardened asset, with requirements drawn from industrial control system practice under IEC 62443 rather than from commercial CCTV practice.

Which SAES governs perimeter?

No single Saudi Aramco Engineering Standard governs perimeter mobile surveillance in isolation. The applicable stack is composite. SAES-J-901 and related instrumentation standards govern the sensor and signal side. SAES-M documents address security systems, telecommunications and command integration. General Instructions cover access control and incident reporting. Project-specific schedules narrow the stack to the asset class. For manufacturers, this means that compliance is demonstrated against a system of clauses rather than against a single document, and that inspection covers integration evidence as rigorously as it covers component performance.

How is uptime measured?

Uptime is measured as a percentage of scheduled operating hours against a defined operating envelope. The definition of an outage includes partial degradation, such as loss of a thermal channel or loss of the link to the central command layer, with weighting specified in the contract. Mean time to restore is measured against a defined in-Kingdom logistics envelope, which requires local spares and trained technicians. Reporting is machine-readable and feeds into the operator's asset management and security operations layers. Manual reports are not acceptable beyond the pilot phase.

Who supplies today?

The qualified vendor pool for mobile surveillance at Aramco field sites is narrower than the broader Gulf security market suggests, because the specification regime filters aggressively. Suppliers present today combine industrial-grade hardware, documented integration with the operator's command layer, in-Kingdom service footprint and demonstrated cybersecurity posture. The pool includes established international manufacturers with regional operations and a smaller number of specialised suppliers who have built specifically for the post-Abqaiq envelope. Operators increasingly require dual-sourcing at the platform level to limit lock-in, which means that no single supplier holds a dominant position at the field-site level.