Geopolitical tensions have given rise to targeted attacks in MEA region

Can you provide an overview of the current cyber security landscape for critical infrastructure in the MEA region?

The MEA region is largely focused on energy. It has invested significantly in oil and gas across upstream, midstream and downstream functions and the utilities to support these environments and communities. This region has also seen one of the most threatening cyber attacks on equipment and human life, with the Trisis attack in 2017, which targeted a Triconix Controller at a refinery in Saudi Arabia. Therefore, there has been a significant focus on cyber security across the region. Due to this, governments such as Saudi Arabia have taken extensive measures to ensure critical infrastructure receives the needed cyber security focus from the OTCC controls.

What are the most notable trends in cyber attacks targeting these systems?

Cyber attacks targeting critical infrastructure were sparse 15 to 20 years ago, and control systems used to be more customised per facility. Many control and automation systems were starting to incorporate operating systems and network equipment similar to those on the IT side. Still, connectivity was limited, and the adversary’s capability of affecting these systems was also limited. Fast forward to today, SCADA and DCS systems are designed off more of a “standard template” and the equipment used in one plant often closely resembles another plant. We now face a time when critical infrastructure is more homogenous, allowing adversaries to build complete ICS/OT-focused toolkits, such as PIPEDREAM, to compromise critical infrastructure across verticals.

Which sectors in the MEA region are most vulnerable to cyber attacks, and why?

Much focus has been placed on the energy sector, and rightly so, as the MEA region benefits from its significant oil and gas reserves. Even here, however, there are areas of focus to work on, such as increasing visibility into the industrial networks themselves. Nevertheless, from experience in the MEA, utilities and manufacturing sectors are the most vulnerable. Many of the utilities are undergoing upgrades to replace legacy equipment, and the newer systems are now more homogenous to other automation systems.

Utilities are embracing more remote monitoring and support and AI capabilities for energy loading and modelling. These new capabilities all increase the attack surface of the industrial systems. Manufacturing, by design, is tightly connected to IT and cloud systems to receive, produce and fulfil orders. The data connectivity in manufacturing makes this sector vulnerable to IT and ICS/OT-focused attacks.

What are the primary motivations behind cyber attacks on critical infrastructure in the MEA region?

Geopolitical tensions have given rise to targeted attacks in the MEA region over the last number of years and increased significantly. Many conflicts brought about targeted attacks on the utilities, transportation, and energy sectors. The conflict also brought about an increase in hacktivism, where the Cyber Av3ngers group targeted Unitronics programmable logic controller (PLC) devices worldwide.

Numerous food and water systems outside of the MEA region in the US, Ireland and other countries were disrupted due to these attacks. Ransomware is still a profitable business for adversary groups, and this threat will continue to earn significant income by targeting sectors, such as manufacturing, that are more susceptible to IT systems causing ICS/OT outages.

How important is employee training and awareness in preventing cyber attacks on critical infrastructure?

Employees are the front line of defence in critical infrastructure. These environments have skilled operations and maintenance personnel who are the eyes and ears of the process. Yet, having inherent process knowledge does not directly translate to cyber knowledge and the ability to decipher between a system disruption or cyber physical attack. Therefore, the importance of providing awareness training to asset leadership, the boots-on-the-ground operations and maintenance staff is more significant than ever in understanding the threats from a high level and who to call or what to do in the event of a suspect condition.

Those tasked with maintaining ICS/OT need specific training, such as provided in the SANS ICS Curriculum, to ensure they have a level of knowledge to prevent, respond to and recover from adversaries targeting their environments. Without this training, individuals will struggle to maintain or understand the value of various security controls required to keep a defensive posture in their environments.

What role does proactive threat intelligence play in securing critical infrastructure systems?

Consuming threat intelligence for an owner/operator-specific requirement and use case is fundamental to understanding what threat groups have done in the past and what capabilities they could leverage to disrupt an environment. Understanding cyber security threats helps build preventative, detective and recovery controls specific to the operational vertical. Threat intelligence helps to answer questions and look ahead at what is potentially coming versus looking behind at standards and control frameworks, which are often more generic and lacking in specific tactics, techniques and procedures (TTPs) that adversaries are currently using.

A cyber security programme should include consuming threat intelligence and using those insights to drive detection capability and implement cyber security controls. Then, threat intelligence is used to go back and verify that existing controls can prevent and detect adversarial activity. Organisations that do not consume threat intelligence are operating without the situational awareness needed to defend their critical environments.

Are there any technologies being deployed to safeguard critical infrastructure in the region?

The push for AI is happening across both IT and OT products and markets. Anyone who has attended GISEC Global in Dubai over the last few years has seen a significant uptake in vendors offering AI capabilities. For ICS/OT, AI has found its way into endpoint detection, network anomaly detection, SIEM analysis and detection, and incident response playbook generation, among other areas. MEA governments strongly advocate for adopting AI for cyber security and using AI to increase how businesses operate more effectively and efficiently. However, this requires more data connectivity to IT and cloud systems, with ample storage and compute capabilities needed to make better-informed operational changes.

This increase in IT/OT connectivity is a stark contrast from the previous mindset of isolating these environments entirely or partly using controls, such as data diodes between OT and IT, so traffic can only physically flow from operational systems to enterprise environments. Thus, AI is helping to secure these environments better while at the same time driving change, albeit potentially increasing ICS/OT cyber security risk, for more IT/OT data interconnectivity requirements.

What are the biggest challenges companies face in securing critical infrastructure in the MEA region?

The MEA region’s challenges in securing ICS/OT environments are not unique to the region for the most part. The public and private sectors are constantly updating outdated infrastructure, deploying new cyber security technologies, implementing new technologies, such as AI, merging with or acquiring organisations, divesting assets, etc. These changes bring about re-organisations, new roles and responsibility mappings, and technical skill reevaluation, among others.

Keeping up with these changes and the constant influx of new technologies within the automation and control equipment requires constant workforce training and skills building. Replacing outdated DCS and SCADA systems brings about new opportunities for optimisation and reliability, but also brings about completely different sets of technology stacks that must be defended against. Thus, a strong focus is needed towards investing in people to ensure they have the right technical acumen within ICS/OT cyber security.

What role do MEA governments play in regulating and enforcing cyber security standards for critical infrastructure?

Governments are actively involved and play a significant role in securing their country’s critical infrastructure. UAE, for instance, has developed the UAE National Cybersecurity Strategy, Federal Cybersecurity Law, The National Information Assurance Framework and Critical Information Infrastructure Guideline. Saudi Arabia has a strong focus in this area and created the Saudi Cybersecurity Law, National Cybersecurity Strategy and National Cybersecurity Authority (NCA. The NCA Operational Technology Cybersecurity Controls (OTCC) controls, in particular, focus on critical infrastructure and are in place to ensure those facilities achieve a minimum set of baseline security controls.

It is one of the region’s more well-known and referenced ICS/OT cyber security control frameworks. Qatar has created the Qatar National Cybersecurity Strategy, Qatar Computer Emergency Response Team (Q-CERT), and the recent Qatar Cybersecurity Framework (QCF) in response to the FIFA 2022 World Cup. Bahrain has created the National Cybersecurity Strategy and Bahrain Cybersecurity Framework. Many other MEA countries have or are in the process of creating similar standards and frameworks for protecting their critical infrastructure.

How can companies ensure business continuity while recovering from a cyber attack on their critical systems?

As companies in the region continually grow their cyber security maturity, many have created incident response plans (IRP) and capabilities or have outsourced these to the region’s few dedicated ICS/OT cyber security companies. The SANS Five ICS Cybersecurity Critical Controls have also been discussed at many conferences and events, and the importance of developing an ICS-specific IRP is starting to take hold and resonate with owners and operators. Still, there is an existing need for asset owners and operators to develop a workable strategy for systematic recovery, reconstitution and operational resumption in the event of a cyber attack. To develop such capabilities, asset owners and operators need to perform the following activities in their environments:

• Specifying disaster criteria.
• Identifying cyber-specific loss scenarios that cause those disasters.
• Specifying recovery team responsibilities, starting from the activation phase followed by recovery and reconstitution.
• Identifying automation and control system function recovery priority.
• Performing a dependency analysis of recovery priority.
• Documenting reconstitution steps to correct for any data deviation that has been introduced during recovery.
• Developing assurance and handover qualifications for process restart.

Critical infrastructure assets can be prepared to respond to cyber attacks and resume operations quickly and effectively by performing such activities.

For more information about SANS, please click here : https://www.sans.org/u/1Axh.