There is an increase in OT (operational technology) security incidents in the Middle East, and the digital transformation drive is going to make it worse as the threat landscape grows more sophisticated, said an industry expert.
Wam Voster, research director for security and risk management at Gartner, told TechRadar Middle East on the sidelines of the Gartner Security & Risk Management Summit that business requirements drive increased connectivity between IT and OT domains.
What are IT and OT systems?
IT (information technology) systems are storage systems, computing technology, business applications and data analysis while OT systems are machinery equipment, assets monitoring systems, industrial control systems and SCADA devices. An IT system is replaced every two to three years but the OT systems sit for more than 20 years.
Breaches frequently undetected
“Cyber-physical convergence is accelerating and IT/OT security organisations are converging and due to that, OT and IT security share similar pains,” he said.
Moreover, he said that cybersecurity breaches in the Middle East are widespread and are frequently undetected, with 30% of the region’s attacks targeting OT.
According to a survey, he said that 60% of respondents believe the cyber risk to OT to be greater than that to IT, while 75% of those questioned had experienced at least one security compromise in their OT environment in the last 12 months, and 63% of companies consider it very likely that they will become the target of an OT/ICS (industrial control systems) related cyberattack.
Moreover, he said that an attacker taking control of a smart city is very scary.
“He [hacker] can take control of the police, desalination plant, electric grid, traffic, etc. It is going to be worse in the coming years and in a few years, we will see few people getting killed in an OT environment by hackers overriding the pressure in a chemical reactor, for example,” he said.
However, he said that the majority of the OT threats are state-sponsored.
Most deadly malware
Triton is one of the most notorious malware families focused on disrupting physical equipment.
In 2017, cybercriminals behind Triton, also called Trisis, targeted Triconex safety instrumented system (SIS) controllers sold by Schneider Electric, leading to plant shutdown, due to flaws in security procedures.
In 2019, Triton once again targeted industrial control systems (ICS) at another company in the Middle East.
The first was Stuxnet, believed to have been developed by the US and Israel to sabotage Iran’s nuclear ambitions in 2009, while the second malware, Duqu, was a reconnaissance programme; it contained 20 times more code than Stuxnet and is much more widespread than Duqu.
The Industroyer (also known as Crashoverride) is a malware framework considered to have been used in the cyberattack on Ukraine's power grid.
Havex is a remote access trojan discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries in the US and Europe.
The Iranian malware Shamoon 1 reportedly destroyed thousands of computers at Saudi Aramco and Qatar’s RasGas in 2012. Shamoon 2 made similar attacks in 2016 and 2017, while Shamoon 3 launched a new wave of attacks against oil and gas targets in the Middle East in December 2018.
Firewall between IP-based systems
In the OT environment, Voster said that “network segregation” is the key.
“All OT networks should be separated from the corporate network and each other; the traffic between OT and any other domain must be through a separate gateway solution; two-factor authentication and firewall needed between IP-based systems,” he said.
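The segregation rules Voster lists (OT networks separated from the corporate network and from each other, with all cross-domain traffic forced through a separate gateway and a default deny behind it) can be checked mechanically against a zone-based firewall policy. The following is an added example, not Gartner's or TechRadar's material; the rule format, the zone names and the gateway zone are assumptions constructed for illustration, and the two-factor authentication requirement in the quote is outside what a rule checker can verify.

```python
"""Check a zone-based firewall policy against OT segregation rules.

Added example, not from the article. Rule format, zone names and the
gateway zone name below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List

OT_ZONES = {"ot-plant-a", "ot-plant-b"}   # constructed OT zone names
GATEWAY_ZONE = "ot-gateway"                 # the only permitted bridge between OT and anything else


@dataclass(frozen=True)
class Rule:
    src: str      # source zone, or "any"
    dst: str      # destination zone, or "any"
    action: str   # "allow" or "deny"


def touches_ot(zone: str) -> bool:
    """A wildcard zone matches OT traffic too, so treat it as touching OT."""
    return zone == "any" or zone in OT_ZONES


def check_segregation(rules: List[Rule]) -> List[str]:
    """Return findings for every rule that violates segregation; empty list means compliant."""
    findings: List[str] = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if r.src == r.dst and r.src != "any":
            continue  # intra-zone traffic is not what segregation governs
        if touches_ot(r.src) and touches_ot(r.dst):
            findings.append(f"rule {i}: {r.src}->{r.dst} lets OT zones reach each other directly")
        elif (touches_ot(r.src) or touches_ot(r.dst)) and GATEWAY_ZONE not in (r.src, r.dst):
            findings.append(f"rule {i}: {r.src}->{r.dst} bypasses {GATEWAY_ZONE}")
    # Segregation only holds if everything not explicitly allowed is dropped.
    if not rules or rules[-1] != Rule("any", "any", "deny"):
        findings.append("policy does not end with a default deny-all rule")
    return findings


# Constructed sample policies: one that follows the quoted rules, one flat network.
COMPLIANT_POLICY = [
    Rule("corp", "ot-gateway", "allow"),
    Rule("ot-gateway", "ot-plant-a", "allow"),
    Rule("ot-gateway", "ot-plant-b", "allow"),
    Rule("any", "any", "deny"),
]
FLAT_POLICY = [
    Rule("corp", "ot-plant-a", "allow"),        # corporate hosts reach the plant directly
    Rule("ot-plant-a", "ot-plant-b", "allow"),  # two plants can talk to each other
]                                               # and no default deny at the end

if __name__ == "__main__":
    for name, policy in (("compliant", COMPLIANT_POLICY), ("flat", FLAT_POLICY)):
        print(name, check_segregation(policy) or "OK")
```

Running the checker against the flat policy produces three findings (a gateway bypass, direct plant-to-plant traffic, and the missing default deny), while the compliant policy produces none. The same pattern extends to exported rule sets from a real firewall once their zones are mapped onto the OT, gateway and corporate labels.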
Moreover, he said that OT monitoring makes it straightforward to find anomalies, and that organisations need to spend far more energy on detection capabilities and monitoring, and then on response and recovery, given the current cyberthreat landscape.
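OT traffic is far more regular than corporate IT traffic (the same HMIs poll the same controllers with the same read functions), which is why anomaly detection there is comparatively simple. The following added example, not from the article, learns a baseline of which hosts talk to which over which protocol and with which functions, then flags anything outside it; the flow-record format and the addresses are constructed for illustration.

```python
"""Baseline-and-deviation monitoring over OT network flow records.

Added example, not from the article. The record format is a constructed
assumption: "<timestamp> <src_ip> <dst_ip> <protocol> <function>".
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed learning window: an HMI and an engineering host polling two PLCs
# over Modbus/TCP using read-only function codes.
BASELINE_LOG = """\
2019-03-01T08:00:01 10.10.1.5 10.10.2.20 modbus read_holding_registers
2019-03-01T08:00:01 10.10.1.5 10.10.2.21 modbus read_holding_registers
2019-03-01T08:00:02 10.10.1.5 10.10.2.20 modbus read_coils
2019-03-01T08:00:05 10.10.1.9 10.10.2.20 modbus read_holding_registers
"""

# Constructed monitoring window containing three deviations worth an alert:
# a write to a PLC, an unknown host, and a protocol never seen on the plant network.
LIVE_LOG = """\
2019-03-02T09:15:00 10.10.1.5 10.10.2.20 modbus read_holding_registers
2019-03-02T09:15:07 10.10.1.5 10.10.2.20 modbus write_multiple_registers
2019-03-02T09:15:09 10.10.1.77 10.10.2.21 modbus read_holding_registers
2019-03-02T09:15:12 10.10.1.5 10.10.2.21 modbus read_holding_registers
2019-03-02T09:16:00 10.10.1.5 10.10.2.20 ssh session_open
"""

Flow = Tuple[str, str, str]  # (src, dst, protocol)
Record = Tuple[str, str, str, str, str]


def parse(log: str) -> List[Record]:
    """Split whitespace-separated flow records, skipping blank lines."""
    records: List[Record] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, func = line.split()
        records.append((ts, src, dst, proto, func))
    return records


def learn_baseline(log: str) -> Dict[Flow, Set[str]]:
    """Map every observed (src, dst, protocol) conversation to the functions it used."""
    baseline: Dict[Flow, Set[str]] = defaultdict(set)
    for _, src, dst, proto, func in parse(log):
        baseline[(src, dst, proto)].add(func)
    return baseline


def detect(baseline: Dict[Flow, Set[str]], log: str) -> List[str]:
    """Alert on records the baseline has never seen: new hosts, new conversations, new functions."""
    known_hosts = {host for flow in baseline for host in flow[:2]}
    alerts: List[str] = []
    for ts, src, dst, proto, func in parse(log):
        flow = (src, dst, proto)
        if src not in known_hosts:
            alerts.append(f"{ts} new host {src} talking to {dst}")
        elif flow not in baseline:
            alerts.append(f"{ts} new conversation {src}->{dst} over {proto}")
        elif func not in baseline[flow]:
            alerts.append(f"{ts} new function '{func}' from {src} to {dst} over {proto}")
    return alerts


if __name__ == "__main__":
    for alert in detect(learn_baseline(BASELINE_LOG), LIVE_LOG):
        print(alert)
```

On the constructed monitoring window this raises exactly three alerts: a write function from a host that previously only read, a host never seen before, and an SSH session on a link that had only ever carried Modbus. Replaying the learning window itself produces no alerts, which is the sanity check to run before trusting any baseline.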
According to the research firm, the size of the stand-alone OT security market in 2018 was valued at $250 million, growing to $1.1 billion in 2022, representing an annual growth rate of 45.7%.
“All sites must have an accountable person for OT security appointed. Roles and responsibilities for all security roles must be clearly described and assigned. Organisations need to implement “specific” patch management procedures for each component in OT but ensure qualification by system vendors before installation,” he said.
“If you don’t have the proper technology, trained people, right processes, then attacks can penetrate through,” he said.