Author: Maher Jadallah, Regional Director – Middle East from Tenable
Without intervention, the Middle East is fast heading towards disruption to energy production and distribution systems. To address this, the emphasis on long term sustainability, investments into the generation of solar and wind power are already visible in GCC countries including UAE, Saudi Arabia, and Oman. Another area that has seen significant Investment is the introduction of smart grids across MENA, expected to reach $20B over the next seven years according to the Energy and Utilities Market Outlook Report 2020.
While grid system modernization is critical to manage the disruption taking place in energy production, distribution, and consumption, it is also opening up the front door of those control systems to malicious threat actors. Grid-based industrial cyberthreats present risks to safety, reliability and business continuity.
With cybercriminals typically looking to target low hanging fruit to gain entry, it is inevitable that we will continue to see attacks aimed at the perceived least defended infrastructure. This might include a smaller substation or transfer location rather than the core of any one grid. These smaller stations are frequently linked to a larger network, for example a regional grid, which could result in a domino effect whereby an attack compromises the entire network. Security initiatives must extend beyond core and HQ locations to encompass remote and distributed locations.
Here are four trends and what can be done to counteract them:
Industrial to IT attacks will become reality: As previously mentioned, it is highly probable that threat actors will look to compromise less defended industrial environments to traverse into IT data repositories — for example customer databases.
When protecting regular IT networks, security professionals are used to thinking in terms of exploits, malware and backdoors. While these risks are certainly relevant for power grids, industrial attacks can be as simple as issuing regular commands in a documented protocol.
Organizations should create an ecosystem of trust between industrial systems and IT security for information sharing to quickly detect this type of attack and prevent intrusion. When a security incident occurs, timely resolution depends on immediate availability of accurate inventory including every bit of information all the way from a device model down to the firmware version.
Shared responsibility for security: Energy organizations must recognize that security is a shared responsibility between industrial and IT teams. In a number of industrial markets, there has been a move for IT teams to take ownership for industrial security given their experience defending networks.
While industrial teams have objected to any IT intervention in control systems, this must change. That said, given the traditional approach to IT security differs from industrial security, there needs to be a melding of the two approaches.
Boundaries between systems dissolving: Whether or not systems are perceived to be air gapped, industrial attacks present a real and present danger. The mantra of set it and forget it is no longer the way to administer industrial environments. Failure to identify all systems creates blind spots where some systems are potentially insecure.
Energy providers can’t depend on costly, error-prone manual network inventories that may be out of date soon after they are collected. Instead, automated solutions are needed to identify and characterise converged IT/OT systems. A unified, risk-based view detailing what is exposed, where and to what extent across the combined IT and OT environments.
Industrial and IT skills gap: It’s recognised that there is a global shortage of skilled security professionals. Organizations should conduct a rigorous skills assessment of both their industrial and security teams and begin cross-training programs targeted to address each of the gaps. Embrace this as an opportunity. Recruit new talent from universities or hire less experienced candidates with a willingness to retrain.
While it might seem overwhelming, identifying weaknesses within Industrial environments is critical to understanding risk. Energy production and distribution organizations will need to look at technology, people, and culture to prepare for the disruption and transformation in the months ahead.