The Middle East, with its patchwork of political rivalries and disputes, is suffering nation-state-sponsored cyberattacks on infrastructure such as utilities, oil and gas and transport hubs. Meanwhile, the move to cloud services and growth of digital commerce is fuelling a worrying rise in the theft of consumer data. Critical infrastructure must segregate and protect networks while Governments must bring forward new GDPR-style data protection.

By David Benady

IDG Connect | MAR 16, 2021 11:30 PM PDT

Across the Middle East, security teams at critical infrastructure plants are on maximum alert as a wave of politically-motivated cyberattacks targets their operations.

Many of the attacks go undetected and those that are discovered are often unreported, which may disguise the nature and extent of the problem. Attackers target infrastructure such as water systems, oil and gas facilities, transport hubs and manufacturing plants. As Tarek Kuzbari, Middle East and Turkey director for security vendor Cybereason, says: “In the Middle East, the number of politically-driven cyberattacks is very high compared to other regions.

“With all the politics in the region, such as the revolutions of the Arab Spring and tensions between different nations, each country has started to build their own cyber offensive capability and have launched their own operations.”

A series of cyberattacks on Israel’s rural water infrastructure last year which disrupted water supplies is a recent case. Shortly after, a cyberattack shut down Iran’s Shahid Rajaee port for days. A Washington Post report attributed the attack to Israel, in retaliation for the earlier incursions into its water systems. This cycle of tit-for-tat attacks threatens the security of a wide range of industries.

Shamoon 3 virus sabotages oil and gas installations

A report by UAE cybersecurity company DarkMatter in 2019 showed that the oil and gas sectors, finance, transport and utilities have been targeted by state-sponsored groups seeking to undermine the economic and social stability of rival nations. Three quarters of oil and gas companies in the region had experienced cybersecurity breaches.

DarkMatter’s analysis identified eight key “intrusion sets” — co-ordinated attacks — Bitter, Molerats, MuddyWater, Chafer, DarkHydrus, Shamoon 3, OilRig, and DNSpionage. Shamoon 3 in particular has been used to sabotage major organisations.

According to Karim Sabbagh, CEO of DarkMatter Group, the lesson of these intrusions is clear: “Organizations in the region have a short window of time to transform their cybersecurity posture and demonstrate stronger resilience in the face of escalating and increasingly sophisticated cybersecurity threats.”

But as infrastructure providers attempt to boost their protective measures, these are routinely circumvented by attackers, which are developing ever greater expertise in penetrating networks. As Kuzbari says: “The more you evolve as a defender, the cybercriminal will evolve too based on every measure you are taking.” Simply installing more sophisticated protection tools, whether firewalls or end-point protections, is insufficient. Cybereason’s approach involves closely monitoring all network data to identify any unusual activity, and if it is a potential threat, to neutralise it.

Keeping industrial networks segregated from IT

According to Vibin Shaju, director of presales at McAfee for EMEA Enterprise, defenders must avoid complacency. In the past, Operational Technology (OT) networks — the digital communication systems which connect industrial plants and machinery — have been kept segregated from corporate IT networks which interact with the outside world. Cyber attackers will typically try and gain entry to a company’s IT network — for instance through phishing emails — and from there seek to enter the organisation’s OT network which controls critical plant and machinery. Segregating networks has been a key defensive measure to stop attackers finding a way through.

But networks are growing more integrated as Internet of Things sensors are used to collect and emit data about plant and machinery. With the increasing data sharing between OT and IT networks, organisations are becoming vulnerable, he says.

“We need to make sure that every type of security monitoring tool that we have deployed for our enterprise (IT) network is going into the OT network. We need to make sure that there is the same level of monitoring for that OT network as for the IT network, because there is a bridge between them.”

Shaju adds that vendors such as Siemens, which create the OT systems used by critical infrastructure, are investing heavily in security and are partnering with cybersecurity providers to test their tools. Working together, they are creating new security blueprints and building them into critical infrastructure. “They were not looking at security 10 years back, but today they are really looking at those scenarios and providing solutions,” he says.

Consumer data theft on the rise

Politically-motivated cyberwarfare is not the only area of concern when it comes to network security. The region is also experiencing a wave of cyber-crime as its economy undergoes rapid digital transformation. Digital banking is on the rise triggering an explosion of digital launches from takeaway food to taxis. In a few years, Amazon has taken a huge share of e-commerce after buying local online marketplace Souq in 2017. This has been accompanied by a rapid shift to using cloud services, but many businesses are still in the process of developing their cybersecurity strategies.

Regulation and legislation in many Middle East states is lagging western nations – with laws such as Europe’s GDPR and the California Consumer Privacy Act  – leaving their economies unprepared for the challenges of cybercrime.

As Kuzbari says: “One of our major concerns in the region is that information tends not to go public. There are lots of regulators trying to change that, but currently if any financial institutions, airlines or government bodies gets compromised, they report to the local authority privately and no information goes out to customers.”

Meanwhile, Shaju warns that businesses are rapidly moving data to the cloud and this could create the potential for cyberattacks. “Knowing that this (cloud adoption) is going to be on a high curve for the next two or three years, will be a major area of concern that every CISO (chief information security officer) or transformation architect needs to be looking at,” he says.  

Pull your SOCs up

While tooling up with the latest security technology is vital — deploying firewalls, end- point protections and scans — organisations should not solely rely on these.

“Technology is one part, but I would always say invest in a good Security Operations Centre (SOC) and good people. All those attacks don’t happen in a day or two, they take months,” says Shaju. Attackers target networks over a long period, such as through repeated email scams, until they gain entry to a network. They can then either wait for the opportune moment to trigger an attack or gradually exfiltrate — transfer — data over a period.  

Organisations should create effective cybersecurity operations and SOCs that keep tabs on network traffic and identify any suspicious activity. And for industrial operations, OT and IT networks must be kept segregated as far as possible. The price of cybersecurity failure is too high.