Cyber Security
Geopolitical Tensions Have Given Rise to Targeted Attacks in the MEA Region
Michael Hoffman, the Certified Instructor at SANS Institute, says cyber attacks targeting critical infrastructure were sparse 15 to 20 years ago
Can you provide an overview of the current cybersecurity landscape for critical infrastructure in the MEA region?
The MEA region is largely focused on energy. It has invested significantly in oil and gas across upstream, midstream, and downstream functions and the utilities to support these environments and communities. This region has also seen one of the most threatening cyber attacks on equipment and human life, with the Trisis attack in 2017, which targeted a Triconix Controller at a refinery in Saudi Arabia. Therefore, there has been a significant focus on cybersecurity across the region. Due to this, governments such as Saudi Arabia have taken extensive measures to ensure critical infrastructure receives the needed cybersecurity focus from the OTCC controls.
What are the most notable trends in cyber attacks targeting these systems?
Cyber attacks targeting critical infrastructure were sparse 15 to 20 years ago, and control systems used to be more customized per facility. Many control and automation systems were starting to incorporate operating systems and network equipment similar to those on the IT side. Still, connectivity was limited, and the adversary’s capability of affecting these systems was also limited. Fast forward to today, SCADA and DCS systems are designed off more of a “standard template,” and the equipment used in one plant often closely resembles another plant. We now face a time when critical infrastructure is more homogenous, allowing adversaries to build complete ICS/OT-focused toolkits, such as PIPEDREAM, to compromise critical infrastructure across verticals.
Which sectors in the MEA region are most vulnerable to cyber attacks, and why?
Much focus has been placed on the energy sector, and rightly so, as the MEA region benefits from its significant oil and gas reserves. Even here, however, there are areas of focus to work on, such as increasing visibility into the industrial networks themselves. Nevertheless, from experience in the MEA, utilities and manufacturing sectors are the most vulnerable. Many of the utilities are undergoing upgrades to replace legacy equipment, and the newer systems are now more homogenous to other automation systems.
Utilities are embracing more remote monitoring and support and AI capabilities for energy loading and modelling. These new capabilities all increase the attack surface of the industrial systems. Manufacturing, by design, is tightly connected to IT and cloud systems to receive, produce, and fulfil orders. The data connectivity in manufacturing makes this sector vulnerable to IT and ICS/OT-focused attacks.
What are the primary motivations behind cyber attacks on critical infrastructure in the MEA region?
Geopolitical tensions have given rise to targeted attacks in the MEA region over the last number of years and increased significantly. Many conflicts brought about targeted attacks on the utilities, transportation, and energy sectors. The conflict also brought about an increase in hacktivism, where the Cyber Av3ngers group targeted Unitronics programmable logic controller (PLC) devices worldwide.
Numerous food and water systems outside of the MEA region in the US, Ireland, and other countries were disrupted due to these attacks. Ransomware is still a profitable business for adversary groups, and this threat will continue to earn significant income by targeting sectors, such as manufacturing, that are more susceptible to IT systems causing ICS/OT outages.
How important is employee training and awareness in preventing cyber attacks on critical infrastructure?
Employees are the front line of defence in critical infrastructure. These environments have skilled operations and maintenance personnel who are the eyes and ears of the process. Yet, having inherent process knowledge does not directly translate to cyber knowledge and the ability to decipher between a system disruption or cyber-physical attack. Therefore, the importance of providing awareness training to asset leadership, the boots-on-the-ground operations, and maintenance staff is more significant than ever in understanding the threats from a high level and who to call or what to do in the event of a suspect condition.
Those tasked with maintaining ICS/OT need specific training, such as provided in the SANS ICS Curriculum, to ensure they have a level of knowledge to prevent, respond to, and recover from adversaries targeting their environments. Without this training, individuals will struggle to maintain or understand the value of various security controls required to keep a defensive posture in their environments.
What role does proactive threat intelligence play in securing critical infrastructure systems?
Consuming threat intelligence for an owner/operator-specific requirement and use case is fundamental to understanding what threat groups have done in the past and what capabilities they could leverage to disrupt an environment. Understanding cybersecurity threats helps build preventative, detective, and recovery controls specific to the operational vertical. Threat intelligence helps to answer questions and look ahead at what is potentially coming vs. looking behind at standards and control frameworks, which are often more generic and lacking in specific tactics, techniques, and procedures (TTPs) that adversaries are currently using.
A cybersecurity program should include consuming threat intelligence and using those insights to drive detection capability and implement cybersecurity controls. Then, threat intelligence is used to go back and verify that existing controls can prevent and detect adversarial activity. Organizations that do not consume threat intelligence are operating without the situational awareness needed to defend their critical environments.
Are there any technologies being deployed to safeguard critical infrastructure in the region?
The push for AI is happening across both IT and OT products and markets. Anyone who has attended GISEC Global in Dubai over the last few years has seen a significant uptake in vendors offering AI capabilities. For ICS/OT, AI has found its way into endpoint detection, network anomaly detection, SIEM analysis and detection, and incident response playbook generation, among other areas. MEA governments strongly advocate for adopting AI for cybersecurity and using AI to increase how businesses operate more effectively and efficiently. However, this requires more data connectivity to IT and cloud systems, with ample storage and compute capabilities needed to make better-informed operational changes.
This increase in IT/OT connectivity is a stark contrast from the previous mindset of isolating these environments entirely or partly using controls, such as data diodes between OT and IT, so traffic can only physically flow from operational systems to enterprise environments. Thus, AI is helping to secure these environments better while at the same time driving change, albeit potentially increasing ICS/OT cybersecurity risk, for more IT/OT data interconnectivity requirements.
What are the biggest challenges companies face in securing critical infrastructure in the MEA region?
The MEA region’s challenges in securing ICS/OT environments are not unique to the region for the most part. The public and private sectors are constantly updating outdated infrastructure, deploying new cybersecurity technologies, implementing new technologies, such as AI, merging with or acquiring organizations, divesting assets, etc. These changes bring about re-organizations, new roles and responsibility mappings, and technical skill reevaluation, among others.
Keeping up with these changes and the constant influx of new technologies within the automation and control equipment requires constant workforce training and skills building. Replacing outdated DCS and SCADA systems brings about new opportunities for optimization and reliability but also brings about completely different sets of technology stacks that must be defended against. Thus, a strong focus is needed towards investing in people to ensure they have the right technical acumen within ICS/OT cybersecurity.
What role do MEA governments play in regulating and enforcing cybersecurity standards for critical infrastructure?
Governments are actively involved and play a significant role in securing their country’s critical infrastructure. UAE, for instance, has developed the UAE National Cybersecurity Strategy, Federal Cybersecurity Law, The National Information Assurance Framework, and Critical Information Infrastructure Guideline. Saudi Arabia has a strong focus in this area and created the Saudi Cybersecurity Law, National Cybersecurity Strategy, and National Cybersecurity Authority (NCA. The NCA Operational Technology Cybersecurity Controls (OTCC) controls, in particular, focus on critical infrastructure and are in place to ensure those facilities achieve a minimum set of baseline security controls.
It is one of the region’s more well-known and referenced ICS/OT cybersecurity control frameworks. Qatar has created the Qatar National Cybersecurity Strategy, Qatar Computer Emergency Response Team (Q-CERT), and the recent Qatar Cybersecurity Framework (QCF) in response to the FIFA 2022 World Cup. Bahrain has created the National Cybersecurity Strategy and Bahrain Cybersecurity Framework. Many other MEA countries have or are in the process of creating similar standards and frameworks for protecting their critical infrastructure.
How can companies ensure business continuity while recovering from a cyber attack on their critical systems?
As companies in the region continually grow their cybersecurity maturity, many have created incident response plans and capabilities or have outsourced these to the region’s few dedicated ICS/OT cybersecurity companies. The SANS Five ICS Cybersecurity Critical Controls have also been discussed at many conferences and events, and the importance of developing an ICS-specific Incident Response Plan (IRP) is starting to take hold and resonate with owners and operators. Still, there is an existing need for asset owners and operators to develop a workable strategy for systematic recovery, reconstitution, and operational resumption in the event of a cyber attack. To develop such capabilities, asset owners and operators need to perform the following activities in their environments:
- Specifying disaster criteria
- Identifying cyber-specific loss scenarios that cause those disasters
- Specifying recovery team responsibilities starting from the activation phase followed by recovery and reconstitution
- Identifying automation and control system function recovery priority
- Performing a dependency analysis of recovery priority
- Documenting reconstitution steps to correct for any data deviation that has been introduced during recovery
- Developing assurance and handover qualifications for process restart
Critical infrastructure assets can be prepared to respond to cyber-attacks and resume operations quickly and effectively by performing such activities.
Vladimir Razov, an expert from the PT SWARM team, has discovered a vulnerability in several models of D-Link routers. According to Mordor Intelligence, D-Link is one of the top three Wi-Fi router manufacturers in the world. The vendor has been notified of the threat in line with the responsible disclosure policy and recommends that users switch to more recent devices.
The vulnerability, which is registered as BDU:2024-06211 with a CVSS 3.0 score of 8.4, affects the following D-Link models: DIR-878, DIR-882, DIR-2640-US, DIR-1960-US, DIR-2660-US, DIR-3040-US, DIR-3060-US, DIR-867-US, DIR-882-US, DIR-882/RE, DIR-882-CA, and DIR-882-US/RE. At the time of the research, vulnerable routers could be discovered using search engines in the United States, Canada, Sweden, China, Indonesia, and Taiwan.
According to the manufacturer, these models are no longer supported. D-Link recommends retiring the outdated devices and replacing them with supported devices that receive firmware updates. “If this vulnerability is successfully exploited, a malicious user authorized in the router’s web interface can compromise the entire device and gain access to all traffic passing through it,” says Vladimir Razov, Web Application Security Analyst at PT SWARM, the offensive security department at Positive Technologies.
As a temporary measure to mitigate the threat, Vladimir Razov recommends using OpenWrt (an open-source embedded operating system based on the Linux kernel and designed specifically for routers) or changing the login credentials for accessing the router’s web interface. Previously, Positive Technologies helped address vulnerabilities in Zyxel routers and other Zyxel devices. Positive Technologies also enhanced its PT Industrial Security Incident Manager (PT ISIM) with an additional expertise pack, enabling cybersecurity teams to detect attempts to exploit vulnerabilities in MikroTik routers and Cisco switches.
Leading cybersecurity provider Sophos has released findings from a new study quantifying the financial impact of various cybersecurity controls on cyber insurance claims. The research compares the effect of endpoint solutions, EDR/XDR technologies, and MDR services on claim amounts, offering valuable insights for both insurers and organizations.
Sally Adam, Senior Director, Solution Marketing at Sophos, said, “Every year, organisations spend huge amounts of money on their cybersecurity. By quantifying the impact of controls on the outcome of cyberattacks, this study enables them to focus their investments on the most cost-effective options. At the same time, insurers have a major influence on cybersecurity spending through the controls they require of organisations wishing to be covered and the discounts they offer when a given scheme is in place. This study enables them to encourage investments that can make a real difference to incident outcomes and the resulting claim amounts.”
The Sophos study reveals a dramatic difference in cyber insurance claims: organizations using MDR services claim a median compensation of just $75,000, a staggering 97.5% less than the $3 million median claimed by organizations relying solely on endpoint solutions. This means that endpoint-only users typically claim 40 times more in the event of an attack. The study attributes this significant reduction to the rapid threat detection and blocking capabilities of MDR services, which can effectively prevent extensive damage.
The study also highlights a clear benefit to combining EDR or XDR with endpoint solutions, as the average insurance claim for users of these tools is just $500,000, which is one-sixth of the $3 million average claim for those using only endpoint solutions.
The Sophos study indicates that the predictability of cyber insurance claims varies significantly depending on the security controls in place. Claims from organizations utilizing MDR services show the highest predictability, suggesting consistent and reliable threat mitigation. This is likely due to the 24/7 expert monitoring, investigation, and response that allows for swift action against threats at any time. Conversely, claims from users of EDR/XDR tools are the least predictable, implying that their effectiveness in preventing major damage heavily depends on the user’s expertise and speed of response.
The Sophos study also reveals significant differences in recovery times from ransomware attacks. Endpoint solution users average a 40-day recovery, while EDR/XDR users take the longest at 55 days. In stark contrast, organizations using MDR services recover the fastest, with an average downtime of just three days. These findings underscore MDR’s effectiveness in minimizing the impact of cyberattacks and highlight the less predictable recovery experiences associated with EDR/XDR tools, whose success is dependent on user expertise.
Adam concludes, “The research confirms what many people instinctively know: the type of security solution used has a significant impact on cyber insurance claims. Cyberattacks are inevitable, but defences are not. These results are a useful tool for organisations wishing to optimise their cyber defence and their return on investment in cybersecurity. They will also be useful for insurers looking to reduce their exposure and offer suitable policies to their customers.”
Fortinet has enhanced its OT Security Platform to better protect critical infrastructure from modern cyberthreats. The upgraded platform offers more than basic OT visibility with the new FortiGuard OT Security Service, expanded hardened solutions for network segmentation and 5G in demanding environments, and an improved OT SecOps portfolio for automated threat response and compliance management.
“Fortinet has been building an industry-leading OT Security Platform for 20-plus years and remains at the forefront of OT security innovation,” said Nirav Shah, Senior Vice President, Products and Solutions at Fortinet. “As cyberthreats against critical infrastructure and across industries such as energy, transportation, and manufacturing continue to grow, Fortinet remains committed to delivering comprehensive security solutions tailored for operational technology environments. These latest enhancements give organizations the tools they need to improve their OT security posture and adhere to regulatory requirements—all managed through a single, unified platform.”
The latest Fortinet OT Security Platform enhances OT security with:
- Advanced Threat Protection: New FortiGate Rugged NGFWs combined with the enhanced FortiGuard OT Security Service offer superior security enforcement, detecting threats using over 3,300 OT protocol rules, nearly 750 OT IPS rules, and 1,500 virtual patching rules. This protects against known exploited vulnerabilities and provides virtual patching for older OT systems. Secure remote access is also improved with updates to FortiSRA, including enhanced secrets and password management.
- Secure Segmentation: The new FortiSwitch Rugged 108F and FortiSwitch Rugged 112F-POE industrial-grade switches enable precise security control at the port level, preventing unauthorized lateral movement within OT networks. Built on Fortinet’s unified FortiOS, these switches simplify network and security management.
- Resilient Connectivity: Two new ruggedized 5G solutions are introduced: the IP67-rated FortiExtender Rugged 511G for secure, high-speed connectivity to remote OT sites, and the IP64-rated FortiExtender Vehicle 511G for fleet vehicles. Both feature embedded Wi-Fi 6 and new eSIM capabilities for easier carrier selection.
- Enhanced OT SecOps: Fortinet’s AI-driven security operations capabilities are strengthened with updates to FortiAnalyzer 7.6 and FortiDeceptor 6.1, offering deeper threat insights and simplified compliance reporting for OT security teams. FortiNDR Cloud now includes OT protocol support for threat hunting, while FortiNDR (on-premises) adds features like a Purdue Model view and a device inventory covering OT and the Mitre ATT&CK ICS Matrix.
The Fortinet OT Security Platform delivers a unified view and comprehensive security tools to simplify the management of OT and remote site security. It empowers organizations to easily assess, secure, and report on risks, including meeting complex regulatory compliance. Fortinet uniquely offers seamless segmentation and a complete ruggedized portfolio of OT security solutions all managed by a single operating system, FortiOS. Its deep integration within the Fortinet Security Fabric makes it a leading platform in the industry, providing an effective, efficient, and holistic approach to OT security and compliance that surpasses standard offerings.
Positive Technologies Discovery Leads D-Link to Recommend Router Replacements
Sophos Study: MDR Users Claim 97.5% Less in Cyber Insurance
Fortinet Strengthens OT Security for Critical Infrastructure
ManageEngine’s Open API Platform Enables Unified, Customisable Security Analytics
AI-Driven Deception: A New Face of Corporate Fraud
UAE Cyber Security Council and CPX Unveil Cybersecurity Report 2025
Proactive Threat Intelligence is Essential in Securing Critical Infrastructure
“We Can All Do Better By Treating Women in Tech as Equals”
Supply Chain Vulnerabilities Are Becoming a Growing Concern
“Having Mentors Who Believe in You Can Make All the Difference”
UAE Workforce in 2025: Cybercrime, Stress, and Burnout Take the Spotlight
Video: Toshiba Presents Latest Hard Drives and QNAP NAS System Live Demo at INTERSEC 2025
Video: Toshiba Showcases its Latest Hard Disk Drives Through Live Demos at Intersec 2025
Video: Interview with Meriam ElOuazzani of SentinelOne
Video: Interview with Fred Crehan of Confluent at GITEX Global 2024
-
Artificial Intelligence1 week ago89% of Companies Update AI Data Strategies, But Gaps Remain
-
News1 week agoMatrix Announces IoTSCS-ER Compliant Network Cameras Certified by STQC
-
Cyber Security1 week agoHalcyon Launches 24/7 Ransomware Detection and Recovery (RDR) Solution
-
Artificial Intelligence1 week agoKaspersky Detects Sophisticated Scam Using DeepSeek AI
-
Artificial Intelligence6 days agoUiPath Acquires Peak to Drive Next-Gen AI Decision Intelligence
-
Cyber Security1 week agoNew Research from Palo Alto Networks and Siemens on OT Security Risks
-
Cyber Security1 week agoForcepoint to Acquire Getvisibility
-
Cyber Security7 days agoGroup-IB Outs High-Tech Crime Trends Report 2025 for META