Following on from the success of the first two Forums of May 2012 and October 2013, the 3rd ICS Cyber Security Forum has been called to examine the issues of concern here in the region together with the growing number of international partnerships being formed around the world to tackle and address the increasing number of cyber attacks. According to a recent ICS-CERT report ,they highlighted that 53% of the cyber security incidents worldwide during the first half of 2013 were related to the energy sectors .When it comes to this region it has been reported that cyber attacks targeting key installations costs the Gulf countries $1B annually and is growing as exemplified by the recent Kaspersky report on the current activities of a new group of hackers called ‘Desert Falcons’ targeting businesses throughout the Middle East.
The focus of this forthcoming Forum will be expanded to include utilities as well as the hydrocarbon sector , both of which are of vital importance to the various countries in this region given their billion dollar expansion plans. As the GCC petroleum sector alone accounts for 49% of its GDP, effective cyber security protection of this premium part of their critical national infrastructures is mandatory.
Qatar named cyber security as one of its top 3 research priorities in 2014 together with Saudi Arabia and Bahrain. ictQATAR have recently spoken about the upcoming regulations to safeguard people and businesses against cyber risks and establishing a streamlined ecosystem with a robust legal and legislative framework including the Critical Information Infrastructure Protection Law. Kuwait has similarly entered into a $1B programme involving cyber security with the UK and Oman is enhancing its cyber security programmes across the country and particularly in the energy and the utilities sectors. Here in the UAE, according to a recent 3 year investigation by Symantec , data revealed that the UAE has the highest number of communication system breaches across the Middle East. Moreover the UAE budget for cyber security is expected to double to $10 B within the next decade.
In 2014 the UAE’s National Electronic Security Authority (NESA) announced a series of publications on a range of key strategies, policies and standards to align and direct national cyber security efforts throughout the country. These documents included the National Cyber Security Strategy (NCSS), Critical Information Infrastructure Policy (CIIP) and the UAE Information Assurance (IA) standard which collectively will work towards enhancing the UAE national cyber security and ICT infrastructure and will be mandatory in their compliance.
Within this region all countries are building national organisations to protect their assets as these countries are also among the most highly connected globally with high levels of internet usage for government , business and education and that is why cyber threats are growing in number and sophistication.
Historically most Operational Technology (OT) networks were isolated from the Enterprise Networks and operated independently . However with the advent of internet based ICS systems due to the increased demand for greater business insight in real time has lead energy and utility companies to integrate industrial control systems (ICS) and their enterprise IT systems in which potential problems can occur and have been demonstrated internationally in doing so .Therefore those responsible for cyber security within an organisation must understand the difference between ICS and IT system security in order for them to work together effectively. Moreover understanding the different needs of ICS and IT system security can only lead to cooperation and collaboration between these historically disconnected camps . What is therefore key to this is to properly facilitate Operational Security (OS) , in much the same way that IT Security has come about , yet with different and complimentary parameters as is appropriate.
It comes as no surprise therefore that the market for ICS security is expected to top $10.33 billion by 2018 . For example, designing a secure architecture for a control system can be a difficult exercise as there are so many different types of systems in existence and so many possible solutions, some of which might not be appropriate to the process control environment. Moreover the security of an organisation’s process control system can be put at significant risk by third parties and securing the supply chain is one major area of concern.
Recent examples of encountered problems include a cyber attack on an offshore platform that caused the tilting and resultant shutdown of the platform and significant production losses . In the utility sector particular attention should be paid to the cyber threats to the substation devices and most people advocate that that utilities and vendors work together to develop standardised processes to overcome these potential device issues.
As recently as 2 years ago, cyber security was not in the top 10 areas of concern for utilities management and is now rated as the fourth highest area of concern. A recent international review of utility executives concluded that 48 % did not have integrated cyber , physical , corporate and ICS security within their facilities. With regional plans for implementing smart grids , greater attention needs to be paid to their cyber security needs particularly as the 2014 Smart Grid Cyber Security Survey indicated 64 % of executives believe the grid is not yet ready for security.