Digital transformation fuels data theft

Cyberattacks on critical infrastructure, combined with data theft in cloud services because of the advancement in technology is fueling worry across the Middle East 

The Middle East, with its patchwork of political rivalries and disputes, is suffering nation-state-sponsored cyberattacks on infrastructure such as utilities, oil and gas and transport hubs. Meanwhile, the move to cloud services and growth of digital commerce is fuelling a worrying rise in the theft of consumer data. Critical infrastructure must segregate and protect networks while Governments must bring forward new GDPR-style data protection. 

Across the Middle East, security teams at critical infrastructure plants are on maximum alert as a wave of politically-motivated cyberattacks targets their operations. 

Many of the attacks go undetected and those that are discovered are often unreported, which may disguise the nature and extent of the problem. Attackers target infrastructure such as water systems, oil and gas facilities, transport hubs and manufacturing plants. As Tarek Kuzbari, Middle East and Turkey director for security vendor Cybereason, says: “In the Middle East, the number of politically-driven cyberattacks is very high compared to other regions. 

“With all the politics in the region, such as the revolutions of the Arab Spring and tensions between different nations, each country has started to build their own cyber offensive capability and have launched their own operations.” 

A series of cyberattacks on Israel’s rural water infrastructure last year which disrupted water supplies is a recent case. Shortly after, a cyberattack shut down Iran’s Shahid Rajaee port for days. A Washington Post report attributed the attack to Israel, in retaliation for the earlier incursions into its water systems. This cycle of tit-for-tat attacks threatens the security of a wide range of industries. 

Shamoon 3 virus sabotages oil and gas installations 

A report by UAE cybersecurity company DarkMatter in 2019 showed that the oil and gas sectors, finance, transport and utilities have been targeted by state-sponsored groups seeking to undermine the economic and social stability of rival nations. Three quarters of oil and gas companies in the region had experienced cybersecurity breaches. 

DarkMatter’s analysis identified eight key “intrusion sets” — co-ordinated attacks — Bitter, Molerats, MuddyWater, Chafer, DarkHydrus, Shamoon 3, OilRig, and DNSpionage. Shamoon 3 in particular has been used to sabotage major organisations. 

According to Karim Sabbagh, CEO of DarkMatter Group, the lesson of these intrusions is clear: “Organisations in the region have a short window of time to transform their cybersecurity posture and demonstrate stronger resilience in the face of escalating and increasingly sophisticated cybersecurity threats.” 

But as infrastructure providers attempt to boost their protective measures, these are routinely circumvented by attackers, which are developing ever greater expertise in penetrating networks. As Kuzbari says: “The more you evolve as a defender, the cybercriminal will evolve too based on every measure you are taking.” Simply installing more sophisticated protection tools, whether firewalls or end-point protections, is insufficient. Cybereason’s approach involves closely monitoring all network data to identify any unusual activity, and if it is a potential threat, to neutralise it. 

Oil & gas infrastructure 

Stefan Schachinger, Product Manager, Network Security – IoT, OT, ICS at Barracuda discusses how recent events have been a wake up call for regional oil and gas producers as cybercriminals set sights on critical infrastructure in the Middle East.  

Just a few weeks ago, we saw pictures of people queuing at gas stations, as the news reported that airports could run out of jet fuel. While large parts of the population previously perceived cyber-attacks as something abstract without any real impact, the recent attack on the Colonial has challenged this perception, causing real problems. 

With the Middle East Oil & Gas sector historically being a prime target of cyber-attacks, there’s good reason for regional producers to take note of the Colonial Pipeline attack. Given its scale, and the fact that this was executed in the home nation of ‘big tech’, it is particularly concerning.  Most importantly, there are many lessons to be learned from this incident that can help Middle East Oil & Gas companies prevent themselves from similarly falling prey to ransomware. 

Targeting the low-hanging fruit 

The exact details of the attack method are still not known in that particular example, but it has become clear that it was not a highly sophisticated technical attack that was long planned on a military level. Both the hacker organization Darkside and its ransomware or ransomware-as-a-service (RaaS) offering have been known since mid-2020. 

According to media reports, the pipeline or its control systems were not attacked directly. Rather, the attack is likely to have originated in office IT systems and infected the billing system there, which is essential for the unfettered operation of a pipeline. 

It is not known whether there were incentives or indications from foreign government organizations for this attack, but it is certain that computers with a Russian or Eastern European system language will not be attacked by Darkside. 

When worldwide news media are looking at a critical infrastructure operator and waiting for them to decide whether to pay the ransom or to deal with significant restrictions in public life for a period of time that is difficult to estimate, the decision is obvious. The double extortion approach, in which data is not only encrypted, but the victim is threatened with publication, also increases the pressure. The question remains whether it was really a targeted attack or just an open vulnerability uncovered. 

Traditional attack vectors 

The most popular attack method is still email. The chances of success are good and — even if it fails — there is no risk of any consequences for the attacker. Of course, email-based attacks work better when cybercriminals are prepared.  

Widespread phishing mails with generic content have a lower chance of success than targeted and well-prepared attacks. Last year COVID-19 turned out to be perfectly suited as a hook for phishing emails. Above all, it is important that the recipient feels like they are being addressed personally, whether out of curiosity or financial promises, etc. When someone clicks on a malicious link, a piece of software is usually downloaded, and things take their unpleasant course. 

In Operational Technology (OT) networks, for example in industry, production, or infrastructure, remote maintenance accesses are often a problem. A large number of employees and external service technicians have to access devices for a wide variety of reasons, for which very often different methods are used. Just recently there was a critical incident at a water utility in Florida in which remote maintenance access could be abused to manipulate safety-relevant settings. 

The attack methods are diverse, and there are many different ways of penetrating a foreign network. The problem with OT networks is they are flat and open, and the devices are vulnerable. This means that attackers or malware that have found their way into the network can spread unhindered. 

Successful defence 

In order to successfully protect industrial networks, structured security measures are necessary. The example of Colonial Pipeline also shows that IT and OT systems are now closely connected and that there are dependencies here that require both sides to be protected accordingly. If an attack on a billing system or traditional ERP system causes a large-scale outage, it demonstrates a high degree of system interaction, as would probably be found in many similar companies. The air gap between IT and OT no longer exists, and both sides need to be protected accordingly. 

Protective measures include technical and organizational measures as well as employee training and user awareness. A comprehensive email security suite should definitely be part of a solution, as this is the most common attack vector. But even with the best technical solution, it must always be assumed that something could still slip through. For this reason, employees must also be trained in such a way that they are able to recognize an attempted attack. 

Email is not the only way into a company. Remote maintenance access is a major risk, especially in industrial networks. Instead of a proliferation of different remote access solutions from different vendors, a standardized method that is easy to use and extensively secured should be provided. Multifactor authentication is mandatory, and remote maintenance access should also be timed. And if a piece of malware or an attacker still manages to get into the network, segmentation is the key to protecting against the attack spreading to the company’s resources. 

Physical attack vectors such as social engineering or USB sticks and malware on mobile devices must also be considered. Therefore, organizations should always assume that security measures at the perimeter can be overcome or bypassed somehow. 

Segmentation separates the office IT network from operating technology, and within the OT network the control level is separated from the process level. Legitimate connections are allowed but restricted as much as possible and checked for malicious content with next-generation security, such as antivirus, IPS, and advanced threat protection. In order to prevent horizontal spread — for example from one machine to another — individual or small groups of assets are isolated from one another using micro-segmentation. With the additional use of anomaly detection, suspicious activities in the network traffic can be detected and automatically blocked on the firewalls. This way, in the event of a breach, at least containment can be achieved. 

Protective measures must therefore always be diverse or multi-layered, and each individual measure must claim to be insurmountable. If this is taken seriously, your own network is no longer an easy target for attackers. 

The recent events of the Colonial Pipeline ransomware attack have likely captured a lot more attention than the hackers wanted. That can be seen as a wake-up call that will certainly prompt many companies, especially those in the Middle East, to carefully review their own security measures. 

Keeping industrial networks segregated from IT 

According to Vibin Shaju, Director of Presales at McAfee for EMEA Enterprise, defenders must avoid complacency. In the past, Operational Technology (OT) networks — the digital communication systems which connect industrial plants and machinery — have been kept segregated from corporate IT networks which interact with the outside world. Cyber attackers will typically try and gain entry to a company’s IT network — for instance through phishing emails — and from there seek to enter the organisation’s OT network which controls critical plant and machinery. Segregating networks has been a key defensive measure to stop attackers finding a way through. 

But networks are growing more integrated as Internet of Things sensors are used to collect and emit data about plant and machinery. With the increasing data sharing between OT and IT networks, organisations are becoming vulnerable, he says. 

“We need to make sure that every type of security monitoring tool that we have deployed for our enterprise (IT) network is going into the OT network. We need to make sure that there is the same level of monitoring for that OT network as for the IT network, because there is a bridge between them.” 

Shaju adds that vendors such as Siemens, which create the OT systems used by critical infrastructure, are investing heavily in security and are partnering with cybersecurity providers to test their tools. Working together, they are creating new security blueprints and building them into critical infrastructure. “They were not looking at security 10 years back, but today they are really looking at those scenarios and providing solutions,” he says. 

Commentary: Stefan Schachinger, Product Manager, Network Security – IoT, OT, ICS at Barracuda 

The most popular attack method is still email. The chances of success are good and — even if it fails — there is no risk of any consequences for the attacker. Of course, email-based attacks work better when cybercriminals are prepared.  

Widespread phishing mails with generic content have a lower chance of success than targeted and well-prepared attacks. Last year COVID-19 turned out to be perfectly suited as a hook for phishing emails. Above all, it is important that the recipient feels like they are being addressed personally, whether out of curiosity or financial promises, etc. When someone clicks on a malicious link, a piece of software is usually downloaded, and things take their unpleasant course. 

In Operational Technology (OT) networks, for example in industry, production, or infrastructure, remote maintenance accesses are often a problem. A large number of employees and external service technicians have to access devices for a wide variety of reasons, for which very often different methods are used. Just recently there was a critical incident at a water utility in Florida in which remote maintenance access could be abused to manipulate safety-relevant settings. 

The attack methods are diverse, and there are many different ways of penetrating a foreign network. The problem with OT networks is they are flat and open, and the devices are vulnerable. This means that attackers or malware that have found their way into the network can spread unhindered. 

Commentary: Peter Selway, Marketing Manager at Schneider Electric 

When it comes to outages, attention is generally, and understandably, focused on the rules and procedures once the issue has arisen. Clearly, an outage that has or is taking place is far more visible that those yet too and will likely draw more attention from external parties. 

However, in critical applications, being reactionary is simply not an option. Outages at a defence base have wide-ranging, even life-critical, implications. It’s not enough to have a response plan – there must be a comprehensive strategy that utilises the latest technologies for preventative detection and proactive response. 

The only means to shutdown risk, minimise damage and optimise output is to integrate passive and active protection prevention technology and develop a prevent first culture. New technology has been introduced which not only acts as a barrier to electrical issues, but also helps to prevent causes from originating, through trip status and real-time measurement updates. 

Culture also plays a crucial role. Developing and auditing electrical safe work practices policy, conducting a risk assessment and safety training, and strategies for mitigation is crucial and cannot be overlooked. 

 

 

To stay up to date on the latest, trends, innovations, people news and company updates within the global security market please register to receive our newsletter here.

Media contact

Rebecca Morpeth Spayne,
Editor, Security Portfolio

Tel: +44 (0) 1622 823 922
Email: editor@securitybuyer.com

Subscribe to our newsletter

Don't miss new updates on your email
Scroll to Top