Critical Infrastructure: Batten down the hatches

Recent cyberattacks and exploits of vulnerabilities have had a profound impact on critical infrastructure and are worth studying to secure systems against future attacks 

Critical infrastructure systems like those driving power generation, water treatment, electricity production and other platforms are interconnected to form the energy “grid”. Although beneficial to the public, this grid is vulnerable to cyber-attacks by “hacktivists” or terrorists. Critical infrastructure, like power generation and distribution, is becoming more complex and reliant on networks of connected devices. Just decades ago, power grids and other critical infrastructure operated in isolation. Now they are far more interconnected, both in terms of geography and across sectors.  

Recent years have seen growing concern about the vulnerability of industrial control systems (ICS), which are used to monitor or control processes in industrial and manufacturing sectors. An attack against an ICS could result in physical damage, such as a fire or explosion, as well as business interruption, says Nigel Pearson, Global Head of Fidelity, AGCS. “A number of ICS still used by manufacturing and utilities companies today were designed at a time before cyber security became a priority issue,” he explains.

In addition, ICS are also vulnerable to both technical failure and operator error as well, which can be much more frequent and severe in terms of impact and are often not captured in cyber reports, adds Georgi Pachov, Global Practice Group Leader Cyber, CUO Property AGCS.

While ICS are a particular issue for the energy sector, similar cyber-related physical damage and business interruption risks exist in other industries. For example, car manufacturing plants rely on robots to make and assemble vehicles. Should a robot be hacked or suffer a technical fault, a production line could be interrupted for hours or days, at a potential cost of tens of millions of dollars per day. And the potential cost of damages could be even higher from an incident involving security-sensitive facilities such as nuclear power plants, laboratories, water suppliers or large hospitals. 

The time to secure critical infrastructure is now. Security Buyer catches up with Maher Jadallah, Senior Director Middle East & North Africa, Tenable to find out why. 

Cyberattacks have been grabbing headlines across the Middle East for all the wrong reasons in recent years. Help AG’s Middle East-focused ‘State of the Market Report 2021’ revealed: DDoS attacks have become the norm with a 183% increase in the UAE alone; ransomware incidents were on the rise due to a high rate of success; VPNs were attacked monthly as work from home continued; over 18,343 vulnerabilities were identified per the NIST National Vulnerability Database (NVD). Unfortunately, the increase in attacks isn’t limited to just the Middle East.  

What is the current landscape of critical infrastructure? 

In the United States, the 2021 Colonial Pipeline ransomware attack showcased how the surge in vulnerabilities in IT systems can severely impact operations, and the US economy at large. The attack is a stark reminder for Middle Eastern organisations to protect their critical infrastructure or risk a similar fate. 

Globally, to automate workflows and find efficiencies, organisations are investing in Supervisory Control and Data Acquisition (SCADA) systems. According to the Middle East SCADA Market 2021-2027 report by Research and Markets, the market will reach US$2.68bn by 2027. Operational technology (OT) systems like SCADA offer a number of benefits to businesses but the process of securing them can have an impact on operations. Despite this, they absolutely must be secured against cyberattacks. 

Generally speaking, IT and OT systems have common touch points, however each faces a diverse set of challenges. With OT systems, patching vulnerabilities can be challenging because small errors can shut down entire plants and facilities, resulting in loss of time and money. Challenges also arise here because, often, OT involves legacy systems that require specialised knowledge, the absence of which makes working with these systems complicated. 

That said, securing these systems is a must because the impact cyberattacks can have on critical infrastructure and the supply chain will be far more challenging and costly to recover from. 

Are these cyberattacks a modern precedent?  

Attacks against critical infrastructure are not a modern age reality, the first attacks in the 1960s involved phone hacking mechanisms exploiting public phone systems. The introduction of ‘ARPANET’ – the first public packet-switched computer network – in 1969 was followed by the first computer ‘worm’ in 1971 (CREEPER) – it was also the first instance of a Denial of Service attack as it took control of printers. In the early 1980s, the 414s become hacking pioneers when they broke into institutions’ computer systems. 

With the growing adoption of the internet and greater number of cyberattacks, organisations needed a platform to share vulnerability data so others could protect themselves. So, in 1999, MITRE introduced the Common Vulnerabilities and Exposures (CVE) list system, which was followed by the National Institute of Standards and Technologies’ (NIST) National Vulnerability Database (NVD) in 2005. 

From a cybersecurity standpoint, 2014 is associated with the Heartbleed vulnerability, which made its mark on industrial control systems. More recently, vulnerabilities such as Ripple20 have proven to be of significant concern, as it can affect software libraries that are used by OT, IoT and IT devices. 

With the arrival of the 2020s, cyberattacks have continued to grow; the 2020 breach of the SolarWinds Orion platform signaled the start of attacks on the software supply chain. In this case, the attack targeted the auto-update features of the vendor’s software.  

It’s worth highlighting here that attacks don’t always need to target OT systems directly to have a significant impact on critical infrastructure. This was proven b…

To read the full exclusive see our latest issue here.

Never miss a story… Follow us on:
LinkedIn Security Buyer
Twitter logo @SecurityBuyer
Facebook @Secbuyer

Media Contact
Rebecca Morpeth Spayne,
Editor, Security Portfolio
Tel: +44 (0) 1622 823 922
Email: [email protected]

About Security Buyer

Security Buyer is the leading authority in global security content, delivering expert news, in-depth articles, exclusive interviews, and industry insights across print, digital, and event platforms. Published 10 times a year, the magazine is a trusted resource for professionals seeking updates and analysis on the latest developments in the security sector.

To submit an article, or for sponsorship opportunities, please contact our team below.

Rebecca Spayne picture 2025

Rebecca Spayne

Managing
EDITOR

Georgina Turner image

Georgina Turner

Sales
Manager

Afua Akoto image - Security Buyer

Afua Akoto

Marketing Manager

Read the Latest Issue

Follow us on X

Follow us on X

Click Here

Follow us on LinkedIn

Follow us on LinkedIn

Click Here

Advertise here

Reach decision makers and amplify your marketing

Advertise here

Click Here

Related News

Christina Alexander Judge - SecurityBuyer

Christina Alexander Announced as Security Buyer Awards Judge

Security Buyer is proud to announce Christina Alexander as the latest addition to the distinguished judging panel for the Security…
Milestone - SecurityBuyer

Milestone Systems updates across XProtect, BriefCam, Arcules

Milestone Systems today announced updates across its complete security technology portfolio with releases for XProtect
Big Interview Abdullah Tanoli

Big Interview – Hero of Leicester Square

Rebecca Spayne of Security Buyer has the privilege of speaking with a real-life hero, Abdullah Tanoli, the hero of Leicester Square..
Altronix - SecurityBuyer

Altronix POE367 Delivers 277VAC Support

Altronix has expanded its power product line with the new POE367 power supply/charger designed specifically for 277VAC input environments.
IFPO x GSA - Security Buyer

New Corporate Members for IFPO

The Global SecurAlliance (GSA)summer meeting on 16 June was held again at the stunning Château de Méry-sur-Oise on the outskirts of Paris.
Product Spotlight - HID

Product Spotlight – HID

Access control is evolving into a smart, responsive platform—integrating embedded apps, IoT, and cybersecurity to deliver…
Genetec

Genetec brings new capabilities to Security Center SaaS

Genetec announced new updates to Security Center SaaS, the company’s enterprise-grade Security-as-a-Service (SaaS) solution..
I-Pro

i-PRO Launches Revamped EMEA Partner Program

i-PRO announced a major expansion of its EMEA Partner Program. The move supports i-PRO’s long-term growth strategy and…
ASIs international

ASIS International Introduces New ANSI-Approved Investigations Standard

ASIS International, a leading authority in security standards, is excited to announce the release of its revised American National Standards.
Gallagher Security and Yusuf Bin Ahmed Kanoo Company Limited sign MOU in Riyadh

Gallagher Security MOU with Yusuf Bin Ahmed Kanoo Company

Gallagher Security is proud to announce the signing of a Memorandum of Understanding (MOU) with Yusuf Bin Ahmed Kanoo Company…
Scroll to Top