Dubai has become the first emirate in the UAE to put security standards on industrial control systems (ICS) as there is an increase in OT (operational technology) security incidents in the Middle East and the digital transformation drive is going to make it worse as the threat landscape is getting more sophisticated.
IT (information technology) systems are storage systems, computing technology, business applications and data analysis while OT systems are machinery equipment, assets monitoring systems, industrial control systems (ICS) and SCADA devices.
Dubai Electronic Security Centre (DESC), the regulatory authority in Dubai, is stepping in at the right time as IT and OT systems are merging and getting connected to the internet.
The Iranian malware Shamoon 1, in 2012, reportedly destroyed thousands of computers at Saudi Aramco and Qatar’s RasGas. Shamoon 2 made similar attacks in 2016 and 2017 while Shamoon 3 made a new wave of attacks against targets in the Middle East oil and gas plants in December 2018.
In 2017, cybercriminals behind Triton, also called Trisis, targeted Triconex safety instrumented system (SIS) controllers sold by Schneider Electric, leading to plant shutdown, due to flaws in security procedures.
In 2019, Triton once again targeted industrial control systems (ICS) at another company in the Middle East.
The first was Stuxnet, known to have developed by the US and Israel to sabotage Iran’s nuclear ambitions in 2009 while the second malware, Duqu was a reconnaissance programme and it contained 20 times more code than Stuxnet and is much more widespread than Duqu.
The Industroyer (also known as Crashoverride) is a malware framework considered to have been used in the cyberattack on Ukraine's power grid.
Havex is a remote access trojan discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries in the US and Europe.
According to research firm Gartner, the size of the stand-alone OT security market in 2018 was valued at $250 million, growing to $1.1 billion in 2022, representing an annual growth rate of 45.7%.
- UAE data protection law, similar to GDPR, likely landing this year
- Russia and Iran expected to conduct disruptive cyber-attacks in Middle East
- Healthcare is an attractive target for disruptive or destructive cyberattacks
Protecting digital infrastructure
Amer Sharaf, Director of Compliance, Support and Alliances at DESC, said that implementation of the standard, after benchmarking it against internationally recognised standards, by relevant government entities in Dubai will help provide a new and improved framework for industrial security and ensure minimal risk framework to fortify the industrial sector’s digital infrastructure against rise in cyberattacks on this sector globally.
Dr. Bushra Al Blooshi, Director of Research and Innovation at DESC, said that Enoc, Dubai Electricity and Water Authority (Dewa), Dubai Airports and The Roads and Transport Authority (RTA) were key in co-developing and implementing the new security standard.
She said that RTA will implement the standard in tram and metro; Dewa in water generation and water transmission, power generation and power transmission; Enoc in fuel transmission and airports.
“The standards were developed in collaboration with these four entities and they have till November to start deploying the standards. From April onwards, we will hold workshops with these entities and get feedback from them about the challenges they may face when implementing the standards,” she said.
When asked about the standard for private entities, she said that the standard for private sectors are pushed through the government entities but luckily, no private sector in Dubai is using ICS.
When asked whether there will a deadline to change legacy OT systems, he said that some of them have to put a plan and not an abrupt change. The risk assessment methodology will give flexibility, depending on high- to low-risk systems, and they can make a plan to reduce the risk.
DESC has the standard (Information Security Regulation) for the IT systems and was mandated in 2012.
Race towards digital transformation
In December 2019, DESC, in association with Dubai Health Authority (DHA), launched the security standard for electronic biomedical devices (EBMD) across the emirate in a bid to limit breaches within the healthcare sector and protecting sensitive patient information.
When asked whether there will be a unified UAE security standard for ICS, Al Blooshi said: “We are collaborating with TRA and Abu Dhabi Digital Authority to get it aligned across the UAE. If Dubai’s implementation is successful, then the same standard or after a little bit of fine-tuning will be implemented at a federal level. It is the TRA which will take it to the federal level.”
Moreover, she said that the UAE is committed to lead in the race towards digital transformation by adopting artificial intelligence (AI) tools, the application of internet of things (IoT) and other smart technologies, especially that rely on 5G networks.
“The latest security standard is a crucial step towards protecting digital data across all sectors and at all cost,” she said.
Sharaf said that auditors from DESC will go and assess the systems for security compliance in the government and semi-government organisations.
“There are different KPIs for the Dubai Government Excellence Programme and one of them is compliance. If an entity gets better scores, they can move up the ladder in the excellence programme, part of an incentivised mechanism,” he said.