Dean Parsons

Industrial Control Systems Cyber Threats & The Gulf Region: ICS Blog Series: 1 of 3

January 16, 2024

An Industrial Plant

Modern Attacks Against Critical Infrastructure

The evolution of targeted attacks against critical infrastructure in recent times sends a clear message to asset owners and operators. In industrial control systems - water management, oil and gas refineries and distribution operations, power grids, and the like - modern adversaries have taken brazen steps to defeat traditional security controls and to impact safety and engineering reliability. Today, proactive control system cyber defense requires dedicated ICS security teams with engineering knowledge to preserve the safety of industrial control system (ICS) and operational technology (OT) operations.

ICS Security In The Field Experience

With my firm ICS Defense Force, I perform industrial control system (ICS) security assessments, incident response tasks, and incident response tabletops across multiple critical infrastructure sectors, globally. This practical field work matters in this context: it allows me to meet with security teams, engineering staff, and those leading the charge on cybersecurity risk management and defense, including the decision makers who are seeking technical solutions and tactical training to address their identified cybersecurity challenges.

ICS Threat Landscape In The Gulf Region

Recent threat landscape analysis for the Gulf Cooperation Council (GCC) indicates that attacks against critical infrastructure are increasing in volume and sophistication. Critical infrastructure adversaries and cyber criminals alike are exploiting both ICS and IT environments to achieve malicious goals, with impacts to safety and engineering operations.

The oil and gas and energy sectors specifically present valuable targets to modern advanced persistent threats (APTs), which are active and continue adjusting their attack tradecraft to infiltrate multiple types of facilities and evade detection. Facilities operating in the GCC, across all energy sectors - electric, oil and gas, and the related supply chain providers for equipment and software - are at increased risk compared with prior years. Adversaries consider cyber-attacks against critical infrastructure a legitimate component of warfare.

For example, industrial cyber incidents from active adversary groups target oil and gas operations across upstream, midstream, and downstream operations. Their purpose appears to have been consequences ranging from disruptive to destructive incidents, including potential personal safety and environmental impacts. [1] This is evident from the discovered ICS-targeted malware TRISIS/TRITON, aimed at oil and gas safety systems. [2]

Additionally, there has been a global increase in ransomware events against ICS environments, with no sign of slowing down. Ransomware impacting IT support services can also impact ICS operations if the organization does not have suitable network segmentation in place to protect engineering networks from IT and the Internet. An example is the Colonial Pipeline incident in oil and gas [3], from which other adversary groups are learning to adapt and strengthen their own attack techniques. As well, ICS-specific ransomware has been discovered in the form of EKANS. [4]

Common ICS Cybersecurity Challenges

Threat intelligence reveals that critical infrastructure could be at increased, unnecessary risk of cyber incidents with impacts if the following scenarios are present, though other gaps also exist.

  1. Lack of ICS/OT Network Visibility - ICS network visibility is a critical requirement for any ICS facility today. That is, ICS-protocol-aware network intrusion detection systems deployed to monitor and alert on anomalous engineering commands and protocols.
  2. Dual-homed Assets between ICS and IT Networks - Connections between IT networks and ICS networks are a major concern for owners and operators, as they present a pathway from commonly targeted IT environments into critical engineering systems.
  3. Lack of Multi-factor Authentication for Remote Access - Multi-factor authentication is a best practice that strengthens remote access authentication. However, remote access requires several other controls that must be in place, including but not limited to proper network access control and monitoring.
  4. Limited Logging Enabled and Monitoring for Engineering Systems - Legacy engineering assets may have logging disabled by default, or assets may not be configured to log security events or important engineering events such as logic updates.
  5. Unprotected End-of-Life Operating Systems and Engineering Hardware - Legacy systems require additional ICS-specific security controls, processes, and mitigations to protect the safety and reliability of operations.
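As an added illustration of what the "ICS-protocol-aware" monitoring in item 1 means in practice (example code written for this post, not from the author's firm or from any SANS course), here is a minimal Modbus/TCP request parser with two policy rules: it flags write function codes from any host outside an engineering-workstation allowlist (the dual-homed IT host of item 2 being the typical offender) and flags function codes that are neither routine reads nor writes. All IP addresses and frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus function codes grouped by whether they change controller state
# (codes from the public Modbus specification).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

@dataclass
class ModbusRequest:
    src: str         # host issuing the request
    dst: str         # PLC / RTU being addressed
    unit_id: int     # MBAP unit identifier
    function: int    # Modbus function code
    start_addr: int  # first coil/register addressed (-1 if absent)

def parse_modbus_tcp(src, dst, frame):
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus/TCP")
    if length != len(frame) - 6:  # MBAP length covers unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    start_addr = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else -1
    return ModbusRequest(src, dst, unit, frame[7], start_addr)

def evaluate(req, engineering_hosts):
    """Apply the policy rules to one request; return alert strings (empty if benign)."""
    if req.function in WRITE_FUNCTIONS:
        if req.src in engineering_hosts:
            return []  # an engineering workstation changing values/logic is expected
        return [f"WRITE from non-engineering host {req.src} -> {req.dst} unit "
                f"{req.unit_id}: {WRITE_FUNCTIONS[req.function]} at address {req.start_addr}"]
    if req.function in READ_FUNCTIONS:
        return []  # HMI / historian polling is normal traffic
    return [f"UNEXPECTED function code {req.function} from {req.src} -> {req.dst}"]

def run_detection(events, engineering_hosts):
    """Parse each (src, dst, frame) tuple and collect alerts in order."""
    alerts = []
    for src, dst, frame in events:
        try:
            alerts.extend(evaluate(parse_modbus_tcp(src, dst, frame), engineering_hosts))
        except ValueError as err:
            alerts.append(f"MALFORMED frame from {src} -> {dst}: {err}")
    return alerts

# Constructed sample traffic, not a real capture. 10.1.0.0/16 is a hypothetical
# ICS network; 172.16.5.20 is a hypothetical dual-homed host on the IT side.
SAMPLE_EVENTS = [
    ("10.1.0.10", "10.1.0.50", bytes.fromhex("000100000006010300000010")),              # HMI read
    ("10.1.0.20", "10.1.0.50", bytes.fromhex("000200000006010600100001")),              # EWS write
    ("172.16.5.20", "10.1.0.50", bytes.fromhex("00030000000b01100010000204000100f0")),  # IT-side write
    ("172.16.5.20", "10.1.0.50", bytes.fromhex("000400000006010800010000")),            # diagnostics
]
ENGINEERING_HOSTS = {"10.1.0.20"}

for alert in run_detection(SAMPLE_EVENTS, ENGINEERING_HOSTS):
    print(alert)
```

A production sensor would learn the allowlist and the per-PLC function-code baseline from a monitoring period rather than hard-code them, and would also record the logic-update writes from the engineering workstation as audit events (item 4).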

What About ICS Incident Response?

According to the recent SANS 2023 ICS/OT Cybersecurity Survey data, only 52% [5] of ICS facilities have an ICS/OT-specific incident response plan that is documented, tested using engineering-driven tabletop exercises, and kept up to date. 17% are unsure whether they have such a dedicated ICS incident response plan. What's critical to understand is that this is not your IT incident response plan. "Copying and pasting" IT security controls into an ICS/OT facility's incident response plan will not work. In fact, this approach is likely to cause serious unintended or disastrous consequences to safety and engineering operations.

Only 52% of OT/ICS Have a Response

IT Is Not OT/ICS - Key Differences

It is imperative that top facility leadership and engineering teams know the differences between traditional IT security and industrial control system security. ICS/OT assets are often incorrectly compared to traditional IT assets. Traditional IT assets focus on data at rest or data in transit, user data, and user applications. ICS/OT assets, by contrast, are engineering equipment that focuses on real-time systems: physical input values and controlled physical output actions that have an effect in the real world. It is this primary difference between IT and ICS/OT that drives differing cybersecurity design, security assessment approaches, risk surface understanding, safety, strategy, support, tactical cyber defense, and industrial incident response practices. "Standard cyber incident remediation actions deployed in IT business systems may result in ineffective and even disastrous results when applied to ICS cyber incidents, if prior thought and planning specific to operational ICS is not done." [6]

ICS Leaders' Defense Actions:

Those responsible for ICS/OT cybersecurity and infrastructure defence can position their facility to meet best practices by having an engineering-driven ICS-specific incident response plan. They can regularly exercise that plan by running ICS tabletops facilitated by ICS experts with realistic scenarios derived from sector specific threat intelligence. Ensure all the right teams are included.

ICS Practitioners' Defense Actions:

Tactical practitioners working on the front lines to defend engineering operations should embrace the fact that IT and ICS/OT are different. Discover what can be adapted from IT security to actively respond to ICS specific threats using ICS specific controls, technologies, and processes, while prioritizing safety first. Realize that ICS Security is not a "copy and paste" of IT Security into the ICS. In many cases what works for IT will cause disruptive or disastrous consequences if applied to ICS.

Engineering And Cyber Security Training In Gulf Region

I am very fortunate to be strengthening the SANS relationships in the region with senior leadership, decision makers, engineering, and security staff. I was recently in Dubai at the SANS EMEA Gulf Region event in November teaching both ICS515 and ICS418, meeting great people from the local sectors in oil and gas, energy, and manufacturing. It was fantastic being in-person delivering best-in-class practical risk management to leadership teams, and hands-on tactical ICS cybersecurity training to those in day-to-day operations.

Students sitting in a class while a teacher teaches

Teaching in Dubai at the SANS EMEA Gulf Region event in November 2023

The break and networking sessions gave us a wonderful opportunity to share experiences and to assist facilities in addressing some of the ICS/OT cybersecurity challenges they face today.

Computer Parts

Teaching students in the Gulf region how to protect ICS systems using the student PLC hardware kit included with ICS515.

Professional Development and Practical Defense

The SANS course, ICS515: ICS Visibility, Detection, and Response meets several modern ICS security challenges head-on. ICS515 teaches students how to perform tactical ICS incident response by leveraging hands-on labs. Labs include assembling and running a programmable logic controller (PLC) like you'd see on a plant floor. Students keep the PLC kit for continued learning after class is over. Students from IT, ICS, engineering, etc., will detect and defend against threats in several realistic ICS environments.

Conclusion

It is critical for critical infrastructure owners and operators to ensure their teams attend, complete, and become certified in ICS-specific security training, in order to defend against the latest threat groups that mean to cause disruption, downtime, and safety impacts.

On behalf of myself and the EMEA team, thank you for taking the time to review this important topic as it relates to the protection of critical systems in the Gulf region. We look forward to seeing you all at our regional SANS training events! Stay tuned for additional ICS blogs in this series, a dedicated effort to provide actionable information to protect critical infrastructure in this region.

Be safe from industrial incidents!

Best,

Dean

References

[1] https://www.dragos.com/industries/oil-gas-industrial-cybersecurity/

[2] https://en.wikipedia.org/wiki/Triton_(malware)

[3] https://en.wikipedia.org/wiki/Colonial_Pipeline_ransomware_attack

[4] https://attack.mitre.org/software/S0605/

[5] https://www.sans.org/white-papers/ics-ot-cybersecurity-survey-2023s-challenges-tomorrows-defenses/

[6] www.cisa.gov/uscert/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf
