Securing industrial control systems and operational technology environments has never been more critical.
This blog is jointly authored by Dean Parsons and Michael Hoffman.
The Gulf region is home to some of the world's largest and most vital oil, gas, and energy infrastructure. Securing industrial control systems (ICS) and operational technology (OT) environments has never been more critical. With cities like Dubai leading in technological and infrastructural advancements, protecting these systems is key to maintaining economic stability and public safety. The Gulf's ICS/OT environments face distinct cybersecurity challenges that require specialized tools, tailored strategies, and training paths.
Copying traditional IT security controls into ICS/OT environments is not only ineffective but also potentially harmful. IT security workflows, tools, and processes designed for business systems can disrupt industrial operations, compromise safety, and even cause outages by interfering with critical engineering processes. Protecting ICS/OT systems requires dedicated solutions prioritizing safety and operational continuity.
Applying IT security controls in ICS/OT environments can inadvertently cause operational disruptions, slowdowns, or unsafe conditions. Unlike IT systems, which prioritize data confidentiality, ICS/OT systems manage real-time physical processes where availability, reliability, and safety are paramount. Tools like traditional endpoint protection agents or automated patching, common in IT environments, can introduce latency, unpredictability, and unintended downtime. In some cases, these controls can pose a greater risk than the malware they aim to defend against.
This is why ICS-specific security solutions are crucial. These solutions are designed to safeguard systems while ensuring safety and uptime. They prioritize operational needs, ensuring that security measures don’t impede performance. The primary goal is to enhance safety—protecting both people and critical processes—without sacrificing the reliability of essential infrastructure.
SANS has recently released the Five ICS Cybersecurity Critical Controls white paper. This is an excellent starting point for embracing ICS-specific training or reinforcing concepts covered in SANS ICS courses. The white paper sets forth the five most relevant and effective critical controls for an ICS/OT cybersecurity strategy:
These ICS-specific controls can be woven into an organization's risk model and implemented strategically. The control numbers indicate where to begin, though they can be applied in parallel. To implement these controls effectively, well-trained teams—with an understanding of both IT and ICS/OT risks—must ensure that security supports the core mission: the safe and reliable operation of critical infrastructure.
Modern attacks demand not just technology but also training defenders to use ICS-specific technology. Traditional cybersecurity tools are often inadequate for countering modern threats like "Living Off the Land" (LOTL) attacks. These attacks involve leveraging built-in tools, capabilities, and default or harvested credentials to blend into the environment.
ICS/OT environments are particularly vulnerable, as attackers exploit trusted connections, vulnerable ICS/OT protocols, and unmonitored hosts or networks. Detecting LOTL attacks in ICS/OT environments requires purpose-built tools and detection use cases, all managed, maintained, and monitored by trained staff.
Effective defense against these modern threats requires a human-driven approach. ICS defenders, armed with tailored security strategies and ICS-specific tools, must be able to recognize and respond to the subtle, context-specific signs of an attack. These teams need training to understand the unique vulnerabilities and operational dynamics of ICS/OT systems, ensuring they can detect and mitigate attacks without compromising safety or performance.
Upskilling the ICS/OT cybersecurity workforce in the Gulf region is imperative, given the critical role of infrastructure in economic stability and public safety. Defenders need specialized training that equips them to address both IT and OT threats while maintaining a steadfast focus on safety. This includes tactical team members and leadership roles, who must be trained to handle the distinct challenges posed by ICS/OT environments.
The SANS Institute’s ICS curricula offer a range of training courses to bolster defense in ICS/OT environments, addressing essential skills needed by ICS/OT engineering leadership and managers, cybersecurity professionals, and control system engineers:
Each course emphasizes relevant, practical experience, addressing the growing ICS cybersecurity challenges across critical infrastructure in the Gulf region.
The SANS Cyber Academy revolutionizes cybersecurity training with customized programs tailored to any domain or curriculum. These academies address unique cybersecurity challenges by partnering with local government organizations to reskill and upskill professionals. Each academy is fully adaptable and can be tailor-made to meet specific organizational or regional needs, ensuring maximum relevance and impact. By providing targeted expertise, these academies help build the capabilities required to safeguard critical and digital infrastructures across the Middle East.
Investing in an ICS/OT-focused cyber academy enables regional teams to proficiently use the tools and strategies needed to defend these environments. Technical teams develop skills crucial for safeguarding operational systems, while leaders gain the insight required to support these teams. This collaboration fosters a unified approach and ensures effective cooperation with IT departments.
SANS GIAC certifications in the ICS410, ICS456 and ICS515 courses validate these skills, empowering defenders and organizations to protect critical infrastructure, maintain safety, and ensure the continued reliability of essential services.
Interested in learning more about industrial control systems security? Check out SANS Institute’s ICS course offerings and free resources today!
Dean Parsons, CEO of ICS Defense Force, has established comprehensive ICS security programs and led industrial-grade incident responses across sectors like telecommunications and energy. He wrote the pivotal SANS ICS Cybersecurity Field Manuals.