Dubai Moves Forward with ICS Cybersecurity Standards

In response to an ever more sophisticated and dangerous threat landscape, Dubai has become the first emirate in the UAE to apply standardized cybersecurity to industrial control systems (ICS). The move was in response to a decade-long series of cyber attacks targeted at various companies. 

According to a representative of the Dubai Electronic Security Center (DESC), the new standards will lead to a safer, more secure country. For more details on this long-needed upgraded protection for the UAE industry, keep reading.

What is DESC?

DESC was created in 2014. Its reason for existence, as described by law, is to create strategies to repel cyber-crime targeted at governmental and quasi-governmental institutions in Dubai. The bottom line is to prevent death, destruction, and interruption to the economy. The stated goal of these efforts is "Establishing Dubai as a global leader in innovation, safety, and security." 

Some might feel compelled to point out that, as a Wikipedia-certified enemy of the internet, the UAE does not approach this topic with clean hands. Of course, we in the West need to be careful at any aspersions cast since both the UK and USA are members in "good" standing on the same list. 

After seven years of watching various state actors and private entities take potshots at their industrial infrastructure with a variety of malware, the recent announcement about new ICS security standards serves to let the world know Dubai industry is now prepared to flex muscles in its own defense.  

What is ICS?

Why the sudden focus on industrial controls? Well, it's not really sudden. The process of developing and rolling out comprehensive responses to cyber-attacks, unfortunately, takes time. And after a series of high-profile attacks that began in 2012 and continue today, the emirate realized that it was only a matter of time until something went bad in a big way. 

What exactly is the ICS? The term industrial control systems is a catch-all term used to refer to a variety of systems, networks, controls, and devices deployed to operate and automate industrial processes. 

In the modern world, ICS is an integral part of the critical infrastructure in almost every industry, including transportation, water treatment, energy, and most manufacturing facilities. As with other OPEC members, the health of the UAE and Dubai's economy goes hand-in-hand with oil production. It's no surprise that saboteurs have focused their efforts in this direction over the years. A single successful large-scale attack would have devastating effects.

That's why the DESC is focusing so intently on protecting ICS.  

Rolling Out Solutions

Since ICS is non-existent in Dubai in the private sector, the new cybersecurity standards are targeted strictly at four government entities, in this case, airports, the national oil company, electric and water authorities, and the road/transport authority.

Surprisingly, most ICS software and hardware for these institutions are independent of the internet, which is likely the reason there have been no catastrophic security incidents to date. But the world is changing and the security challenges of digital transformation are unavoidable. The day is not far off when these entities will face even more online risk. 

The reality is that it's hard to stay offline completely in the modern world. That's why DESC is taking proactive steps to guard against hackers at the gate. The new standards were developed by studying already existing guidelines like ISO 27001 for general information security standards and payment compliance guidelines like PCI DSS, which has increasingly been adopted to secure customer data by invoicing and payment platforms. Meetings to try and get ahead of any problems related to implementation will be held beginning in April and the new standard takes effect in November.

The five primary security threats addressed by the new standards are:

1. Phishing: This tried and true approach to tricking their way into a network through fake emails has gotten more sophisticated of late. Modern phishers use AI to recreate past successful breaches and even generate convincing voices to perpetrate phone scams. To keep pace, several enterprise-level virtual private networks have started combating phishing attacks by automatically detecting when you visit a malicious website – using AI.

2. Ransomware: Last year ransomware became a major player as hackers went after schools, colleges, hospitals, and even city governments. This is a brilliant move since these entities often pay the demand in order to keep public services functional. Expect the bad guys to continue this trend and likely up the ante. State and federal governments, consider yourself warned.

3. The IoT: The Internet of Things has brought a whole new level of connectivity to the world. The internet no longer includes only websites but now you have to consider the millions (billions?) of smart devices that have been added to the mix and – oh, by the way – created a pandemic of security issues along the way.

4. Inside threats: One of the biggest security threats to any organization comes from within. Some estimates say that as many as one-third of all breaches are a result of employee error or outright bad intentions.

5. AI hacking algorithms: Artificial intelligence advancements don't just mean the good guys are getting smarter. It also means that bad guys now have algorithms that are learning to attack networks without guidance.

Hackers have already enjoyed success for many years when it comes to breaches and attacks that undermine the indicators that define small business profitability but have yet to fully master the kind of enterprise-scale ICS penetrations that could upset the larger economies of a nation or even the globe. Below are a few notable incidents that we're unable to come to full fruition, though not for lack of effort.     

A History of Threats

One of the earliest and continuing threats to Middle Eastern oil and gas production has come from Iran in the form of the Shamoon virus, versions 1, 2, and 3. Shamoon 1 annihilated several thousand computers at oil and gas refineries in Saudi Arabia and Qatar. A wave of similar attacks was carried out in 2016 and 2017 by the updated Shamoon 2, and again in 2018 with Shamoon 3. 

The rogue code in an industrial virus known as Triton, deployed by hackers in 2017, sought to disable safety systems designed to prevent industrial accidents. Had this attack been carried out successfully, the end result could have been devastating explosions and loss of life. It was the first time that malware carried with it a threat to human life.

These are just a few examples of cyber-attack incidents that struck a little too close for comfort to the Dubai government, which decided it was time to act. Thus DESC was born.

The Bottom Line 

Even though the United States has become energy (oil) independent in recent years, it doesn't mean that attacks on Middle Eastern industry have no effect on the world. When Dubai takes concrete steps to fortify itself from enemies and hackers, it's a good thing for everyone. 

DESC is already consulting with other emirates in the UAE to bring their ICS up to specifications also. Though absolute security will never be achieved, the more people and organizations looking to thwart the bad guys, the better.