A new report has found that cybersecurity breaches in the Middle East are widespread and frequently undetected, with 30 per cent of the region’s attacks targeting operational technology.

The study, by Siemens and research and consulting firm Ponemon Institute, reveals that while firms have begun to invest in protecting their assets from cyber threats, more needs to be done to increase awareness and the deployment rate of technology if they are to secure their operating environments.

Launched in Dubai today, the study highlights that until recently, cyberattacks generally targeted information technology environments such as PCs and workstations.

But with the acceleration of digitalization and the convergence of IT and OT, the region is now seeing a rising number of attacks aimed at the OT environment.

The report investigates the readiness of the Middle East’s energy sector to identify and protect against cyber threats. It also assesses what measures need to be taken to close the gaps, surveying around 200 individuals in the Middle East who are responsible for overseeing cyber security risk within their organizations.

“The convergence of IT and OT has become a key opportunity for attackers to infiltrate an organization’s critical infrastructure, disrupting physical devices or operational processes,” said Leo Simonovich, Global Head of Industrial Cyber at Siemens Energy.

“We know that attacks are becoming more frequent and increasingly sophisticated, and firms quickly need to assign dedicated ownership of OT cyber, gain visibility into their assets, demand purpose-built solutions and partner with experts who have real domain expertise.”

The report found that 60 per cent of respondents believe the cyber risk to OT is greater than the risk to IT, and that 75 per cent of those questioned had experienced at least one security compromise resulting in confidential information loss or operational disruption in the OT environment in the last 12 months.

The study also found that despite awareness of rising OT cyber risk, budgets for OT cyber services and solutions have not kept pace with the threat.

At present, energy organizations in the Middle East dedicate only a third, on average, of their total cybersecurity budget to securing the OT environment. This suggests that organizations are not aligning their cyber investments with where they are most vulnerable and highlights the urgency to address OT cyber security.

The report outlines six key principles that underlie the most effective OT cyber programmes: assign and empower dedicated ownership for OT cyber security; overcome the fear of connectivity and gain continuous visibility into OT assets; secure the operating environment all the way to the edge; leverage analytics to make smarter, faster decisions; demand purpose-built OT cyber solutions; and partner with OT cybersecurity experts who have real domain expertise.

Cyber Charter of Trust

Last month, Siemens and seven industry partners signed the first joint charter for greater cybersecurity.

The Charter of Trust calls for binding rules and standards to build trust in cybersecurity and further advance digitalization.

The signatories were Siemens, Airbus, Allianz, Daimler Group, IBM, NXP, SGS and Deutsche Telekom. Earlier this month they were joined by AES Corporation, Atos and Enel.

“Confidence that the security of data and networked systems is guaranteed is a key element of the digital transformation,” said Siemens President Joe Kaeser.

“That’s why we have to make the digital world more secure and more trustworthy. It’s high time we acted – not just individually but jointly with strong partners who are leaders in their markets. We hope more partners will join us to further strengthen our initiative.”

The charter calls for responsibility for cybersecurity to be assumed at the highest levels of government and business, with the introduction of a dedicated ministry in governments and a chief information security officer at companies.

It also calls for companies to establish mandatory, independent third-party certification for critical infrastructure and solutions – above all, where dangerous situations can arise, such as with autonomous vehicles or the robots of tomorrow, which will interact directly with humans during production processes.

In 2017, the US Department of Energy reported that America’s electricity infrastructure was in “imminent danger” from cyberattacks that are “growing more frequent and sophisticated.” 

And according to a recent report from the Council of Economic Advisors, malicious cyber activity against government and industry cost the US economy between $57bn and $109bn in 2016 – approximately one-half of US GDP.
