
As digital transformation efforts steadily bridge the gap between operational technology (OT) and information technology (IT), critical infrastructure is facing a rapidly evolving cyber threat landscape. No longer confined to data breaches and financial theft, today’s cyberattacks increasingly target the physical world – oil pipelines, water treatment plants, energy grids, and transport systems. For governments, industrial operators, and critical service providers, OT cybersecurity is now a national and economic security imperative.
Identifying the Threat
Operational technology governs the systems that power our cities and economies: airport traffic control towers, industrial control systems in power plants, traffic management infrastructure, and the myriad systems that keep the lights on, the traffic moving, and daily life flowing as normal. These systems were traditionally air-gapped and designed for reliability, but not necessarily built to be resilient against sophisticated cyber threats.
Recent high-profile cyberattacks have exposed just how vulnerable OT systems can be:
- Triton Malware Attack (2017): By targeting safety systems at a Saudi petrochemical plant, this attack sought to sabotage industrial processes by remotely taking over physical systems. Though discovered and stopped before any harm could be done, the attack raised the spectre of “murderous malware” that could cause life-threatening catastrophes.
- Colonial Pipeline (2021): This ransomware attack hit one of the largest and most important oil pipelines in the US, leading to fuel shortages across the East Coast for several days. Although the pipeline’s OT was compromised only indirectly, the attackers forced the company to pay a ransom of 75 bitcoin ($4.4 million at the time) before control of operations could be restored.
- Oldsmar Water Plant Hack (2021): In the same year, in Florida (US), a hacker remotely attempted to poison a city’s water supply by manipulating chemical levels, raising the dosing of sodium hydroxide (lye) to heightened levels. Fortunately, the change was caught and reversed in time, before anyone could be harmed.
These incidents mark a shift in tactics – from data theft to disruption of essential services. Unlike IT systems, OT environments can’t afford downtime. Any breach may incur not only a loss of data integrity but a direct threat to lives, public safety, and national infrastructure. OT systems also tend to run on legacy equipment, often lacking patch management, and use proprietary protocols not designed with agile cybersecurity in mind.
As smart cities, energy grids, and transportation systems become more interconnected, attack surfaces expand, and supply chain vulnerabilities multiply.
Regulation Leads the Response
Addressing the rising threat to OT requires a careful coordination of actions at the regulatory, national government, local government, and individual organisational levels. Stronger regulations now focus on varying aspects of integrated cybersecurity, from risk assessment to standardisation of infrastructure control mechanisms and digital health checks.
- The UAE’s National Cybersecurity Strategy and Saudi Arabia’s National Cybersecurity Authority are driving investment in OT risk assessments and sector-specific controls.
- Looking westwards, the EU’s NIS2 Directive and US CISA guidelines include specific OT-focused policies for critical infrastructure operators.
- Standards like IEC 62443 and NIST SP 800-82 are quickly becoming the benchmark for securing industrial control systems.
OT Cybersecurity: The Middle East Context
With the Middle East investing heavily in mega projects, smart city infrastructure, and digital government services, the region is increasingly exposed to cyber-physical risks.
Initiatives like Dubai’s Cyber Security Strategy, NEOM’s integrated security-by-design approach, and ADNOC’s widening cybersecurity partnerships with the likes of Microsoft, G42 and others are setting the tone of collaboration between major infrastructure operators, government institutions and more agile cybersecurity tech players. However, even if new smart city infrastructure is being designed with OT security in mind, many sectors (particularly water, energy, and manufacturing) still face challenges in securing legacy OT systems.
While approaches must vary to accommodate sector-specific circumstances, industry-leading cybersecurity advisors now advocate for a multilayered approach to achieving OT resilience, involving:
- Detection: Maintain real-time monitoring and anomaly detection to flag unusual behaviour.
- Threat limitation: Use Zero Trust architecture, even within industrial environments.
- Segmentation: Separate OT and IT networks to prevent lateral movement of threats.
- Preparation: Engage in comprehensive incident response planning and tabletop exercises tailored to OT scenarios.
- Verification: Leverage vendor risk assessments from outside your organisation to provide an unfiltered overview of OT security across your operations and overall supply chain.
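To make the detection and segmentation layers above concrete, here is an added example (not code from the original article or from any of the organisations it names) that checks a constructed log of HMI setpoint writes against three rules: the writing host must be inside the OT zone, the value must stay within engineer-defined safe bounds, and no single write may jump more than a set multiple of the previous value. The tag name, bounds, host addresses and sample values are all hypothetical placeholders; a real deployment would take them from the plant’s own configuration.

```python
"""Anomaly checks for setpoint writes to an OT controller (constructed example)."""
from dataclasses import dataclass

# Hypothetical safe operating bounds per tag; a plant engineer would supply real ones.
SAFE_BOUNDS = {"NaOH_dose_ppm": (50.0, 200.0)}
# Hosts permitted to write setpoints: only the engineering workstation in the OT zone.
ALLOWED_WRITERS = {"10.10.5.20"}
# Flag any write that is more than MAX_REL_JUMP times the previous value for that tag.
MAX_REL_JUMP = 2.0


@dataclass
class Alert:
    ts: str
    tag: str
    reason: str


def analyse_writes(events):
    """events: list of dicts with ts, src, tag, value. Returns the list of Alerts raised."""
    alerts = []
    last_value = {}
    for ev in events:
        ts, src, tag, val = ev["ts"], ev["src"], ev["tag"], ev["value"]
        # Segmentation rule: a write from outside the OT zone is suspicious on its own.
        if src not in ALLOWED_WRITERS:
            alerts.append(Alert(ts, tag, f"write from non-OT host {src}"))
        # Safe-range rule: value outside engineer-defined bounds.
        lo, hi = SAFE_BOUNDS.get(tag, (float("-inf"), float("inf")))
        if not lo <= val <= hi:
            alerts.append(Alert(ts, tag, f"value {val} outside safe range {lo}-{hi}"))
        # Rate-of-change rule: sudden large jump relative to the previous write.
        prev = last_value.get(tag)
        if prev and val / prev > MAX_REL_JUMP:
            alerts.append(Alert(ts, tag, f"jump from {prev} to {val}"))
        last_value[tag] = val
    return alerts


# Constructed sample events resembling HMI setpoint writes; not real plant data.
SAMPLE_EVENTS = [
    {"ts": "09:00:01", "src": "10.10.5.20", "tag": "NaOH_dose_ppm", "value": 100.0},
    {"ts": "09:05:12", "src": "10.10.5.20", "tag": "NaOH_dose_ppm", "value": 110.0},
    {"ts": "13:02:44", "src": "192.168.1.77", "tag": "NaOH_dose_ppm", "value": 5000.0},
]

if __name__ == "__main__":
    for alert in analyse_writes(SAMPLE_EVENTS):
        print(alert)
```

The first two writes pass silently; the third trips all three rules, which is the kind of layered signal an OT monitoring team would want before a dosing change reaches the process.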
A Fundamental Rethinking of Cybersecurity
As attacks on critical infrastructure grow in scale and sophistication, OT cybersecurity is no longer optional – it's foundational. For Middle East businesses and governments, protecting operational environments is not just about resilience; it's about maintaining public trust, ensuring regulatory compliance, and defending national interests.