Tag: IEC 62443

  • What an OT Security Assessment Actually Involves: A Practical Guide for Infrastructure Projects

    Making OT Cybersecurity Practical

    Over the past weeks I have made the case that OT cybersecurity is an engineering design problem, not an IT department problem. This article makes that case practical: what does an OT security assessment actually involve, what does it produce, and what does it mean for the way a project is designed and delivered?

    What an OT Security Assessment Is

    An OT security assessment is a structured evaluation of the cybersecurity posture of an operational technology environment. It covers the systems that control physical processes — PLCs (Programmable Logic Controllers), SCADA systems (Supervisory Control and Data Acquisition), DCS (Distributed Control Systems), SIS (Safety Instrumented Systems), HMI workstations (Human Machine Interfaces), and the network infrastructure that connects them.

    For infrastructure projects, the most relevant international framework is IEC 62443 — the international standard for industrial automation and control systems security. In Saudi Arabia, the NCA’s Operational Technology Cybersecurity Controls (OTCC) establish the regulatory baseline. These two frameworks overlap significantly and together define what good OT security looks like in this region and market.

    Scope of a Comprehensive OT Assessment

    Asset inventory and identification is the starting point. This sounds simple; it rarely is. Most operational facilities do not have an accurate, current inventory of their OT assets — what controllers they have, what software versions they run, how they are connected, who has access to them. Building that inventory is a prerequisite for everything else. Without it, you cannot assess vulnerability, cannot prioritize mitigation, and cannot demonstrate compliance.

    Network architecture review examines how the OT network is structured and how it relates to the corporate IT network and external connectivity. The fundamental principle of OT network security is segmentation — the OT network should be separated from the IT network by a defined boundary (typically a demilitarized zone) that controls and monitors the flow of information between them. Many operational facilities, particularly those built before OT cybersecurity became a serious design consideration, have flat network architectures where IT and OT systems are on the same network segment. This is the condition that made the Triton attack possible: the attackers could reach the safety controllers from the corporate network because the segmentation boundary did not exist.

    Vulnerability assessment identifies specific known vulnerabilities in the OT assets identified in the inventory. OT systems run specialized software, including real-time operating systems, controller firmware, and HMI applications that often run on versions of Windows that are no longer supported by Microsoft — because the OT vendor’s engineering software has not been updated to run on current Windows versions and the vendor’s update schedule is not aligned with Microsoft’s. This creates a patching problem that is fundamentally different from IT security: in IT, the answer to an unpatched operating system is to update it; in OT, the update may break the process control application, and the update cycle is measured in years, not months.

    Access control review examines who has access to OT systems and how that access is managed. Remote access — used by controls vendors for monitoring and support — is one of the most significant and most under-controlled access paths in OT environments. Many OT systems have remote access channels installed by vendors during commissioning that remain active, unmonitored, and without multi-factor authentication for the life of the system.

    Incident response assessment covers the organization’s capability to detect, respond to, and recover from OT security incidents. In most OT environments, this capability is underdeveloped or absent. There is no OT-specific incident response procedure. There is no OT network monitoring that would alert operations staff to anomalous activity. The water treatment attack in Oldsmar, Florida, succeeded in reaching the SCADA system because there was no monitoring that would have detected the intrusion — it was caught by a human who happened to be watching.

    Assessment Output and Project Integration

    A properly scoped OT security assessment produces a risk-ranked findings report, a gap analysis against the applicable framework (IEC 62443 and/or NCA OTCC), and a remediation roadmap that prioritizes findings by risk level and provides specific technical and procedural recommendations for each.
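    As an added illustration (not the article's or Concept Dash's own tooling), the following Python script runs the scope checks described above over a small constructed inventory and emits the two outputs named here: a risk-ranked findings list and a gap count per area. The mapping of findings to IEC 62443-3-3 foundational requirements (FR1, FR3, FR5, FR6) is the example's own simplification, and all asset identifiers, segments and versions are invented.

```python
# Rule-based triage of a constructed OT asset inventory: produces the
# risk-ranked findings and per-area gap counts the article describes.  The
# IEC 62443-3-3 foundational-requirement tags (FR1, FR3, FR5, FR6) are this
# example's own simplified mapping, not text from the standard.
SEVERITY = {"critical": 4, "high": 3, "medium": 2}
OT_TYPES = {"PLC", "SCADA", "DCS", "SIS", "HMI"}
EOL_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}  # no vendor patches

# Constructed sample inventory; identifiers, segments and versions are invented.
INVENTORY = [
    {"id": "SIS-01", "type": "SIS", "segment": "plant-lan", "firmware": "10.4",
     "remote_access": True, "mfa": False, "monitored": False},
    {"id": "PLC-12", "type": "PLC", "segment": "plant-lan", "firmware": None,
     "monitored": False},
    {"id": "HMI-03", "type": "HMI", "segment": "plant-lan", "os": "Windows 7",
     "remote_access": True, "mfa": True, "monitored": False},
    {"id": "MAIL-01", "type": "IT", "segment": "plant-lan"},
    {"id": "DCS-A", "type": "DCS", "segment": "process-zone", "firmware": "3.2",
     "monitored": True},
]


def assess(inventory):
    """Return (severity, FR, asset id, description) tuples, highest risk first."""
    it_segments = {a["segment"] for a in inventory if a["type"] == "IT"}
    findings = []
    for a in inventory:
        if a["type"] not in OT_TYPES:
            continue
        if a["segment"] in it_segments:  # flat network, no IT/OT boundary
            findings.append(("critical", "FR5", a["id"], "OT asset shares a segment with IT"))
        if a.get("remote_access") and not a.get("mfa"):
            sev = "critical" if a["type"] == "SIS" else "high"
            findings.append((sev, "FR1", a["id"], "vendor remote access without MFA"))
        if a.get("os") in EOL_OS:
            findings.append(("high", "FR3", a["id"], f"unsupported OS {a['os']}"))
        if not a.get("monitored"):
            findings.append(("medium", "FR6", a["id"], "no OT network monitoring"))
        if a["type"] != "HMI" and a.get("firmware") is None:  # inventory gap
            findings.append(("medium", "FR3", a["id"], "firmware version unknown"))
    return sorted(findings, key=lambda f: SEVERITY[f[0]], reverse=True)


def gap_summary(findings):
    """Count findings per foundational requirement for the gap analysis."""
    gaps = {}
    for _, fr, _, _ in findings:
        gaps[fr] = gaps.get(fr, 0) + 1
    return gaps
```

    Running `assess(INVENTORY)` places the three flat-network findings and the SIS remote-access finding at the top of the list, while the properly segmented and monitored DCS produces no findings at all.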

    For projects in design or construction, the assessment findings translate directly into design specifications. Network segmentation requirements become network architecture drawings. Access control requirements become commissioning standards. Monitoring requirements become scope items for the control system integrator.

    This is where the design stage timing matters most. Incorporating OT security requirements into the design scope costs a fraction of retrofitting them after commissioning. A network segmentation architecture specified at 30% design becomes a standard part of the control system procurement. The same requirement identified after a system has been commissioned requires physical network modifications, software reconfiguration, and often a controls vendor engagement that costs 10-20 times what the original specification would have cost.

    Concept Dash’s OT cybersecurity team offers complimentary gap assessments for infrastructure operators in Saudi Arabia. If your facility or program has not addressed OT security in the design scope, reach out before the design is committed — not after.

  • The Blind Spot in Infrastructure Delivery: OT Cybersecurity and the Triton Attack

    The Attack That Targeted Physical Destruction

    In 2017, a cyberattack hit a petrochemical facility in Saudi Arabia. Not the corporate network. Not the email server. The Safety Instrumented System — the engineered last line of defence designed to prevent explosions, chemical releases, and loss of life when process conditions exceed safe operating limits.

    The malware was called Triton. Also known as TRISIS. It was purpose-built to compromise Schneider Electric’s Triconex safety controllers — systems installed in facilities precisely because they are supposed to be the failsafe when everything else goes wrong. The intent of the attack was not data theft. It was not ransomware. It was physical destruction of the facility and harm to the people working in it.

    The only reason it did not succeed was a coding error in the malware that triggered a plant shutdown before the payload fully deployed. The attackers were sophisticated enough to develop malware targeting a specific safety controller platform. They made a programming mistake that triggered an emergency shutdown — which alerted the facility’s security team to the intrusion.

    That was 2017. The capability that failed in 2017 has had eight years to improve.

    This Is Not an Isolated Event

    In 2021, an attacker gained access to the SCADA system of a water treatment plant in Oldsmar, Florida, and attempted to increase sodium hydroxide levels to 100 times the safe concentration. The attack was spotted by an operator watching his screen in real time. There was no automated alert. No intrusion detection system. No OT network monitoring. Just a human who happened to be looking at the HMI at the right moment.

    In 2015 and 2016, coordinated cyberattacks on Ukraine’s power grid caused blackouts affecting hundreds of thousands of people. The attackers did not target the utility’s IT network primarily. They targeted the operational technology systems that control circuit breakers and distribution substations — the systems that physically switch power on and off across the grid.

    These are not IT security problems that the IT department should have caught and prevented. They are attacks on the Operational Technology systems that control physical processes — and they are successful precisely because OT environments are almost never designed with cybersecurity as a requirement.

    The Design Gap That Creates the Vulnerability

    Most infrastructure facilities being designed, built, and commissioned today have the following in common: the engineering team designed the SCADA architecture. The controls integrator programmed the PLCs and DCS. The facility was commissioned and handed over. And at no point in that process did anyone assess whether the OT network is properly segmented from the corporate IT network, whether the HMI workstations are running patched operating systems, whether the remote access paths used by the controls vendor for ongoing support are secured against unauthorized access.

    This is not a technology gap. The technologies for OT network segmentation, OT-appropriate access control, and OT network monitoring exist and are proven. It is a design gap. OT cybersecurity requirements are not included in project scope because they are not understood as engineering design requirements — they are perceived, incorrectly, as an IT operational concern that someone else will handle after commissioning.

    Why the Middle East Is a High-Priority Target

    The combination of factors that makes the Middle East a high-value target environment for OT-focused threat actors is well documented in the threat intelligence community. Concentration of critical infrastructure — energy, water, petrochemical, transport — in a geopolitically significant region. Rapid digitalization and connectivity of operational systems that were previously air-gapped. A geopolitical environment that motivates state-sponsored threat actors with the capability and patience to conduct sophisticated OT attacks.

    Triton targeted a Saudi facility. The most capable OT malware ever publicly analysed was built specifically to attack infrastructure in this region. That is not a coincidence, and it is not a threat that has diminished since 2017.

    What Infrastructure Engineers Need to Do Now

    OT cybersecurity should be on every infrastructure project’s risk register, from early design through commissioning and into operations. Not as a future consideration. Now. Specifically, this means including OT security requirements in the project scope at the design stage, engaging OT security specialists to review the control system architecture before it is locked, and ensuring that commissioning procedures include OT security validation alongside process safety validation.

    The frameworks exist. IEC 62443 provides the international standard for industrial control system security. In Saudi Arabia, the NCA’s Operational Technology Cybersecurity Controls (OTCC) establish the regulatory baseline that critical infrastructure operators are expected to meet. Understanding and designing to these frameworks is a professional responsibility for anyone delivering infrastructure in this region.

    Concept Dash’s OT cybersecurity team — working through our partnership with a NACSA-licensed cybersecurity firm — provides OT gap assessments and security design services for infrastructure projects in Saudi Arabia and the GCC. The cost of an assessment at design stage is a fraction of the cost of a compliance finding, a breach, or a physical safety incident after commissioning.