The Attack That Targeted Physical Destruction
In 2017, a cyberattack hit a petrochemical facility in Saudi Arabia. Not the corporate network. Not the email server. The Safety Instrumented System — the engineered last line of defence designed to prevent explosions, chemical releases, and loss of life when process conditions exceed safe operating limits.
The malware was called Triton. Also known as TRISIS. It was purpose-built to compromise Schneider Electric’s Triconex safety controllers — systems installed in facilities precisely because they are supposed to be the failsafe when everything else goes wrong. The intent of the attack was not data theft. It was not ransomware. It was physical destruction of the facility and harm to the people working in it.
The only reason it did not succeed was a coding error in the malware that triggered a plant shutdown before the payload fully deployed. The attackers were sophisticated enough to develop malware targeting a specific safety controller platform. They made a programming mistake that triggered an emergency shutdown — which alerted the facility’s security team to the intrusion.
That was 2017. The capability that failed in 2017 has had eight years to improve.
This Is Not an Isolated Event
In 2021, an attacker gained access to the SCADA system of a water treatment plant in Oldsmar, Florida, and attempted to increase sodium hydroxide levels to 100 times the safe concentration. The attack was spotted by an operator watching his screen in real time. There was no automated alert. No intrusion detection system. No OT network monitoring. Just a human who happened to be looking at the HMI at the right moment.
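The automated alert that was missing at Oldsmar, as an added example that is not code from the original article or from any vendor product: it reads HMI setpoint-write records and raises an alert when a write lands outside engineering limits, jumps by an abnormal factor, or comes from a session other than the trusted operator console. The log lines, tag name, limits and session names are constructed for illustration.

```python
import re
from collections import namedtuple

SetpointWrite = namedtuple("SetpointWrite", "ts source tag old new")

# Constructed sample HMI write log: timestamp, session, tag, old value, new value.
SAMPLE_LOG = """\
2021-02-05T13:01:10 op_console NaOH_DOSE_SP 100 100
2021-02-05T13:05:42 op_console NaOH_DOSE_SP 100 110
2021-02-05T13:31:07 remote_support NaOH_DOSE_SP 110 10000
2021-02-05T13:32:00 op_console NaOH_DOSE_SP 10000 100
"""

# Assumed engineering limits (ppm) and session policy; a real site takes these
# from its process safety documentation and its remote-access procedure.
SAFE_RANGE = {"NaOH_DOSE_SP": (50.0, 500.0)}
MAX_STEP_RATIO = 2.0            # a single write that scales the value >2x is abnormal
TRUSTED_SESSIONS = {"op_console"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(-?[\d.]+)\s+(-?[\d.]+)$")

def parse_write(line: str) -> SetpointWrite:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable write record: {line!r}")
    ts, src, tag, old, new = m.groups()
    return SetpointWrite(ts, src, tag, float(old), float(new))

def check_write(w: SetpointWrite) -> list[str]:
    """Policy violations raised by one setpoint write; empty list means clean."""
    reasons = []
    lo, hi = SAFE_RANGE.get(w.tag, (float("-inf"), float("inf")))
    if not lo <= w.new <= hi:
        reasons.append("OUT_OF_SAFE_RANGE")
    if w.old > 0 and w.new > 0 and max(w.new / w.old, w.old / w.new) > MAX_STEP_RATIO:
        reasons.append("LARGE_STEP")          # flags both the excursion and its reversal
    if w.source not in TRUSTED_SESSIONS:
        reasons.append("UNTRUSTED_SESSION")
    return reasons

def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Run every record through check_write and return only the ones that alert."""
    writes = [parse_write(l) for l in text.splitlines() if l.strip()]
    return [(w.ts, w.tag, check_write(w)) for w in writes if check_write(w)]

if __name__ == "__main__":
    for ts, tag, hits in scan_log(SAMPLE_LOG):
        print(f"ALERT {ts} {tag}: {', '.join(hits)}")
```

In a real deployment the records would come from the historian or the HMI audit trail, and the alert would go to the OT monitoring console rather than stdout.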
In 2015 and 2016, coordinated cyberattacks on Ukraine’s power grid caused blackouts affecting hundreds of thousands of people. The attackers did not target the utility’s IT network primarily. They targeted the operational technology systems that control circuit breakers and distribution substations — the systems that physically switch power on and off across the grid.
These are not IT security problems that the IT department should have caught and prevented. They are attacks on the Operational Technology systems that control physical processes — and they are successful precisely because OT environments are almost never designed with cybersecurity as a requirement.
The Design Gap That Creates the Vulnerability
Most infrastructure facilities being designed, built, and commissioned today have the following in common: the engineering team designed the SCADA architecture. The controls integrator programmed the PLCs and DCS. The facility was commissioned and handed over. And at no point in that process did anyone assess whether the OT network is properly segmented from the corporate IT network, whether the HMI workstations are running patched operating systems, whether the remote access paths used by the controls vendor for ongoing support are secured against unauthorized access.
This is not a technology gap. The technologies for OT network segmentation, OT-appropriate access control, and OT network monitoring exist and are proven. It is a design gap. OT cybersecurity requirements are not included in project scope because they are not understood as engineering design requirements — they are perceived, incorrectly, as an IT operational concern that someone else will handle after commissioning.
Why the Middle East Is a High-Priority Target
The combination of factors that makes the Middle East a high-value target environment for OT-focused threat actors is well documented in the threat intelligence community. Concentration of critical infrastructure — energy, water, petrochemical, transport — in a geopolitically significant region. Rapid digitalization and connectivity of operational systems that were previously air-gapped. A geopolitical environment that motivates state-sponsored threat actors with the capability and patience to conduct sophisticated OT attacks.
Triton targeted a Saudi facility. The most capable OT malware ever publicly analysed was built specifically to attack infrastructure in this region. That is not a coincidence, and it is not a threat that has diminished since 2017.
What Infrastructure Engineers Need to Do Now
OT cybersecurity should be on every infrastructure project’s risk register, from early design through commissioning and into operations. Not as a future consideration. Now. Specifically, this means including OT security requirements in the project scope at the design stage, engaging OT security specialists to review the control system architecture before it is locked, and ensuring that commissioning procedures include OT security validation alongside process safety validation.
The frameworks exist. IEC 62443 provides the international standard for industrial control system security. In Saudi Arabia, the NCA’s Operational Technology Cybersecurity Controls (OTCC) establish the regulatory baseline that critical infrastructure operators are expected to meet. Understanding and designing to these frameworks is a professional responsibility for anyone delivering infrastructure in this region.
Concept Dash’s OT cybersecurity team — working through our partnership with a NACSA-licensed cybersecurity firm — provides OT gap assessments and security design services for infrastructure projects in Saudi Arabia and the GCC. The cost of an assessment at design stage is a fraction of the cost of a compliance finding, a breach, or a physical safety incident after commissioning.