Cybersecurity has become crucial for the continuity of businesses and services that the government and critical national infrastructure are providing for their community, said an executive from the Dubai Electronic Security Center (DESC), on Monday.
An increase in the rate of cybercrime was noticed globally, targeting new sectors that were never expected, such as attacks targeting research centers and vaccine manufacturers, said Dr. Bushra Al Blooshi, head of research and innovation at DESC, in her opening keynote at the second edition of the World Cyber Security Summit for the MENA region.
She highlighted the importance of having a proper cyber resilience plan and strategy across countries to guarantee the continuity of services, businesses and economies. Cyber resilience is a ‘purely business driven plan and the strategy to guarantee the resilience of the core services of the country, regardless of the attacks and the disruptions that might impact those services,’ she added.
She also identified the need for proactive measures, and maintenance of cyber resilience across different critical national infrastructure sectors. Proper crisis management, such as table top exercises, is also important in the operational plan, Al Blooshi said.
The DESC is responsible for cybersecurity for over 100 government and semi-government entities. Critical information infrastructure is made up of physical and virtual information that support the sustainability of the critical functions and services within a city. The disruption of those services would have a huge impact on society and economy, she added.
Ahead of developing its own cyber resilience strategy, Dubai benchmarked its own with the U.S. and U.K., E.U., Singapore and Australia standards, Al Blooshi said. Based on that it came up with its own model and their strategy for the city of Dubai, using a top-down approach that included identifying the critical sectors, finding the critical services in each sector, and then choosing an appropriate protection plan for the critical information infrastructure.
Dubai has identified 11 critical infrastructure sectors — ICT, transportation, oil and gas, health, finance and banking, emergency services, electricity and water, government, industry, real estate and tourism, according to Al Blooshi. While real estate and tourism sectors were not identified as critical infrastructure in the benchmark countries, they are important sectors for the city of Dubai, she added.
After identifying the critical infrastructure sectors, services supporting those sectors, systems supporting those services, the DESC went about identifying the interdependencies, Al Blooshi said.
Following the identification of the security gaps in the interdependent services and sectors, DESC picked an operational plan for working together to close the gaps. The operational plan will include the sector profile, main services, interdependencies, and sectoral risks and gaps.
The identification of the critical national infrastructure has also been a core element with all activities and initiatives at DESC, Al Blooshi said.
In November last year, the UAE Cabinet agreed to establish the UAE Cybersecurity Council with the aim of developing a comprehensive cybersecurity strategy and creating a safe and strong cyber infrastructure in the UAE.
Chaired by the head of cybersecurity for the UAE government, the council will contribute to creating a legal and regulatory framework that covers all types of cybercrimes, securing existing and emerging technologies and establishing a robust ‘National Cyber Incident Response Plan’ that brings about swift and coordinated response to cyber incidents in the country.
Commenting on the recent Oldsmar water plant hack, Al Blooshi explained that in Dubai, DESC issued its industrial control systems (ICS) security standard, specific for the ICS/ OT security, in order to guarantee that the ICS infrastructure is secure enough. “It is resilient and it can operate as the community is predicting it to operate.”
She sees the automation of the controls in the ICS standards as the next step, and the agency will do an audit after a certain time frame and make sure that they are compliant with the controls. “So it is not about the standard at the end of the day, it is about the implementation and controls that we are having in place,” she added.
The Middle East has had its fair share of ICS attacks. In a 2019 report on the ICS landscape and threat activity groups, industrial cybersecurity company Dragos identified Magnallium wiper malware targeting electric utilities between July and August 2019, coinciding with heightened tensions in the Middle East.
Dragos also discovered Killgrave malware associated with operations against the oil and gas industry in the UAE in July 2019, with links to the Magnallium activity group. Additionally, in December, IBM released public details on a wiper called ZeroCleare targeting unspecified industrial and energy environments in the Middle East.