Muhammad Faisal Naqvi

Senior Technical Engineer (Lead Cyber Security) at Qatar Aluminum, Qatar

Critical Infrastructure Security & Compliance

Session Title | Challenges to OT Security

The evolving and expanding nature of cyber threats: what will threats look like in the future?
The future of connected OT (with Industry 4.0 in mind) and the threats of the future.
Icebreaker: 5G as a tool to hack. One may think that a factory is physically secured so tightly that no external entity can attack its internal air-gapped wireless network. But landing a drone on the factory roof is as if a Russian or Chinese hacker were sitting right on your roof, attacking that internal air-gapped wireless network. In future we might need radar to detect drones, another dimension of intrusion detection. It is hard to predict where offensive security will lead in preventing this kind of intrusion.
IIoT (Industrial Internet of Things): sensors and actuators that invite more threats into OT networks.
Consider smart cities, rail, roads, stadiums etc. controlled with IIoT, especially during sports events when the whole country is in the world's limelight, against the backdrop of recent (2021) news of OT cyber attacks on a pipeline operator in the USA, a nuclear facility in Iran and a power plant in India.
Regional political situations igniting threats from nation states and activists, as well as internal threats from disgruntled current and former employees due to the Covid-related economic situation.
RDDoS (Ransom Distributed Denial-of-Service) attacks: old-school ransomware is still on the rise, especially because of Bitcoin, but thanks to billions of cheap, poorly secured IoT devices, organizations have recently been receiving emails from threat actors such as Fancy Bear (APT28), Lazarus and Armada Collective demanding a ransom, or else their websites/systems will be DDoSed with attacks of up to 2 Tbps.
Threats from the cyber supply chain, such as the recent and widely reported SolarWinds incident.
Securing against threats targeting the remote workforce
The challenges of the process network, keeping the remote workforce in mind
Most OT networks should be air-gapped from the Internet or, if connectivity is required, connected through a data diode, i.e. unidirectional outbound communication only. Giving the remote workforce access to the OT environment is a great challenge, especially for vendor support. The following are some secure solutions for remote work and remote support that meet these challenges:
Jump servers
Digital helmet (with camera, mic, headphones etc.) for remotely guiding on-site staff
Temporary serial-to-Internet connector (with VPN, firewall etc.)
Remote configuration on an isolated replica of the production system in the IDMZ, followed by replication of the configuration from the replica to the production systems
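The architecture behind these options (air-gapped OT zone, data diode carrying one outbound feed, a jump server in the IDMZ as the only way in, MFA for the remote user) can be written down as an explicit flow policy and checked against the connections a vendor or an attacker might try. The code below is an added example, not material from the talk or from any real plant: the address plan, host roles, ports and the rule order are assumptions chosen to illustrate the text, and the replica-to-production replication path is left out.

```python
"""Zone-based flow policy for an OT / IDMZ / enterprise architecture.

Added example: zones, hosts and rules are constructed assumptions, not the
configuration of any real site.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: any address outside these zones is INTERNET.
ZONES = {
    "OT": ip_network("10.10.0.0/16"),          # process network
    "IDMZ": ip_network("10.20.0.0/24"),        # industrial DMZ
    "ENTERPRISE": ip_network("10.30.0.0/16"),  # corporate IT
}
VPN_GATEWAY = ip_address("10.20.0.5")         # where remote users terminate
JUMP_HOST = ip_address("10.20.0.10")          # the only host allowed into OT
HISTORIAN_REPLICA = ip_address("10.20.0.20")  # receives the diode's outbound feed
ENGINEERING_PORTS = {22, 3389}                # SSH/RDP to engineering workstations
DIODE_PORT = 443                              # historian feed, OT -> IDMZ only


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    mfa: bool = False  # True if the session was MFA-authenticated upstream


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason). Rules are checked top to bottom; default deny."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    sz, dz = zone_of(flow.src), zone_of(flow.dst)

    # 1. Nothing outside the IDMZ may talk to the OT zone directly.
    if dz == "OT" and sz != "IDMZ":
        return False, f"no direct {sz}->OT path"
    # 2. Into OT only from the jump host, on engineering ports, after MFA.
    if dz == "OT":
        if src == JUMP_HOST and flow.dport in ENGINEERING_PORTS and flow.mfa:
            return True, "jump host -> OT engineering access (MFA)"
        return False, "IDMZ->OT only via jump host with MFA"
    # 3. Out of OT: the data diode carries one feed to the historian replica.
    if sz == "OT":
        if dst == HISTORIAN_REPLICA and flow.dport == DIODE_PORT:
            return True, "diode: OT -> historian replica"
        return False, "OT egress limited to the diode feed"
    # 4. From the Internet only the VPN gateway is reachable.
    if sz == "INTERNET":
        if dst == VPN_GATEWAY and flow.dport == 443:
            return True, "remote user -> VPN gateway"
        return False, "Internet may only reach the VPN gateway"
    # 5. Enterprise or VPN-terminated users reach the jump host (MFA) or read the replica.
    if sz in ("ENTERPRISE", "IDMZ") and dz == "IDMZ":
        if dst == JUMP_HOST and flow.dport in ENGINEERING_PORTS and flow.mfa:
            return True, "user -> jump host (MFA)"
        if dst == HISTORIAN_REPLICA and flow.dport == DIODE_PORT:
            return True, "read historian replica"
    return False, "default deny"


# Constructed connection attempts: a vendor, a VPN session and an IT workstation.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.10.1.50", 3389),           # vendor straight into OT
    Flow("203.0.113.7", "10.20.0.5", 443),             # vendor to the VPN gateway
    Flow("10.20.0.5", "10.20.0.10", 3389, mfa=True),   # VPN session to jump host
    Flow("10.20.0.10", "10.10.1.50", 3389, mfa=True),  # jump host into OT (RDP)
    Flow("10.20.0.10", "10.10.1.50", 502, mfa=True),   # jump host to Modbus directly
    Flow("10.10.1.50", "10.20.0.20", 443),             # diode feed to the replica
    Flow("10.10.1.50", "203.0.113.7", 443),            # OT host calling out
    Flow("10.30.4.4", "10.10.1.50", 22),               # IT workstation into OT
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        allowed, why = evaluate(f)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {f.src:>13} -> {f.dst}:{f.dport:<5} {why}")
```

Running it shows the only permitted chain is vendor to VPN gateway, VPN session to jump host, jump host to an engineering port in OT; everything else, including the jump host talking Modbus to a PLC directly, is refused. Rule 1 is deliberately first: no later rule can open a path into OT from the enterprise or the Internet, so the air gap is enforced in code rather than by the absence of a rule.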
Staff working from home do not have as many physical and home-network security controls, so besides obvious solutions like virtual desktop solutions, MFA (Multi-Factor Authentication), VPN and Mobile Device Management (MDM), more focus on endpoint protection (HIPS), EDR (Endpoint Detection and Response), application whitelisting and user awareness is needed.
How the changing nature of cyber-crime and app and data accessibility create risk, and the essentials of application and data protection
The importance of network segregation and robust BCP and DRP.
The remote workforce has changed the security landscape totally, in the race to provide each and every service on mobile. This has increased the risks to application and data accessibility, as well as privacy-related compliance challenges such as GDPR.
But since cyber-crime is expanding its scope into OT/ICS environments, beyond the risk to data and applications we now face the risk of loss of human life (the priceless asset), plant damage, plant shutdown and production stoppage, and the impact can be much larger in the case of a cyber attack on critical infrastructure such as a power/utility company or oil and gas.
Laying the Foundations for Zero Trust
Segregation again, along with IAM, PAM etc.
A long journey while balancing availability requirements, especially in environments where people work in shifts with shared credentials on legacy systems.
Zero Trust with micro-segmentation, least privilege, MFA, IAM, user behavior analytics, machine learning, AI and encryption is the need of the day against threats like the recent supply chain cyber attack (SolarWinds), the challenges of remote work, insider threats from disgruntled current/former employees and contractors, and compromised service providers. More focus on Zero Trust is required in cloud environments.
Last but not least, Zero Trust is not just technology; it is about process and mindset as well.
Digital hygiene: Key to outrun cyber threats?
The challenges related to up-to-date infrastructure/services and an efficient SNOC.
There is no silver-bullet solution that fits all, but the one aspect that pays back the most in the majority of cases is visibility:
Visibility of all your information/IT assets and their importance/classification
Visibility and clarity of all of your crown jewels
Visibility of all the vulnerabilities of your assets
Visibility and intelligence of threats to your organization, similar organizations, your industry and your country
Visibility of your competencies and capabilities
Visibility of traffic, user behavior, machine routine and peak statistics
Visibility of deviations from routine (the number of routine attacks/traffic versus an abnormally increased number of attacks/traffic)
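The last two points, routine statistics and deviations from them, are what a SOC actually computes: a per-hour baseline of some event count and a rule that flags an hour whose count is abnormally high. The code below is an added example, not from the talk: it parses constructed firewall DENY lines, counts them per hour of day, and compares each hour against a constructed history of counts for that same hour using median plus three times the median absolute deviation (a robust threshold chosen here as an assumption; a real SNOC would tune it). The log lines, the baseline figures and the field layout of the lines are all made up for the example.

```python
"""Deviation from routine: hourly DENY counts against a per-hour baseline.

Added example; log lines, baseline history and the median + 3*MAD rule are
constructed assumptions, not data or tooling from the talk.
"""
from __future__ import annotations

import re
import statistics
from collections import Counter
from datetime import datetime

# Assumed line format: "<ISO-8601 UTC> <host> fw: DENY <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+ fw: DENY "
    r"(?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed log for one morning: hour 08 is routine noise from the
# enterprise side; in hour 09 one Internet host probes the IDMZ jump host.
SAMPLE_LOG = """\
2021-05-03T08:05:11Z fw01 fw: DENY TCP 10.30.4.4:51022 -> 10.10.1.50:22
2021-05-03T08:21:40Z fw01 fw: DENY UDP 10.30.7.9:137 -> 10.20.0.20:137
2021-05-03T08:47:03Z fw01 fw: DENY TCP 10.30.4.4:51030 -> 10.10.1.50:3389
2021-05-03T09:00:12Z fw01 fw: DENY TCP 203.0.113.7:40001 -> 10.20.0.10:22
2021-05-03T09:00:13Z fw01 fw: DENY TCP 203.0.113.7:40002 -> 10.20.0.10:23
2021-05-03T09:00:13Z fw01 fw: DENY TCP 203.0.113.7:40003 -> 10.20.0.10:80
2021-05-03T09:00:14Z fw01 fw: DENY TCP 203.0.113.7:40004 -> 10.20.0.10:445
2021-05-03T09:00:15Z fw01 fw: DENY TCP 203.0.113.7:40005 -> 10.20.0.10:3389
2021-05-03T09:00:15Z fw01 fw: DENY TCP 203.0.113.7:40006 -> 10.20.0.10:5900
2021-05-03T09:00:16Z fw01 fw: DENY TCP 203.0.113.7:40007 -> 10.20.0.10:8080
2021-05-03T09:00:17Z fw01 fw: DENY TCP 203.0.113.7:40008 -> 10.20.0.10:102
2021-05-03T09:31:58Z fw01 fw: DENY TCP 10.30.4.4:51044 -> 10.10.1.50:502
"""

# Constructed baseline: DENY counts for the same hour over the previous 14 days.
BASELINE = {
    8: [3, 2, 4, 3, 3, 2, 3, 4, 3, 3, 2, 3, 4, 3],
    9: [4, 5, 3, 6, 4, 5, 4, 7, 5, 4, 6, 5, 4, 5],
}


def parse(lines):
    """Yield (hour_of_day, src, dst, dport) for every line that matches; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hour = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
        yield hour, m["src"], m["dst"], int(m["dport"])


def hourly_counts(lines) -> dict[int, int]:
    return dict(Counter(hour for hour, *_ in parse(lines)))


def robust_threshold(history, k: float = 3.0) -> float:
    """median + k * MAD, with the MAD floored at 1 so a flat history still has slack."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    return med + k * max(mad, 1.0)


def flag_deviations(counts: dict[int, int], baseline, k: float = 3.0):
    """Return [(hour, observed, threshold)] for hours above their own baseline."""
    return [
        (hour, n, robust_threshold(baseline[hour], k))
        for hour, n in sorted(counts.items())
        if hour in baseline and n > robust_threshold(baseline[hour], k)
    ]


def top_sources(lines, hour: int, n: int = 3):
    """Who generated the DENYs in the flagged hour: the first triage question."""
    return Counter(src for h, src, *_ in parse(lines) if h == hour).most_common(n)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hour, observed, thr in flag_deviations(hourly_counts(lines), BASELINE):
        print(f"hour {hour:02d}: {observed} DENYs, threshold {thr:.1f}")
        print("  top sources:", top_sources(lines, hour))
```

Hour 08 (3 denies against a baseline median of 3) is routine; hour 09 (9 denies against median 5, MAD 1, threshold 8) is flagged, and the source breakdown immediately shows one external address behind eight of the nine events. Using median and MAD rather than mean and standard deviation keeps one earlier incident in the history from inflating the threshold and hiding the next one.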

Faisal, with over two decades of experience, has implemented, managed and audited OT/ICS security and Governance, Risk & Compliance (GRC) for a number of organizations, including blue-chip and Fortune 500 companies.

He is the author of government regulations, standards, policies and procedures on information security and IS audit for certification authorities. He has discovered many zero-day vulnerabilities, including in Microsoft Windows Server 2012 and 2008 and Windows 8 and 7, for which Microsoft issued an important patch while acknowledging and thanking him. His article on this subject has also been published in the ISACA Journal.

He has held various positions including Manager, IT Risk & Assurance at Ernst & Young (one of the Big Four); Senior Consultant, Information Security at NetSol Technologies Inc.; and Research Consultant at the E-Certification Accreditation Council, Ministry of IT & Telecom, Government of IRP (Islamic Republic of Pakistan).

He has delivered numerous large-scale SOC and cyber security implementation and auditing projects for enterprise-wide information systems, including all leading ERPs and cloud environments, against standards such as PCI-DSS, ISO 27000, COBIT, NIST, ISO 20000 (ITIL), SOX and BS 25999, internationally.

Besides a gold medal in MS (IT) E-Commerce, Faisal holds many of the industry's leading certifications, such as CISSP, CISA, CRISC, ISO 27001 LA, AMBCI and ITIL. He is a regular speaker on cyber security and audit at prominent conferences, seminars and workshops.

He has also given many conference presentations. Here are some of them:

Information Security Strategy from Big Picture to grass root, New York University
IoT – Rise of new Zombies Army, CISO Middle East, 9th Annual Conference
Recent Payment Card Industry (PCI) Hacks: Techniques Used and Possible Defenses, PCI Dubai, AKJ Associates, UK
Integrating Multiple IT & Security Standards (ISO27000, PCI-DSS, SAS70 & ISO20000) for Auditee & Auditor, e-Crime Congress Dubai, AKJ Associates, UK
CISSP’s Domain of Cryptography, National Institute of Mgmt & Information Security (NIMIS)
CISSP’s Domain of App. Security, National Institute of Mgmt & Information Security (NIMIS)
Online Security, Threats & Countermeasures, NetSol Technologies Inc.
Role of Certification Authority, Bahria University
ISO27000 Information Security Management System (ISMS) Introduction, NetSol Technologies Inc.
Info Security Challenges & Opportunities, National Response Center for Cyber Crimes (NR3C), Federal Investigation Agency (FIA)
Information Security for E-Commerce, Bahria University
Response to Criticism on E-Crime Law, Ministry of IT & Telecom