02/12/2024
By Dean Parsons, Principal Instructor & Michael Hoffman, Certified Instructor at SANS Institute
The Gulf region is home to some of the world's largest and most vital oil, gas, and energy infrastructures, so securing its industrial control systems (ICS) and operational technology (OT) environments has never been more critical. With cities like Dubai and neighbouring communities at the forefront of technological and infrastructural advancement, protecting these systems is key to maintaining economic stability and public safety. The Gulf's ICS/OT environments face distinct cybersecurity challenges that call for specialized tools, tailored strategies, and dedicated training paths.
Copying & Pasting “What Works in IT” Can Disrupt ICS
Copying and pasting traditional IT security controls into ICS/OT environments is not only ineffective but can be harmful. IT security workflows, tools, and processes designed for business systems can disrupt industrial operations, compromise safety, and even cause outages by interfering with critical engineering processes. Protecting ICS/OT systems requires dedicated solutions prioritizing safety and operational continuity.
When IT security controls are applied in ICS/OT environments, they can inadvertently cause operational disruptions, slowdowns, or unsafe conditions. Unlike IT systems, whose priority is typically data confidentiality, ICS/OT systems manage real-time physical processes where availability, reliability, and safety are paramount. Tools like traditional endpoint protection agents or automated patching, which are routine in IT environments, can introduce latency, unpredictability, and unintended downtime on controllers and engineering hosts that were never designed or tested for them. In fact, these controls can sometimes pose a greater risk to the process than the malware they aim to defend against.
This is why ICS-specific security solutions are crucial. These solutions are designed to safeguard systems while ensuring safety and uptime. They prioritize operational needs, ensuring that security measures don’t impede performance. The primary goal is to enhance safety—protecting both people and critical processes—without sacrificing the reliability of essential infrastructure. SANS has recently released the Five ICS Cybersecurity Critical Controls. This is an excellent place to start on the path to embracing ICS-specific training or even to reinforce concepts covered in one of the SANS ICS classes. The whitepaper sets forth the five most relevant and effective critical controls for an ICS/OT cybersecurity strategy, namely:
1. ICS/OT Specific Incident Response Plan
2. Defensible Architecture
3. OT Network Monitoring
4. Secure Remote Access
5. Risk-Based Vulnerability Management
These ICS-specific controls can be woven into an organization's risk model and used as a control implementation strategy; the numbering suggests the order in which to start, although the controls can be worked in parallel. To implement them effectively, well-trained teams with an understanding of both IT and ICS/OT risks must ensure that security is applied in a way that preserves the core mission: the safe and reliable operation of critical infrastructure.
Defending Against Modern ICS Attacks - Living Off the Land
Modern attacks demand not just ICS-specific technology but defenders trained to use it. Traditional cybersecurity tools are often inadequate for countering modern threats like "Living Off the Land" (LOTL) attacks, where attackers leverage built-in tools, native protocol capabilities, and default or harvested credentials to blend into the environment. ICS/OT environments are particularly exposed to these tactics because attackers exploit trusted connections (engineering workstations, vendor remote access, historian links) and insecure-by-design ICS/OT protocols, and take advantage of unmonitored hosts and network segments. Because the individual actions are ones a legitimate engineer could take, detecting LOTL activity in the ICS/OT environment calls for purpose-built tools and detection use cases that compare observed behaviour against an engineered baseline, all managed, maintained, and monitored by trained staff.
Effective defense against these modern threats requires a human-driven approach, where ICS defenders—armed with tailored security strategies and ICS-specific tools—can recognize and respond to the subtle, context-specific signs of an attack. These teams must be trained to understand the unique vulnerabilities and operational dynamics of ICS/OT systems, ensuring they can detect and mitigate attacks without compromising safety or performance.
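As an added illustration of the kind of ICS-specific detection use case described above (this is example code written for this page, not SANS tooling or anything from the authors), the script below applies a baseline to constructed OT flow records. Everything in it is assumed: the CSV field layout, the host addresses, the "engineered baseline" of which engineering workstation may write to which controller, and the jump host allowed to use RDP/SMB into the OT segment. The point is that each record on its own is legitimate protocol traffic; a LOTL intrusion only stands out when the who-to-what relationship breaks the baseline.

```python
"""Baseline-driven LOTL detection over constructed OT flow records (added example)."""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample, modelled loosely on what a passive OT monitoring sensor exports.
# Columns: ts, src, dst, proto, detail (semicolon-separated key=value pairs).
SAMPLE_LOG = """\
ts,src,dst,proto,detail
2024-11-02T01:10:03Z,10.20.1.10,10.20.5.21,modbus,fc=3
2024-11-02T01:10:05Z,10.20.1.10,10.20.5.21,modbus,fc=16
2024-11-02T01:12:44Z,10.20.1.44,10.20.5.21,modbus,fc=16
2024-11-02T01:13:01Z,10.20.1.44,10.20.5.22,rdp,user=eng_admin
2024-11-02T01:13:30Z,10.20.1.44,10.20.5.22,smb,share=ADMIN$
2024-11-02T01:15:00Z,10.20.1.12,10.20.5.22,s7comm,func=read
"""

# Assumed engineered baseline: controller -> set of hosts permitted to WRITE to it.
WRITE_BASELINE = {
    "10.20.5.21": {"10.20.1.10"},  # PLC-01: engineering workstation EWS-01 only
    "10.20.5.22": {"10.20.1.12"},  # PLC-02: engineering workstation EWS-02 only
}
# Assumed baseline of hosts allowed to use IT-style management protocols into OT.
MGMT_BASELINE = {"10.20.1.12"}
MGMT_PROTOCOLS = {"rdp", "smb", "ssh", "winrm"}

# Modbus function codes that change controller state (coils/registers).
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    rule: str


def parse_records(text: str) -> list[dict]:
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_detail(detail: str) -> dict:
    """Turn 'fc=16;unit=1' style detail fields into a dict."""
    out = {}
    for part in detail.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def is_modbus_write(rec: dict) -> bool:
    if rec["proto"] != "modbus":
        return False
    fc = parse_detail(rec["detail"]).get("fc", "")
    return fc.isdigit() and int(fc) in MODBUS_WRITE_FCS


def detect(records: list[dict]) -> list[Alert]:
    """Flag state-changing or management traffic whose source is outside the baseline."""
    alerts = []
    for rec in records:
        # A Modbus write is normal from the engineering workstation; from any other
        # host it is the classic LOTL signature (valid protocol, wrong origin).
        if is_modbus_write(rec) and rec["src"] not in WRITE_BASELINE.get(rec["dst"], set()):
            alerts.append(Alert(rec["ts"], rec["src"], rec["dst"],
                                "modbus-write-from-unbaselined-host"))
        # RDP/SMB into the OT segment is allowed only from the designated jump host.
        if rec["proto"] in MGMT_PROTOCOLS and rec["src"] not in MGMT_BASELINE:
            alerts.append(Alert(rec["ts"], rec["src"], rec["dst"],
                                f"{rec['proto']}-from-unbaselined-host"))
    return alerts


def summarize_by_source(alerts: list[Alert]) -> dict:
    """Count alerts per source host so the analyst sees the pivot point, not six lines."""
    return dict(Counter(a.src for a in alerts))


if __name__ == "__main__":
    found = detect(parse_records(SAMPLE_LOG))
    for a in found:
        print(f"{a.ts} {a.src} -> {a.dst}: {a.rule}")
    print("per-source:", summarize_by_source(found))
```

In the constructed sample, the host 10.20.1.44 is the only one that trips the rules: a Modbus write to PLC-01, then RDP and an ADMIN$ share connection to the segment. None of those packets is malformed, which is exactly why signature-based IT tooling misses them and why the baseline itself (maintained by the people who know the plant) is the detection content.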
Assisting The Gulf Region's ICS/OT Cybersecurity Workforce
In the Gulf region, where critical infrastructure is vital to both economic stability and public safety, upskilling the workforce in ICS/OT cybersecurity is imperative. Defenders need specialized training that equips them to address both IT and OT threats while maintaining a steadfast focus on safety. This includes tactical team members and leadership roles, who must be trained to handle the distinct challenges posed by ICS/OT environments.
The SANS Institute’s ICS curricula offer a range of training courses to bolster defense in ICS/OT environments, addressing essential skills needed by ICS/OT engineering leadership and managers, cybersecurity professionals, and control system engineers.
ICS410: ICS/SCADA Security Essentials provides foundational training for those supporting and defending industrial control systems, equipping them to begin securing critical operational environments.
ICS456: Essentials for NERC Critical Infrastructure Protection helps students understand and implement evolving standards (versions 5/6/7) essential for safeguarding infrastructure in the electric sector.
ICS515: ICS Visibility, Detection, and Response provides advanced visibility and industrial-level incident response capabilities, to train teams to identify assets, monitor threats, and conduct intelligence-driven responses to prioritize safety and maintain reliable operations against advanced persistent threats in any ICS/OT sector. The course includes real-world, hands-on technical defense labs using hardware-based PLCs (Programmable Logic Controllers).
ICS612: ICS Cybersecurity In-Depth immerses students in a practical lab environment that simulates an engineering setup, enabling even more direct hands-on practical experience in defending networks with corporate connections, remote access, and data transfer functions.
Each course emphasizes relevant, practical experience, addressing the growing ICS cybersecurity challenges across critical infrastructure in the Gulf region.
ICS418: ICS Security Essentials for Leaders is designed for leaders responsible for securing critical infrastructure, empowering them to establish and guide an overall ICS security program aligned with business objectives. ICS418 teaches leaders how to map industrial cyber risk to business outcomes, prioritizing safety and reliability and highlighting the differences between IT and ICS/OT. The course covers the people, processes, and technologies necessary to create and sustain lasting ICS cyber risk programs, promoting a culture of security, reliability, and safety.
SANS Cyber Academy
The SANS Cyber Academy revolutionizes cybersecurity training with customized programs tailored to any domain or curriculum. These academies address unique cybersecurity challenges by partnering with local government organizations to reskill and upskill professionals. Each academy is fully adaptable and can be tailor-made to meet specific organizational or regional needs, ensuring maximum relevance and impact. By providing targeted expertise, these academies help build the capabilities required to safeguard critical and digital infrastructures across the Middle East.
Investing in a SANS Cyber Academy focused on ICS/OT cybersecurity enables regional teams to proficiently use the tools and strategies needed to defend these environments. Technical teams develop the skills crucial for safeguarding operational systems, while leaders gain the insight required to support those teams, ensuring effective collaboration with IT departments and fostering a unified cybersecurity approach. The GIAC certifications associated with ICS410, ICS456 and ICS515 validate these skills, empowering defenders and organizations to protect critical infrastructure, maintain safety, and ensure the continued reliability of essential services.