Turkish industrial cybersecurity: A view from outside the government
- December 12, 2019
- Posted by: Kerry Tomlinson, Archer News
- Categories: Archer News, Cyberattack, Cyberattack, Hacking, Industrial Control System Security, Posts with image, Power Grid, Power Grid
Turkey’s administration has its own cyber politics and policy.
But outside of the world of government, people in Turkey are also working to try to defend the basic infrastructure that keeps life moving — gas, power, water and more.
Now that nation-state attacks on Turkey appear to be increasing, the mission is becoming even more critical.
Long ago, the Silk Road wound from China to Turkey, trading flowing fabric, spices, paper, gunpowder and more.
Now, China is planning a new, modern Silk Road with a route once again through Istanbul.
But this time, route raiders can be digital.
“I was buying something. My credit card didn’t work,” said Erhan Yakut, software development team lead at industrial security company ICS Defense in Ankara.
On October 27, Yakut and many others in Turkey tried to access their money but could not.
“Our bank was offline for one whole day,” Yakut said. “They didn’t give any money or any information to hackers, but they were disabled for one whole day.”
Going for the Money
Turkey faces the threat of financial cybercrime, said cybersecurity company FireEye.
“We believe that financially motivated cyber threat activity presents a persistent, moderate intensity threat to organizations operating in Turkey,” FireEye Intelligence Analysis Manager Kelli Vanderlee told Archer News.
But that is not the only threat.
Over the past decade, countries near Turkey have reported major cyberattacks, some on critical infrastructure like power plants, petrochemical plants and oil and gas companies.
The Stuxnet worm, identified in 2010, infected 200,000 computers and destroyed 1,000 centrifuges in Iran’s nuclear program.
The Shamoon wiper virus destroyed 30,000 at an oil and gas company in Saudi Arabia in 2012, then returned in a new version to attack again in 2017.
The Triton/Trisis malware took over the safety system at a petrochemical plant in Saudi Arabia in 2017, causing concern that the attack could lead to fatal consequences.
In Ukraine, cyber attackers shut off power in 2015 and 2016.
On the Rise
But now, there are “limited indications” that state-sponsored cyber threats against Turkey’s industrial infrastructure are on the rise, according to Vanderlee.
For example, a major attack group targeted the website of a Turkish energy company, Turcas Petrol, in 2017 and injected malware, allowing the attackers to harvest passwords for people working in the Turkish energy industry.
Another attack group hit telecommunications and oil and gas companies in Turkey and other countries, Symantec reported in 2018.
“[O]ver the past two years, we have seen campaigns from Russian, North Korean, Chinese, Iranian, and other actors targeting Turkish entities, including critical infrastructure organizations,” said Vanderlee.
Ready for Attack?
But Turkey’s infrastructure may not be fully prepared for nation-state cyberattacks, according to cybersecurity experts.
“In Turkish mentality, we believe that cyberattacks and cyber warfare can happen the rest of the world, not to us,” said Can Demirel, information security technical lead at security company Biznet Bilişim, in an interview with Archer News in Ankara.
“We should understand it can happen to us [at] any time,” said Demirel.
Both Demirel and Yakut work to improve cybersecurity for critical infrastructure in Turkey.
They are concerned that the crucial machines that run the country’s power, water, gas and more may not be able to stop those nation-state attacks.
And cyberattacks can now cause physical harm.
Yakut sees industrial operators connecting industrial computers to the Internet to use social media, and other examples of cybersecurity blunders.
“When you see this, and when you are working in a company like this, you want to cry,” Yakut said. “How can this happen?”
However, Yakut said other countries have similar problems.
“Not only in Turkey, we think we’re back on critical infrastructure security all over the world,” he explained. “Because, although these systems have been installed and operated long ago, they are a potential target since cyber security measures are not considered during design and installation.”
The country’s Energy Market Regulatory Authority has been working on energy-specific regulations since 2016, he added.
“We hope that we will be in better situation for all industries in near future,” Yakut said.
What Could Attackers Do?
Yakut’s company built an industrial control system connected to a miniature city to see what real-life attackers will do.
The system is a honeypot, designed to lure attackers in so researchers can gather information on their attack goals and strategies.
Will they try to shut down the airport, building management systems for apartments, traffic lights, shipping, power plants and/or the military?
“When we talk about cybersecurity, you are thinking virtual. Everything was virtual, but now nothing is virtual,” Yakut told Archer News. “Everything is physical.”
Focus on Turkey
The new Silk Road is not the only development bringing Turkey into the sights of attackers.
Turkey’s purchase of the Russian S-400 air defense system, despite objections from NATO allies, military activity in Syria, and drilling in the Mediterranean, will all draw in cyber spies, according to FireEye.
Yakut and Demirel want industrial companies and critical infrastructure operators in Turkey to focus on security — before attackers make a big, destructive move.
“We can’t even sleep when thinking about these attacks,” Yakut said. “We must protect these critical infrastructures in a better way.”
Historically, Turkish people have been adaptive and fearless, according to Demirel.
“We should have that mindset into cybersecurity, actually,” Demirel said. “We know how to fight, and we know to be adaptive, to be fearless. But we need the great mix of it to become surviv[ors] in cybersecurity, because we have lots of things to do as nations, as individuals and the companies.”
Full disclaimer: Can Demirel is the Turkey coordinator for the Centro de Ciberseguridad Industrial. A managing partner of Archer International, parent company of Archer News, is also a coordinator for the Centro de Ciberseguridad Industrial.
Main image: Sunset in Istanbul, Turkey. Image: Rudy Balasko