Turkish industrial cybersecurity: A view from outside the government

Turkey’s administration has its own cyber politics and policy.

But outside of the world of government, people in Turkey are also working to try to defend the basic infrastructure that keeps life moving — gas, power, water and more.

Now that nation-state attacks on Turkey appear to be increasing, the mission is becoming even more critical.

Prime Location

Long ago, the Silk Road wound from China to Turkey, trading flowing fabric, spices, paper, gunpowder and more.

Now, China is planning a new, modern Silk Road with a route once again through Istanbul.

But this time, route raiders can be digital.

“I was buying something. My credit card didn’t work,” said Erhan Yakut, software development team lead at industrial security company ICS Defense in Ankara.

On October 27, Yakut and many others in Turkey tried to access their money but could not.

A cyberattack was pummeling one of Turkey’s largest banks, Garanti BBVA, and communications giant Türk Telekom with Internet traffic in an attack known as a DDoS, or Distributed Denial of Service.

“Our bank was offline for one whole day,” Yakut said. “They didn’t give any money or any information to hackers, but they were disabled for one whole day.”


Customers use ATMs at Garanti BBVA bank in Istanbul, Turkey. Image: Istanbul Image

Going for the Money

Turkey faces the threat of financial cybercrime, said cybersecurity company FireEye.

“We believe that financially motivated cyber threat activity presents a persistent, moderate intensity threat to organizations operating in Turkey,” FireEye Intelligence Analysis Manager Kelli Vanderlee told Archer News.

But that is not the only threat.

Nation-State Attacks

Over the past decade, countries near Turkey have reported major cyberattacks, some on critical infrastructure like power plants, petrochemical plants and oil and gas companies.

The Stuxnet worm, identified in 2010, infected 200,000 computers and destroyed 1,000 centrifuges in Iran’s nuclear program.

The Shamoon wiper virus destroyed 30,000 computers at an oil and gas company in Saudi Arabia in 2012, then returned in a new version to attack again in 2017.

The Triton/Trisis malware took over the safety system at a petrochemical plant in Saudi Arabia in 2017, causing concern that the attack could lead to fatal consequences.

In Ukraine, cyber attackers shut off power in 2015 and 2016.


Countries around Turkey have reported major cyberattacks, some of them destructive attacks against critical infrastructure. Image: Archer News

On the Rise

But now, there are “limited indications” that state-sponsored cyber threats against Turkey’s industrial infrastructure are on the rise, according to Vanderlee.

For example, a major attack group targeted the website of a Turkish energy company, Turcas Petrol, in 2017 and injected malware, allowing the attackers to harvest passwords for people working in the Turkish energy industry.

Another attack group hit telecommunications and oil and gas companies in Turkey and other countries, Symantec reported in 2018.

“[O]ver the past two years, we have seen campaigns from Russian, North Korean, Chinese, Iranian, and other actors targeting Turkish entities, including critical infrastructure organizations,” said Vanderlee.


Cyberattackers inserted malware into the website of Turkish company Turcas Petrol in 2017 in order to harvest passwords, RiskIQ said. Image: RiskIQ

Ready for Attack?

But Turkey’s infrastructure may not be fully prepared for nation-state cyberattacks, according to cybersecurity experts.

“In Turkish mentality, we believe that cyberattacks and cyber warfare can happen the rest of the world, not to us,” said Can Demirel, information security technical lead at security company Biznet Bilişim, in an interview with Archer News in Ankara.

“We should understand it can happen to us [at] any time,” said Demirel.

Both Demirel and Yakut work to improve cybersecurity for critical infrastructure in Turkey.

They are concerned that the crucial machines that run the country’s power, water, gas and more may not be able to stop those nation-state attacks.

And cyberattacks can now cause physical harm.


High voltage towers in Turkey. Image: Naked King

Critical Mistakes?

Yakut sees industrial operators connecting industrial computers to the Internet to use social media, and other examples of cybersecurity blunders.

“When you see this, and when you are working in a company like this, you want to cry,” Yakut said. “How can this happen?”

However, Yakut said other countries have similar problems.

“Not only in Turkey, we think we’re back on critical infrastructure security all over the world,” he explained. “Because, although these systems have been installed and operated long ago, they are a potential target since cyber security measures are not considered during design and installation.”

The country’s Energy Market Regulatory Authority has been working on energy-specific regulations since 2016, he added.

“We hope that we will be in better situation for all industries in near future,” Yakut said.

What Could Attackers Do?

Yakut’s company built an industrial control system connected to a miniature city to see what real-life attackers will do.

The system is a honeypot, designed to lure attackers in so researchers can gather information on their attack goals and strategies.

Will they try to shut down the airport, building management systems for apartments, traffic lights, shipping, power plants and/or the military?

“When we talk about cybersecurity, you are thinking virtual. Everything was virtual, but now nothing is virtual,” Yakut told Archer News. “Everything is physical.”

Communications tower in ICS Defense’s model city & industrial control system in Ankara, Turkey. Image: Archer News

Focus on Turkey

The new Silk Road is not the only development bringing Turkey into the sights of attackers.

Turkey’s purchase of the Russian S-400 air defense system despite objections from NATO allies, its military activity in Syria, and its drilling in the Mediterranean will all draw in cyber spies, according to FireEye.

Yakut and Demirel want industrial companies and critical infrastructure operators in Turkey to focus on security — before attackers make a big, destructive move.

“We can’t even sleep when thinking about these attacks,” Yakut said. “We must protect these critical infrastructures in a better way.”

Historically, Turkish people have been adaptive and fearless, according to Demirel.

“We should have that mindset into cybersecurity, actually,” Demirel said. “We know how to fight, and we know to be adaptive, to be fearless. But we need the great mix of it to become surviv[ors] in cybersecurity, because we have lots of things to do as nations, as individuals and the companies.”


Full disclaimer: Can Demirel is the Turkey coordinator for the Centro de Ciberseguridad Industrial. A managing partner of Archer International, parent company of Archer News, is also a coordinator for the Centro de Ciberseguridad Industrial.


Main image: Sunset in Istanbul, Turkey. Image: Rudy Balasko
