The post Understand The Cyber Attacks appeared first on mbuhamad cybersecurity.

This. report I wrote back in 2021 for an organization. I believe this entity still missing OT cybersecurity.

Introduction

In 2019, Dmitri Alperovitch, co-founder and former CTO of CrowdStrike, remarked:

“There are three types of companies: those that know they’ve been compromised, those that haven’t realized they’ve been compromised, and those who can defend themselves against a compromise.”

This post explores how critical infrastructure organizations—particularly those managing Operational Technology (OT)—can build the capabilities to defend themselves effectively in today’s evolving threat landscape.

The Economic Impact of Cybercrime

According to Cybercrime Magazine, the global cost of cybercrime surged to $6 trillion in 2021, up from $3 trillion in 2015. This staggering figure marks the greatest transfer of economic wealth in history and exceeds the profits of all major illegal drug trades combined. The impact is not just financial—it undermines innovation, deters investment, and threatens the global digital economy.

From Theory to Reality: OT Under Attack

Cyber warfare became a reality in 2010 with the discovery of Stuxnet, a sophisticated malware targeting SCADA systems in a nuclear facility. The attack caused physical damage to OT systems that were believed to be fully isolated (air-gapped) from the internet.

In today’s digitized environments, OT systems are increasingly connected—for monitoring, remote support, and analytics. This connectivity introduces new vulnerabilities. In 2021, a hacker gained access to a Florida water treatment plant’s OT system using stolen remote access credentials and attempted to poison the water supply.

Attacks on OT are no longer rare. Botnets have crippled communication networks. Ransomware has disrupted emergency services. Critical infrastructure, both regionally and globally, has suffered significant operational and financial losses.

What Is Cybersecurity in OT?

For the purpose of this article, cybersecurity in OT refers to the protection of the following:

• Confidentiality of operational data and systems
• Integrity of controls and processes
• Availability of services and infrastructure

Together, these three pillars—known as the CIA triad—form the foundation of any robust cybersecurity strategy.

Cybersecurity as Risk Management

Electricity grids, water systems, and industrial plants form the backbone of modern society. Disruptions to these systems can have cascading effects—impacting everything from hospitals and airports to telecommunications and energy production.

Cybersecurity risk management is not limited to technology purchases. It involves adopting structured frameworks such as:

• ISO/IEC 27001
• Zero Trust Architecture
• NIST Cybersecurity Framework (CSF)

These standards establish a security baseline—a collection of essential policies, controls, and best practices that help mitigate the most common and dangerous threats to OT systems.

The NIST Framework: A Global Benchmark

To address growing threats to critical infrastructure, the United States issued Executive Order 13636 in 2013. It tasked the National Institute of Standards and Technology (NIST) with developing a flexible, risk-based cybersecurity framework for critical sectors.

The result was the NIST Cybersecurity Framework, now widely adopted across industries and governments. It is organized into five core functions:

1. Identify – Understand the environment and associated risks
2. Protect – Implement safeguards for delivery of critical services
3. Detect – Monitor for cybersecurity events
4. Respond – Take action during an incident
5. Recover – Restore capabilities after a disruption

This structured approach enables organizations to assess maturity, prioritize resources, and strengthen resilience.

Regional and International Cooperation

In 2015, a high-level meeting between U.S. leadership and members of the Gulf Cooperation Council (GCC) underscored the importance of critical infrastructure cybersecurity. The outcomes included:

• Joint consultation on cybersecurity initiatives
• Sharing of best practices in policy, incident response, and resilience
• Technical assistance and capacity-building
• Cybersecurity exercises and workshops

These initiatives illustrate a shared commitment to improving cyber readiness across borders.

Final Thoughts

Cybersecurity in operational technology is no longer optional—it is a national imperative. The threats are real, the risks are rising, and the consequences of inaction are severe. Organizations managing critical infrastructure must treat cybersecurity as a continuous, strategic process supported by leadership, standards, and global collaboration.

Let me know if you’d like help with:

• Creating a featured image
• Optimizing SEO metadata (title, description, keywords)
• Adding call-to-action sections
• Embedding download buttons (for PDF version)
• Translating the post to Arabic for a bilingual audien

The post Building Cyber Resilience in Operational Technology Environments appeared first on mbuhamad cybersecurity.

Professionals in developing countries often face systemic challenges that severely limit their ability to contribute meaningfully to society. One of the most significant obstacles lies within the government sector, which is frequently plagued by entrenched bureaucracy, internal politics, and a culture that prioritizes appeasing superiors over delivering results.

A major issue is the appointment of managers based not on merit or capability, but on social connections. Many individuals in leadership roles lack basic managerial or even interpersonal skills. While such appointments may benefit a few personally, they are detrimental to workplace productivity, morale, and broader societal progress.

From my observation, government employees typically fall into three categories:

1. The Performers – These individuals are adept at talking and posturing. They often rise to top positions because they know how to play the system and say what those in power want to hear.
2. The Apathetic – Grounded in reality but disengaged, this group shows up to work physically, yet does everything possible to avoid meaningful contribution.
3. The Changemakers – These are the rare individuals genuinely committed to reform and improvement. Unfortunately, their efforts are often met with resistance. Many are forced out, sidelined, or simply choose to leave in frustration.

The result is a system that discourages innovation, demoralizes talent, and perpetuates inefficiency. For real progress to occur, there must be a shift toward merit-based leadership, accountability, and a culture that values competence over connections. As we say in Kuwait انطرني

Mashal Buhamad

The post The Silent Struggle: Navigating Government Work in Developing Countries appeared first on mbuhamad cybersecurity.

I once authored a technical report comparing IP-MPLS and MPLS-TP, outlining why IP-MPLS was the stronger long-term choice—technically, operationally, and economically. The head of the sector responsible for the technology reviewed and agreed with the assessment. The case was clear. The analysis was thorough. The direction was validated.

But the organization chose the opposite path.

It’s moments like this that remind you: sometimes, it’s not about the right technology. It’s about other factors.

In the evolution of communication technologies, two major paradigms emerged: time division multiplexing (TDM/SDH) and packet-based communication (IP). TDM technologies were historically favored for critical communication due to their reliability, predictable latency, and fixed routing. Packet-based technologies, while more adaptable and scalable, came with trade-offs—namely, variable delay and occasional packet loss—making them better suited for non-critical data transfer and local networking.

As modern network demands increase, new transport technologies are being evaluated to replace legacy TDM infrastructure. Two contenders stand out: MPLS-TP (Multiprotocol Label Switching – Transport Profile) and IP-MPLS (IP-based Multiprotocol Label Switching).

MPLS-TP: Purpose-Built for Deterministic Transport

MPLS-TP was developed specifically to mimic the predictable, reliable characteristics of TDM within a packet-switched framework. Its goal is to bring deterministic behavior to packet networks, maintaining consistent latency and providing guaranteed delivery paths. This makes MPLS-TP appealing for environments where strict timing and reliability are paramount.

However, MPLS-TP has limitations in terms of flexibility and interoperability. Variations in implementation among vendors can make multi-vendor integration challenging, potentially leading to vendor lock-in and increased operational costs.

IP-MPLS: Flexible and Future-Proof

IP-MPLS, in contrast, is a more flexible and broadly adopted technology. It supports a wide range of applications—from enterprise data to critical infrastructure traffic. IP-MPLS delivers many of the same reliability features as MPLS-TP while also enabling support for modern network requirements, including IoT integration, smart grid communication, and virtualization of infrastructure.

Standardization is a key advantage of IP-MPLS. Broad industry adoption has led to strong interoperability between equipment from different vendors, reducing both capital and operational expenses and simplifying network evolution over time.

Key Considerations

1. Versatility: IP-MPLS supports a diverse range of traffic types and can adapt to evolving use cases, making it more suitable for modern multi-service networks.
2. Reliability with Flexibility: It offers SDH-like reliability while maintaining the adaptability of IP networks.
3. Cost and Interoperability: Due to its standardization, IP-MPLS is more interoperable and cost-effective compared to MPLS-TP.
4. Industry Direction: The networking industry is shifting toward IP-MPLS, driven by its scalability, extensibility, and compatibility with emerging technologies.

Conclusion

While MPLS-TP serves a niche purpose for deterministic transport, the broader advantages of IP-MPLS—flexibility, reliability, cost-efficiency, and industry momentum—make it the preferred choice for modern networks. As communication infrastructure continues to evolve, technologies that can seamlessly bridge reliability and adaptability will define the next generation of critical networks.

The post Choosing the Right Path: IP-MPLS vs. MPLS-TP appeared first on mbuhamad cybersecurity.

Never pay someone to create your incident response plan, and don’t just copy a generic one. Instead, create a plan that makes sense for your organization. Ensure it is clearly understood by both the incident response team and top management. Ideally, the entire plan should fit on one A4 page—two pages at most.

Purpose

As the digital threat landscape continues to evolve in complexity and scale, organizations must adopt a structured, strategic approach to cybersecurity incident response. This guide outlines the framework, responsibilities, and protocols for managing security incidents. It aims to minimize damage, ensure timely response, preserve organizational integrity, and support recovery and future preparedness.

Definition of an Incident

An incident refers to any attempted or actual unauthorized access, disruption, misuse, or compromise of information systems, networks, or data. Incident handling is not merely reactive—it is a proactive strategy that ensures:

• Identification: Recognizing the presence and characteristics of a potential threat or breach.
• Analysis: Assessing the scope, severity, and potential impact.
• Prioritization: Categorizing incidents based on urgency and consequence.
• Response: Taking coordinated action to contain, investigate, mitigate, and prevent recurrence.

Depending on the nature of the threat, this may include external notification (e.g., law enforcement, regulatory bodies, or third-party incident responders).

Communication Channels

To maintain operational continuity during an incident—even in cases of full system compromise—a secure, out-of-band communication channel must be maintained. In this framework, messaging platforms that are external to the organization’s primary infrastructure (e.g., encrypted messaging apps) are used to ensure incident response teams remain connected and responsive.

Authorization and Decision-Making

The designated Incident Response Team (IRT) is empowered to:

• Act immediately and decisively to contain incidents (e.g., disconnecting systems, blocking traffic).
• Collaborate with external security vendors, governmental agencies, or law enforcement when necessary.
• Activate any formal incident response agreements or memorandums of understanding with partner organizations.

These authorities are designed to eliminate delay and ensure an efficient and effective response.

Incident Severity Classification

To standardize response efforts, incidents are classified into three tiers based on severity and impact:

Level 1 – Low Severity

These incidents pose minimal risk to critical operations but warrant documentation and periodic review.

Examples include:

• Unauthorized port scans on non-critical systems.
• Virus or malware detections successfully blocked before system compromise.
• Repeated failed login attempts to non-sensitive systems.
• Abnormal network behavior without clear malicious intent.
• Receipt of phishing emails or threat indicators from trusted sources.
• Non-critical data leaks involving public or low-sensitivity documents.

Level 2 – Moderate Severity

Moderate incidents could escalate if ignored. They require immediate attention, team consultation, and formal action planning.

Examples include:

• Unauthorized scans targeting critical infrastructure.
• Unexplained or unauthorized physical access attempts.
• Denial-of-Service (DoS) or Distributed DoS (DDoS) activity.
• Persistent failures in two-factor authentication.
• Detection of potential insider threats.
• Unauthorized website content alterations.
• Leakage of sensitive internal documents or credentials to external sources (e.g., dark web).

Level 3 – High Severity

Critical incidents that threaten the confidentiality, integrity, or availability of key systems or sensitive data. They demand an immediate, all-hands response and notification to senior leadership.

Examples include:

• Detection of ransomware or active malware infections.
• System-wide outages or failures.
• Attacks targeting industrial control systems or critical infrastructure.
• Evidence of internal malicious activity or data tampering.
• Exploitation of zero-day vulnerabilities.
• Breaches involving confidential, regulated, or personal data, or that could significantly harm the organization’s operations, reputation, or national interest.

Incident Response Team (IRT)

The IRT is composed of cross-functional members from IT, cybersecurity, legal, communications, and executive leadership. Roles include:

• Incident Commander: Leads response efforts and decision-making.
• Technical Analyst: Conducts forensic investigation and impact assessment.
• Communications Liaison: Coordinates internal and external messaging.
• Legal Advisor: Ensures compliance with regulations and manages legal exposure.
• Executive Sponsor: Provides leadership oversight and strategic alignment.

The IRT operates under clear protocols and meets regularly to review incidents and test response readiness through tabletop exercises or simulated attacks.

Conclusion

A robust incident response framework is essential for maintaining operational resilience in the face of growing cybersecurity threats. By clearly defining incident types, response authority, and communication procedures, organizations can respond swiftly and effectively—minimizing impact and reducing recovery time.

The post How to write incident response plan appeared first on mbuhamad cybersecurity.

The definitive answer is yes — AI is no longer a future consideration; it’s a present-day reality that’s transforming every sector. Whether you’re a government institution or a private enterprise, integrating AI into your core strategy is no longer optional — it’s essential. The time to start is now.

However, it’s critical to approach AI adoption with awareness. Public AI platforms like ChatGPT, while powerful, pose significant data security risks when misused. If your team is feeding sensitive or internal data into public AI tools, you may be unknowingly contributing to data leakage. Think carefully about how much confidential information may have already been exposed.

Meanwhile, malicious actors are already leveraging AI to enhance and automate their attacks — from phishing campaigns to deepfake generation to automated vulnerability discovery. If you’re not deploying AI-powered defense tools, you’re operating at a growing disadvantage. The threat landscape is evolving faster than ever, and without AI-enabled security capabilities, traditional defenses simply can’t keep up.

The post Do you we really need AI appeared first on mbuhamad cybersecurity.

There’s nothing quite like being on-site at an organization that has just been hit by ransomware — and I’ve been there. One of the most striking incidents I responded to involved a government entity that had invested millions in IT infrastructure and cybersecurity tools. Despite their significant spending, they lacked a cohesive cybersecurity strategy.

Their environment was protected by multiple firewalls, which gave them a dangerous false sense of security. But the real issue was deeper: their internal team had limited understanding of how attackers think, and they had never performed a comprehensive vulnerability assessment. There was no proactive defense, no detection capabilities, and no incident response plan in place. It was a chaotic, sobering scene — and a powerful reminder that tools alone don’t secure an organization. Strategy, mindset, and continuous validation do.

The post There is no thing like being hit by a Ransomware appeared first on mbuhamad cybersecurity.

Proof of Concept (POC) with Nozomi and Dragos Report

Engr. Mashal Buhamad

Strategic Note

This report was prepared for a major regional operator responsible for critical infrastructure. It highlights the reality that cybersecurity transformation cannot occur in a vacuum—it must align with the unique constraints and architecture of the existing environment. The Proof of Concept (POC) with Nozomi Networks and Dragos made this evident, as key limitations in legacy systems and architectural inconsistencies directly impact visibility and threat detection capabilities.

The findings reinforce that a comprehensive cybersecurity strategy is no longer optional—it is essential. This strategy must orchestrate how the organization will overcome current equipment and protocol limitations, guide procurement decisions, standardize network architectures, and align stakeholders across departments and vendors. Only through a unified, forward-looking strategy can the organization achieve scalable, resilient, and effective OT cybersecurity.

Introduction

In the evolving landscape of industrial cybersecurity, we continually seek advanced solutions to safeguard organizations operating critical infrastructure, particularly in operational technology (OT) environments. One of the primary goals is to establish robust cybersecurity visibility. Two prominent players in this field are Nozomi Networks and Dragos. While other components such as SIEM are essential, these two form the cornerstone of any visibility-driven cybersecurity architecture. Conducting a Proof of Concept (POC) with these technologies is vital to evaluate their capabilities, strengths, and suitability for specific organizational needs. This report outlines the purpose and preliminary outcomes of the POC with Nozomi and Dragos.

Understanding Nozomi and Dragos

Nozomi Networks: Known for its comprehensive OT and IoT security solutions, Nozomi Networks offers extensive visibility, threat detection, and actionable insights to protect critical infrastructure. Its platform enhances situational awareness and streamlines incident response. It is deployed globally across utilities, aviation, oil and gas, and other industrial sectors. The Nozomi POC was conducted using a demo unit provided by the vendor at a selected industrial site.

Dragos: Specializing in OT cybersecurity, Dragos delivers a suite of capabilities including threat detection, incident response, and threat intelligence tailored for industrial control systems (ICS). Dragos is recognized for its deep expertise in identifying and mitigating advanced persistent threats (APTs) in OT environments. The Dragos POC was executed using packet captures collected from multiple sites, with support from a Dragos engineer. Notably, Dragos did not provide their appliance, which could suggest limitations in device readiness or maturity.

Purpose of a POC

Technical Assessment:
The POC enabled a direct evaluation of Nozomi and Dragos in real-world settings. This included assessing their ability to detect/respond to threats, integrate with existing infrastructure, and provide meaningful visibility into OT networks. On-site deployment proved invaluable, providing firsthand insight into practical deployment challenges. Two significant issues were observed:

• Existing network nodes in the field lack port mirroring capabilities, making passive monitoring difficult without alternative solutions such as network taps.
• OT network environments lack standardization, with legacy and modern protocols (e.g., IEC 101 and IEC 104) coexisting within the same location, creating architectural inconsistencies.

Feature Comparison:
The side-by-side evaluation allowed comparison of capabilities including asset discovery, anomaly detection, threat intelligence integration, and incident response workflows. This helps define the most suitable use cases and placements for each solution.

Accuracy:
Testing detection accuracy and the rate of false positives was critical. The POC offered clear insight into each solution’s ability to distinguish legitimate threats while minimizing noise. Additionally, asset detection capabilities were thoroughly evaluated, emphasizing the importance of post-deployment fine-tuning and enhancement.

System Integration:
Based on the POC findings, a comprehensive technical proposal review is necessary to address newly identified challenges. Collaboration with independent international consultants is strongly advised to ensure effective project execution. Given the complexity of industrial cybersecurity environments, this initiative will require seamless coordination among multiple stakeholders.

Conclusion

The POC with Nozomi Networks and Dragos provided actionable insights into their technical strengths and practical deployment within industrial OT settings. Both solutions excel in visibility, threat detection, and response—capabilities essential for protecting high-value critical infrastructure.

Key challenges identified during the POC—such as lack of port mirroring in field network devices and non-standardized communication architectures—must be addressed before full-scale deployment.

To move forward effectively, the technical proposal should be updated to reflect all POC findings. Engaging experienced external consultants will help align stakeholders, coordinate the project, and ensure its long-term success.

In summary, while Nozomi Networks and Dragos present solid options for industrial cybersecurity, overcoming existing environmental limitations and ensuring cohesive integration will be key to delivering a successful and secure implementation.

The post Proof of Concept (POC) appeared first on mbuhamad cybersecurity.