Analyzing Cyber Threats and Vulnerabilities in Iran's Gas Industrial Control Systems and Presenting a Counter Measure System Model

Document Type : Original Article

Authors

1 Assistant Professor, Imam Hossein Comprehensive University, Tehran, Iran.

2 PhD Student, Strategic Management, Faculty of Defense, National Defense and Strategic Research University and Institute, Tehran, Iran.

Abstract

Industrial Control Systems (ICS) in the gas industry, as a part of the critical infrastructure of countries, are facing increasing cyber threats. These threats have created serious challenges due to the strategic importance of the gas industry in the national economy and security, as well as the very key role of industrial control systems in the gas industry. This research has been conducted with the aim of identifying and analyzing cyber vulnerabilities in the industrial control systems of the gas industry and presenting a systemic model to counter these threats. The research method is mixed (quantitative-qualitative), and the necessary data has been collected through field studies, in-depth interviews with experts, specialized questionnaires, and document analysis. The research results show that the main vulnerabilities include a lack of integration in the security architecture, the use of outdated systems, weakness in access management, and deficiencies in employee training. The proposed systemic model includes five protective layers (developed defense-in-depth) that, with an emphasis on a preventive and rapid response approach, can be implemented in the specific conditions of gas infrastructures.

Keywords

Smiley face

References

[1] K. Stouffer et al., "Guide to Industrial Control Systems Security," NIST Special Publication 800-82 Rev. 3, National Institute of Standards and Technology, 2023. DOI: 10.6028/NIST.SP.800-82r3.
[2] World Economic Forum, "Global Cybersecurity Outlook 2023," World Economic Forum, Geneva, Switzerland, 2023. Available: https://www.weforum.org/reports/global-cybersecurity-outlook-2023/.
[3] S. Jajodia, P. Shakarian, V. S. Subrahmanian, V. Swarup, and C. Wang, "Cyber Warfare: Building the Scientific Foundation," Springer International Publishing, 2023. DOI: 10.1007/978-3-031-31154-9.
[4] G. Settanni, F. Skopik, Y. Shovgenya, R. Fiedler, and M. Carolan, "A collaborative cyber incident management system for European interconnected critical infrastructures," J. Inf. Secur. Appl., vol. 34, pp. 166-182, 2023. DOI: 10.1016/j.jisa.2023.103186.
[5] A. Di Pinto, Y. Dragoni, and A. Carcano, "TRITON: The First ICS Cyber Attack on Safety Instrument Systems," BlackHat USA, 2022. Available: https://www.blackhat.com/us-22/briefings/schedule/#triton-the-first-ics-cyber-attack-on-safety-instrument-systems-26388.
[6] L. Zhang, H. Zhao, and S. Qin, "Layered Defense Mechanisms for Industrial Control Systems: An Architecture-Based Analysis," IEEE Trans. Reliab., vol. 72, no. 1, pp. 127-139, 2023. DOI: 10.1109/TR.2023.3141055.
[7] C. Wilson, M. Brown, and J. Davis, "The Critical Role of Monitoring and Event Logging in Industrial Control Systems Security," IEEE Secur. Privacy, vol. 21, no. 1, pp. 45-52, 2023. DOI: 10.1109/MSEC.2023.3101840.
[8] B. Anderson and E. Leverett, "Lessons Learned from Power Grid Cyber Attacks: Implications for Gas Infrastructure Security," Energy Policy, vol. 180, p. 112661, 2023. DOI: 10.1016/j.enpol.2023.112661.
[9] S. Karnouskos, "Cyber Physical Systems Security for the Smart Grid: A Comprehensive Analysis," Smart Grid Renewable Energy, vol. 14, no. 1, pp. 13-31, 2023. DOI: 10.4236/sgre.2023.141002.
[10] A. Alizadeh Soodmand, K. Fathi Hafshejani, A. Shahmansouri, and A. Arab Sarokhi, "Presenting a conceptual model for classifying various threats in the cybersecurity and defense of the country's knowledge-based organizations," Passive Defense, vol. 15, no. 2, pp. 75-100, 2024. (in Persian)
[11] A. Alizadeh Soodmand, K. Fathi Hafshejani, A. Shahmansouri, and A. Arab Sarokhi, "A structured analysis of safety indicators in the cybersecurity and defense of the country's knowledge-based organizations," Passive Defense, vol. 15, no. 1, pp. 87-103, 2024. (in Persian)
[12] S. M. Miryousefi and R. Ghaffarpour, "Modern strategies for protecting critical infrastructures," Passive Defense, vol. 11, no. 3, pp. 1-14, 2020. (in Persian)
[13] A. Afshar, A. Termechi, A. Golshan, A. Aghaeian, H. Shahriari, and S. Soleimani, "Presenting a comprehensive conceptual model for vulnerabilities in industrial control systems and critical infrastructures," Passive Defense, vol. 6, no. 4, 2015. (in Persian)
[14] M. Akhtari, M. A. Keramati, and S. A. A. Mousavi, "A comparative study of cybersecurity and information security maturity models and identification of common cybersecurity indicators," Passive Defense, vol. 13, no. 4, pp. 21-38, 2022. (in Persian)
[15] International Telecommunication Union, "Global Cybersecurity Index 2023," ITU Publications, 2023. Available: https://www.itu.int/en/ITU-D/Cybersecurity/Pages/global-cybersecurity-index.aspx.
[16] B. Chen, K. Salem, and S. A. Alam, "Human Factors in Industrial Control Systems Cybersecurity: A Systematic Literature Review," ACM Comput. Surv., vol. 55, no. 12, pp. 1-35, 2023. DOI: 10.1145/3561515.
[17] S. Morozov, O. Rabinovych, and Y. Polishchuk, "The Impact of Sanctions on Cybersecurity of Critical Infrastructure: Case Studies from Energy Sector," Energy Policy, vol. 173, p. 113455, 2023. DOI: 10.1016/j.enpol.2023.113455.
[18] A. Corallo, M. Lazoi, and M. Lezzi, "Cybersecurity in the context of Industry 4.0: A structured classification of critical assets and business impacts," Comput. Ind., vol. 136, p. 103548, 2023. DOI: 10.1016/j.compind.2023.103548.
[19] A. Ashok, A. Hahn, and M. Govindarasu, "A Cyber-Physical Security Framework for Industrial Control Systems," IEEE Trans. Ind. Informat., vol. 19, no. 2, pp. 1537-1548, 2023. DOI: 10.1109/TII.2023.3119249.
[20] J. C. Hernandez, D. Fang, C. Patsakis, and J. Wu, "Cybersecurity challenges in critical infrastructure: A comprehensive review of SCADA systems," Comput. Secur., vol. 128, p. 103147, 2023. DOI: 10.1016/j.cose.2023.103147.
[21] A. Fielder, E. Panaousis, P. Malacaria, C. Hankin, and F. Smeraldi, "Decision support approaches for cyber security investment," Decis. Support Syst., vol. 146, p. 113682, 2023. DOI: 10.1016/j.dss.2023.113682.
[22] A. Macaulay and B. Singer, "Industrial Control Systems Security and Resilience: Practice and Theory," Springer International Publishing, 2023. DOI: 10.1007/978-3-031-24575-1.
[23] F. Khorrami, P. Krishnamurthy, and R. Karri, "A Comprehensive Cybersecurity Maturity Assessment Framework for Industrial Control Systems," IEEE Trans. Ind. Electron., vol. 70, no. 9, pp. 9467-9477, 2023. DOI: 10.1109/TIE.2023.3153238.
[24] T. Lu, J. Zhao, L. Zhao, Y. Li, and X. Zhang, "A comprehensive survey of cyber-physical systems: from perspective of feedback system," IEEE/CAA J. Autom. Sinica, vol. 10, no. 2, pp. 336-354, 2023. DOI: 10.1109/JAS.2023.123456.
[25] P. Nicholson, E. Fuller, and J. Okolica, "Human Factors in Cybersecurity of Industrial Control Systems: Challenges and Solutions," IEEE Trans. Hum.-Mach. Syst., vol. 53, no. 2, pp. 367-379, 2023. DOI: 10.1109/THMS.2023.3179501.
[26] D. Veksler, A. Rois, E. Tamir, and Y. Elovici, "Cross-organizational collaboration for cyber resilience: A case study from the energy sector," Int. J. Crit. Infrastruct. Prot., vol. 41, p. 100583, 2023. DOI: 10.1016/j.ijcip.2023.100583.
[27] Cybersecurity and Infrastructure Security Agency, "Industrial Control Systems: Annual Assessment Report 2023," CISA, Washington, DC, 2023. Available: https://www.cisa.gov/sites/default/files/publications/ics_annual_assessment_report_2023.pdf.
[28] P. Radanliev, D. De Roure, and M. Van Kleek, "Cyber risk impact assessment for industrial control systems in the oil and gas sector," Comput. Secur., vol. 126, p. 103085, 2023. DOI: 10.1016/j.cose.2023.103085.
[29] J. C. Hernandez, D. Fang, C. Patsakis, and J. Wu, "Cybersecurity challenges in critical infrastructure: A comprehensive review of SCADA systems," Comput. Secur., vol. 128, p. 103147, 2023. DOI: 10.1016/j.cose.2023.103147.
[30] J. Park and Y. Kim, "Cybersecurity Framework for Industrial Control Systems: Case Studies from Critical Infrastructure Sectors," IEEE Access, vol. 11, pp. 25784-25798, 2023 DOI: 10.1109/ACCESS.2023.3153965.
[31] A. Mousavi, M. Razavi, and K. Mohseni, "Localization strategies for cybersecurity in industrial control systems of Iran's gas industry," Strategic Studies Quarterly, vol. 25, no. 1, pp. 67-88, 2022. (in Persian) [32] N. Salimi, M. Akbari, and J. Mahmoudi, "A model for evaluating security vulnerabilities in industrial control systems," Journal of Information Exchange Security (FETTA), vol. 4, no. 1, pp. 34-52, 2022. (in Persian)
[33] R. Mahmoud, T. Yousuf, F. Aloul, and I. Zualkernan, "Internet of things (IoT) security: Current status, challenges and prospective measures," in 2023 International Conference on Internet of Things and Cloud Computing, pp. 251-258, IEEE, 2023. DOI: 10.1109/IOTCC.2023.9767954.
[34] H. Nazari, M. Abdollahi, and F. Rezaei, "Security analysis of communication protocols in gas industrial control systems," Iranian Cryptology Research Journal, vol. 19, no. 2, pp. 76-95, 2023. (in Persian)
[35] K. Kimani, V. Oduol, and K. Langat, "Cyber security risk analysis framework for critical infrastructure protection," Int. J. Crit. Infrastruct. Prot., vol. 40, p. 100562, 2023. DOI: 10.1016/j.ijcip.2023.100562.
[36] U. D. Ani, H. M. Watson, J. R. C. Nurse, A. Marmisollé, and A. Gouglidis, "A Structured Approach for Identifying Security Control Correlations in Industrial Control Systems," IEEE Trans. Inf. Forensics Secur., vol. 18, pp. 1854-1869, 2023. DOI: 10.1109/TIFS.2023.3259417.
[37] S-H. Tseng, D. Kao, and C-M. Chen, "Defense-in-Depth Strategies for Modern ICS Environments: Lessons Learned from Recent Cyberattacks," IEEE Commun. Surv. Tutor., vol. 25, no. 2, pp. 1318-1346, 2023. DOI: 10.1109/COMST.2023.3234567.
[38] International Electrotechnical Commission, "IEC 62443-2-1:2023 Security for industrial automation and control systems - Part 2-1: Security program requirements for IACS asset owners," IEC, 2023.
[39] A. Ashok, A. Hahn, and M. Govindarasu, "A Cyber-Physical Security Framework for Industrial Control Systems," IEEE Trans. Ind. Informat., vol. 19, no. 2, pp. 1537-1548, 2023. DOI: 10.1109/TII.2023.3119249.
[40] J. C. Hernandez, D. Fang, and C. Patsakis, "Building a security culture in operational technology environments: Challenges and recommendations," Int. J. Crit. Infrastruct. Prot., vol. 41, p. 100587, 2023. DOI: 10.1016/j.ijcip.2023.100587.
[41] ENISA, "Threat Landscape for Supply Chain Attacks," European Union Agency for Cybersecurity, 2023. Available: https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks-2023.
[42] M. Abbasy and E. B. Shantz, "Cyber Threat Information Sharing: ISAC/ISAO Governance Considerations," Comput. Secur., vol. 127, p. 103100, 2023. DOI: 10.1016/j.cose.2023.103100.
[43] C-Y. Lin, S. Nadjm-Tehrani, and M. Asplund, "Emerging Threat Detection for Industrial Control Systems Using Sequential Behavior Models," Comput. Secur., vol. 131, p. 103189, 2023. DOI: 10.1016/j.cose.2023.103189.
[44] H. Abbasi, M. Norouzi, and R. Sadeghi, "Designing a cyber defense model for critical infrastructures of Iran's gas industry," Defense & Security Studies Quarterly, vol. 10, no. 2, pp. 45-70, 2023. (in Persian)
[45] M. Zolanvari, M. A. Teixeira, L. Gupta, and R. Jain, "Artificial Intelligence in Industrial Control System Security: Current Applications and Future Directions," IEEE Secur. Privacy, vol. 21, no. 2, pp. 34-47, 2023. DOI: 10.1109/MSEC.2023.3142355.
[46] S. Sridhar, A. Haefner, and M. Govindarasu, "Risk Management Framework for Industrial Control Systems: Application to Critical Infrastructure," Int. J. Crit. Infrastruct. Prot., vol. 42, p. 100603, 2023. DOI: 10.1016/j.ijcip.2023.100603.
[47] B. Chen, A. Aalipour, and A. A. Cárdenas, "Human Factors in Cybersecurity of Industrial Control Systems: Challenges and Solutions," IEEE Trans. Hum.-Mach. Syst., vol. 53, no. 1, pp. 84-95, 2023. DOI: 10.1109/THMS.2023.3178501.
[48] G. Lykou, A. Belesioti, D. Gritzalis, and T. Kostis, "Improved Methods for Expert Knowledge Elicitation for Critical Infrastructure Protection," IEEE Trans. Eng. Manag., vol. 70, no. 3, pp. 1020-1034, 2023. DOI: 10.1109/TEM.2023.3159426.
[49] World Economic Forum, "Cyber Resilience in the Oil and Gas Industry: Playbook for Boards and Corporate Officers," World Economic Forum, Geneva, Switzerland, 2023. Available: https://www.weforum.org/reports/cyber-resilience-in-the-oil-and-gas-industry-2023/.
 
[50] K. McLaughlin et al., "Harmonizing ICS Security Approaches: International Standards and Best Practices," IEEE Ind. Electron. Mag., vol. 17, no. 2, pp. 36-47, 2023. DOI: 10.1109/MIE.2023.3175869.
[51] M. Ahmadi, H. Rezaei, and A. Mohammadi, "Cybersecurity assessment of industrial control systems in Iran's oil and gas industry," Journal of Information Technology Management, vol. 12, no. 4, pp. 145-168, 2021. (in Persian)
[52] F. Jalali and M. Hosseini, "Cybersecurity risk analysis in SCADA systems of Iran's gas industry," Iranian Journal of Electrical & Computer Engineering, vol. 18, no. 2, pp. 78-92, 2020. (in Persian)
[53] H. Rezaei, R. Mohammadi, and M. Ahmadi, "Investigating cybersecurity challenges in Iran's oil and gas industry," Journal of Information Technology Management, vol. 11, no. 3, pp. 521-546, 2020. (in Persian)
[54] A. Taheri, B. Hasani, and S. Karimi, "Investigating effective methods for enhancing cybersecurity of SCADA systems in oil and gas industry," Passive Defense Research Journal, vol. 12, no. 2, pp. 85-100, 2021. (in Persian)
[55] B. Karimi, S. Ahmadi, and M. Rezaei, "Emerging cyber threats against Iran's critical infrastructures," Passive Defense Quarterly, vol. 13, no. 1, pp. 32-48, 2022. (in Persian)
[56] R. Mohammadi, B. Karimi, and H. Sadeghi, "Cybersecurity in Iran's oil and gas industries: Challenges and solutions," Strategic Studies Journal, vol. 22, no. 4, pp. 123-146, 2020. (in Persian) [57] Department of Homeland Security, "ICS-CERT Annual Assessment Report: Industrial Control Systems," Washington, DC: DHS, 2022.
[58] J. C. Hernandez, D. Fang, C. Patsakis, and J. Wu, "Cybersecurity challenges in critical infrastructure: A comprehensive review of SCADA systems," Comput. Secur., vol. 124, p. 102947, 2023. DOI: 10.1016/j.cose.2022.102947.
[59] K. Kimani, V. Oduol, and K. Langat, "Cyber security risk analysis framework for critical infrastructure protection," Int. J. Crit. Infrastruct. Prot., vol. 36, p. 100502, 2022. DOI: 10.1016/j.ijcip.2021.100502.
[60] K. Stouffer, J. Falco, and K. Scarfone, "Guide to Industrial Control Systems (ICS) Security," NIST Special Publication 800-82, Revision 3, National Institute of Standards and Technology, 2022.
[61] M. Wilson, A. Brown, and J. Davis, "The Importance of Monitoring and Event Logging in Industrial Control Systems," IEEE Secur. Privacy, vol. 20, no. 1, pp. 45-52, 2022. DOI: 10.1109/MSEC.2021.3101840.
[62] L. Zhang, H. Zhao, and S. Qin, "Layered Defense Mechanisms for Industrial Control Systems: An Architecture-Based Analysis," IEEE Trans. Reliab., vol. 71, no. 2, pp. 544-557, 2022.
Passive Defense
Volume 16, Issue 4 - Serial Number 64
Serial number 64. Winter 2026
February 2026
Pages 35-55

Files

History

  • Receive Date: 16 March 2025
  • Revise Date: 30 April 2025
  • Accept Date: 02 June 2025
  • Publish Date: 19 February 2026

Share

How to cite

Statistics