Fortifying the Future: Cyber-Kinetic Risks in Kingdom of Saudi Arabia’s (KSA) Technological Zeitgeist
It’s a good time to be in construction, especially if you happen to operate in Saudi Arabia. Even in the context of a generally positive global outlook for the sector, KSA stands out as an epicenter of civil, commercial and infrastructural investment. Driven by massive upgrades to the nation’s capital and giga-projects like NEOM, Qiddiya, and the Red Sea development, the Kingdom’s ambitious Vision 2030 is setting the stage for an unprecedented construction boom.
In Riyadh alone, the government hopes to invest up to US$1 trillion in the development of residential and commercial real estate, partly in preparation for its bid to host the 2030 World Expo. That event could draw up to 30 million visitors – almost equivalent to the population of KSA itself. A further US$687bn worth of major projects are underway in western Saudi Arabia.
All this building and development is not only transforming the physical landscape of the country, it’s reshaping the techno-social landscape too. In NEOM, for example, a quest for more efficient and sustainable social and business ecosystems translates into heavy reliance on AI and robotics for predictive intelligence and decision-making. Many have written this US$500 billion enterprise off as a fantasy, but the project has already seen more than 45% of construction delivered. Even detractors are finding it difficult to deny that Vision 2030 is rapidly moving towards becoming Reality 2030.
Core to this evolution is an emphasis on integrating digital technologies, such as AI, the Internet of Things (IoT), and smart city solutions, into everyday life. Digital transformation also underpins a strategic approach to sustainability: the government intends to boost renewable energy capacity from 4.9GW in 2021 to 27.3GW by 2023 and 58.7GW by 2030. A flagship example of this focus is the Red Sea project, which aims to set new standards for eco-tourism with its smart resort management processes and progressive environmental management.
These initiatives are not just about building new cities or lifestyle centers; they’re about reimagining what human living can look like in an emerging digital future. As a result, there’s a significant uptick in IT spending, with investments aimed at supporting the development and implementation of cutting-edge solutions across these giga-projects. By 2027, IT spending is expected to reach US$663.3 million, an almost 50% increase from 2023. But these are not only plans for the future – high-tech solutions are already driving construction projects today, with drones, automated vehicles, AR/VR technology and digital twins actively involved in operations.
Like many, I find the rate and scale of this development thrilling, but it also comes with a bold warning label. The concomitant growth of physical domains and related digital solutions means we are seeing rapid expansion in a network of cyber-physical systems and, therefore, in cyber-kinetic risks: the threat of damage or disruption in the physical realm created by attacks in the digital one.
Accelerated by the rollout of 5G and amplified by AI, cyber-physical systems (CPS) security risks are on the rise globally. But in KSA it is an elevated concern. The kingdom is one of the world’s most targeted nations for cyber attacks; with the economic and strategic significance of its resources and geographic location, it is an attractive target for cybercriminals and state-sponsored actors alike. It ranked sixth globally between 2016 and 2018 for cyber-attack prevalence and by 2019, the average cost per data breach in the Kingdom was 69% above the global average. A more specific cyber conflict with Iran is also ongoing.
Iran itself was on the receiving end of what is widely regarded as the world’s first digital weapon when, in 2010, Stuxnet targeted Iranian nuclear facilities and other centers, wreaking havoc on physical systems. Not long after, in 2012’s Shamoon virus attack – still one of the world’s biggest cyber attacks ever – Iranian agents were blamed for hacking 30,000 computers at Saudi Aramco in an attempt to compromise oil and gas production. Then, in 2016, a new strain of Shamoon was released, ostensibly also from Iran, targeting multiple organizations in Saudi Arabia. Iran’s cyber capability is constantly improving and as tensions in the Middle East continue to rise, the friction between Iran and KSA is unlikely to ease. Thinking back to 2021’s Colonial Pipeline ransomware attack – the largest cyberattack on an oil infrastructure target in the history of the United States – it’s not hard to imagine the fallout if a similar attack were to be successful in the Kingdom.
At the heart of KSA’s infrastructural revolution is the integration of cyber-physical systems (CPS) in everything from energy grids and transportation networks to healthcare systems and urban management. While these systems promise enhanced efficiency, sustainability, and citizen welfare, their reliance on digital technologies makes them susceptible to cyber attack. Such threats could range from disruptions in utility services to compromised safety in public spaces.
A case in point: NEOM exemplifies how advanced technologies can redefine living and governance but its very foundation on CPS and IoT devices also maps it as a potential hotspot for cyber-physical attacks. The interconnectedness required for its smart functionalities could be exploited to disrupt essential services or even endanger lives, highlighting the critical need for embedded cybersecurity measures from the outset.
But it’s not just NEOM or THE LINE or OXAGON – the push towards smart city projects across KSA widens the cyber-kinetic risk landscape. As urban infrastructures become more connected, the potential for cascading effects from cyber-kinetic attacks grows.
Understanding Cyber-Physical Systems and Cyber-Kinetic Risk
Cyber-physical systems (CPS) are all about integration. They use sensors to collect data from the physical world (like monitoring the temperature in a home), before processing that data through computational algorithms (deciding if it’s too hot or too cold), and then acting on the outcomes in the physical world (like automatically adjusting the thermostat). This constant loop of sense, analysis, and response makes CPS incredibly powerful. From smart home technologies, to driver-assist cars, to wearables that tell you when your heart rate is erratic, they have already made our private lives safer, easier and more efficient.
However, most CPS operate outside our field of awareness. Though out-of-sight, they are at the heart of the major public and commercial systems that regulate civil operations, and the production and supply of goods and services. Cyber-physical systems are the backbone of numerous modern conveniences and essential services, ranging from smart grid technologies to medical monitoring devices and industrial control systems (ICS). They are also fundamental to, or deeply integrated with, most emerging technological advancements, enabling innovations in healthcare, transportation, industry, energy production and management, and water management. They are embedded throughout our daily lives and society is increasingly dependent on them.
At a basic level, CPS such as a smart lawnmower, a home thermostat system or an agricultural irrigation system can read conditions in the surrounding environment and respond accordingly. In more advanced scenarios, like autonomous vehicles or smart grids, CPS can handle much more complex tasks, such as marshaling traffic safely or managing the distribution of electricity to optimize energy consumption across a city. They represent a merging of the physical world’s resources with the digital world’s intelligence, leading to smarter, more connected environments. But this incredible value is built on inherent vulnerability. By leveraging digital capabilities, physical systems are opened to a new type of adversarial command and control that never existed before.
Cyber-physical risk refers to the potential for harm or adverse effects resulting from any exploitation of vulnerabilities in cyber-physical systems, but usually when I use this term I am talking about a subset of cyber-physical risks, namely cyber-kinetic risks, or the potential for cyberattacks to cause physical damage or harm through these systems.
Unlike traditional cyber threats, which primarily target data theft, privacy breaches, or service disruptions, cyber-kinetic attacks aim to co-opt CPS into triggering destructive real-world consequences impacting lives, well-being, or the environment. These could range from the manipulation of industrial machinery to cause accidents, the disruption of critical infrastructure like power grids resulting in widespread blackouts, or the compromise of medical devices leading to patient harm. The scale of cyber-kinetic risks covers the macro (geo-political or national systems), down to the individual, and everything in-between.
We should pay special attention to cyber-kinetic risks, as their consequences are much more severe than those of a “traditional” data breach. Addressing these risks requires a much wider range of knowledge, including safety and engineering, and involves a broader array of stakeholders compared to “traditional” cybersecurity efforts.
Cyber-kinetic damage does not necessarily result from malicious actions – it can be caused by malfunction or be collateral damage from untargeted attacks too – but targeted attacks are on the rise globally. A review of key cyber-physical attacks, incidents & research shows targeted attacks go back a long time. (I stopped tracking them in 2017 due to the huge growth in volume of such incidents since.)
Since then, thousands of cyber-physical events have been recorded, with some researchers claiming to be able to link more than 1,000 deaths to failures and vulnerabilities in CPS. There could have been many more, though. In 1998, a 12-year-old boy hacked into the computer system running Arizona’s Roosevelt Dam and gained full control of the floodgates that were holding back 489 trillion gallons of water – enough to cover the downstream city of Phoenix to a depth of five feet. A 2014 attack on a German steel mill caused massive infrastructural damage and highlighted the vulnerability of industrial control systems (ICS). In 2015 in Ukraine, the first publicly acknowledged digital attack on a power grid caused power outages for hundreds of thousands by remotely accessing and controlling electrical substations. In 2017, in KSA, the Triton malware attack targeted safety instrumented system (SIS) controllers that managed the safety systems at a petrochemical plant, potentially allowing unsafe conditions to go undetected. This was particularly chilling as the SIS controllers that were targeted are commonly found at critical infrastructure sites – disabling them could be catastrophic for national transport systems, chemical plants, power production facilities, major factories and more.
The evolution of CPS, and therefore cyber-physical risk, has been driven by advancements in technology, but the recent expansion of 5G networks and explosion of AI has accelerated this growth. 5G enhances CPS by offering faster data transmission speeds, lower latency, and the ability to connect a massive number of devices simultaneously. This facilitates more efficient and responsive control of physical systems but it also broadens the attack surface for potential cyber-kinetic threats. The enhanced connectivity and speed of 5G networks can, paradoxically, enable cyber-attacks to be executed with unprecedented precision and scale, making the potential physical impacts more severe.
Artificial intelligence adds another layer of complexity to cyber-physical security. While AI can improve the efficiency and autonomy of cyber-physical systems through predictive maintenance, real-time decision-making, and anomaly detection, it also introduces novel vulnerabilities. Malicious actors can exploit these AI systems, manipulating data or algorithms to cause unintended or harmful actions. The dynamic and often opaque nature of AI systems can make such vulnerabilities even more challenging to predict and mitigate. With 2024 already being declared the “year of AI robots”, this category of risks deserves careful consideration.
5G and AI: high reward, elevated risk
KSA has ambitious plans for a technology-driven societal renaissance: national elevation on the world stage, redefinition of social and professional ways of being, recoding of the relationship between humankind and the environment. Appropriately, the technology required to deliver these goals did not exist when Vision 2030 was first announced back in 2016. 5G, the network capability that will be instrumental in delivering on the promises of Crown Prince Mohammed bin Salman’s grand plan, was only rolled out commercially for the first time about three years later. The growth trajectory since then has been dramatic, though.
It took 5G a year less than 4G to reach 1 billion subscriptions globally. By 2025, 5G networks are likely to cover one third of the world’s population – in Saudi Arabia that proportion is already in sight. Despite not being the first MEA country to roll out commercial 5G, KSA already has the largest number of 5G subscribers – more than twice as many as South Africa, the country in second place. By the end of 2022 – just three years after 5G was launched in the kingdom – a quarter of the population was using a 5G network.
That is an admirable implementation rate, but if Vision 2030 is to be achieved, rapid 5G expansion will need to continue. It is the only existing network configuration that can meet the scale, complexity and sheer number of use cases that need to be satisfied in the realization of the Kingdom’s giga-projects and urban renewal. KSA has embraced this fact, in the same way it has identified AI as a core catalyst of future development. Individually, these technologies have tremendous power. Together, they open up previously unseen, perhaps even unimagined, possibilities. But it’s not all good news.
Enhanced connectivity and expanded attack surfaces
While 5G’s core attributes – its ability to connect more devices over larger areas with faster data transmission rates – are beneficial, they also increase the complexity and expand the attack surfaces of CPS. With its software-based network architecture, 5G increases the number of hackable entry points for cyberattacks, enabling adversaries to exploit new vulnerabilities that do not exist in legacy networks.
The attack surface is also widened by the integration of AI in CPS and the proliferation of IoT devices on 5G networks. AI algorithms, designed to optimize and control CPS operations, can themselves become targets of manipulation, leading to adverse outcomes in the physical systems they manage.
Similarly, the exponential increase in IoT devices connected via 5G networks creates numerous points of vulnerability that can be exploited to orchestrate large-scale cyber-kinetic attacks. This has always been a concern in models of smart cities, but as KSA moves at high speed towards building ubiquitous smart environments, concern becomes real-world danger.
Reduced latency and increased speed of cyber-kinetic attacks
One of 5G’s most celebrated qualities is its dramatically reduced latency, but while this enables real-time data analysis and decision-making, it also means that cyber-kinetic attacks can be executed with unprecedented speed. The network’s astonishingly quick response time (0.001 seconds) limits the window for detecting and mitigating attacks before they can cause physical damage, presenting a challenge to existing cybersecurity frameworks that may not be equipped to respond swiftly enough to 5G-enabled threats. One solution to this problem is increased use of AI in cybersecurity, though this is not a magic bullet.
Potential cyber-kinetic threats associated with AI-driven CPS
AI’s role in cybersecurity is paradoxical. On one hand, it augments cybersecurity measures by identifying and responding to threats with a speed and precision unattainable by human operators. On the other, it introduces new vulnerabilities through its very operation. AI models can be deceived; the vast data sets used by machine learning to make decisions can be manipulated and poisoned. Increasingly sophisticated adversarial attacks deliver inputs designed to misdirect AI models, potentially leading to harmful AI decisions that cause physical damage or endanger lives without any overt breach of traditional cybersecurity defenses.
The complexity of AI algorithms also contributes to these dangers. The “black box” nature of many AI systems means that understanding exactly how decisions are made can be challenging, complicating efforts to secure these systems against attacks. This opacity can hinder the detection of malicious manipulations until after they have caused significant harm.
Mitigating the cyber-kinetic risks associated with AI-driven CPS requires a multifaceted approach. First, there is a need for robust AI security measures, including techniques to detect and defend against adversarial attacks and data poisoning. Ensuring the transparency and explainability of AI decision-making processes is also crucial, as it enhances the ability to audit and verify AI-driven actions within CPS.
Second, developing AI systems with an inherent understanding of their physical context could help mitigate risks. By embedding safety and security constraints directly into AI models, it may be possible to limit the scope of actions AI can take if they are compromised, though I am not convinced we can win this particular battle.
Finally, collaboration between AI and cybersecurity researchers, along with cross-disciplinary efforts, will be vital in developing these solutions. Regulatory frameworks must also evolve to address the unique challenges posed by AI-driven CPS, ensuring that safety and security considerations are integrated from the design phase through to deployment and operation.
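The second mitigation above, limiting what a compromised AI can do to the physical process, is commonly approximated by a check that sits outside the model rather than inside it. The following is an added example, not part of the original article: an independent envelope that bounds, rate-limits and plausibility-checks every setpoint an untrusted AI controller proposes, and records each intervention for the security team. The class, the valve scenario and all numeric limits are constructed assumptions.

```python
import math
from dataclasses import dataclass, field


@dataclass
class Envelope:
    """Hard limits enforced outside the AI model (all values are assumptions)."""
    lo: float          # lowest setpoint the actuator may receive
    hi: float          # highest setpoint the actuator may receive
    max_step: float    # largest setpoint change allowed per control cycle
    sensor_lo: float   # plausible sensor range; readings outside it are
    sensor_hi: float   # treated as faulty or spoofed input
    safe: float        # fail-safe setpoint
    last: float = None
    alerts: list = field(default_factory=list)

    def filter(self, cycle, sensor, proposed):
        """Return the setpoint actually sent to the actuator for this cycle."""
        if self.last is None:
            self.last = self.safe
        plausible = math.isfinite(sensor) and self.sensor_lo <= sensor <= self.sensor_hi
        if not plausible:
            # The model's decision rests on bad input: ignore it and fail safe.
            applied, reason = self.safe, "implausible sensor reading"
        elif not math.isfinite(proposed):
            applied, reason = self.safe, "non-finite command"
        else:
            # Absolute bounds first, then limit how fast the actuator may move.
            bounded = min(max(proposed, self.lo), self.hi)
            step = min(max(bounded - self.last, -self.max_step), self.max_step)
            applied = self.last + step
            reason = None if applied == proposed else "command outside envelope"
        if reason:
            # Every override is a detection signal, not just a correction.
            self.alerts.append((cycle, reason, proposed, applied))
        self.last = applied
        return applied


def run(envelope, cycles):
    """Feed (sensor, proposed_setpoint) pairs through the envelope in order."""
    return [envelope.filter(i, s, p) for i, (s, p) in enumerate(cycles, start=1)]


# Constructed sample: valve opening (%) proposed by a model from a pressure reading.
CYCLES = [
    (60.0, 25.0),          # normal command
    (62.0, 100.0),         # far above the allowed maximum
    (61.0, 40.0),          # normal command
    (float("nan"), 45.0),  # sensor feed lost or tampered with
    (63.0, -5.0),          # below the allowed minimum
]


def demo():
    env = Envelope(lo=0.0, hi=80.0, max_step=10.0,
                   sensor_lo=0.0, sensor_hi=150.0, safe=20.0)
    return run(env, CYCLES), env.alerts


if __name__ == "__main__":
    applied, alerts = demo()
    print(applied)
    for alert in alerts:
        print(alert)
```

The envelope cannot tell a manipulated model from a faulty one; it only guarantees that neither can push the actuator outside the stated limits, and the alert list gives operators a record of each time the model tried.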
Keeping KSA CPS safe
To fortify its cyber-kinetic defenses in line with growing digital transformation and infrastructural expansions, Saudi Arabia must adopt a multi-layered approach that encompasses regulation, technology, and human capital. To this end, the Kingdom has already embarked on a comprehensive strategy to fortify its cybersecurity posture in the 5G/AI era.
The country established the National Cybersecurity Authority (NCA) to oversee and enhance the protection of its ICT infrastructure. This authority is responsible for setting cybersecurity standards, ensuring compliance, and facilitating coordination among various sectors to bolster the nation’s cyber defenses.
In the financial domain, the Saudi Arabian Monetary Authority (SAMA) introduced a cybersecurity framework aimed at safeguarding the financial services industry from cyber threats, including those that could have physical impact. The Kingdom has also enacted stringent cybersecurity laws that impose severe penalties for cybercrimes.
Understanding the global nature of cyber threats, KSA has engaged in international collaborations, participating in global forums, sharing threat intelligence, and adopting best practices from around the world to strengthen its cybersecurity posture. The country has also made significant investments in cutting-edge cybersecurity technologies designed to detect, prevent, and respond to cyber-kinetic threats, particularly those targeting critical infrastructure.
And, recognizing the importance of a well-informed public and workforce, Saudi Arabia has launched extensive training and awareness programs. These initiatives aim to educate government employees, the private sector, and the general public about the risks associated with cyber attacks and the importance of adhering to cybersecurity best practices.
Finally, to specifically protect critical infrastructure from potential cyber-kinetic attacks, Saudi Arabia has developed targeted strategies and frameworks. These include advanced surveillance and monitoring systems, along with robust incident response capabilities, ensuring that sectors such as energy, water, and transportation remain secure.
KSA’s focus on updating and refining its cybersecurity strategies is vital in addressing the ever-evolving nature of cyber threats, but ongoing vigilance, adaptation, and international collaboration are needed. As the country continues to navigate its ambitious path towards a digitally-enabled future, the balancing act between leveraging technological advancements and mitigating cyber-physical risk remains a crucial challenge.
For 30+ years, I've been committed to protecting people, businesses, and the environment from the physical harm caused by cyber-kinetic threats, blending cybersecurity strategies and resilience and safety measures. Lately, my worries have grown due to the rapid, complex advancements in Artificial Intelligence (AI). Having observed AI's progression for two decades and penned a book on its future, I see it as a unique and escalating threat, especially when applied to military systems, disinformation, or integrated into critical infrastructure like 5G networks or smart grids.