This blog is the first in a two-part series reviewing the top insights from the recent SANS report, “The State of ICS/OT Cybersecurity in 2022 and Beyond.” Read the full report here.
The world of operational technologies (OT), where cyber and physical systems meet, is an increasingly tantalizing target for cybercriminals. Multiple major cyberattacks in recent years have focused on critical infrastructures and industrial systems, the most high profile being the 2021 ransomware attack on the Colonial Pipeline. But they were hardly alone; a 2022 Sophos report found that 55% of manufacturing and production organizations were impacted by a ransomware attack in 2021.
Capturing the latest trends and offering essential insights into the world of OT/ICS cybersecurity is a new report produced by the SANS Institute and sponsored by Cyolo, “The State of ICS/OT Cybersecurity in 2022 and Beyond.” The report collates and analyzes responses from 332 individuals working in operations, management, and cybersecurity within industrial settings across the world. It covers 63 core industry sub-sectors within the energy, chemical, nuclear, water, and critical manufacturing sectors.
We will split our examination of the report’s findings into two posts:
Part 1: People and challenges
Part 2: Attacks, vectors, budget, and security measures
The SANS report begins by establishing how IT security differs from the needs of an ICS/OT environment. One of the most important differences between the two environments is that IT deals exclusively with the digital, whereas OT systems live at the juncture of digital and physical. Put simply, where traditional IT considers data at rest or in transit, in an ICS/OT environment, data is used in real-time to control physical systems and machinery – to generate reactions and outputs. This creates considerations above and beyond the protection of digital data; the cyber-physical security measures focus on safety and must consider other important factors, including:
Prioritization of passive asset discovery
Passive threat detection
Low-bandwidth sites
Critical legacy devices
Proprietary engineering
Non-traditional endpoint operating systems
Engineering hardware working in field conditions
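As an added illustration of the first two items above (passive asset discovery and passive threat detection), here is a small Python example, not from the SANS report or from Cyolo, that builds an asset inventory and raises alerts purely from already-captured Modbus/TCP flow records, never sending a packet to the control network. The record layout (loosely modelled on Zeek's modbus.log fields), the sample records, the IP addresses and the authorized-writer allowlist are all constructed assumptions for the example.

```python
"""Passive Modbus/TCP asset inventory and write-command detection.

Added example, not the SANS report's or Cyolo's code. The flow records below
are CONSTRUCTED, loosely modelled on Zeek's modbus.log (timestamp, source,
destination, Modbus function code). Nothing here transmits on the network:
inventory and alerts are derived only from observed traffic, which is what
"passive" discovery and detection mean in an OT context where an active scan
can knock over a legacy controller.
"""
from dataclasses import dataclass, field

MODBUS_PORT = 502

# Public function codes from the Modbus Application Protocol specification.
FUNC_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Read Device Identification",
}
WRITE_FUNCS = {5, 6, 15, 16}

# Constructed sample records: "ts src_ip src_port dst_ip dst_port func"
SAMPLE_RECORDS = """\
1700000001.10 10.10.1.20 50210 10.10.5.11 502 3
1700000002.15 10.10.1.20 50210 10.10.5.11 502 3
1700000003.20 10.10.1.20 50211 10.10.5.12 502 4
1700000004.30 10.10.1.21 49822 10.10.5.11 502 16
1700000005.40 10.10.1.20 50212 10.10.5.12 502 3
1700000006.55 10.10.9.77 40001 10.10.5.11 502 6
1700000007.60 10.10.9.77 40002 10.10.5.12 502 8
"""

# Assumed site policy: only this engineering workstation may write to PLCs.
AUTHORIZED_WRITERS = {"10.10.1.21"}


@dataclass
class Asset:
    ip: str
    role: str                      # "server" (PLC/RTU) or "client" (HMI/EWS/...)
    funcs: set = field(default_factory=set)
    peers: set = field(default_factory=set)
    first_seen: float = 0.0
    last_seen: float = 0.0


def parse_records(text):
    """Parse the constructed flow records; blank or malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, sip, sport, dip, dport, func = parts
        out.append({"ts": float(ts), "src": sip, "sport": int(sport),
                    "dst": dip, "dport": int(dport), "func": int(func)})
    return out


def build_inventory(records):
    """Passive asset discovery: a host answering on TCP/502 is a Modbus server
    (typically a PLC or RTU); a host talking to it is a client. Record the
    function codes each device is seen using and which peers it talks to."""
    assets = {}
    for r in records:
        if r["dport"] != MODBUS_PORT:
            continue
        srv = assets.setdefault(r["dst"], Asset(r["dst"], "server", first_seen=r["ts"]))
        cli = assets.setdefault(r["src"], Asset(r["src"], "client", first_seen=r["ts"]))
        srv.funcs.add(r["func"]); srv.peers.add(r["src"]); srv.last_seen = r["ts"]
        cli.funcs.add(r["func"]); cli.peers.add(r["dst"]); cli.last_seen = r["ts"]
    return assets


def detect_unexpected_writes(records, authorized_writers):
    """Passive detection: flag write or diagnostic requests from any client not
    on the authorized-writer allowlist. This only produces alerts for an
    analyst; it never drops or blocks traffic, because an inline false positive
    in an OT network can halt a physical process."""
    alerts = []
    for r in records:
        if r["dport"] != MODBUS_PORT:
            continue
        risky = r["func"] in WRITE_FUNCS or r["func"] == 8
        if risky and r["src"] not in authorized_writers:
            alerts.append({"ts": r["ts"], "src": r["src"], "dst": r["dst"],
                           "func": r["func"],
                           "name": FUNC_NAMES.get(r["func"], "unknown")})
    return alerts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for a in sorted(build_inventory(recs).values(), key=lambda a: (a.role, a.ip)):
        print(f"{a.role:6} {a.ip:12} funcs={sorted(a.funcs)} peers={sorted(a.peers)}")
    for al in detect_unexpected_writes(recs, AUTHORIZED_WRITERS):
        print(f"ALERT {al['src']} -> {al['dst']} {al['name']} (fc {al['func']})")
```

Run against the constructed sample, the inventory identifies two servers and three clients, and the detector flags only the unknown host 10.10.9.77 (a Write Single Register and a Diagnostics request); the write from the allowlisted workstation passes silently. Feeding real Zeek or sensor output into the same logic requires only adapting the parser, and the allowlist belongs in site configuration rather than in code.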
A strong thread throughout the report is the convergence of security and safety: the culture of safety should be connected to the culture of security within an ICS environment. In the sectors affected by ICS/OT cybersecurity issues, an incident can be devastating to human life, not just to systems and processes.
“There is an opportunity here to recall, leverage, and tie in the strong physical safety culture shared across many engineering sectors to keep employees and people safe, and then to remind ourselves that cybersecurity incidents (targeted or otherwise) can directly impact the safety of people and the environment.”
These extraordinary factors should form the basis for more appropriate cybersecurity measures for ICS/OT.
At the cutting edge of ICS/OT security are people and their experience working within an OT environment and maintaining its safety. Below are some data points about the people who work in ICS/OT cybersecurity:
Threat levels: Almost two-thirds (63%) of SANS survey respondents believe that the threats towards ICS are either high or critical.
Convergence of responsibilities: Cyber-threats are systemic across an organization, and responsibility for mitigating and responding to them is shared with operations; 80% of respondents hold roles related to ICS operations.
Skillset: ICS qualifications are at a premium. The report suggests that employees are looking for certification in ICS security.
Industry investment in security qualifications: In 2021, 54% of respondents held control system security qualifications. However, this jumped to 80% in 2022, revealing a significant investment in certifications.
In industries where control systems reign, operations, engineering, and business operations are inexorably connected. As the report puts it, “ICS/OT IS the Business.”
The top business concerns highlight the intrinsic link between control systems technologies and business outcomes:
Ensuring reliability and availability of control systems (53.6%)
Lowering risk/improving security (39.9%)
Preventing damage to systems (30.4%)
Preventing information leakage (29.1%)
Meeting regulatory compliance (22.9%)
One of the most critical and challenging aspects of securing control systems and associated processes is the continued use of legacy ICS/OT technologies. Lack of legacy support is not an uncommon challenge in traditional IT either; however, IT security systems are not designed to interoperate with control systems technologies. The report stresses the very real potential for disruption that this challenge creates.
When asked, “What are the biggest challenges your organization faces in securing OT technologies and processes?” respondents’ top answers included:
The disruption caused by implementing traditional IT security measures in an OT environment.
A need for a greater understanding of the issues of OT disruption by IT staff.
A need for more skills and staff to implement security measures.
These challenges stem from the environmental factors that make operational technologies unique. The report highlights the importance of not using a ‘copy/paste’ approach to securing ICS/OT. Security measures that are not tailored to the environment can have severe outcomes, including safety issues; poorly thought-through measures can also cause operational problems, interruptions in manufacturing, and false-positive alerts that shut down engineering operations.
Considering the differing challenges of traditional IT and ICS/OT, SANS suggests using the people, process, and technology (PPT) approach. The PPT framework is a respected way of balancing the needs of cybersecurity:
People: Support for ICS training
Process: ICS security supports safety
Technology: Vendors and measures must have demonstrable capability for securing OT
We continue our examination of “The State of ICS/OT Cybersecurity in 2022 and Beyond” report in this follow-up blog. We also invite you to read the full SANS Report on OT/ICS Cybersecurity.
Author
Kevin Kumpf has more than 20 years of IT security and compliance experience, including over 10 years of cybersecurity, governance and critical infrastructure experience working in the energy, medical, manufacturing, transportation and FedRAMP realms. Kevin’s past roles include Director of OT Security (N.A.) for Iberdrola, where he oversaw the security and regulatory compliance of multiple OpCos, and Principal Security and Regulatory Lead for interactions with the NY and NE ISOs, NERC, ISACs as well as state and federal entities. He has also worked internally and as a vendor/consultant at multiple healthcare and manufacturing entities to mitigate the threats they faced from ransomware, insider threats and malware infestation. Today Kevin works as the OT Technical Lead at Cyolo.