Nozomi Networks and the SANS Institute released a survey showing that companies are investing more in industrial control system (ICS) cybersecurity to keep pace with an increasingly elaborate threat landscape.
The 2021 SANS ICS/OT survey received 480 responses, with 47% reporting that their ICS security budgets had increased over the past two years. Another 32% said there had been no change.
Nearly half of respondents said they did not know if their organizations had suffered from a cybersecurity incident while just 15% admitted that they had one in the last 12 months.
Of those who said they had dealt with a cybersecurity incident, more than half were able to detect the compromise within 6 to 24 hours, and 30% detected it in under six hours.
Almost 20% named the engineering workstation as an initial infection vector. About half cited "external connections" as the dominant initial access vector, while 36% cited remote access services.
Nearly 70% of respondents rated the risk to their environment as high or severe, a significant increase from the 51% seen in 2019. More than half cited ransomware, cybercrime and nation-state attacks as the top threats, and 31% said unprotected devices were also a major concern.
On the positive side, about 70% of respondents said they have some form of monitoring program in place for OT security, and nearly 76% said they had conducted a security audit of their OT/control systems or networks in the past year.
Nearly 30% have put a continual assessment program in place, and 50% of respondents said they use a vendor-provided ICS-specific threat intelligence feed.
The cloud is also playing a bigger role in OT environments, with 40% of respondents saying they use some form of cloud-based services for OT/ICS systems. More than 90% of those use cloud technology for remote monitoring, configuration and analysis, OT support, and remote control/logic.
Every respondent using cloud technology said they use it for at least one kind of cybersecurity function.
Mark Bristow, cyber defense coordination branch chief at CISA and SANS Institute Certified Instructor, authored the report and told ZDNet that three things stood out to him: the level of adoption of cloud technologies for operational outcomes, the lack of incident visibility and the number of incidents involving engineering workstations.
“Two years ago, cloud adoption was not being seriously discussed and now 49% are using it. The implication of engineering workstations in so many incidents is highly concerning. These devices are what are needed to develop predictable repeatable effects operations against control systems and the targeting and successful exploitation of these systems indicates significant current and future risk,” Bristow said.
“It’s great that we now have monitoring programs in place, but we are still mostly looking at the IT aspects of our OT environments. We need to be correlating our IT and OT security telemetry as well as process data to truly understand potential impacts to safety and operations. Focus on fundamentals. Too many respondents do not have a formal program for asset identification and inventory. Without this foundational step, further security investments may be invalid or misplaced. Ransomware is a huge risk, but it’s not one that is specifically targeting ICS. A malicious actor who is specifically targeting your ICS environment will not be as blunt or noisy as ransomware is, and we are struggling to defend against ransomware.”
Bristow added that he was encouraged to see that some respondents are using continuous patching of the OT environment.
“A few years ago, this was considered impossible and seeing implementation is really encouraging,” Bristow noted.
Nozomi Networks technology evangelist Chris Grove, who worked on the report with Bristow, echoed many of his co-author's assessments, touting industry acceptance of cloud-based services.
Grove told ZDNet that he believes ICS organizations will continue to adopt cloud technologies and that adoption of cloud-based security solutions will grow significantly over the next few years.
But he noted how alarming it is to see that detection and response remain a significant issue for organizations.
“In almost all cases, increased visibility makes everything easier to manage. From having a detailed asset inventory, to monitoring network traffic patterns, to inspecting traffic for attacks or operational anomalies…visibility is a crucial component of successfully defending operations,” Grove said.
“As part of a post-breach mindset, operators should consider the fact that eventually the attackers will breach the perimeter, and one should be prepared for that day. How do we limit the blast radius of the attack? How do we hold them at bay, and subsequently eradicate them from the system? How do we carefully maintain, safely shut down, or restore operations potentially affected by the breach? These are tough questions to be asked before that day comes.”