The 2021 edition of the SANS OT/ICS Cybersecurity Report from Nozomi Networks confirms that threats to industrial operations are increasing in both number and severity, but also finds that organizational capabilities are stepping up to match them.
However, this readiness is not widespread, even though 91% of these companies are now using some sort of cloud technology in the OT environment. 48% of organizations surveyed say they are not sure they haven’t been breached, and about 25% have not performed a security audit in the past year. In addition, around 23% say they do not have an operational budget for technology security.
ICS cybersecurity monitoring improves overall, but threat detection gap widens
As the acronyms indicate, the ICS Semi-Annual Cyber Security Report provides insight into how organizations using industrial control systems and operational technology keep pace with the modern threat landscape.
This year’s report surveyed 480 companies that integrate ICS systems, across a wide variety of industries. This is a nearly 50% increase in the number of companies surveyed in the previous ICS Cyber Security Report (completed in 2019) and a 16% increase in respondents who hold an ICS security certification related to these systems.
The JBS and Colonial Pipeline incidents made it clear that ICS security must be a top concern for these organizations, but the survey indicates that awareness was already in place before these high-profile incidents. The business concern that climbed the most since 2019 was the need to secure connections between industrial equipment and external systems, rising six places. There has also been a substantial increase in concern about preventing information leaks and about creating and managing security policies and procedures.
However, improving awareness and security posture is far from universal. The survey found that over 23% of organizations do not have a security budget for industrial systems, up from just 9.9% in 2019. An additional 19.1% spend less than $100,000, also up compared to the 2019 ICS Cyber Security Report.
Another area of regression for some organizations is the connection between the Internet and industrial controls. 41.5% now report direct connectivity between the public Internet and these systems, compared to 11.5% in the 2019 ICS Cyber Security Report. Far fewer are isolated from the Internet: 8.2% today against 27.9% two years ago. There is a slight increase in the use of operational technology DMZs to protect OT systems connected to corporate networks, but the share of companies using DMZs to protect Internet-connected OT systems has gone from 43% to 23%. Security experts generally recommend DMZs as good practice whenever industrial systems need to be connected to the Internet.
15% of those surveyed said they had experienced an OT systems breach in the past year. Of those who had not, only 12% were fully convinced that they had not been infiltrated during this period (24% chose not to disclose due to company policy). 38.7% said they were not aware of a breach but could not be sure. About 3% suspected one but had no proof, and 2.5% said they had no telemetry to assess.
Figures provided in the current ICS cybersecurity report also indicate that attacks on industrial systems that cause operational disruption are underreported. 90% of survey respondents who reported a breach said it had some impact on the operational process of the affected system. 18.4% also said the breach involved the engineering workstation, an item rarely included in the analysis of system breaches. The most common initial attack vectors were external remote services (36.7%), public-facing applications (32.7%), and Internet-accessible network-connected devices (28.6%).
The biggest challenges and concerns in ICS cybersecurity
Organizations were also asked about the biggest challenges they face in securing their industrial and OT systems. The main concern, expressed by 59.4% of respondents, is that legacy and aging OT technology is difficult to integrate with modern systems. 56% have a workforce problem and 52% say IT staff are not familiar enough with these systems. 39.6% believe that their environment is too complex for traditional IT security technologies. Organizations rely heavily on external providers to respond when a breach or infection is detected: 48% make their first call to a cybersecurity solutions provider, 40% to an IT consultant and 32% to a control system vendor. Only 44% said internal IT resources were seen as the first line of defense.
In terms of areas of concern, ransomware is unsurprisingly the leader of the pack. However, a growing number of companies are also concerned about becoming the target of advanced nation-state hacking teams, and they also express relatively high levels of concern about network-connected Internet of Things (IoT) smart devices.
Chris Grove (Technology Evangelist for Nozomi Networks) expressed surprise at the move to cloud-based services (a positive development) but also at the general lack of preparedness of so many companies. He recommended that the primary concern, ransomware, be addressed through a combination of a systematic cybersecurity risk assessment, tabletop exercises, and a consequence reduction policy that creates a system of internal barriers to limit damage after the initial penetration.
He also doesn’t view the relative lack of internal IT resources and security professionals to deal with incidents as a concern: “One thing I’ve been delighted to see is that most ICS security assessments are done by the people most qualified to do them. ¾ of the people questioned either use their internal IT or OT teams, or have hired an external consulting firm specializing in OT security. Another good finding from the report is that almost 90% of respondents completed a cybersecurity assessment during the purchasing process for the products they were interested in. This will help improve the quality in the market, as suppliers will be stuck if they manufacture products with cybersecurity issues.”
Report author Mark Bristow pointed out some particular highlights of the data: “I found three things particularly striking about the report results. 1) The level of adoption of cloud technologies for operational results was striking. Two years ago the adoption of the cloud was not seriously discussed and now 49% are using it. 2) Visibility and confidence of incidents is not high. 48% of respondents could not certify that they had not had an incident. Another 90% of these incidents had some level of operational impact. 3) 18% of incidents concerned the engineering workstation. This is a critical piece of equipment and the fact that it is involved in so many incidents is disturbing.”
Bristow suggested that organizations with industrial operations should focus on correlating IT and OT security telemetry and data processing, and on establishing formal asset identification and inventory programs, as first steps.