The 2021 edition of the SANS OT/ICS Cybersecurity Report from Nozomi Networks confirms that threats to industrial operations are rising in both number and severity, but it also finds that organizational capability is scaling up to match them.
However, this state of preparation is not an across-the-board increase, even as 91% of these companies now use some sort of cloud technology in the OT environment. 48% of responding organizations say that they cannot be sure that they have not been breached, and about 25% have not conducted a security audit in the past year. Additionally, about 23% say they have no operational technology security budget.
ICS cybersecurity monitoring up overall, but threat detection divide widens
As the acronyms imply, the biennial ICS cybersecurity report provides insight into how organizations that make use of industrial control systems and operational technology are keeping pace with the modern threat landscape.
This year’s report surveyed 480 companies that incorporate ICS systems, across a wide variety of industries. This was a nearly 50% increase in companies surveyed over the prior ICS cybersecurity report (conducted in 2019) and a 16% increase in respondents that hold a security certification related to these systems.
The JBS and Colonial Pipeline incidents made clear that ICS security needs to be a priority concern for these organizations, but the survey indicates that awareness was up even prior to these high-profile incidents. The business concern that moved up the list the most from 2019 was the need to secure connections between industrial equipment and external systems, shooting up six spots. There were also substantial increases in concern about preventing information leakage and creating/managing security policies and procedures.
Awareness and security posture improvement are far from universal, however. The survey found that over 23% of organizations do not have a security budget for industrial systems, up from only 9.9% in 2019. An additional 19.1% are spending less than $100,000, also up from 2019’s ICS cybersecurity report.
Another area of backsliding for some organizations is in the connection between the internet and industrial controls. 41.5% now report direct connectivity between the public internet and these systems, up from 11.5% in the 2019 ICS cybersecurity report. Far fewer are isolated from the internet; 8.2% today as opposed to 27.9% two years ago. There is a small increase in the use of operational technology DMZ systems to protect those connected to corporate networks, but the number of companies using DMZs to protect OT systems from the internet dropped from 43% to 23%. DMZs are generally recommended by security experts as a best practice when industrial systems must be connected to the internet.
15% of the respondents said that they had experienced a breach involving the OT systems in the past year. Of those that had not, only 12% were fully confident they had not been infiltrated in that time (24% opted not to disclose due to company policy). 38.7% said they were unaware of a breach but could not be certain. About 3% suspected one but did not have proof, and 2.5% said they did not have telemetry to assess.
The numbers provided in the current ICS cybersecurity report also indicate that attacks on industrial systems that lead to operational disruptions are being underreported. 90% of the survey respondents that reported a breach said that it had some level of impact on that system’s process. 18.4% also said that the breach leveraged the engineering workstation, an element that is rarely included in the analysis of system breaches. The most common initial attack vectors were external remote services (36.7%), public-facing applications (32.7%) and internet-accessible network-connected devices (28.6%).
Biggest challenges and concerns over ICS cybersecurity
Organizations were also asked about the biggest challenges they face in securing their industrial and OT systems. The leading concern, expressed by 59.4% of respondents, is that legacy and aging OT technology is difficult to integrate with modern systems. 56% have a labor issue, and 52% say that IT staff is not familiar enough with these systems. 39.6% feel that their environment is too complex for typical IT security technologies. Organizations are largely relying on outside providers for response when a breach or infection is detected; 48% make their first call to a cybersecurity solution provider, 40% to an IT consultant and 32% to a control system vendor. Only 44% said that internal IT resources were considered the first line of defense.
In terms of the areas of concern, ransomware is the unsurprising leader of the pack. An increasing number of companies are also now worried about becoming the target of advanced nation-state hacking teams, however, and they are also expressing relatively high levels of concern about Internet of Things (IoT) smart devices that are connected to the network.
Chris Grove (Technology Evangelist for Nozomi Networks) expressed surprise at the move to cloud-based services (a positive development) but also the general lack of preparedness by so many companies. He recommended that the leading concern of ransomware be addressed with a combination of a systematic assessment of cybersecurity risks, tabletop exercises, and a consequence reduction policy that creates a system of internal barriers to limit damage after an initial penetration.
He also does not see the relative lack of internal IT resources and security practitioners to deal with incident response as much of a concern: “One item I was pleased to see is most ICS security assessments are being done by those most qualified to do them. ¾ of the respondents either use their internal IT or OT teams or hired a specialized outside OT security consultancy. Another good finding in the report is that almost 90% of respondents did cybersecurity evaluation during the procurement process for products they were interested in. This will help drive quality in the marketplace up, as vendors will get locked out if they produce products with cybersecurity issues.”
The report author Mark Bristow pointed to some particular highlights from the data: “I found three things particularly striking in the report results. 1) The level of adoption of cloud technologies for operational outcomes was striking. Two years ago, cloud adoption was not being seriously discussed and now 49% are using it. 2) Incident visibility and confidence is not high. 48% of respondents could not attest that they didn’t have an incident. A further 90% of these incidents had some level of operational impact. 3) 18% of incidents involved the engineering workstation. This is a critical piece of equipment and having this involved in so many incidents is troubling.”
Bristow suggested that organizations with industrial operations should focus on correlating IT and OT security telemetry and data processing, and establishing formal asset identification and inventory programs as first steps.