In the ongoing fight against cyber threats and global hackers, one of the newest risk frontiers involves the industrial control systems (ICS) of public utilities, manufacturing plants, and other entities comprising the nation’s critical infrastructure. With that in mind, Tripwire, a global provider of security and compliance solutions for large industrial organizations, recently surveyed more than 263 ICS security professionals to get a current read on the state of ICS security. The results were extremely sobering, with 93% of cybersecurity professionals saying that they were concerned about potential cyber attacks shutting down operations or leading to customer-impacting downtime.
The need for greater investment in ICS security
The ICS cybersecurity professionals surveyed as part of the Tripwire study also made abundantly clear that their organizations – which included a mix of energy, manufacturing, chemical, nuclear, water and transportation facilities – were not doing enough to prevent future cyber attacks from taking place. While more than three-quarters (77%) of these organizations have made ICS security investments over the past two years, the level of ICS security investment is simply not keeping up with the pace and scope of new threats on the horizon.
For that reason, nearly one-half of those cybersecurity professionals feel that current investments are not enough. In fact, 68% of those dissatisfied with the current level of ICS cybersecurity investments suggested that it would take a “significant attack” for their organizations to start spending more. And, somewhat alarmingly, it is precisely this type of significant attack that seems to be growing more likely with every passing month. Global hackers from rogue nations such as Iran and North Korea increasingly appear to be targeting U.S. industrial targets, which they perceive to be soft targets.
Cybersecurity professionals reveal weaknesses in ICS security systems
One major theme that emerged from the Tripwire survey of cybersecurity professionals was the lack of visibility into industrial control systems. For example, many of the nation’s largest industrial organizations simply have no idea what types of ICS assets they need to secure. Only 52% of cybersecurity professionals surveyed said that a majority (70% or more) of their assets were tracked in an asset inventory system. Without such tracking, of course, the likelihood of an attack against the weak links in an organization’s ICS security system increases.
And visibility was not the only problem cited by cybersecurity professionals. Another issue that came up was the lack of any baseline of normal behavior for operational technology (OT) devices and networks. In fact, nearly one-third (31%) of cybersecurity professionals surveyed said that they do not have a baseline of normal behavior for their OT systems. In layman’s terms, they don’t know what’s normal and what’s not normal, and therefore really can’t benchmark their overall activity and determine the requirements for securing OT. That makes it much more likely that rogue hackers could probe ICS security systems for weaknesses and not be detected for a long period of time.
Finally, the survey of cybersecurity professionals pointed out that 39% have not utilized log management solutions for OT devices. Without log management, it is also very difficult to monitor ICS assets for potential weaknesses and vulnerabilities, or to establish the unique needs and requirements of ICS assets.
The first step towards improved ICS security is greater visibility
According to Tripwire, the survey results lead to the following inevitable conclusion: ICS security professionals need to be doing more to secure the assets of their plants and utilities. And it all starts with greater visibility into the overall ICS security system. One big first step, suggests Tripwire, is at least passive monitoring of network traffic in order to spot abnormalities and aberrations. The next step would be establishing a baseline of overall network activity, accompanied by regular analysis of log data for possible early indicators of intrusions or attacks.
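The sequence Tripwire recommends above (passive monitoring, then a baseline of normal activity, then ongoing comparison of new records against it) maps onto a small, concrete workflow, and it also addresses the two gaps the survey called out earlier: the missing asset inventory and the missing baseline of normal OT behavior. The script below is an added example written for this page, not Tripwire's or Siemens' code. It builds an asset inventory and a conversation baseline from constructed flow records standing in for what a passive network tap would emit during a known-good learning window, then flags later flows that introduce a never-seen address, a new service between known hosts, or a new communication path. The log format, the field names and all addresses are assumptions; the port numbers are the well-known ports for Modbus/TCP (502), EtherNet/IP (44818) and S7comm (102).

```python
"""Passive network baseline for an OT segment (added example, constructed data).

Passively collected flow records are used first to build an asset inventory,
then a baseline of "normal" conversations (who talks to whom, on which port),
and later records are compared against that baseline to surface early
indicators worth an operator's attention. The log layout and all addresses
are assumptions made for this example.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

# Constructed flow records (timestamp, source, destination, dest port, protocol)
# from a learning window in which the plant is known to be operating normally.
LEARNING_WINDOW = """\
2024-03-01T08:00:01Z 10.10.1.5 10.10.1.20 502 tcp
2024-03-01T08:00:01Z 10.10.1.5 10.10.1.21 502 tcp
2024-03-01T08:00:02Z 10.10.1.5 10.10.1.22 502 tcp
2024-03-01T08:00:03Z 10.10.1.10 10.10.1.5 44818 tcp
2024-03-01T08:00:05Z 10.10.1.5 10.10.1.20 502 tcp
2024-03-01T08:00:07Z 10.10.1.30 10.10.1.5 102 tcp
"""

# Constructed records from a later observation window.
OBSERVED_WINDOW = """\
2024-03-02T14:12:01Z 10.10.1.5 10.10.1.20 502 tcp
2024-03-02T14:12:04Z 10.10.1.99 10.10.1.21 502 tcp
2024-03-02T14:12:06Z 10.10.1.10 10.10.1.21 502 tcp
2024-03-02T14:12:09Z 10.10.1.30 10.10.1.5 23 tcp
2024-03-02T14:12:11Z 10.10.1.5 10.10.1.22 502 tcp
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        try:
            flows.append(Flow(ts, src, dst, int(dport), proto.lower()))
        except ValueError:
            continue
    return flows


def build_inventory(flows):
    """Asset inventory: every address seen either talking or being talked to."""
    hosts = set()
    for f in flows:
        hosts.add(f.src)
        hosts.add(f.dst)
    return hosts


def build_baseline(flows):
    """Baseline of normal conversations as (src, dst, dport, proto) tuples."""
    return {(f.src, f.dst, f.dport, f.proto) for f in flows}


def detect_deviations(flows, inventory, baseline):
    """Compare observed flows with the baseline and return (kind, flow) findings.

    new_asset   - an address never seen in the learning window
    new_service - a known pair talking on a port/protocol never seen before
    new_path    - two known hosts that never talked to each other before
    """
    findings = []
    known_pairs = {(s, d) for s, d, _, _ in baseline}
    for f in flows:
        if (f.src, f.dst, f.dport, f.proto) in baseline:
            continue  # matches normal behaviour, nothing to report
        if f.src not in inventory or f.dst not in inventory:
            findings.append(("new_asset", f))
        elif (f.src, f.dst) in known_pairs:
            findings.append(("new_service", f))
        else:
            findings.append(("new_path", f))
    return findings


def summarize(findings):
    """Count findings by kind, suitable for a daily report or a metric feed."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    learn = parse_flows(LEARNING_WINDOW)
    inventory = build_inventory(learn)
    baseline = build_baseline(learn)
    print(f"inventory: {len(inventory)} hosts, baseline: {len(baseline)} conversations")
    for kind, f in detect_deviations(parse_flows(OBSERVED_WINDOW), inventory, baseline):
        print(f"{f.ts} {kind:12} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Run against the constructed data, the learning window yields six inventoried hosts and five distinct conversations, and the observation window produces exactly three findings: an unknown address polling a PLC, a known engineering host reaching a PLC it never spoke to before, and a known pair on a port outside the baseline. In a real deployment the learning window would be long enough to cover maintenance cycles and shift changes, and the baseline would be reviewed with OT staff before it is trusted, so that a legitimate but rare conversation is not mistaken for an intrusion.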
Once this hard first step has been taken, industrial organizations can start putting protective controls in place, such as industrial firewalls. It would also make it much easier to align the work of information technology (IT) and operational technology (OT) teams. Over the past decade, one common complaint in ICS security circles has been the lack of collaboration between OT and IT in securing OT environments.
The good news from the Tripwire report is that roughly half (49%) of survey respondents thought that collaboration between IT and OT had improved over the past two years. Going forward, 79% of cybersecurity professionals said that there should be increased training of IT and OT staff on the finer points of ICS security, with a focus on eliminating the gap in training for OT staff. Such training could also help to establish who takes the lead on ICS security within an organization.
Utilities remain vulnerable to cyber attacks
In a recent survey carried out by Ponemon Institute on behalf of Siemens, one big takeaway is that utilities’ operational networks continue to be extremely vulnerable to outside cyber attacks. According to a survey of 1,726 utility professionals, nearly one-half have suffered an outage or data loss in the course of the past 12 months. Moreover, 50% expect an attack on critical infrastructure within the next 12 months.
Against this dire backdrop, however, utilities appear to be doing very little to boost their overall spend on ICS security. Only 42% of utility professionals said that they were ready for a future cyber attack. And, most alarmingly, nearly one-third said that they do not even have a plan in place to respond to a cyber attack. The takeaway lesson is clear: utilities need to be doing more to prevent a potentially catastrophic cyber attack that would result in physical damage. As evidence to support this idea, consider that the infamous WannaCry and NotPetya viruses impacted almost 25% of utilities, according to Siemens. In a worst-case scenario, U.S. utilities might be facing the same sort of scenario faced by Ukrainian grid operators a few years ago, when malware from Russia was used to produce energy blackouts.
An uncertain future for ICS security
At the end of the day, cyber attacks pose a real threat to the safety, productivity and quality of operations of ICS assets and large, Fortune 500 industrial organizations. If they fail to invest in ICS security going forward, even a modest cyber attack could have implications far beyond the virtual world with real-world consequences. Protecting operations from disruption should be a top priority.