How does your company’s perception of ICS risk compare to that of other organizations? How are other asset owners defining the boundaries between OT systems and external systems? How do your ICS security roadblocks compare to others? Where does your company rank in terms of managing OT/IT convergence?
To answer those questions, SANS Institute has just released research on the state of industrial cyber security. It is one of the few sources of hard data on the subject, and the report is available at no cost.
Let’s look at the issues mentioned above, and find out where they stand in 2019, based on input from hundreds of industrial organizations.
Of the 338 survey respondents, just over 50 percent rated the level of ICS cyber risk within their organization’s overall risk profile as severe/critical or high. That is down from 69 percent in the previous survey, conducted in 2017. With cyberattacks and data breaches on the rise and very much in the news, this finding may seem surprising.
What those numbers indicate is that the practice of ICS cyber security is maturing:
• 69 percent have conducted a security audit of their OT/control systems or networks in the past year
• 60 percent now rely on internal resources to respond to an OT threat detection incident, up from 23 percent in 2017
• Between 2017 and 2019, the reported time to detect anomalous activity decreased
This is perhaps giving organizations more confidence that they can deal with threats, which may explain why the risk level is rated lower than in the past.
At the same time, however, the challenge of securing OT systems is expanding with the size of the attack surface. The boundaries of ICS are becoming broader as they “… are interwoven and interdependent, while also exchanging information with a myriad of other systems and processes.”
Boundary challenges include the use of mobile and wireless devices, which respondents rate as low risk. The report points out that some mobile applications are replacing engineering workstation applications, so they should be treated at the higher risk level of the workstation functions they replace. Wireless communication is also increasingly used to transfer data from sensor networks. Both further increase the attack surface and expose an organization to severe consequences if compromised.
ICS Security Roadblock: Visibility
Having clear visibility into ICS devices and networking activity is a fundamental element of a robust cyber security program. Defining and securing the OT boundary also requires seeing and monitoring the system assets within that boundary.
The SANS 2019 cyber security research indicates that increasing visibility into control systems’ cyber assets is the top initiative organizations are budgeting for over the next 18 months.
Indeed, identifying the assets within an industrial control network is a key business driver. It is not unusual for a proof of concept (PoC) to begin with the industrial operator stating that their network has, say, 3,000 assets, only for the asset discovery technology, once installed, to quickly identify 15,000. After thousands of installations, a large discrepancy between the number of perceived assets and the real number is typical.
The SANS 2019 survey provides insight into where the gaps in asset inventory are:
• 64 percent of respondents have identified and inventoried over 75 percent of the servers and workstations in their OT/control systems
• Fewer than half of respondents have identified and inventoried control system devices and software applications
• The identification of embedded industrial devices is difficult, especially with porous system boundaries
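The discrepancy described above, and the uneven coverage across servers/workstations, controllers and embedded devices, can be made concrete with a small passive-discovery script. The following is an added example for illustration only; it is not code from the SANS report or from any vendor’s product. The port-to-protocol table, the flow records and the “declared” inventory are constructed sample data, and the role heuristic (a host that answers on an ICS protocol port is a controller, one that initiates such sessions is an engineering or operator host) is an assumption.

```python
"""Passive OT asset discovery reconciled against a declared inventory.

Added example for illustration; not code from the SANS report or any vendor
product. ICS_PORTS, SAMPLE_FLOWS and DECLARED are constructed sample data, and
the role() heuristic is an assumption, not an established classification.
"""
from dataclasses import dataclass, field

# Assumed mapping of well-known ports to industrial protocols (sample only).
ICS_PORTS = {
    502: "modbus",
    102: "s7comm",
    20000: "dnp3",
    44818: "ethernet-ip",
    4840: "opc-ua",
}

# Constructed flow records as (src_ip, src_mac, dst_ip, dst_port), the kind of
# tuple a passive sensor or NetFlow export would yield.
SAMPLE_FLOWS = [
    ("10.10.1.5",   "00:1d:9c:aa:bb:01", "10.10.1.20", 502),    # HMI polling a PLC (Modbus)
    ("10.10.1.5",   "00:1d:9c:aa:bb:01", "10.10.1.21", 102),    # same HMI, S7 to another PLC
    ("10.10.1.20",  "00:80:f4:10:20:30", "10.10.1.5",  50120),  # PLC reply
    ("10.10.1.21",  "00:1b:1b:55:66:77", "10.10.1.5",  50121),  # PLC reply
    ("10.10.2.9",   "00:0c:29:de:ad:01", "10.10.1.20", 502),    # laptop on another subnet talking Modbus
    ("10.10.1.30",  "00:80:f4:10:20:31", "10.10.1.31", 44818),  # controller-to-controller EtherNet/IP
    ("10.10.3.200", "c4:2c:03:00:11:22", "10.10.1.5",  443),    # unclassified device reaching the HMI
]

# Constructed "declared" inventory: what the operator's spreadsheet says exists.
DECLARED = {
    "10.10.1.5": "workstation",
    "10.10.1.20": "controller",
    "10.10.1.30": "controller",
}


@dataclass
class Asset:
    ip: str
    macs: set = field(default_factory=set)
    served: set = field(default_factory=set)     # ICS protocols this host answers on
    initiated: set = field(default_factory=set)  # ICS protocols this host initiates
    peers: set = field(default_factory=set)

    def role(self):
        # Assumed heuristic based purely on traffic direction.
        if self.served:
            return "controller"
        if self.initiated:
            return "workstation"
        return "unknown"


def discover(flows):
    """Build an inventory keyed by IP purely from observed traffic."""
    assets = {}
    for src_ip, src_mac, dst_ip, dst_port in flows:
        src = assets.setdefault(src_ip, Asset(src_ip))
        dst = assets.setdefault(dst_ip, Asset(dst_ip))
        src.macs.add(src_mac)
        src.peers.add(dst_ip)
        dst.peers.add(src_ip)
        proto = ICS_PORTS.get(dst_port)
        if proto:
            dst.served.add(proto)
            src.initiated.add(proto)
    return assets


def reconcile(assets, declared):
    """Compare what was seen on the wire with what the operator declared."""
    observed, known = set(assets), set(declared)
    by_role = {}
    for ip, a in assets.items():
        seen, inv = by_role.get(a.role(), (0, 0))
        by_role[a.role()] = (seen + 1, inv + (ip in known))
    return {
        "observed": len(observed),
        "undeclared": sorted(observed - known),           # seen but not in the inventory
        "silent": sorted(known - observed),               # inventoried but never seen
        "role_mismatch": sorted(ip for ip in observed & known
                                if assets[ip].role() != declared[ip]),
        "coverage_by_role": {r: inv / seen for r, (seen, inv) in by_role.items()},
    }


if __name__ == "__main__":
    for key, value in reconcile(discover(SAMPLE_FLOWS), DECLARED).items():
        print(f"{key}: {value}")
```

On the sample data the declared inventory covers two of the three hosts acting as workstations but only one of the three controllers, and the device at 10.10.3.200 is never classified at all, which mirrors the survey’s finding that servers and workstations are inventoried far better than control and embedded devices. The flag on 10.10.1.30 is deliberate: it only ever initiates sessions, so a direction-only heuristic mislabels controller-to-controller traffic, which is why production discovery tools also fingerprint protocol payloads and vendor identifiers rather than relying on flow direction alone.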
People Challenge: IT/OT Convergence
The survey puts a big spotlight on the people challenges involved in improving ICS cyber security. Interestingly, organizations are increasing their reliance on internal staffing, versus consultants and vendors, for their cyber security programs. Growing confidence in employees’ abilities is another indicator of maturation of the processes surrounding industrial cyber security.
In-house OT cyber security requires that IT and OT work together. However, the age-old challenge of aligning priorities and ensuring cooperation and communication between the two teams is not easily solved.
According to survey results, IT takes a leading role in managing corporate security policy and implementing the necessary controls, including into OT’s domain, while OT often controls the budget for safeguarding the ICS.
The goals and objectives of these two domains are not well aligned: IT governance and risk management centers on uptime and the protection of information and reputation (privacy), while OT focuses on the safety and reliability of cyber-physical processes.
To ensure collaboration and reduced risk to the organization, a common understanding of these key concepts is needed.
Since 2017, ICS security budgets have shifted from being primarily shared between IT and OT to today, where:
• 49 percent of respondents said their budget is controlled by OT, up 18 percent since 2017
• 32 percent of respondents said their budget is controlled by IT, up 15 percent since 2017
• 30 percent of respondents said their budget control is shared between IT/OT, down 9 percent since 2017
When budget is held by one side of the house or the other, it is essential that the two groups jointly prioritize the people, process and technology measures that will be the focus of the annual plan.
While most respondents rate the current level of collaboration as “moderate or better,” there is still a lot of progress to be made.
The SANS 2019 cyber security research is valuable to every OT/ICS security practitioner, and can likely help you advocate for stronger support and funding. It also clearly identifies where difficulties lie, reminding you that you are not the only organization struggling with the challenge of improving operational cyber resiliency.
Heather MacKenzie is director of marketing communications at Nozomi Networks.