Major Trends in ICS Cybersecurity
- ICS cyberattacks involving cyber criminals, hacktivists, and nation states are on the rise
- Most organizations recognize risks to their ICS and are taking numerous initiatives to address these risks
- The ICS cyber workforce/skills gap is widening
- Governments are declaring cyber as a national security threat, and enacting more laws and regulations (NERC CIP, NIS Directive, CFATS, Nuclear, etc.)
According to a report from the World Energy Council, most technology executives feel they are losing ground to attackers and lack the facts to make effective decisions. The report also mentions that most companies have difficulty quantifying the impact of risks and mitigation plans.
Many organizations feel that they are not prepared for cyber exploits and security breaches. A study conducted by Siemens and Ponemon Institute found that only 35 percent of respondents rate their organization’s cyber readiness in the operational technology (OT) environment as high, and 61 percent of respondents say their organization’s industrial control systems (ICS) protection and security are not adequate.
ICS cyberattacks often go undetected due to a lack of visibility, monitoring, and forensics capabilities. In the case of the cyberattack on the Ukrainian utilities in 2015, attackers gained initial access in July 2015 and remained in the utilities' networks undetected until they caused a power outage on 23 December 2015.
Phishing attacks via email are one of the top attack vectors for the initial point of entry. Other ICS attack vectors include USB/removable media, remote access, and supplier networks. USB and social engineering vectors were used for Stuxnet, and surprisingly, these are still two of the top 10 risks to ICS networks.
Cyber risks, especially across the supply chain, are challenging to address. According to a recent survey of the energy sector, 69 percent of respondents believe their organization is at risk because of uncertainty about the cybersecurity practices of third parties in the supply chain, and 61 percent say their organization has difficulty in mitigating cyber risks across the oil and gas value chain.
The biggest vulnerability to organizations is outdated and aging ICS. This is also the most difficult and time-consuming problem to address: upgrading or patching legacy systems could adversely impact ICS operations due to compatibility issues, so mitigation requires careful planning and adequate testing.
Most organizations have realized 100% effective security is not practically possible, and they need to build incident response capabilities. Many organizations are taking the first step toward that goal by building visibility and baselining ICS networks.
Hopefully, the facts and data presented in this blog series will help in cracking a false sense of security created by age-old beliefs and myths and expose the ground reality of ICS cybersecurity.
ICS cybersecurity issues cannot be solved by adding new technologies and processes alone. It will require a huge change in culture that challenges the old beliefs and myths and bridges the gaps between business objectives and ICS cybersecurity needs. Boards need to provide leadership by facilitating strong governance, risk management, and collaboration among all functions within their organizations—including OT, IT, ERM, and EHS.
The very first step is understanding the threat landscape and gaining visibility into assets. The MITRE ATT&CK framework for ICS can be leveraged for understanding threats. New systems should be designed with built-in security. A documented and tested incident response plan should be in place to handle emergency situations in the event of a cyberattack.
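The two points above, building visibility and a baseline of the ICS network and then using that visibility to spot what does not belong, can be illustrated with a small passive-monitoring example. The following Python is an added example written for this page; it is not code from the original post, from ISA, or from any ICS monitoring product. The flow records, the IP addresses, and the Modbus function codes 3 (read holding registers) and 16 (write multiple registers) are constructed sample data. It first learns an asset inventory and a set of "known conversations" from a learning period, then flags later flows that introduce an unknown asset, an unseen client/server pair, or a new function code on a known pair (for example, a host that only ever read from a PLC suddenly writing to it).

```python
"""Passive ICS asset inventory and traffic baselining (added example, not from the original post)."""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    ts: str      # timestamp of the observed flow
    src: str     # client address
    dst: str     # server address
    dport: int   # server port (502 = Modbus/TCP)
    proto: str   # application protocol name
    func: int    # protocol function code (Modbus: 3 = read, 16 = write)


# Constructed learning-period flows (hypothetical addresses, not from the original post).
# 10.1.1.10 = HMI, 10.1.1.11 = historian, 10.1.2.20 and 10.1.2.21 = PLCs.
BASELINE_FLOWS = [
    Flow("2024-01-01T08:00:00", "10.1.1.10", "10.1.2.20", 502, "modbus", 3),
    Flow("2024-01-01T08:00:01", "10.1.1.10", "10.1.2.21", 502, "modbus", 3),
    Flow("2024-01-01T08:00:05", "10.1.1.10", "10.1.2.20", 502, "modbus", 16),
    Flow("2024-01-01T08:00:10", "10.1.1.11", "10.1.2.20", 502, "modbus", 3),
    Flow("2024-01-01T08:00:11", "10.1.1.11", "10.1.2.21", 502, "modbus", 3),
]

# Constructed monitoring-period flows; four of the five deviate from the baseline.
OBSERVED_FLOWS = [
    Flow("2024-01-02T08:00:00", "10.1.1.10", "10.1.2.20", 502, "modbus", 3),   # normal read
    Flow("2024-01-02T08:00:01", "10.1.1.11", "10.1.2.21", 502, "modbus", 16),  # historian starts writing
    Flow("2024-01-02T08:00:02", "10.1.3.99", "10.1.2.20", 502, "modbus", 16),  # unknown host writes to PLC
    Flow("2024-01-02T08:00:03", "10.1.1.11", "10.1.1.10", 502, "modbus", 3),   # known hosts, new pair
    Flow("2024-01-02T08:00:04", "10.1.1.10", "10.1.2.21", 502, "modbus", 16),  # known pair, new function
]


def build_inventory(flows):
    """Passive asset inventory: every address seen, with the roles it played."""
    inventory = defaultdict(set)
    for f in flows:
        inventory[f.src].add(f"client:{f.proto}/{f.dport}")
        inventory[f.dst].add(f"server:{f.proto}/{f.dport}")
    return dict(inventory)


def build_baseline(flows):
    """Learn the set of assets, client/server conversations and function codes in use."""
    conversations = set()
    functions = set()
    for f in flows:
        conv = (f.src, f.dst, f.dport, f.proto)
        conversations.add(conv)
        functions.add(conv + (f.func,))
    return {
        "assets": set(build_inventory(flows)),
        "conversations": conversations,
        "functions": functions,
    }


def detect_deviations(baseline, flows):
    """Return one alert per flow that departs from the learned baseline, with its reasons."""
    alerts = []
    for f in flows:
        reasons = []
        if f.src not in baseline["assets"] or f.dst not in baseline["assets"]:
            reasons.append("new_asset")
        conv = (f.src, f.dst, f.dport, f.proto)
        if conv not in baseline["conversations"]:
            reasons.append("new_conversation")
        elif conv + (f.func,) not in baseline["functions"]:
            # Known pair, but a function code it never used before (e.g. read-only host now writing).
            reasons.append("new_function")
        if reasons:
            alerts.append({"ts": f.ts, "src": f.src, "dst": f.dst,
                           "dport": f.dport, "func": f.func, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    print("inventory:", build_inventory(BASELINE_FLOWS))
    for alert in detect_deviations(baseline, OBSERVED_FLOWS):
        print(alert)
```

In practice the learning period would be a SPAN or tap feed over several weeks rather than five records, and the baseline would be reviewed with plant engineers before alerts are acted on, since a legitimate engineering change (a new PLC, a vendor's remote session) produces the same "new asset" or "new conversation" signal as an intrusion. That review step is what turns raw visibility into the incident response capability the text describes.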
– This originally appeared on ISA Global Cybersecurity Alliance’s website. ISA is a CFE Media and Technology content partner.