Grading My 2018 ICS Security Predictions: Did They Come True?


Note: on July 23rd 2019, SCADAguardian was renamed Guardian, and SCADAguardian Advanced was renamed Smart Polling.

Going into 2018, the Nozomi Networks team and I believed that it would be the year ICS cyber security went mainstream. By that we meant that industrial cyber security practices would mature with developments such as increased IT/OT convergence, broad availability of OT security services and the adoption of AI technologies to facilitate threat monitoring.

As we kick off 2019, I reflect back on my five predictions for last year. Find out how I did, along with my thoughts on some of the notable ICS security developments of the year.

Reflections on My Five Cyber Security Predictions for 2018

1. The Era of Internet Prohibition for Industrial Networks Will End

Edgard’s Rating: A-

I predicted that air gap protection strategies would backfire, and progressive organizations would leverage internet connectivity and cyber security technologies to defend their ICS from cyber threats.

In 2018, Gartner, our customers and prospects, and pretty much everyone else recognized that OT and IT systems were vulnerable to the same threats. Protection by air gaps is a myth, outside of nuclear or military facilities. Critical infrastructure organizations acknowledged that while the adoption of IIoT created fantastic opportunities to gain operational visibility and automate processes, it also increased exposure to cyber risks.

In its 2018 research note “Why IIoT Security Leaders Should Worry About Cyberattacks Like WannaCry”, Gartner analysts proposed that the IT and OT security silos that allowed malware like WannaCry to slip through the cracks could be eliminated. How? By bringing IT and OT security under a single risk management governance process.

Last year we saw large oil and gas operators, utilities and other major industrial players around the world significantly advance their efforts to converge IT and OT security. CISOs began to manage their IT and OT assets under the same protection model, and deploy more cyber security technologies like SCADAguardian and SCADAguardian Advanced for ICS network monitoring and threat detection. Take a look at our Executive Brief “Integrating OT into IT/OT SOCs” for details on how an IT/OT SOC reduces digital risk, and considerations for a SOC transition.

Lacking a formal bellwether to make this prediction official, I will take off half a grade and call it a partial win: A-.

2. Artificial Intelligence Moves Beyond its Buzz to Make a Real Difference in ICS Security

Edgard’s Rating: B-

I predicted that industrial organizations would begin leveraging technology that had been trained to deliver security insights, rather than relying on manual, time-intensive processes managed by scarce cyber talent. While artificial intelligence (AI) capabilities continue to grow, there is still more to do.

Take for example the Nozomi Networks hybrid threat detection capabilities. SCADAguardian uses behavior-based anomaly detection and multiple types of signature and rules-based detection. The results are correlated with operational context to provide rapid insight into what’s happening, reducing incident mitigation and forensic analysis time.

SCADAguardian Advanced takes it a step further, combining passive network analysis with Smart Polling, a precise, low volume, active technique that provides full asset inventory, exact vulnerability assessment and advanced ICS network monitoring. The system automatically discovers the entire industrial network, including assets, connections, protocols and topology. It monitors network communications and behavior for risks that threaten reliability and cyber security, and provides the information needed to respond quickly.
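To make the hybrid approach described above concrete, here is an added illustration of how behavior-based baselining, rule/signature detection and asset-inventory correlation fit together. This is example code written for this page, not Nozomi Networks product code; the hosts, roles and Modbus/TCP flow records are constructed, and the only protocol facts it relies on are the standard Modbus function codes (writes 5/6/15/16/22/23, function 8 Diagnostics with sub-function 4 Force Listen Only Mode).

```python
"""Toy hybrid ICS detector: learned behavioral baseline + signature rules,
correlated with an asset inventory. Added illustration, not Nozomi Networks
code; the hosts, roles and flow records below are constructed."""

# Modbus/TCP function codes that modify process state (per the Modbus spec).
MODBUS_WRITE_FUNCS = {5, 6, 15, 16, 22, 23}
MODBUS_DIAGNOSTICS = 8   # function code 8 = Diagnostics
FORCE_LISTEN_ONLY = 4    # diagnostics sub-function 4 = Force Listen Only Mode

# Constructed asset inventory (the "operational context"); role drives severity.
INVENTORY = {
    "10.0.1.10": ("HMI", "control room HMI"),
    "10.0.1.20": ("ENG", "engineering workstation"),
    "10.0.2.1": ("PLC", "PLC-01 line 3"),
    "10.0.2.2": ("PLC", "PLC-02 line 3"),
}

# Constructed flow records: (src, dst, function code, sub-function or None).
LEARNING = [
    ("10.0.1.10", "10.0.2.1", 3, None),   # HMI reads holding registers
    ("10.0.1.10", "10.0.2.2", 3, None),
    ("10.0.1.20", "10.0.2.1", 16, None),  # engineering station writes registers
    ("10.0.1.10", "10.0.2.1", 3, None),
]
MONITORED = [
    ("10.0.1.10", "10.0.2.1", 3, None),   # normal read, matches baseline
    ("10.0.1.10", "10.0.2.2", 16, None),  # HMI starts writing registers
    ("10.0.1.20", "10.0.2.1", 16, None),  # learned write from ENG station
    ("10.0.1.99", "10.0.2.1", 3, None),   # host in neither inventory nor baseline
    ("10.0.1.20", "10.0.1.10", 3, None),  # new ENG->HMI flow, no PLC involved
    ("10.0.1.20", "10.0.2.2", 8, 4),      # Force Listen Only Mode diagnostic
]


def learn_baseline(records):
    """Behavioral model: the set of (src, dst, function) tuples seen in learning."""
    return {(src, dst, func) for src, dst, func, _ in records}


def role(ip):
    """Look up the asset role; anything not inventoried is UNKNOWN."""
    return INVENTORY.get(ip, ("UNKNOWN", "not in inventory"))[0]


def signature_rules(src, func, sub):
    """Rule/signature detection: stateless checks on a single message."""
    hits = []
    if func in MODBUS_WRITE_FUNCS and role(src) != "ENG":
        hits.append("write from non-engineering host")
    if func == MODBUS_DIAGNOSTICS and sub == FORCE_LISTEN_ONLY:
        hits.append("Modbus Force Listen Only Mode (device silenced)")
    return hits


def detect(records, baseline):
    """Run both detectors on each record and correlate with inventory context."""
    alerts = []
    for src, dst, func, sub in records:
        reasons = []
        if (src, dst, func) not in baseline:
            reasons.append("deviation from learned baseline")
        sig_hits = signature_rules(src, func, sub)
        reasons += sig_hits
        if not reasons:
            continue
        # Correlation step: a signature hit or an unknown source aimed at a PLC
        # is escalated; a novel flow between non-PLC assets stays medium.
        severity = "medium"
        if role(dst) == "PLC" and (sig_hits or role(src) == "UNKNOWN"):
            severity = "high"
        alerts.append({"src": src, "src_role": role(src), "dst": dst,
                       "dst_role": role(dst), "func": func,
                       "reasons": reasons, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect(MONITORED, learn_baseline(LEARNING)):
        print(alert["severity"].upper(), alert["src"], f"({alert['src_role']})",
              "->", alert["dst"], f"({alert['dst_role']})",
              f"func={alert['func']}:", "; ".join(alert["reasons"]))
```

The point of the correlation step is that neither detector alone ranks the alerts well: the baseline flags the harmless new ENG-to-HMI read just as loudly as the HMI suddenly writing to a PLC, and the signature rules say nothing about a never-before-seen host. Joining both with the inventory is what turns raw detections into something an analyst can triage quickly.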

This functionality hasn’t fully tapped into the vast potential of AI to automatically detect and analyze new malware and take remedial action, but we’re heading in the right direction. And, while the adoption of AI in solutions like ours has started, we are in the early stages of awareness and deployment. AI is not yet “making a difference”, so my grade is between a C- and a B+. Given the strong interest in this area among our prospects and customers, let’s go with B-.

3. ICS Cyber Security Services Will Proliferate

Edgard’s Rating: A+

I predicted that IT security companies would introduce OT cyber security and other services designed specifically for OT monitoring, detection and incident management.

In 2018, the need for professional services capable of managing the growing interdependency between IT and OT picked up steam. Not only were in-house IT teams lacking available bandwidth to take on the management of OT security, they also lacked the specialized skills to do so.

2018 saw many examples of IT security firms, particularly those specializing in endpoint and network security like Carbon Black and Cisco, expanding their practices to include OT services. We also saw security and systems providers like Accenture, Schneider Electric and Siemens adding managed OT services, as well as partnering to add advanced cyber security capabilities to their offerings.

Nozomi Networks’ new partnerships with Accenture, Atos, IBM Security and other digital innovators are examples of how quickly the market is shifting.

Furthermore, OT vendors of automation equipment and services are expanding their cyber security offerings and capabilities. Examples include our partnerships with GE Power and others that will be announced shortly.

It looks like we nailed this prediction! A+


My prediction that IT security companies would introduce OT cyber security and other services came true, as demonstrated by our strategic alliances with these organizations.

4. ICS Malware Moves Beyond Windows Exploits to ICS-Specific Malware

Edgard’s Rating: A+

I predicted that malware attacks using OT-specific software, such as PLC software, would be added to the tidal wave of Windows-dependent attacks. Unfortunately, by the end of the year, my prediction about this game-changing development came true.

In December 2017 (after our predictions were published), the milestone TRITON cyber attack on a Middle Eastern petrochemical plant was reported. It was the first known ICS cyber attack to directly interact with an industrial facility’s Safety Instrumented System (SIS), its last line of automated safety defense.

Based on the significance of this attack, our team conducted an in-depth analysis on the malware to understand its communications and OT payload. Our research was presented at the Black Hat USA conference and published in the paper: TRITON: The First ICS Cyber Attack on Safety Instrument Systems. My grade: A+.

5. Security-by-Design Starts to Improve ICS Security, A Bit

Edgard’s Rating: B+

I believe that security is everyone’s concern, so I proposed that we would start to see cyber security tools embedded in ICS devices, aka “baked-in” security.

In 2018, we did indeed see ownership for OT security shift from a sole reliance on the industrial operator to shared responsibility throughout the supply chain. The market called for, and vendors acknowledged, the need for security by design.

In his June 2018 blog “3 Steps Towards Cybersecurity in a Digital World”, Schneider Electric Chief Digital Officer Herve Couriel referred to this as a “layered approach” that goes beyond perimeter defense to include support across the network.

Nozomi Networks is enabling this with the release of our SCADAguardian Advanced Container Edition – an embedded container application for switches, routers and other security infrastructure commonly found in ICS networks. This fast, flexible deployment option leverages existing hardware units, rather than requiring the replacement or retrofitting of legacy platforms.

We’re also working with several automation vendors who want to ship their ICS products with embedded security as soon as possible. We will be announcing our embedded partners shortly.

These are all steps in the right direction, but they don’t come close to a secure-by-design world. With that caveat, let’s go with B+ on this one.

What Lies Ahead for ICS Security in 2019?

While malicious actors seem to be developing new ways to access industrial control systems all the time, I’m optimistic that collectively, industry, ICS device manufacturers and security service providers are fast-tracking many initiatives designed to enable proactive ICS defense.

Among positive developments like the global prioritization of cyber security and dedicated security budgets and resources, I predict that 2019 will be a year of immense progress toward securing our critical infrastructure against existing and emerging threats. For reference, please take a look at some of the informative resources below.