Metrics, Mandates, and Management: Trends & Predictions for OT Security in 2024

Metrics, Mandates, and Management: Trends & Predictions for OT Security in 2024

It’s that time of year, where we as an industry reflect on our Spotify wrapped of trends and analysis and prophesize an unknown future. Will IoT take over the world? Are AI-enabled SBOMs the silver bullet? Is OT continuous network monitoring worth the hype? Industrial cybersecurity boils down to mitigating operational risk – any situation which could cause a loss of view or loss of control to your connected processes and functions, where view and/or control cannot be recovered automatically or remotely from manipulation.

Last year, the main theme for industrial security was that “trust and verification for OT cybersecurity are not mutually exclusive.” The recent SCADAfence and Verve Industrial acquisitions, by Honeywell and Rockwell Automation respectively, further underscore this theme. Since then, governance has set new precedent, information sharing has taken a front seat role in security programs, and innovative analysis continues to set OT cybersecurity solutions apart.

However, beyond ransomware campaigns that can impact processes and production, there are still very few identical attack paths across industrial control system environments. With this in mind, the 2023 SANS ICS/OT survey notes the top initial access vectors for OT/control systems incidents remain:

  • Compromise in IT
  • Engineering workstation compromise
  • External remote services
  • Exploit of public-facing application
  • Drive-by compromise Spearphishing attachment

Adversaries targeting industrial control systems continue to deploy living-off-the-land attacks that are “cheaper to deploy, have higher success rates, are more difficult to detect, require more rapid industrial response, and can have immediate direct safety and engineering impacts.” In order to live off the land, you have to get to know the landscape. In order to defend the landscape, you have to know it better than your adversary.

Given this reality, this blog will unpack 3 emergent trends for industrial cybersecurity and explore 3 predictions for the year ahead.

Trend: Visibility is more than a flashlight

Visibility and continuous monitoring continue to lead OT security investments and decision making. Network and asset visibility is more than just the ability to identify nodes on a network. Documenting asset specifications and configurations, distinguishing legacy devices and crown jewel assets, and prioritizing risks based on operational risk is paramount. Beyond counting and categorizing assets, it’s incredibly important to understand industrial protocols and their use cases. Visibility provides the foundation to security. Without it, you will be hard pressed to investigate the root cause of any disruption, malicious or not.

Trend: Attack surface management is a full court press

Zero trust, defense in depth, compensating controls, etc. all extend security beyond the perimeter where defenders have to anticipate and cover adversarial behavior throughout networks, systems, and devices. This requires building defensible architectures and defending those architectures, precise network segmentation, visibility and monitoring, and robust incident response planning. Simultaneously, defenders have to operate with two assumptions: compromise has already occurred somewhere, and some controls will fail under certain conditions.

Trend: Supply chain complexity exacerbates risk

The lifecycle of each product – from design to manufacturing to distribution, use, and maintenance – affects an organization’s risk tolerance and ultimate mean time to recover (MTTR). IT/OT interoperability exacerbates both upstream and downstream supply chain risk. These potential hardware and software compromise for vendor systems and services exacerbate the complexity of heterogeneous control systems that tolerate little to no downtime. Supply chain compromises can be catastrophic, either because of ubiquitous use of the system or component, critical interdependence on the system or component, or just-in-time processes.

Prediction: Increased cloud adoption

Though cloud adoption has been trending for a decade, the once inevitable is here. The risk to reward analysis of moving certain processes to cloud systems increasingly favors the rewards – scalability, flexible services, cost and time optimization, storage capacity. Hurdles of data sovereignty, regulatory limitations, third-party certifications and attestation, and shared services are diminishing as rearchitecting for security in the cloud becomes better understood. Cloud adoption with potentially new access and attack vectors is a step change with behavior analytics in security products routinely analyzing network traffic to determine and categorize benign network events and significant security incidents.

Prediction: OT workforce & talent growth

Amidst a web of government regulation, standard compliance, strategies and roadmaps, artificial intelligence promises to recreate the future. Despite augmenting certain security practices, AI is not filling the workforce and talent gaps in industrial cybersecurity. OT-specific security jobs are increasing, though they often require years of experience – from protocols and standards familiarity to education, certification, and programming languages, but also security clearance, travel, and communications skills. Roles include senior-level management, technical system engineers and analysts, and specified roles like pentester or specialist. 2024 will be the year we finally begin to see entry level positions in this space – for asset owners and SOCs.

Prediction: Increased adversary emulation activities

Adversary emulation for OT and ICS has traditionally been a testing capacity for security professionals and vendors. While some asset owners and organizations with ICS networks have sandboxing capabilities, penetration testing and purple teaming are still new concepts for industrial environments. Tools like Caldera, MITRE’s GitHub platform that allows practitioners to automate security assessments through autonomous adversary emulation and the testing and evaluation of threat detection is a key milestone in the expansion of adversary emulation for OT. Paired with incident response planning and tabletop exercises, emulation can lead to meaningful risk tolerance and mitigation decisions.

Conclusion: Metrics over everything

No two operational environments are exactly alike. Therefore, according to the November 2023 Gartner Market Guide for Operational Technology Security, “security for operational environments has evolved beyond a catch-all market into specific categories that support changing threats, security practices and vendor dynamics.” Despite metrics being the best indicator for learning what works well and what doesn’t, specific categories of security likely lead to different metrics for each category.

For changing threats, intelligence, information sharing, and vulnerability disclosure metrics matter most. CISA advisories, industry organizations and global partnerships, the MITRE ATT&CK Framework, the ICS Advisory Project, vulnerability scanning and mapping capabilities, and security research teams all have a role to play in the metrics and lessons learned and applied.

For security practices, The CISA Cyber Performance Goals (CPGs) map to the NIST cybersecurity framework (CSF) to allow organizations to select standards and controls based on intended cybersecurity outcomes. As an external framework, it provides flexibility in choosing which controls an organization is mature enough for, technically equipped for, and can afford, etc. offering a year over year audit for adopted controls and drivers.

For vendor dynamics, the SANS ICS/OT survey referenced above reveals that 70-80% of assets in most ICS environments run non-traditional operating systems, while even the 20-30% of ICS assets that are running traditional operating systems have differences when it comes to ICS threat detection, forensic data sources, and response techniques. Regardless, asset level ICS threat detection, forensic data sources, and response techniques offer metrics to capture, analyze, and compare across industrial cybersecurity vendors.

The complexity of supply chains, need for visibility, and changing defensive priorities effectively lead to the predicted expansion of cloud-enabled technologies and services to offset investments, a more equipped workforce to mature security programs, and emulation priorities for further understanding adversary tactics, techniques, and procedures (TTPs) in OT and ICS networks. With metrics as a backdrop, the mission ahead will be one ripe for improvement, collaboration, and dedication.