SANS 2019 OT/ICS Cyber Security Research: 3 Key Findings

How does your company’s perception of ICS risk compare to that of other organizations? How are other asset owners defining the boundaries between OT systems and external systems? How do your ICS security roadblocks compare to others? And, where does your company rank in terms of managing OT/IT convergence?

If you’d like to know where you stand, I have good news. The SANS Institute has just released new cyber security research that answers all these questions, and more. It’s one of the few sources of hard data on the state of industrial cyber security, and it’s available for free.

Let’s look at the issues mentioned above, and find out where they stand in 2019, based on input from hundreds of industrial organizations.

Risk Level Perception is High, and Connected Systems Are Expanding the Attack Surface

Amongst the 338 survey respondents*, just over 50% rated the level of ICS cyber risk to their organization’s overall risk profile as severe/critical or high. This is down from 69% in the last survey, conducted in 2017. With cyberattacks and data breaches on the rise and very much in the news, this finding might seem a bit surprising.

But both Nozomi Networks’ experience in the field and the SANS 2019 survey results indicate that the practice of ICS cyber security is maturing:

  • 69% have conducted a security audit of their OT/control systems or networks in the past year
  • 60% now proactively depend on internal resources to respond to an OT threat detection incident, up from 23% in 2017
  • Between 2017 and 2019, the time to detect anomalous activity has decreased

This is perhaps giving organizations more confidence that they can deal with threats, and possibly explains why the risk level is rated as lower than in the past.

At the same time, however, the challenge of securing OT systems is expanding with the size of the attack surface. The boundaries of ICS are becoming broader as they “… are interwoven and interdependent, while also exchanging information with a myriad of other systems and processes.”

Boundary challenges include the use of mobile and wireless devices, which respondents rate as a low level of risk. The report points out that some mobile applications are replacing engineering workstation applications, so their risk should be treated at a higher level. Also, wireless communication is becoming more widely used to transfer data from sensor networks. This further increases the attack surface and opens an organization up to severe consequences if compromised.

You’ll want to review the charts included in the SANS survey section called “Knowing the Boundaries”, and see how your approach to external connections compares to others.

A Key ICS Security Roadblock: Gaining Visibility

Having clear visibility into ICS devices and networking activity is a fundamental element of a robust cyber security program. And, the need to define and secure the OT boundary includes the need to see and monitor systems assets within the boundary.

The SANS 2019 cyber security research indicates that increasing visibility into control systems’ cyber assets is the top initiative organizations are budgeting for in the next 18 months.

Indeed, the need to identify assets within an industrial control network is a key business driver for many Nozomi Networks implementations. It’s not unusual for our teams to conduct a Proof of Concept (PoC) where the industrial operator has indicated that their network has, say, 3,000 assets. But, when our technology is installed, it quickly identifies 15,000 assets. After thousands of installations, we know that it’s typical to uncover a large discrepancy between the number of perceived assets and the real number.

The SANS 2019 survey provides insight into where the gaps in asset inventory are:

  • 64% of respondents have identified and inventoried over 75% of the servers and workstations in their OT/control systems
  • Less than half of respondents have identified and inventoried control system devices and software applications
  • The identification of embedded industrial devices is difficult, especially with porous system boundaries

Where does your organization stand in terms of compiling a comprehensive inventory of OT assets? Is the lack of an asset inventory your top ICS security roadblock?

Nozomi Networks solution: The Nozomi Networks solution automatically builds an asset inventory. The extensive amount of information shown for each node includes embedded devices, vulnerabilities and installed software.

A Key People Challenge: IT/OT Convergence

The SANS 2019 survey puts a big spotlight on the people challenges involved in improving ICS cyber security. Interestingly, organizations are increasing their reliance on internal staffing, versus consultants and vendors, for their cyber security programs. Growing confidence in employees’ abilities is another indicator of maturation of the processes surrounding industrial cyber security.

In-house OT cyber security requires that IT and OT work together. The age-old challenge of aligning priorities, and ensuring cooperation and communication between the teams, is not easy, however.

According to survey results, IT takes a leading role in managing corporate security policy and implementing the necessary controls, including into OT’s domain, while OT often controls the budget for safeguarding the ICS.

The goals and objectives of these two domains are not well aligned: IT governance and risk management centers on uptime and the protection of information and reputation (privacy), while OT focuses on the safety and reliability of cyber-physical processes.

To ensure collaboration and reduced risk to the organization, a common understanding of these key concepts is needed.

SANS 2019 OT/ICS Cyber Security Survey and Whitepaper

Since 2017, ICS security budgets have shifted from being primarily shared between IT and OT to a situation where today:

  • For 49% of respondents, budget is controlled by OT, up 18% since 2017
  • For 32% of respondents, budget is controlled by IT, up 15% since 2017
  • For 30% of respondents, budget control is shared between IT/OT, down 9% since 2017

When budget is held by one side of the house or the other, it’s essential that the groups work together to prioritize the people, process and technology measures that will be the focus of an annual plan.

While most respondents rate the current level of collaboration as “moderate or better”, there is still a lot of progress to be made. Nozomi Networks staff report that IT/OT convergence is more advanced in Europe and the Middle East than it is in North and South America.

Take Advantage of the SANS 2019 Survey to Improve Your ICS Security Program

The SANS 2019 cyber security research is valuable to every OT/ICS security practitioner, and can likely help you advocate for stronger support and funding. It also clearly identifies where difficulties lie, reminding you that you are not the only organization struggling with the challenge of improving operational cyber resiliency.

I encourage you to download the full report, available below, and consider how its findings can be used to advance your organization’s ICS cyber security program.

And, if you’d like to learn how the Nozomi Networks solution can help with visibility, asset inventory, anomaly detection and IT/OT convergence, please contact us.

* There were 338 survey respondents, representing organizations with operations in the United States (70%), Europe (49%) and Asia (39%). 45% of respondents have a role where more than 50% of their work time is spent working on OT/ICS cybersecurity.