If you’d like to know where you stand, I have good news. The SANS Institute has just released new cyber security research that answers all these questions, and more. It’s one of the few sources of hard data on the state of industrial cyber security, and it’s available for free.
Let’s look at the issues mentioned above, and find out where they stand in 2019, based on input from hundreds of industrial organizations.
Nozomi Networks is a proud sponsor of the SANS 2019 OT/ICS Survey.
Risk Level Perception is High, and Connected Systems Are Expanding the Attack Surface
Amongst the 338 survey respondents*, just over 50% rated the level of ICS cyber risk to their organization’s overall risk profile as severe/critical or high. This is down from 69% in the last survey, conducted in 2017. With cyberattacks and data breaches on the rise and very much in the news, this finding might seem a bit surprising.
But both Nozomi Networks’ experience in the field and the SANS 2019 survey results indicate that the practice of ICS cyber security is maturing:
- 69% have conducted a security audit of their OT/control systems or networks in the past year
- 60% now proactively depend on internal resources to respond to an OT threat detection incident, up from 23% in 2017
- Between 2017 and 2019, the time to detect anomalous activity has decreased
This is perhaps giving organizations more confidence that they can deal with threats, and possibly explains why the risk level is rated as lower than in the past.
At the same time, however, the challenge of securing OT systems is expanding with the size of the attack surface. The boundaries of ICS are becoming broader as they “… are interwoven and interdependent, while also exchanging information with a myriad of other systems and processes.”
Boundary challenges include the use of mobile and wireless devices, which respondents rate as a low level of risk. The report points out that some mobile applications are replacing engineering workstation applications, so their risk should be rated higher. Also, wireless communication is becoming more widely used to transfer data from sensor networks. This further increases the attack surface and exposes an organization to severe consequences if compromised.
You’ll want to review the charts included in the SANS survey section called “Knowing the Boundaries”, and see how your approach to external connections compares to others.
A Key ICS Security Roadblock: Gaining Visibility
Having clear visibility into ICS devices and networking activity is a fundamental element of a robust cyber security program. The need to define and secure the OT boundary also includes the need to see and monitor system assets within the boundary.
The SANS 2019 survey provides insight into where the gaps in asset inventory are:
- 64% of respondents have identified and inventoried over 75% of the servers and workstations in their OT/control systems
- Less than half of respondents have identified and inventoried control system devices and software applications
- The identification of embedded industrial devices is difficult, especially with porous system boundaries
Where is your organization at in terms of compiling a comprehensive inventory of OT assets? Is the lack of an asset inventory your top ICS security roadblock?
The Nozomi Networks solution automatically builds an asset inventory.
The extensive amount of information shown for each node includes embedded devices, vulnerabilities and installed software.
The SANS 2019 survey puts a big spotlight on the people challenges involved in improving ICS cyber security. Interestingly, organizations are increasing their reliance on internal staffing, versus consultants and vendors, for their cyber security programs. Growing confidence in employees’ abilities is another indicator of maturation of the processes surrounding industrial cyber security.
In-house OT cyber security requires that IT and OT work together. The age-old challenge of aligning priorities, and ensuring cooperation and communication between the teams, is not easy, however.
According to survey results, IT takes a leading role in managing corporate security policy and implementing the necessary controls, including into OT’s domain, while OT often controls the budget for safeguarding the ICS.
The goals and objectives of these two domains are not well aligned: IT governance and risk management centers on uptime and the protection of information and reputation (privacy), while OT focuses on the safety and reliability of cyber-physical processes.
To ensure collaboration and reduced risk to the organization, a common understanding of these key concepts is needed.
SANS 2019 OT/ICS Cyber Security Survey and Whitepaper
- For 49% of respondents, budget is controlled by OT, up 18% since 2017
- For 32% of respondents, budget is controlled by IT, up 15% since 2017
- For 30% of respondents, budget control is shared between IT/OT, down 9% since 2017
When budget is held by one side of the house or the other, it’s essential that the groups work together to prioritize the people, process and technology measures that will be the focus of an annual plan.
While most respondents rate the current level of collaboration as “moderate or better”, there is still a lot of progress to be made. Nozomi Networks staff report that IT/OT convergence is more advanced in Europe and the Middle East than it is in North and South America.
Take Advantage of the SANS 2019 Survey to Improve Your ICS Security Program
The SANS 2019 cyber security research is valuable to every OT/ICS security practitioner, and can likely help you advocate for stronger support and funding. It also clearly identifies where difficulties lie, reminding you that you are not the only organization struggling with the challenge of improving operational cyber resiliency.
I encourage you to download the full report, available below, and consider how its findings can be used to advance your organization’s ICS cyber security program.
And, if you’d like to learn how the Nozomi Networks solution can help with visibility, asset inventory, anomaly detection and IT/OT convergence, please contact us.
* There were 338 survey respondents, representing organizations with operations in the United States (70%), Europe (49%) and Asia (39%). 45% of respondents have a role where more than 50% of their work time is spent working on OT/ICS cybersecurity.
Converging OT and IT Networks: Where and How to Evolve ICS for Security
Wednesday, June 19th, 2019
1:00 PM EDT (17:00:00 UTC)
Nozomi Networks CMO, Kim Legelis, participates in an interactive panel discussion on the survey’s OT/IT security findings.
Download the SANS Report: “SANS 2019 OT/ICS Cybersecurity Survey & Whitepaper”
- State of OT/ICS security in 2019
- Levels of perceived cyber risk
- Top threat vectors of concern
- ICS security incident data
- Security architecture trends and gaps
- Security technologies in use and planned for adoption
- SANS recommendations and conclusions
- Press Release: Nozomi Networks-Sponsored SANS Survey Finds Industrial Organizations are Going All-In to Tackle Growing Threats to OT/ICS Cyber Security
- SANS Infographic: SANS 2019 State of OT/ICS Cybersecurity Survey
- Executive Brief: The Costs of OT Cyber Security and How to Reduce Risk
- Executive Brief: Integrating OT into IT/OT SOCs
- Blog: 5 Things to Consider for Your ICS Security Proof of Concept
- Blog: Breaking Research: LockerGoga Ransomware Impacts Norsk Hydro
- Solution Brief: Nozomi Networks
- White Paper: Advancing ICS Visibility and Cyber Security with the Nozomi Networks Solution
ICS Security Specialist, Nozomi Networks
Heather MacKenzie has worked in the field of industrial cyber security since 2008, authoring over 150 articles and multiple white papers on the subject. She is passionate about helping IT/OT teams responsible for ICS networks understand their cyber risks, and how to use operational visibility and cyber security tools to build resiliency. As ICS Security Specialist at Nozomi Networks, Heather is actively working to protect the world’s critical infrastructure and manufacturing from cyber threats.