Surprising Findings in the SANS 2021 OT/ICS Cybersecurity Survey

The just-released SANS 2021 OT/ICS Cybersecurity Survey, sponsored by Nozomi Networks, uncovered some findings that surprised me, as well as the survey's author, Mark Bristow. Below, we look at some of the statistics that ICS operators should take note of as they work to protect their OT and ICS systems.

While it’s not surprising that respondents reported that threats remain high and continue to grow in severity, it’s shocking that forty-eight percent still don’t know whether their organization has been compromised.

That’s a concerning, and unnecessarily large, number given that visibility and detection solutions that provide exactly that awareness are readily available. So, while threats are increasing in severity and more organizations are proactively using new technologies and frameworks to defeat them, there’s still much work to be done.

An Even Bigger Surprise: The Use of Cloud Technologies

One of the biggest (and welcome) surprises from the 2021 SANS OT/ICS Cybersecurity Survey was the widespread adoption of cloud technologies to support OT operations. According to the survey, forty-nine percent of respondents were using cloud technologies for operations support, and thirty-two percent were using cloud technologies for critical control activities.

The survey also identified remote access as the number one initial intrusion vector. That sits uneasily with adding hosted services into critical control loops, since every cloud-connected control function is another remote connectivity path that has to be secured and monitored. Increased reliability and reduced total cost of ownership may be driving this trend, despite the connectivity requirements that come with it.

Insights From SANS Survey Author Mark Bristow

Ahead of Nozomi Networks’ upcoming webinar on this year’s survey, I had a chance to talk with Mark Bristow, the survey author and an ICS 515 certified instructor. He shared his thoughts on where we are today, and what’s needed for future progress.

What surprised you most in this year’s survey?

I found three things particularly striking in the report results:

  • The level of adoption of cloud technologies for operational outcomes was striking. Two years ago, cloud adoption was not being seriously discussed and now forty-nine percent are using it.
  • Incident visibility and confidence are not high. Forty-eight percent of respondents could not attest that they didn’t have an incident. A further ninety percent of these incidents had some level of operational impact.
  • Eighteen percent of incidents involved the engineering workstation. This is a critical piece of equipment and having this involved in so many incidents is troubling.

The implication of engineering workstations in so many incidents is highly concerning. These devices are what is needed to develop predictable, repeatable effects operations against control systems, and the targeting and successful exploitation of these systems indicate significant current and future risk.

What do ICS operators need to focus on to protect themselves?

It’s great that we now have monitoring programs in place, but we are still mostly looking at the IT aspects of our OT environments. We need to be correlating our IT and OT security telemetry as well as process data to truly understand potential impacts to safety and operations.

Focus on fundamentals. Too many respondents do not have a formal program for asset identification and inventory. Without this foundational step, further security investments may be invalid, misplaced, or over/under the actual needs.

Ransomware is a huge risk, but it’s not one that is specifically targeting ICS. A malicious actor who is specifically targeting your ICS environment will usually not be as blunt or noisy as ransomware can be, but we are struggling to defend against ransomware. The impact of a ransomware breach still has potential to interrupt OT operations, even indirectly, so the risk should be tracked and mitigated.
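Bristow's advice to correlate IT and OT security telemetry with process data, together with the survey's two headline findings (remote access as the top initial vector, engineering workstations involved in eighteen percent of incidents), is easiest to see as detection logic. The following Python is an added illustration written for this page; it is not code from Nozomi Networks, SANS or the survey, and every hostname, tag, baseline, threshold and event in it is constructed. It assumes three feeds already exist: remote-access logins from the IT side, control-change events from passive OT network monitoring, and tag updates from a process historian.

```python
"""Correlate IT remote-access logins, OT network events and process data.

Added illustration, not code from the page, Nozomi Networks or SANS. All
hostnames, tags, baselines, thresholds and events below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Any, Dict, List

# Assumed inputs from an asset inventory and a historian baseline (constructed).
ENGINEERING_WORKSTATIONS = {"ews-01"}
SETPOINT_BASELINE = {"plc-07/pressure_sp": 100.0}

# OT events that change what a controller does, as opposed to reads/polls.
CONTROL_CHANGE_KINDS = {"program_download", "write_registers", "firmware_update"}


@dataclass
class Event:
    ts: datetime
    source: str                 # "it", "ot" or "process"
    kind: str                   # e.g. "remote_login", "program_download", "tag_update"
    host: str                   # EWS for it/ot events, PLC for process events
    detail: Dict[str, Any] = field(default_factory=dict)


@dataclass
class Finding:
    login: Event
    control_changes: List[Event]
    deviations: List[Event]
    severity: str               # "low", "medium" or "high"


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample telemetry: one vendor remote session that ends in a
# changed setpoint, one routine HMI session, and one idle EWS login.
SAMPLE_EVENTS = [
    Event(parse_ts("2021-09-14T02:05:00"), "it", "remote_login", "ews-01",
          {"user": "vendor1", "src_ip": "203.0.113.7"}),
    Event(parse_ts("2021-09-14T02:12:00"), "ot", "program_download", "ews-01",
          {"target": "plc-07"}),
    Event(parse_ts("2021-09-14T02:15:00"), "process", "tag_update", "plc-07",
          {"tag": "pressure_sp", "value": 135.0}),
    Event(parse_ts("2021-09-14T09:10:00"), "it", "remote_login", "hmi-03",
          {"user": "ops", "src_ip": "10.1.1.20"}),
    Event(parse_ts("2021-09-14T09:30:00"), "ot", "read_registers", "hmi-03",
          {"target": "plc-07"}),
    Event(parse_ts("2021-09-14T09:35:00"), "process", "tag_update", "plc-07",
          {"tag": "pressure_sp", "value": 101.0}),
    Event(parse_ts("2021-09-14T14:00:00"), "it", "remote_login", "ews-01",
          {"user": "engineer2", "src_ip": "10.1.1.50"}),
]


def correlate(events: List[Event], window: timedelta = timedelta(minutes=30),
              deviation_pct: float = 10.0) -> List[Finding]:
    """For every remote login to an engineering workstation, collect the control
    changes it issued within `window` and any process deviations on the PLCs it
    touched, then grade the chain low (login only), medium (login + control
    change) or high (login + control change + process deviation)."""
    events = sorted(events, key=lambda e: e.ts)
    findings: List[Finding] = []
    for login in events:
        if not (login.source == "it" and login.kind == "remote_login"
                and login.host in ENGINEERING_WORKSTATIONS):
            continue
        end = login.ts + window
        changes = [e for e in events
                   if e.source == "ot" and e.kind in CONTROL_CHANGE_KINDS
                   and e.host == login.host and login.ts <= e.ts <= end]
        touched = {str(c.detail["target"]) for c in changes}
        deviations: List[Event] = []
        for e in events:
            if e.source != "process" or e.host not in touched or not (login.ts <= e.ts <= end):
                continue
            baseline = SETPOINT_BASELINE.get(f"{e.host}/{e.detail['tag']}")
            if baseline is None:
                continue
            if abs(float(e.detail["value"]) - baseline) / baseline * 100.0 > deviation_pct:
                deviations.append(e)
        severity = "high" if deviations else ("medium" if changes else "low")
        findings.append(Finding(login, changes, deviations, severity))
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f.severity.upper(), f.login.ts.isoformat(), f.login.host,
              f.login.detail.get("user"), [c.kind for c in f.control_changes],
              [(d.detail["tag"], d.detail["value"]) for d in f.deviations])
```

The point of the grading is that none of the three feeds is conclusive alone: a vendor VPN login is routine, a program download from an engineering workstation is routine, and a setpoint moving is routine, but all three inside one short window on the same chain of assets is exactly the engineering-workstation scenario the survey flags. Note that the whole thing hinges on knowing which hosts are engineering workstations and which PLCs they are allowed to touch, which is the asset inventory Bristow calls a fundamental.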

What are ICS operators doing well?

I was really encouraged to see that some respondents are using continuous patching of the OT environment. A few years ago, this was considered impossible and seeing implementation is really encouraging. Also, the new openness and increased willingness to leverage cloud technologies for functionality other than operational control will help defenders in the long run if done properly.