The just-released SANS 2021 OT/ICS Cybersecurity Survey, sponsored by Nozomi Networks, uncovered some findings that surprised me, as well as survey author, Mark Bristow. Below, we take a look at some compelling statistics that ICS operators should take note of as they work to protect their OT and ICS systems.
While it’s not surprising that respondents reported that threats remain high and continue to grow in severity, it’s shocking that forty-eight percent still don’t know whether their organization had been compromised.
That’s a concerning – and unnecessarily large number given that visibility and detection solutions are readily available to provide that awareness. So, while threats are increasing in severity, and more organizations are proactively using new technologies and frameworks for defeating them, there’s still much work to be done.
A big surprise from the 2021 SANS OT/ICS Cybersecurity Survey was the widescale adoption of cloud technologies to support OT operations.
An Even Bigger Surprise: The Use of Cloud Technologies
One of the biggest (and welcome) surprises from the 2021 SANS OT/ICS Cybersecurity Survey was the widescale adoption of cloud technologies to support OT operations. According to the survey, forty-nine percent of respondents were using cloud technologies for operations support, and thirty-two percent were using cloud technologies for control critical activities.
The survey also identified remote access as the number one initial intrusion vector. This seems to be at odds with adding hosted services into critical control loops. Increased reliability and reduced total cost of ownership may be driving this trend, despite the connectivity requirements that come with it.
Insights From SANS Survey Author Mark Bristow
Ahead of Nozomi Networks’ upcoming webinar on this year’s survey, I had a chance to talk with Mark Bristow, the survey author and an ICS 515 certified instructor. He shared his thoughts on where we are today, and what’s needed for future progress.
What surprised you most in this year’s survey?
I found three things particularly striking in the report results:
- The level of adoption of cloud technologies for operational outcomes was striking. Two years ago, cloud adoption was not being seriously discussed and now forty-nine percent are using it.
- Incident visibility and confidence is not high. Forty-eight percent of respondents could not attest that they didn’t have an incident. A further ninety percent of these incidents had some level of operational impact.
- Eighteen percent of incidents involved the engineering workstation. This is a critical piece of equipment and having this involved in so many incidents is troubling.
The implication of engineering workstations in so many incidents is highly concerning. These devices are what is needed to develop predictable repeatable effects operations against control systems and the targeting and successful exploitation of these systems indicates significant current and future risk.
What do ICS operators need to focus on to protect themselves?
It’s great that we now have monitoring programs in place, but we are still mostly looking at the IT aspects of our OT environments. We need to be correlating our IT and OT security telemetry as well as process data to truly understand potential impacts to safety and operations.
Focus on fundamentals. Too many respondents do not have a formal program for asset identification and inventory. Without this foundational step, further security investments may be invalid, misplaced, or over/under the actual needs.
Ransomware is a huge risk, but it’s not one that is specifically targeting ICS. A malicious actor who is specifically targeting your ICS environment will usually not be as blunt or noisy as ransomware can be, but we are struggling to defend against ransomware. The impact of a ransomware breach still has potential to interrupt OT operations, even indirectly, so the risk should be tracked and mitigated.
I was really encouraged to see that some respondents are using continuous patching of the OT environment. A few years ago, this was considered impossible and seeing implementation is really encouraging. Also, the new openness and increased willingness to leverage cloud technologies for functionality other than operational control, will help defenders in the long run if done properly.
Explore What’s Driving Cloud-Adoption and Other OT/ICS Cybersecurity Trends
Learn more about the business and operational drivers behind this year’s survey results and what’s next for ICS cloud applications. We invite you to register for the Pi in the Sky: Cloud Adoption in OT webinar on October 14th at the link below.
Pi in the Sky: Cloud Adoption in OT
Thursday October 14, 2021 I 12:30 pm PDT, 3:30 pm EDT, 9:30 pm CEST
Duration: 1 hour
Join SANS 2021 OT/ICS Cybersecurity Survey author Mark Bristow, along with Nozomi Networks OT/IoT security expert Chris Grove to explore:
- The widescale adoption of cloud technologies to support OT operations
- Remote access as the number one initial intrusion vector
- The business and operational drivers behind the 2021 survey findings
- What’s next for ICS cloud applications
- Report: A SANS 2021 Survey: OT/ICS Cybersecurity
- Research Report: OT/IoT Security Report 2021
- Blog: Are You Ready for the Perfect Operational Security Storm?
- Blog: IoT Devices – the Newest Source of OT Network Security Gaps
- Blog: OT and IoT Security: Adopt a Post-Breach Mindset Today
- Solution Brief: The Leading Solution for OT & IoT Security and Visibility
- Research Report: OT/IoT Security Report 2021
Chris brings more than 25 years of cybersecurity experience with deep knowledge of IT, OT and IoT networks and mission-critical infrastructure. His prior experience includes managing large, critical and complex security projects around the world for customers of leading IT and OT cybersecurity vendors. Security executives turn to Chris for his expertise in almost every sector including commercial, government, defense, law enforcement, and the intelligence community.