Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

All Posts

Common ICS Cybersecurity Myths: Lessons Learned

Misconceptions about ICS/OT cybersecurity are stubborn. This "mythbusting" blog series dispels five common myths related to ICS cybersecurity. Catch up on previous entries if you're interested:

Now, let's look back at this series with a few parting thoughts on the state of ICS cybersecurity today. 

Lessons Learned from Recent Attacks and Industry Surveys

Major Trends in ICS Cybersecurity

  • ICS cyberattacks involving cyber criminals, hacktivists, and nation states are on the rise
  • Most organizations recognize risks to their ICS and are taking numerous initiatives to address these risks
  • The ICS cyber workforce/skills gap is widening
  • Governments are declaring cyber as a national security threat, and enacting more laws and regulations (NERC CIP, NIS Directive, CFATS, Nuclear, etc.)

According to a report from the World Energy Council, most technology executives feel they are losing ground to attackers and lack the facts to make effective decisions. The report also mentions that most companies have difficulty quantifying the impact of risks and mitigation plans.

ICS cybersecurity myths world energy councilImage source: World Energy Council

Many organizations feel that they are not prepared for cyber exploits and security breaches. A study conducted by Siemens and Ponemon Institute found that only 35 percent of respondents rate their organization’s cyber readiness in the OT environment as high, and 61 percent of respondents say their organization’s industrial control systems protection and security are not adequate.

Cyberattacks on ICS often go undetected due to lack of visibility, monitoring, and forensics capabilities. In the case of the cyberattack on the Ukrainian utilities in 2015, attackers gained initial access in July 2015 and remained in their network undetected until they caused a power outage on 23 December 2015.

Phishing attacks via email are one of the top attack vectors for initial point of entry. Other attack vectors into ICS include USB/removable media, remote access, and supplier networks. USB and social engineering vectors were used for STUXNET, and surprisingly, these are still two of the top 10 risks to ICS networks.

Cyber risks, especially across the supply chain, are challenging to address. According to a recent survey of the energy sector, 69 percent of respondents believe their organization is at risk because of uncertainty about the cybersecurity practices of third parties in the supply chain, and 61 percent say their organization has difficulty in mitigating cyber risks across the oil and gas value chain.

The biggest vulnerability to organizations is outdated and aging ICS. This is also the most difficult and time-consuming to address, and could adversely impact ICS due to compatibility issues, so mitigation requires careful planning and adequate testing.

Most organizations have realized that 100% effective security is not practically possible, and that they need to build incident response capabilities. Many organizations are taking the first step toward that goal by building visibility and baselining ICS networks.

Final Thoughts

Goodbye Air-Gapped Networks: Embracing Digitalization and Taking Back Control of ICS by Being Cyber Resilient

Hopefully, the facts and data presented in this blog series will  help in cracking a false sense of security created by age-old beliefs and myths, and expose the ground reality of ICS cybersecurity.

ICS cybersecurity issues cannot be solved by adding new technologies and processes alone. It will require a huge change in culture that challenges the old beliefs and myths, and bridges the gaps between business objectives and ICS cybersecurity needs. Boards need to provide leadership by facilitating strong governance, risk management, and collaboration among all functions within their organizations—including OT, IT, ERM, and EHS.

The very first step required is understanding of the threat landscape and gaining visibility into assets. The MITRE ATT&CK framework for ICS can be leveraged for understanding threats. New systems should be designed with built-in security. Last but not least, a documented and tested incident response plan should be in place to handle emergency situations in the event of a cyberattack.

Suggested Reading for ICS Cybersecurity


Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive weekly emails with links to the latest thought leadership, tips, research, and other insights from automation cybersecurity leaders.

Sanjay Chhillar
Sanjay Chhillar
Sanjay Chhillar is the head of OT/ICS Cybersecurity Practice at Siemens UK & Ireland.

Related Posts

Study Preview: IIoT Component Certification Based on 62443

The ISA Global Security Alliance (ISAGCA) and the ISA Security Compliance Institute (ISCI) recently relea...
Carol Muehrcke Oct 14, 2021 5:30:00 AM

ISA's Cybersecurity Standards Implementation Virtual Conference (CSIC)

Are your industrial automation and control systems (IACS) protected against malicious cyberattacks? These...
Steven Aliano Oct 12, 2021 5:30:00 AM

Securing Energy Infrastructure from Cyber Threats

Introduction Energy infrastructure is quite a large sector on Earth. It has evolved from the past 200 yea...
Sourabh Suman Oct 5, 2021 5:30:00 AM