Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.


Common ICS Cybersecurity Myths: Lessons Learned

Misconceptions about ICS/OT cybersecurity are stubborn. This "mythbusting" blog series dispels five common myths related to ICS cybersecurity.

Now, let's look back at this series with a few parting thoughts on the state of ICS cybersecurity today. 

Lessons Learned from Recent Attacks and Industry Surveys

Major Trends in ICS Cybersecurity

  • ICS cyberattacks involving cyber criminals, hacktivists, and nation states are on the rise
  • Most organizations recognize risks to their ICS and are taking numerous initiatives to address these risks
  • The ICS cyber workforce/skills gap is widening
  • Governments are declaring cyber as a national security threat, and enacting more laws and regulations (NERC CIP, NIS Directive, CFATS, Nuclear, etc.)

According to a report from the World Energy Council, most technology executives feel they are losing ground to attackers and lack the facts to make effective decisions. The report also mentions that most companies have difficulty quantifying the impact of risks and mitigation plans.

Image source: World Energy Council

Many organizations feel that they are not prepared for cyber exploits and security breaches. A study conducted by Siemens and Ponemon Institute found that only 35 percent of respondents rate their organization’s cyber readiness in the OT environment as high, and 61 percent of respondents say their organization’s industrial control systems protection and security are not adequate.

Cyberattacks on ICS often go undetected due to lack of visibility, monitoring, and forensics capabilities. In the case of the cyberattack on the Ukrainian utilities in 2015, attackers gained initial access in July 2015 and remained in their network undetected until they caused a power outage on 23 December 2015.

Phishing attacks via email are one of the top attack vectors for initial point of entry. Other attack vectors into ICS include USB/removable media, remote access, and supplier networks. USB and social engineering vectors were used for STUXNET, and surprisingly, these are still two of the top 10 risks to ICS networks.

Cyber risks, especially across the supply chain, are challenging to address. According to a recent survey of the energy sector, 69 percent of respondents believe their organization is at risk because of uncertainty about the cybersecurity practices of third parties in the supply chain, and 61 percent say their organization has difficulty in mitigating cyber risks across the oil and gas value chain.

The biggest vulnerability to organizations is outdated and aging ICS. It is also the most difficult and time-consuming to address, and remediation could adversely impact ICS due to compatibility issues, so mitigation requires careful planning and adequate testing.

Most organizations have realized that 100% effective security is not practically possible, and that they need to build incident response capabilities. Many organizations are taking the first step toward that goal by building visibility and baselining ICS networks.

Final Thoughts

Goodbye Air-Gapped Networks: Embracing Digitalization and Taking Back Control of ICS by Being Cyber Resilient

Hopefully, the facts and data presented in this blog series will help crack the false sense of security created by age-old beliefs and myths, and expose the ground reality of ICS cybersecurity.

ICS cybersecurity issues cannot be solved by adding new technologies and processes alone. Solving them will require a huge change in culture that challenges the old beliefs and myths, and bridges the gaps between business objectives and ICS cybersecurity needs. Boards need to provide leadership by facilitating strong governance, risk management, and collaboration among all functions within their organizations, including OT, IT, ERM, and EHS.

The very first step is understanding the threat landscape and gaining visibility into assets. The MITRE ATT&CK framework for ICS can be leveraged for understanding threats. New systems should be designed with built-in security. Last but not least, a documented and tested incident response plan should be in place to handle emergency situations in the event of a cyberattack.


Sanjay Chhillar
Sanjay Chhillar is the head of OT/ICS Cybersecurity Practice at Siemens UK & Ireland.
