Misconceptions about ICS/OT cybersecurity are stubborn. This "mythbusting" blog series dispels five common myths related to ICS cybersecurity. Catch up on previous entries if you're interested:
- Common ICS Cybersecurity Myth #1: The Air Gap
- Common ICS Cybersecurity Myth #2: Proprietary Systems and Protocols
- Common ICS Cybersecurity Myth #3: The Unbreachable Firewall
- Common ICS Cybersecurity Myth #4: Serial Communication
- Common ICS Cybersecurity Myth #5: Financially Motivated Cyberattacks
Now, let's look back at this series with a few parting thoughts on the state of ICS cybersecurity today.
Lessons Learned from Recent Attacks and Industry Surveys
Major Trends in ICS Cybersecurity
- ICS cyberattacks involving cyber criminals, hacktivists, and nation states are on the rise
- Most organizations recognize risks to their ICS and are taking numerous initiatives to address these risks
- The ICS cyber workforce/skills gap is widening
- Governments are declaring cyber as a national security threat, and enacting more laws and regulations (NERC CIP, NIS Directive, CFATS, Nuclear, etc.)
According to a report from the World Energy Council, most technology executives feel they are losing ground to attackers and lack the facts to make effective decisions. The report also mentions that most companies have difficulty quantifying the impact of risks and mitigation plans.
Image source: World Energy Council
Many organizations feel that they are not prepared for cyber exploits and security breaches. A study conducted by Siemens and Ponemon Institute found that only 35 percent of respondents rate their organization’s cyber readiness in the OT environment as high, and 61 percent of respondents say their organization’s industrial control systems protection and security are not adequate.
Cyberattacks on ICS often go undetected due to lack of visibility, monitoring, and forensics capabilities. In the case of the cyberattack on the Ukrainian utilities in 2015, attackers gained initial access in July 2015 and remained in their network undetected until they caused a power outage on 23 December 2015.
Phishing attacks via email are one of the top attack vectors for initial point of entry. Other attack vectors into ICS include USB/removable media, remote access, and supplier networks. USB and social engineering vectors were used for STUXNET, and surprisingly, these are still two of the top 10 risks to ICS networks.
Cyber risks, especially across the supply chain, are challenging to address. According to a recent survey of the energy sector, 69 percent of respondents believe their organization is at risk because of uncertainty about the cybersecurity practices of third parties in the supply chain, and 61 percent say their organization has difficulty in mitigating cyber risks across the oil and gas value chain.
The biggest vulnerability to organizations is outdated and aging ICS. This is also the most difficult and time-consuming to address, and could adversely impact ICS due to compatibility issues, so mitigation requires careful planning and adequate testing.
Most organizations have realized that 100% effective security is not practically possible, and that they need to build incident response capabilities. Many organizations are taking the first step toward that goal by building visibility and baselining ICS networks.
Final Thoughts
Goodbye Air-Gapped Networks: Embracing Digitalization and Taking Back Control of ICS by Being Cyber Resilient
Hopefully, the facts and data presented in this blog series will help in cracking a false sense of security created by age-old beliefs and myths, and expose the ground reality of ICS cybersecurity.
ICS cybersecurity issues cannot be solved by adding new technologies and processes alone. It will require a huge change in culture that challenges the old beliefs and myths, and bridges the gaps between business objectives and ICS cybersecurity needs. Boards need to provide leadership by facilitating strong governance, risk management, and collaboration among all functions within their organizations—including OT, IT, ERM, and EHS.
The very first step required is understanding of the threat landscape and gaining visibility into assets. The MITRE ATT&CK framework for ICS can be leveraged for understanding threats. New systems should be designed with built-in security. Last but not least, a documented and tested incident response plan should be in place to handle emergency situations in the event of a cyberattack.
Suggested Reading for ICS Cybersecurity
- ISA/IEC 62443 Standard for Securing Industrial Automation and Control Systems
- NERC CIP Standards
- NCSC CAF (Cyber Assessment Framework)
- ISO 27000 (27001 and 27019) Standards
- Purdue Model of ICS Security Architecture and Zones
- NIST SP 800-82 for Industrial Control Systems
- NIST CSF (Cyber Security Framework)
- NIST SP 800-53 Standard
- ICS-CERT Reports
- MITRE ATT&CK framework for ICS
- Real Story of Stuxnet: https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
- Analysis of the Cyber Attack on the Ukrainian Power Grid: https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive weekly emails with links to the latest thought leadership, tips, research, and other insights from automation cybersecurity leaders.