Fotolia RAW -

Operational technology security improving, but attack surface continues to grow

Critical national infrastructure providers and others are improving cyber security capabilities around industrial control systems, but the cyber threat remains high and continues to evolve, a study shows

The security posture of organisations using industrial control systems (ICS) is maturing, with a higher concern with operational technology (OT) security and a growing number adopting strategies to address OT/IT convergence, a report reveals.

More than two-thirds (69%) of 348 security professionals polled worldwide have conducted a security audit of their OT/control systems or networks in the past year, according to the  2019 State of OT/ICS cyber security survey by the Sans Institute.

In addition, 46% of respondents said that increasing visibility into control system cyber assets and configurations is a 2019 priority, followed by investing in general cyber security awareness programmes for employees including IT, OT and hybrid IT/OT personal (30%) and bridging IT and OT initiatives (27%).

Some 62% claim to have a well-defined  system perimeter or boundary for their OT/control systems, while 51% said they are using continuous active monitoring to detect vulnerabilities, 44% now use anomaly detection tools to identify trends (up 9% from 2017) and 45% say they are now detecting compromise within 2-7 days of the incident, with  53% of those saying they move from detection to containment within 6 to 24 hours.

The report therefore shows that organisations are advancing their efforts and making investments to deploy OT cyber security programmes and technology

One of the biggest drivers of change in terms of IT/OT security is that more than half of respondents see cyber risks to their operations as being higher today than two years ago.

As a result, 42% said their control system security budget increased for the past two years, compared with just 29% in 2017, and only 50% of respondents ranked ICS security threats as high, severe or critical, down from 69% in 2017. 

While down significantly from 2017, the fact that 50% still consider the threat level to be severe reinforces the fact that even as organisations make OT cyber security a priority, cyber attacks and data breaches continue to rise and are evolving as OT and IT converge, and organisations adopt mobile, cloud and wireless capabilities.

The survey shows that 40% of respondents use some cloud service, while 37% of OT control system connections are wireless.

The report points out that some mobile applications replace engineering workstation applications, and organisations should treat their risk at a higher level. Wireless communication is also becoming more widely used to transfer data from sensor networks.

This further increases the attack surface and opens an organisation up to severe consequences if compromised, the report said, however respondents did not rate wireless communications and protocols as subject to high risk or impact.

Read more about OT security

Instead, the study shows that people are considered to be the greatest threat to ICS security, with 62% of respondents ranking people (internal and external) above technology (22%) and processes and procedures (14%) as the greatest risk to compromise.

“The obvious concern about the risk that people represent – whether they are malicious insiders, careless employees or nation-state bad actors – is consistent across industries,” said survey co-author and Sans senior analyst Barbara Filkins.

“We were a little surprised at the lower-ranking concern around process, given that there is significant complexity involved in ICS design, implementation and operation to safeguard OT systems. It’s possible recent attacks that almost always include tried-and-true tactics that exploit human-factors might have affected our respondents’ perceptions.”

Unprotected devices, nation states/hacktivists and internal accidents rank as the top three threats, followed by IT integration and external supply chain or partner threats.

Less than a quarter of respondents said they were concerned about phishing scams, despite continued evidence from ICS attack research that this tactic continues to be a favoured mechanism to establish an initial point of compromise and entry into many industrial control systems in IT.

“The findings in this latest Sans report make it clear that 2019 is the year for ICS cyber security,” said Edgard Capdevielle, CEO of Nozomi Networks, one of the sponsors of the report.

“We see the urgency and growing demand every day as more industrial companies worldwide reach out to us for help in aggressively arming themselves against cyber threats rising in number, persistence and strength.

“ICS cyber security is a priority and organisations are strengthening their cyber security posture with innovative OT security technologies that provide deep visibility and control across OT and IT.”

Next Steps

Operational technology is the new low-hanging fruit for hackers

Read more on Hackers and cybercrime prevention

Data Center
Data Management