Cyber threats to operational technology environments remain high – but security defenses are getting stronger
- The latest report from Nozomi Networks Inc. found that industrial control systems (ICS) cybersecurity threats are still significant
- Despite security posture improvements, some people still don’t know whether their organizations have been compromised
Attacks on operational technology (OT) and industrial control systems (ICS) are becoming more sophisticated than traditional attacks on corporate networks. Because of how these attacks affect ICS/OT, managing the resulting risks calls for a set of security capabilities, technologies, processes, and approaches that differ from those used for traditional corporate IT networks.
Difference between operational technology (OT) and industrial control system (ICS)
ICS/OT assets and traditional IT assets are frequently contrasted; however, traditional IT assets emphasize either data in transit or data at rest. ICS/OT systems track and control the data that causes physical inputs and regulate physical actions to modify the real environment in real time.
In terms of technical distinctions, ICS differs from IT in a number of ways, including the prioritization of passive asset discovery and passive threat detection, low-bandwidth sites, critical yet legacy devices, proprietary engineering protocols, engineering systems not running traditional endpoint operating systems, and requirements for engineering hardware to be ruggedized and operate extremely reliably in harsh and even hazardous environments.
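The prioritization of passive asset discovery and passive threat detection mentioned above is easy to state but worth seeing in working form. The following is an added example, not code from the article or from Nozomi Networks: it builds an OT asset inventory purely from observed flow metadata (no probes are ever sent, which matters for fragile legacy devices) and then compares a later inventory against an approved baseline to flag new hosts, new protocols, and new clients talking to a controller. The flow records, IP addresses and timestamps are constructed for illustration; the port-to-protocol labels are the well-known IANA assignments for these ICS protocols.

```python
"""Passive OT asset discovery and baseline comparison (added example).

Assumptions (not from the article): flow records are constructed tuples of
(timestamp, src_ip, dst_ip, dst_port, transport), as a passive sensor or
flow collector might emit them. Nothing here transmits on the network.
"""
from dataclasses import dataclass, field

# Well-known TCP ports for common industrial protocols (IANA assignments).
ICS_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    102: "S7comm (ISO-TSAP)",
    44818: "EtherNet/IP",
}


@dataclass
class Asset:
    ip: str
    first_seen: str
    last_seen: str
    roles: set = field(default_factory=set)      # "client" and/or "server"
    protocols: set = field(default_factory=set)  # ICS protocols observed
    peers: set = field(default_factory=set)      # other IPs it exchanged flows with


def build_inventory(flows):
    """Build an asset inventory from observed flows only (passive discovery)."""
    inventory = {}

    def touch(ip, ts):
        asset = inventory.get(ip)
        if asset is None:
            asset = Asset(ip, first_seen=ts, last_seen=ts)
            inventory[ip] = asset
        asset.last_seen = ts
        return asset

    for ts, src, dst, dport, transport in flows:
        s = touch(src, ts)
        d = touch(dst, ts)
        label = ICS_PORTS.get(dport) if transport == "tcp" else None
        if label:
            # The side connecting to a well-known ICS port is the client
            # (HMI, engineering workstation); the listener is the server (PLC/RTU).
            s.roles.add("client"); s.protocols.add(label)
            d.roles.add("server"); d.protocols.add(label)
        s.peers.add(dst)
        d.peers.add(src)
    return inventory


def detect_anomalies(baseline, current):
    """Passive threat detection: diff a fresh inventory against an approved
    baseline. Returns a list of (asset_ip, reason) findings."""
    findings = []
    for ip, asset in current.items():
        if ip not in baseline:
            findings.append((ip, "new asset not in baseline"))
            continue
        known = baseline[ip]
        new_protocols = asset.protocols - known.protocols
        if new_protocols:
            findings.append((ip, f"new protocol(s): {sorted(new_protocols)}"))
        new_peers = asset.peers - known.peers
        if new_peers and "server" in asset.roles:
            findings.append((ip, f"new client(s) talking to it: {sorted(new_peers)}"))
    return findings


# Constructed sample data: an HMI polling a PLC over Modbus and an engineering
# workstation talking S7comm to a second PLC form the approved baseline.
BASELINE_FLOWS = [
    ("2022-09-30T08:00:00", "10.0.1.10", "10.0.2.20", 502, "tcp"),
    ("2022-09-30T08:00:05", "10.0.1.11", "10.0.2.21", 102, "tcp"),
]

# Later capture (constructed): an unknown host starts talking Modbus to the
# PLC, and the HMI begins using DNP3, which it never did before.
CURRENT_FLOWS = [
    ("2022-10-01T08:00:00", "10.0.1.10", "10.0.2.20", 502, "tcp"),
    ("2022-10-01T08:00:05", "10.0.1.11", "10.0.2.21", 102, "tcp"),
    ("2022-10-01T08:01:00", "10.0.1.50", "10.0.2.20", 502, "tcp"),
    ("2022-10-01T08:02:00", "10.0.1.10", "10.0.2.20", 20000, "tcp"),
]


def run_example():
    """Build both inventories and return the findings for the later capture."""
    baseline = build_inventory(BASELINE_FLOWS)
    current = build_inventory(CURRENT_FLOWS)
    return detect_anomalies(baseline, current)


if __name__ == "__main__":
    for ip, reason in run_example():
        print(f"{ip}: {reason}")
```

The baseline should be reviewed and approved by the engineering team before it is used for alerting; on a real plant network the "new asset" and "new client" findings are the ones most likely to correspond to an unmanaged engineering laptop or a compromised workstation rather than planned change.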
Due to the development of new attack frameworks, legacy devices, growing technological options, and resource limitations, the most challenging aspect of safeguarding control system technologies and processes is the technical integration of outdated ICS/OT technology with modern IT systems.
In fact, Nozomi Networks Inc., the market leader in OT and IoT security, revealed in its recent report, titled “SANS 2022 OT/ICS Cybersecurity Report”, that industrial control systems (ICS) cybersecurity threats are still significant. At the same time, organizations’ security postures have dramatically improved since last year. Despite the advancements, 35% of respondents don’t know whether their organizations have been breached. Also, in the past year, attacks on engineering workstations have doubled.
According to Andrea Carcano, Co-founder and CPO of Nozomi Networks, attacks like Incontroller have started directly targeting operational technology in the last year, which has been observed by Nozomi Networks researchers and the ICS cybersecurity community.
“While threat actors are honing their ICS skills, the specialized technologies and frameworks for a solid defense are available. The survey found that more organizations are proactively using them. Still, there’s work to be done. We encourage others to take steps now to minimize risk and maximize resilience,” he added.
Concerning threat vectors
With the surge in ransomware seen globally, it is not surprising that ransomware, extortion, or other financially motivated crimes rank as the top threat vectors of concern to respondents (40%).
Even ransomware that affects IT business networks may have an effect on ICS operations. This would depend on the location of ICS support services and network architecture, such as requirements for the enterprise resource planning (ERP) system and manufacturing execution system (MES) for ICS to be located on IT networks, and similar lessons learned from the Colonial Pipeline ransomware event. Detection and neutralization are more challenging when ransomware is specifically designed for industrial control systems, like the Ekans/Snake malware.
ICS cybersecurity risks remain high
- Compared to 69.8% in 2021, 62% of respondents rated the risk to their OT environment as high or severe.
- Although 10.5% of respondents claimed they had experienced a breach in the previous year (down from 15% in 2021), 35% of those respondents said the engineering workstation was an initial infection vector (up from 18.4% last year).
- Removable media replication is still the most common access vector (37%), followed by IT intrusions (41%).
Although there are still significant cybersecurity risks for ICS, ICS security postures are maturing. The report showed that businesses are spending money on ICS certification and training: 83% of respondents have professional control system certifications, a significant increase from 54% in the previous year.
Additionally, 56% (up from 51% in 2021) claim to be discovering compromises within the first 24 hours of an incident. The majority (69%) claim that it takes 6 to 24 hours to go from detection to containment.
Defense efforts are progressively becoming more assertive. Asset owners and vendors are working together to address the significant concerns the community is currently facing. Since adversaries have undoubtedly raised their game, it is only reasonable that defenders need to improve their defenses and staff skill sets to counter the growing threat.