Next year will mark the 20th anniversary of the SANS ICS Security Summit—our community’s largest asset owner/operator-driven educational event. In the two decades since its launch, our industry has grown considerably. In the pre-Stuxnet age, we were influenced by increased communications and data flowing across the IT-OT boundary (if such a boundary even existed).
Today, those communications and data flows have increased in both quantity and sophistication—and so have the threats.
Since 2017, the annual SANS State of ICS/OT Cybersecurity survey has provided the industry with a wealth of information to help calibrate and further refine our industrial cyber risk programs. Because it highlights trends across critical infrastructure sectors, asset owners and operators can use it to benchmark aspects of their ICS/OT security capabilities. Since our first publication, the document has become a vital tool for CISOs, security leaders, and ICS/OT practitioners.
I am proud to have authored this year’s report, which continues the SANS tradition of providing actionable information for asset owners/operators of critical infrastructure—with a slight twist. New to the 2024 State of ICS/OT Cybersecurity report are observations on how the trends and data have changed over the five years of previous reports. Because the report expands beyond the “snapshot in time” we traditionally provide, readers will be able to observe our industry’s growth since 2019 and infer how we may improve going into 2029.
Hot Takes on the SANS Five ICS Cybersecurity Critical Controls
This year’s report is organized around the SANS Five ICS Cybersecurity Critical Controls, originally published in October 2022 by Rob Lee and Tim Conway, with questions, data, and trend analysis offered to guide an organization on how to apply each control. Don’t want to read about secure remote access? Skip it! Interested in non-ransomware cyber incidents that impacted ICS/OT networks? Jump to that section! With over 30 figures, tables, and graphs—and an underlying dataset of several thousand data points—you can nerd out on just about anything.
But if you’re short on time, here are the “hot takes” and soundbites to use at your next security meeting (organized by the Five Critical Controls):
1. OT Incident Response
- Thanks to the increase in ICS/OT-specific detection, we have gotten faster at detecting cyber incidents in our industrial environments—moving from an average of “days” in 2019 to “hours” in 2024.
- Unfortunately, after detection, our industry still lags on ICS/OT-specific incident response, with only 56% of respondents having an ICS/OT-specific incident response plan.
2. Defensible Architecture
- Our number one priority in creating a defensible architecture is still network protections, including boundary security measures—which makes sense, considering the number one attack vector into our ICS/OT networks is still pivoting from the enterprise IT network. Neither of these facts has changed drastically since 2019.
- The most-used technology categories for ICS/OT cybersecurity architecture are access controls, endpoint detection and response (EDR), and segmentation, among others. Interestingly, both access controls and EDR have seen substantial growth in deployment across industrial environments since 2019.
3. ICS Network Monitoring
- While our industry has done a lot of recent work understanding ICS/OT networks and gaining visibility, we still have a long way to go. Only 12% of respondents had “extensive” ICS/OT network monitoring capabilities. This was the strongest indicator of how quickly an ICS/OT cyber incident was detected.
- Beyond ICS network monitoring, 70% of respondents use some sort of detection in their industrial facilities—even if visibility is limited.
- Only a small portion of respondents (31%), however, have a Security Operations Center (SOC) with ICS/OT capabilities.
4. Secure Remote Access
- Thankfully, multifactor authentication (MFA) has become the norm for remote access into ICS/OT networks, with 75% of respondents leveraging the technology.
- That said, basic capabilities like logging and access verification are still absent for many practitioners.
5. Risk-Based Vulnerability Management
- Like the use of MFA, performing annual ICS/OT-specific cybersecurity assessments can now be considered “table stakes” for industrial facilities. Since 2019, 70-75% of respondents have consistently reported performing such annual assessments.
- Unfortunately, most of these assessments are paper-based; very few include the more technical findings that active vulnerability assessments or ICS/OT-specific penetration tests provide.
But wait, there’s more… on workforce and governance
Beyond the Five Critical Controls, this year’s report also dives deep into workforce management and governance, with some equally surprising hot takes:
- The majority (52.6%) of the ICS/OT cybersecurity workforce has worked in the field for five years or less.
- Most of the workforce also lacks job-relevant certifications, with only 49% holding (or having held) an ICS/OT-specific credential.
Fully aware of the reaction this next statement may provoke, I will say what the data makes clear:
CISOs officially “own” ICS/OT cybersecurity.
For years, and still today, there has been a debate over who should own ICS/OT cybersecurity programs and the associated risks. The argument against CISOs owning ICS/OT programs is that individual facilities may know their systems better and that the CISO has historically been an IT-centric position with little influence on the culture in OT and operations. When teaching ICS418 with co-author Dean Parsons, the historic SANS answer to this debate has been “it depends,” because we have all seen successes and failures when ICS/OT reports to CISOs, CTOs, or VPs of Engineering.
Well, the data does not lie, and we can provide some more definitive insights.
First, per the chart below, it is apparent that since 2019, CISOs are highly favored to be the “leader” for ICS/OT cybersecurity:
All the other categories, as not-so-subtly outlined above, are “noise” to the signal—CISOs are the primary owner time and again.
This has an overwhelmingly positive influence on ICS/OT cybersecurity programs. The data routinely shows that a CISO-led ICS/OT cybersecurity program has a shared IT-OT budget, which tends to be larger than any individual industrial facility or site can manage on its own.
CISOs also bring order to the chaos. When a CISO is in charge of ICS/OT cybersecurity, 82% of their programs are mapped to standards, compared to 42% if no corporate-wide policies exist (a nearly two-fold difference).
Interestingly, this correlation has broader ramifications. Organizations that both map to security standards and use ICS/OT-specific threat intelligence to inform their program tend to be quicker at detecting (and responding to) cybersecurity incidents. These organizations are also 53% more likely to have documented all external connections to their industrial environments.
At the end of the day, the data favors evolving the “Industrial CISO” into a role that truly owns and understands the implications of ICS/OT cybersecurity.
Does this mean every industrial CISO will be successful? Certainly not, and there will still be educational and cultural barriers to operating and sustaining these programs.
What does the future bring?
Like previous years, the 2024 State of ICS/OT Cybersecurity report analyzes the data behind ~40 technology categories used to manage industrial cyber risk. We included the full list in the appendix but dove deep on where the most growth will likely happen, in order to 1) help asset owners/operators with their 3-5 year budget plans and 2) forecast trends based on the 2019-2024 growth.
Suffice it to say, the future looks cloudy. Technologically, that is: 26% of respondents are now utilizing cloud technologies for ICS/OT applications, a significant (+15%) increase from previous years.
Meanwhile, artificial intelligence (AI) is a hot topic for IT systems but still has a long way to go (rightfully so) until the technology will be leveraged in ICS/OT networks—though plans are already in the works across several organizations that participated in the survey.
Actionable next steps
Having looked back at 2019-2024, the logical question is “how do we prepare for the next five years?” Regardless of the starting point, where should organizations focus their time and effort?
Based on the data, the following three objectives correlate most strongly with a mature and robust ICS/OT cybersecurity program:
- Adopt a standards-based program with centralized governance and ICS-specific threat intelligence, which will obviously take time if not already underway. This is not limited to mid-sized or large organizations: when threat intelligence is centralized across IT and OT into a single team or senior leader, small organizations also saw rapid maturity and improvements compared to their peers.
- Prioritize workforce development, especially given the relative “newness” of ICS/OT security practitioners compared to their IT peers, who may have spent more years in their field. As mentioned at the beginning, at our first SANS ICS Security Summit we did not even have ICS-specific courses. That was 20 years ago. A lot has changed, and the workforce protecting critical infrastructure needs to keep pace with the changing technologies and risks within our industrial environments.
- Evaluate technology adoption to understand what trends have succeeded over the past five years and which technologies will be deployed over the next five years. If there’s a clear majority of organizations using a technology (MFA for remote access, EDR where possible, segmentation, etc.) and your organization still has not deployed it—now is the time to use these benchmarks to enact change and better secure your industrial facilities.
I encourage each of you to read the report in full—especially with the new historic trend information.
If you missed the webcast where we deep-dive into more specifics, be sure to check out the recording here.
Lastly, stay up-to-date and be sure to join us for the 20th anniversary of the SANS ICS Summit in June!