Industrial Control Systems (ICS) security has seen significant changes due to both technological advancements and evolving cyber threats. As interconnections between ICS, enterprise IT, and cloud technologies multiply, the security challenges also multiply. In a recent webcast titled "The Business Risks of Ignoring ICS Security," SANS ICS course authors and instructors and ICS subject matter experts Tim Conway, Robert M. Lee, Dean Parsons, and Jason D. Christopher highlighted several critical takeaways that leaders and security professionals in the field must pay close attention to. These five insights provide a roadmap for understanding and mitigating the rising threats to ICS environments.
1. The Evolving ICS Threat Landscape
The evolution from diverse, bespoke systems to standardized, interconnected networks in the ICS environment represents both opportunity and risk. Historically, ICS were custom-built and unique to each installation. This created a barrier against widespread cyberattacks because malicious actors had to craft highly specific attacks for each system. However, with the move towards more standardized technologies and interconnected systems, attackers now have the potential to scale their operations. The transition to uniform software, protocols, and systems across various critical infrastructure sectors allows adversaries to target multiple industries with a single attack framework.
An example of this shift is the 2022 Pipedream attack. This state-sponsored toolkit was designed to target critical infrastructure at scale, marking a new era where operational technology (OT) environments can be targeted just as widely and frequently as traditional IT networks.
Robert emphasized the need for organizations to "prioritize OT security due to the connected nature of modern systems." The once segmented ICS systems are now networked and exposed, meaning that the defenses used in the past are no longer sufficient.
2. Network Visibility
Among the SANS Five ICS Cybersecurity Critical Controls discussed, the webcast guests emphasized network visibility as one of the most important. In ICS environments, network visibility is not only a cybersecurity tool, but also an efficiency and troubleshooting tool.
Dean highlighted how network visibility aids in root cause analysis and troubleshooting. With proper network monitoring, organizations can detect early signs of cyber threats and operational issues. For example, detecting anomalies in data traffic might not just signal a potential cyber intrusion but could also indicate a malfunctioning piece of equipment that needs immediate attention.
Network visibility also plays a key role in detecting "living off the land" attacks, where adversaries use legitimate processes and protocols in an ICS environment to carry out malicious actions. By focusing on network traffic, cybersecurity teams can identify and respond to such activities before they escalate into full-blown incidents.
3. Realistic ICS Incident Response Plans
One of the most overlooked aspects of ICS security is the development of a robust incident response plan tailored specifically to the operational technology in the facility. Many organizations make the mistake of applying their IT incident response plans to ICS environments, only to realize that the complexities of OT require a completely different approach.
During the webcast, Robert pointed out that having a generic incident response plan is not enough. Organizations need to understand the specific scenarios that could impact their operations. For example, a manufacturing facility may have different risks compared to an energy utility, and their response plans should reflect those differences.
The key is to create incident response scenarios based on realistic threats that have been observed in the specific industry. By focusing on known vulnerabilities and attack vectors, organizations can ensure that their response plans are not only effective but also executable under real-world conditions. The speakers recommended conducting regular tabletop exercises to validate these plans and adjust them as necessary.
4. Bridging the IT-OT Gap
One of the recurring themes in the webcast was the persistent gap between IT and OT teams. While both groups share the common goal of securing the organization, their approaches and areas of focus differ significantly. OT teams prioritize safety, reliability, and continuity of operations, whereas IT teams focus on data security, confidentiality, and integrity.
Collaboration is essential to overcome this gap. Allowing IT personnel to spend time with OT teams allows them to understand the operational environment they are tasked with securing. This can bridge the communication gap and foster better collaboration.
Dean underscored the importance of this collaboration, stating that "sitting with engineering staff, shadowing them at substations, and understanding how ICS environments function is a crucial step towards convergence." This convergence between IT and OT not only improves security but also operational efficiency, as both teams work together to solve common problems.
5. Leadership Engagement and Organizational Risk Awareness
Maybe the most critical takeaway from the webcast was the role of leadership in managing ICS security. Executives, particularly chief information security officers (CISOs), must fully understand the risks to their ICS environments. Failing to do so can lead to catastrophic consequences for the organization, the individuals responsible for securing it, and even the public.
One of the alarming trends mentioned during the webcast was that some CISOs tend to downplay or hide the risks associated with ICS vulnerabilities due to fear of budget cuts or pressure from leadership. Robert warned that this approach is not only dangerous but could lead to legal liabilities, especially with increasing regulatory scrutiny.
Instead, CISOs should focus on clear communication about risks, including what the organization can and cannot do with its current capabilities. By aligning security initiatives with business goals and openly discussing the trade-offs of different risk management strategies, leadership can make informed decisions about where to allocate resources.
Jason further emphasized the need for a more business-centric approach to risk management, suggesting that organizations should move away from traditional red-yellow-green risk metrics and instead focus on the actual business impact of security incidents. This means discussing risks in terms of operational outages, safety implications, and financial losses, making it easier for the board and executives to grasp the gravity of the situation.
The Path Forward
The webcast underscored that securing ICS environments is not just a technical challenge but also an organizational one. The path forward requires understanding the evolving threat landscape, fostering collaboration between IT and OT, proactive leadership, realistic planning, and continuous learning. Organizations that take these steps will be better positioned to navigate the complex and ever-changing world of ICS security.
SECURING INDUSTRIAL CONTROL SYSTEMS against today’s evolving cyber threats is not just a technical challenge, it’s a business imperative. The SANS ICS Strategy: Guide ICS Is the Business provides insights into the specialized strategies needed to protect our critical infrastructure. Now is the time for organizations to prioritize proactive security measures that ensure both operational resilience and public safety.
.jpg "ICS_Blog_Building a Better OT Ransomware Response Plan_340 x 340(1).jpg")
