SANS 2021 OT/ICS cybersecurity report confirms ICS threats remain high, grow in severity

A recent OT/ICS cybersecurity survey revealed that ransomware and financially motivated cybercrimes have topped the list of threat vectors that cause respondents the most concern, followed by the risk from nation-state cyberattacks at about 43 percent. 

Most interestingly, the elevation of non-intentional threat vectors made for a combined 34.5 percent of the total choices for the top three threat vectors. Non-intentional threat vectors are those threat vectors that are not malicious but still present risks. These include accidental insiders, unauthorized devices on the network, and risk from partner networks and IT/OT integration.

Sponsored by Nozomi Networks, the 2021 SANS report revealed steady growth in ICS-focused cybersecurity positions, the overall increase in budget allocation for ICS cybersecurity efforts, and a steady increase in the influence of regulatory regimes to drive cybersecurity investments. It also detected an increase in cloud adoption, use of the MITRE ATT&CK framework for ICS given its relatively recent release, and continued adoption of ICS monitoring technologies and threat-hunting methodologies.

It also revealed continued support for patch management and vulnerability assessment processes if not evenly applied. Asset inventories continuing to challenge most organizations, with 58.2 percent having a formal process. Overall, significant progress has occurred in the areas of professionalizing the workforce, OT monitoring, analysis, assessment, remediation, and response, the report said. 

“Although we still need improvement in inventory and asset management and OT segmentation/system interconnectivity, the past two years have demonstrated great progress (with more to come),” Mark Bristow, wrote in the 2021 SANS OT/ICS cybersecurity report.

The SANS OT/ICS cybersecurity report received 480 responses, an increase of 42 percent over the 2019 survey. Respondents represent a range of industry verticals, with additional respondents coming from 62 unique groups. 

Incident self-awareness in the form of monitoring and detection ranked relatively low, with about 12.5 percent of respondents confident they had not experienced a compromise in the past year, and 48 percent of survey participants not knowing whether they suffered an incident. Connectivity to external systems continues as the overwhelming root cause of the incidents, an indication that organizations still fail to follow network segmentation best practices. 

Additionally, 18.4 percent of initial infection vectors leverage the engineering workstation, a highly concerning fact because few correlate cyber and process data to analyze system breaches, according to the SANS OT/ICS cybersecurity report. Publicly available channels grossly underreport incidents; for example, almost all respondents indicated having at least one incident, with 90 percent having some level of impact on the process, yet only high-profile incidents such as Colonial Pipeline make headlines.

The SANS OT/ICS cybersecurity survey found considerable challenges facing OT security related to people, processes, and technology. Respondents’ answers relatively balance across these three areas concerning what they consider the biggest challenges their organizations face. 

On the technology front, technical integration represents a challenge. Organizations need to ensure that technical implementations more effectively integrate legacy OT environments with modern security technologies. Innovation from solution providers can support the area. 

The OT/ICS cybersecurity reported identified a significant OT security labor shortage.  “Although this survey shows that we currently have more OT security professionals than ever, we still need to do more to bring additional professionals into the industry to perform this critical work. We need investments in formal and informal training and professional development to train and re-skill the workforce to meet this surging demand,” Bristow wrote in the report.

Security leaders need to develop a culture of mutual understanding and shared vision and execution through leadership and process integration, the OT/ICS cybersecurity report said. By having IT and OT experts working more closely together, each can better understand the other’s perspective and ultimately drive favorable outcomes for the business. Without this shared understanding, all efforts may come to nothing.

Continued investment in OT incident-detection technologies, monitoring, and OT cybersecurity analysts and security operation centers are likely to drive these improvements. “This trend also represents a significant break with historical OT intrusion cases such as Havex and BlackEnergy, where adversary dwell time was plus-three years before detection. Containment also shows promising results, with the majority of incidents contained within the first day of the incident,” according to Bristow.

The number of incidents reaching or impacting the OT environment remains troubling because of the potential immediate effects on the OT environment even if an organization rapidly contains the incident, the OT/ICS cybersecurity survey reported. Remediation efforts appear somewhat delayed, as expected, with the bulk occurring within the first week of containment.

The OT/ICS cybersecurity survey identified that most respondents agreed that endpoints—engineering workstations and ICS server assets—present the greatest risk for compromise. Collectively, however, connectivity issues account for the second-highest risk concern, when factoring together internal system connections, remote access, connections to the field network, and wireless. 

Organizations need to focus on remote access and connections to other networks as a source of risk. This risk evaluation agrees with the reported incidents that leverage remote access as an initial vector. However, currently applied security controls do not sufficiently mitigate this risk, it added.

When it came to industrial incident response, interviewees identified a mix of outsourced and internal resources as their top-three resources to consult. The list included an outsourced cybersecurity solution provider for primary response support, followed closely by internal resources, and then an IT consultant. 

Forty percent of respondents indicate that they leverage an IT consultant to support their OT response efforts. The SANS ICS team has witnessed this many times, generally when called in to remediate a failed response effort by an IT-only response company, the survey said. When vetting partners for incident response support, be sure to ask about previous case histories (anonymized) and experience in OT response.

These results present an interesting contrast with 2019 survey results, indicating a sharp decrease in the reliance on internal resources, with the increase having shifted to the use of IT consultants and cybersecurity solution providers.

“It’s concerning to see that nearly half of this year’s survey respondents don’t know if they’ve been attacked when visibility and detection solutions are readily available to provide that awareness,” Andrea Carcano, Nozomi Networks’ co-founder and CPO, said in a press statement. “Threats may be increasing in severity, but new technologies and frameworks for defeating them are available and the survey found that more organizations are proactively using them. Still, there’s work to be done.”

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.