Continuous need to face challenges, build strategies across industrial cybersecurity amidst evolving threats

Rising cyber threats and attacks against critical infrastructure installations have forced constant adaptation to a changing threat landscape in the ever-evolving world of industrial cybersecurity. One of the primary challenges organizations face in industrial cybersecurity is the rapid growth of threats in both number and sophistication. Cyber attackers continually devise new methods to breach systems, creating a constant struggle for companies to proactively defend against such threats. As a result, there is a growing emphasis on continuous monitoring and leveraging threat intelligence to detect and respond to attacks in real time.

By leveraging advanced technologies such as AI and machine learning, organizations can detect and respond to threats in real time, bolstering the protection of their systems and data. Moreover, they are prioritizing proactive measures like vulnerability assessments and penetration testing to preemptively identify and address potential weaknesses before they can be exploited.

However, challenges persist across the industrial cybersecurity sector: legacy systems commonly found in industrial settings often lack inherent security features, rendering them vulnerable to cyber-attacks. Integration of IT and OT (operational technology) introduces complexities in managing cybersecurity risks across interconnected systems. Additionally, organizations must navigate the intricacies of securing interconnected systems and operational technology, which frequently involve legacy equipment. This necessitates a delicate balance between implementing robust security measures and ensuring minimal disruption to operations.

Another factor the sector faces is the shortage of skilled cybersecurity professionals, which poses a significant obstacle as organizations struggle to find and retain talent capable of navigating this specialized field. Despite these challenges, organizations are committed to staying ahead of emerging threats, collaborating with industry peers, and investing in innovative solutions to fortify their defenses and protect critical infrastructure.

Gauging technology evolution and industry progress across industrial landscape

In a two-part feature article series, Industrial Cyber reached out to market experts to offer insights into the current landscape of cybersecurity technology and solutions in the industrial sector. They also evaluated the evolution and maturation of products and assessed the industry’s overall progress and effectiveness.

Mark Bristow, director of MITRE’s Cyber Infrastructure Protection Innovation Center

The industrial cybersecurity technology marketplace has grown from a few small boutique consultancies into a multi-billion-dollar industry, Mark Bristow, director of MITRE’s Cyber Infrastructure Protection Innovation Center (CIPIC), told Industrial Cyber. “Huge progress has been made in developing technologies to better secure operational technology (OT), especially in the areas of detection and monitoring, but gaps still exist for scalable solutions that cover some of the industry’s biggest challenges like identity and access management, segmentation, security testing, and endpoint defense.” 

However, he identified that there are still too many well-known common weaknesses built into cybersecurity technology solutions within the industrial sector where safer alternatives are available. 

Jonathon Gordon, directing analyst at Takepoint Research

The industrial sector is characterized by a dynamic and constantly evolving threat landscape, Jonathon Gordon, directing analyst at Takepoint Research, told Industrial Cyber. “Industrial cybersecurity solutions are increasingly adapting to emerging threats such as ransomware and sophisticated attacks that compromise production and service delivery or directly target OT and IACS. The industry’s response has been proactive, with updates in security tools and strategies to defend against these evolving threats.”

Gordon added that the challenges posed by ransomware and geopolitical tensions highlight the importance of enhanced protective measures within ICS/OT environments. “The industry has made notable progress in terms of adopting proactive and flexible approaches to manage cybersecurity risks effectively within this complex and changing environment.”

“Overall, the industrial cybersecurity sector is making significant progress towards becoming more resilient and capable of handling current and future threats,” according to Gordon. “The shift towards proactive cybersecurity measures, combined with the push from regulatory pressure and the integration of advanced technologies, suggests a positive outlook for the industry’s capability to manage and mitigate cyber risks effectively.”

Mike Holcomb, cybersecurity fellow and ICS/OT cybersecurity global lead for Fluor

Mike Holcomb, a cybersecurity fellow and ICS/OT cybersecurity global lead for Fluor, told Industrial Cyber that there are a limited number of core established providers in the industrial sector (e.g., Dragos, Nozomi) with several less established vendors trying to carve out their own space in a market that doesn’t allow for a lot of growth for these new companies.

“While less established companies might have great ideas and solutions to bring to the sector, they might not be able to sustain their efforts simply due to not being able to obtain funding or make sales,” Holcomb observed. “For those products that do appear to be maturing over time, I would say that most are slow to progress, all companies in the market having been constrained over the last year or two by funding and sales numbers.”  

He noted that as far as effectiveness is concerned, it is tough to gauge independently without listening to the vendors themselves and not having solid reporting data on cyber security incidents in the ICS/OT space. 

Navigating rising geopolitical tensions in industrial cybersecurity

The experts address geopolitical tensions impacting the evolving threat landscape in industrial cybersecurity, particularly in combating ransomware attacks and LotL techniques. They look at the key challenges organizations encounter when fostering a collaborative security culture across all levels of the organization, and how these can be addressed. 

As brought into focus by recent senior government leaders’ testimony on the topic, Bristow pointed out that “our nation’s peer and near-peer adversaries have developed capabilities to disrupt or destroy critical infrastructure via cyber means. Their goals are not strictly military in nature but also aim to create ‘societal panic’ and impact the people’s will to defend our partners and allies. This means that infrastructure providers not previously thought to be ‘important enough’ because they do not directly serve government or military customers could be targeted for their psychological impact, greatly expanding the scope of potential targets.” 

“In this context, every organization with OT assets may be put in a position to defend their environment against a patient, well-resourced national adversary,” according to Bristow. “We need scalable solutions and novel approaches to give them a fighting chance. Combating LotL techniques will remain a challenge until more robust detection models and identity and access management solutions are widely available.”

He added, “While infrastructure attacks were previously thought to only be the objectives of nation-states, ransomware has demonstrated that financially motivated attackers also can effectively target OT. While potentially financially and operationally devastating to an owner/operator and their customers, ransomware has spurred into action many organizations who see a much more likely impact from these attacks into bolstering their defenses and likely had a net positive impact on the industry’s security posture. That said, financially motivated attackers are looking to cause reversible effects so are not representative of the tactics one could expect from an adversary trying to do explicit harm.”

Gordon pointed out that geopolitical tensions significantly impact the evolving threat landscape in industrial cybersecurity, particularly by increasing the involvement of nation-state actors. “These tensions contribute to the escalation of cyber threats as global conflicts and tensions shape cybersecurity dynamics. Cyberattacks targeting OT/ICS are increasingly influenced by the geopolitical strategies of nation-states, leading to more sophisticated and targeted attacks, including supply chain compromises and zero-day exploits.”

“As global tensions rise, nation-states such as China, Russia, Iran, and North Korea are often implicated in cyber activities targeting critical infrastructure,” Gordon noted. “These attacks exploit risks introduced by the interconnectedness of IT and OT networks, bypassing traditional security measures. The presence of nation-state actors in the cyber landscape necessitates a shift towards more resilient infrastructures and stringent protocols, alongside international cooperation to effectively combat these enhanced threats.”

Gordon further detailed that integrating diverse teams to ensure consistent security practices is one of the key challenges in fostering a collaborative security culture. “Transparency and collaboration are essential for engaging stakeholders like control room operators and engineers in cybersecurity dialogues. It’s important to involve individuals familiar with operations, as this emphasizes how continuous cyber risk management can enhance security and boost productivity.”

Highlighting that geopolitical tensions have grown and shifted significantly over the past few years, especially since the current Russian invasion of Ukraine, Holcomb said that this conflict, as well as other conflicts in the Middle East, has created a new generation of hacktivists with more evolved skills than previous generations, making them capable of far greater impact. “Combined with the fact that these attackers now realize ICS/OT networks are a valuable target, asset owners and operators need to realize that they are targets and prepare to defend their sites accordingly.”

Holcomb added that ransomware attacks, regardless of geopolitical considerations, will continue to grow as ransomware group operators realize they can continue to make money by impacting OT operations, even if only infecting IT systems which then have a cascading impact on OT availability. “LotL techniques are one of the more interesting stories we see playing out today with advanced attackers like Volt Typhoon and the Russian nation-state leveraging these capabilities.”  

Another noteworthy point highlighted by Holcomb is that some asset owners and operators are still unaware that they are targets, despite clear indications from the world around them. “Helping leadership become aware of the threats through cyber security threat landscape briefings can help address this issue, especially with briefings specific to their industry/sector, the locations in which they operate and are based out of,” he added.

Addressing talent diversity gap, emerging role of industrial CISOs

The experts delve into strategies for organizations to address the talent diversity gap in cybersecurity, bolstering defenses against evolving threats. Additionally, they explore the impact of the growing role of the industrial Chief Information Security Officer (CISO) in managing intricate cybersecurity issues within industrial sectors.

“Cybersecurity is hard. Industrial processes are hard. Industrial cybersecurity is hard squared (hard²),” Bristow said. “We must invest more in practical cross-training of our cyber teams on OT and our OT teams on cyber. There are a ton of upskilling opportunities right in our own organizations that are not always leveraged to support the defense of our processes or to grow our workforce.”

For security leaders, it’s critical to form strong relationships between OT and security so that security can be an enabler of safe operations, Bristow said. Operations leaders need to take some time to clearly communicate their constraints so that security leaders can help build solutions that enable the business.

Gordon noted that organizations can bridge the talent diversity gap in cybersecurity by adopting broader recruitment strategies and more inclusive hiring and development practices. “It’s essential to engage people from diverse backgrounds, which brings varied perspectives and expertise vital for crafting effective security solutions. Transparency and collaboration are pivotal; for example, involving engineers who understand operational aspects can highlight how cyber risk management enhances security and boosts productivity. This cooperative approach is vital for addressing the cybersecurity talent and skills gap, ensuring a robust defense against emerging threats,” he added.

“The rise of the Industrial Chief Information Security Officer (CISO) marks a significant shift in managing cyber risk from end to end in industrial sectors. This role is undergoing a transformation, acting as a conduit between executive management’s strategic objectives and operational execution,” according to Gordon. “The Industrial CISO’s responsibilities now extend beyond safeguarding assets to enabling efficient and reliable operations within a secure framework. By translating high-level cybersecurity frameworks into tangible practices and bridging the gap between IT and OT teams, the Industrial CISO enhances organizational resilience and safety in the digital age.”

He also noted that this shift encourages a holistic strategy for cybersecurity, moving away from isolated departmental efforts. This approach aligns the entire company with strategic goals and risk appetite.

Holcomb recognizes that organizations can attempt to hire individuals who understand ICS/OT cybersecurity, both from the engineering side and from the cybersecurity perspective. “Unfortunately, these individuals are rare and our asset owners and operators need to realize that it is on them to help support building these individuals. This can take significant investment in education/training, time, and other resources, which asset owners and operators typically are not used to providing for such a purpose.”

He added that the industrial CISO role is a significant step forward in helping secure the ICS/OT environment by entrusting their overall cyber security strategy and operational management to the vision of a leader. “Unfortunately, very few entities will have a dedicated ICISO outside of the larger providers.”

Proactive methods for continuous risk management in industrial cybersecurity

The experts throw light on how organizations can proactively adopt continuous risk management to stay ahead of evolving threats in industrial cybersecurity. They explore the strategies that industrial organizations use to enhance resilience and efficiently respond, recover, and learn from cybersecurity incidents, emphasizing operational continuity and long-term resilience planning.

Bristow flagged that too often in industrial cybersecurity “we are focused on the vulnerability of our industrial systems when evaluating risk. Given that some of these technologies were developed before the public internet, there are many inherent vulnerabilities that exist that are unlikely to be remediated until the equipment is replaced with more modern equipment. The end result is ‘risk’ that we can do nothing about.”

“Unlike IT where vulnerability translates to meaningful and reasonable risk estimation, in OT vulnerability is not as meaningful and more robust risk evaluation methods are needed,” MITRE’s Bristow added. “We need to more effectively leverage threat intelligence from known case studies, as well as analysis on threat actor capabilities to make more informed decisions on the probability of any particular vulnerability being exploited.” 

Bristow emphasized that there are simply many vulnerabilities that do not translate to risk because there are no threats capable of exploiting them. “We need to leverage insights into threat – not just intent and capability but capacity and adversary research and development for over-the-horizon risks – and susceptibility, where possible, to make meaningful investment decisions with limited resources,” he added. 
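The point Bristow makes across the three paragraphs above, that a vulnerability only becomes risk when a threat with the reach, capability and intent to exploit it exists, can be made concrete with a small threat-informed prioritization model. The following is an added illustrative example, not a MITRE or Industrial Cyber method and not code from anyone quoted on the page; the scoring weights, the capability labels, the actor profiles and the finding identifiers (F-1 to F-4) are all constructed for illustration. It ranks the same findings two ways: by CVSS severity alone, and by assessed likelihood of exploitation multiplied by process impact, with an optional "over-the-horizon" mode that also counts capabilities an actor is believed to be developing.

```python
from dataclasses import dataclass, field


@dataclass
class Finding:
    finding_id: str       # constructed identifier, not a real CVE
    asset: str
    cvss: float           # base severity, 0-10
    exposure: str         # "internet", "enterprise_it", "ot_network" or "physical"
    requires: set         # tradecraft an attacker needs to exploit it (constructed labels)
    exploit_public: bool  # working exploit or documented case study available
    impact: float         # assessed process impact (safety/availability), 0-1


@dataclass
class ThreatActor:
    name: str
    reach: set            # exposure levels the actor has demonstrated access to
    capabilities: set     # demonstrated tradecraft
    intent: float         # assessed intent against this sector, 0-1
    rnd: set = field(default_factory=set)  # capabilities believed under development


def exploitation_likelihood(f: Finding, actors, horizon=False) -> float:
    """Highest likelihood that any profiled actor exploits finding f.

    Zero when no actor can reach the finding's exposure level or lacks the
    tradecraft it requires: severity without a capable threat is not risk.
    With horizon=True, capabilities under development also count.
    """
    best = 0.0
    for a in actors:
        if f.exposure not in a.reach:
            continue
        caps = a.capabilities | (a.rnd if horizon else set())
        if not f.requires <= caps:
            continue
        # Public exploit or documented case study raises the likelihood (weights are assumptions)
        p = a.intent * (0.9 if f.exploit_public else 0.5)
        best = max(best, p)
    return best


def prioritize(findings, actors, horizon=False):
    """Return (ranked, no_current_threat).

    ranked: list of (risk score, finding id), highest first, where
            risk = likelihood of exploitation x process impact.
    no_current_threat: findings no profiled actor can exploit today; these
            belong in a watch list, not the remediation queue.
    """
    ranked, no_threat = [], []
    for f in findings:
        p = exploitation_likelihood(f, actors, horizon)
        if p == 0:
            no_threat.append(f.finding_id)
        else:
            ranked.append((round(p * f.impact, 3), f.finding_id))
    ranked.sort(reverse=True)
    return ranked, no_threat


def by_cvss(findings):
    """Severity-only ordering, for contrast with the threat-informed ranking."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed threat profiles (assumptions, not intelligence reporting)
ACTORS = [
    ThreatActor("financially motivated crew", reach={"internet", "enterprise_it"},
                capabilities={"windows", "credential_abuse"}, intent=0.8),
    ThreatActor("state-backed actor", reach={"internet", "enterprise_it", "ot_network"},
                capabilities={"windows", "credential_abuse", "ot_protocol"},
                intent=0.4, rnd={"safety_system"}),
]

# Constructed findings across an IT/OT estate
FINDINGS = [
    Finding("F-1", "historian server", 9.8, "enterprise_it", {"windows"}, True, 0.6),
    Finding("F-2", "line PLC", 10.0, "ot_network", {"ot_protocol"}, False, 0.9),
    Finding("F-3", "safety controller", 9.0, "ot_network", {"ot_protocol", "safety_system"}, False, 1.0),
    Finding("F-4", "serial-only RTU", 7.5, "physical", set(), False, 0.5),
]

if __name__ == "__main__":
    print("by CVSS:", by_cvss(FINDINGS))
    print("threat-informed:", prioritize(FINDINGS, ACTORS))
    print("with over-the-horizon capability:", prioritize(FINDINGS, ACTORS, horizon=True))
```

Severity alone puts the PLC (F-2, CVSS 10.0) first; the threat-informed ranking puts the historian server first because a capable, highly motivated actor can reach it with a public exploit, and it moves the serial-only RTU and, until the horizon flag is set, the safety controller into the no-current-threat list, which is where "risk we can do nothing about" stops consuming remediation budget and becomes a monitoring item instead.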

“Organizations can effectively embrace continuous risk management to stay ahead of evolving threats in industrial cybersecurity by shifting from traditional one-off or annual risk assessments to a continuous model,” Gordon said. “This involves ongoing monitoring, vulnerability management, and strategic risk management, including risk assessment, prioritization, breach attack simulation, and attack path analysis.”

To adapt to the evolving threat landscape, he added that it is essential to employ a cyclical process of continuous assessment and adaptation, with a feedback loop from security incidents and drills. “This allows organizations to dynamically evolve their security measures, ensuring their practices are responsive to the real-time cybersecurity environment and adequately mitigate emerging threats.”

Gordon noted that industrial organizations can build resilience and effectively respond, recover, and learn from cybersecurity incidents by focusing on several key strategies that emphasize operational continuity and long-term resilience planning. 

“Key strategies include developing robust incident response plans with clear roles and effective collaboration across teams to manage and remediate incidents. Utilizing standardized playbooks aids in efficient response and maintains security,” according to Gordon. “A continuous improvement approach for incident planning, response, and recovery is crucial, integrating technical controls and skilled personnel to lessen incident impacts and downtime. Proactive contingency and crisis planning further strengthen the organization’s ability to manage disruptions, maintaining operational efficiency and resilience.”

Holcomb identified this as one of the areas “that I see most ICS/OT environments struggle with – the need for continual improvement. Many might conduct an initial risk assessment, and come up with a list of identified issues and controls to apply to reduce the associated risk, but might not take action, or if they do, they believe no further effort to continuously improve over time, leaving their program stagnant.”

He added that to build resilience, organizations need to focus on what it will take to allow OT operations to continue in the event the IT environment is lost (at least, temporarily). “At a bare minimum, they need to be able to establish and test the capabilities to ensure they can rebuild any of their assets in the event of a significant incident.”

Be sure to tune in for the next part of this feature series, where industry experts will discuss recent updates in global regulations, standards, and compliance impacting the industrial sector. They will also explore the crucial role of supply chain security in industrial settings, strategies for implementing secure-by-design/default principles, and the use of generative AI to bolster security in industrial environments, along with the potential benefits and challenges of its implementation.
