Exploring changing terrain of OT/ICS cybersecurity issues, regulatory adherence, new threats


Evolving cyber threats and attacks, especially across OT/ICS environments, are bringing new challenges, regulatory frameworks, and emerging threats in 2024. One of the primary obstacles organizations face is the ongoing convergence of IT and OT (operational technology) systems as they embrace digital transformation initiatives. While this integration brings efficiency benefits, it also expands the attack surface, making critical infrastructure harder to secure.

Furthermore, there is a growing emphasis on regulatory compliance in the realm of OT/ICS cybersecurity, with the implementation of various standards and frameworks on a global scale. Notable examples include the EU’s Cybersecurity Act and NIST’s Cybersecurity Framework, which provide guidelines for organizations to enhance their cyber resilience. However, achieving compliance can be a complex endeavor, as organizations must navigate through multiple regulations and standards.

The emergence of new threats and attacks presents another significant challenge. Advanced persistent threat (APT) groups are increasingly targeting OT/ICS environments, using sophisticated tactics to exploit vulnerabilities as well as living-off-the-land techniques that reuse legitimate tools already present on the network.

For instance, a cyber-attack on a European oil and gas facility in 2023 exploited weak OT cybersecurity controls, resulting in widespread disruption. Separately, the CyberAv3ngers group ran an exploitation campaign against Unitronics programmable logic controllers (PLCs) across multiple sectors, including water and wastewater. That campaign relied on unsophisticated methods such as secure shell (SSH) brute-forcing and the exploitation of default configurations, which is a reminder that internet-exposed controllers with factory credentials need no zero-day to compromise.
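The two techniques named above, credential brute-forcing and logins to default accounts, are exactly the kind of low-sophistication activity a defender can catch from authentication logs on an OT jump host or PLC gateway. The following is an added example written for this page, not code from Industrial Cyber, CISA or any vendor. It parses constructed sshd-style log lines (the addresses, account names and timestamps are invented), flags a source that crosses a failed-login threshold inside a sliding time window, notes whether that source later succeeded, and separately reports password logins to an assumed set of vendor default accounts from outside an assumed engineering management network. The default account list and the trusted subnet are assumptions to be replaced with the site's own values.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real incident), in the
# syslog-style format OpenSSH emits on a jump host or gateway.
SAMPLE_LOGS = """\
2024-01-15T10:00:01Z sshd[101]: Failed password for root from 203.0.113.7 port 50001 ssh2
2024-01-15T10:00:02Z sshd[101]: Failed password for admin from 203.0.113.7 port 50002 ssh2
2024-01-15T10:00:03Z sshd[101]: Failed password for operator from 203.0.113.7 port 50003 ssh2
2024-01-15T10:00:04Z sshd[101]: Failed password for admin from 203.0.113.7 port 50004 ssh2
2024-01-15T10:00:05Z sshd[101]: Failed password for admin from 203.0.113.7 port 50005 ssh2
2024-01-15T10:00:06Z sshd[101]: Accepted password for admin from 203.0.113.7 port 50006 ssh2
2024-01-15T10:05:00Z sshd[102]: Accepted publickey for maint from 10.20.0.5 port 40001 ssh2
2024-01-15T10:06:00Z sshd[103]: Failed password for maint from 10.20.0.9 port 40002 ssh2
2024-01-15T10:07:00Z sshd[104]: Accepted password for admin from 10.20.0.12 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?P<method>password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Assumed vendor/default account names and the assumed engineering LAN;
# both are placeholders, not values taken from any product or advisory.
DEFAULT_ACCOUNTS = {"admin", "root", "operator"}
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_events(log_text):
    """Turn raw log lines into dicts with a parsed UTC timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line; ignore
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failed logins per source IP.

    Returns {ip: {"failures": n, "succeeded_after": bool}} for every source
    that reached `threshold` failures within `window`; succeeded_after is set
    if the same source later produced an Accepted login (brute force that worked).
    """
    recent_failures = defaultdict(list)
    alerts = {}
    for ev in events:
        ip = ev["ip"]
        if ev["result"] == "Failed":
            recent_failures[ip].append(ev["ts"])
            # keep only failures that fall inside the window ending now
            recent_failures[ip] = [t for t in recent_failures[ip] if ev["ts"] - t <= window]
            if len(recent_failures[ip]) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "succeeded_after": False})
                entry["failures"] = len(recent_failures[ip])
        elif ev["result"] == "Accepted" and ip in alerts:
            alerts[ip]["succeeded_after"] = True
    return alerts


def detect_default_account_logins(events, default_accounts=DEFAULT_ACCOUNTS,
                                  trusted_nets=TRUSTED_MGMT_NETS):
    """Report password-based logins to default accounts, marking whether the
    source address lies outside the trusted management network."""
    findings = []
    for ev in events:
        if ev["result"] != "Accepted" or ev["method"] != "password":
            continue
        if ev["user"] not in default_accounts:
            continue
        src = ipaddress.ip_address(ev["ip"])
        findings.append({
            "ts": ev["ts"].isoformat(),
            "user": ev["user"],
            "ip": ev["ip"],
            "untrusted_source": not any(src in net for net in trusted_nets),
        })
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for ip, info in detect_brute_force(evs).items():
        print(f"brute force from {ip}: {info['failures']} failures, "
              f"succeeded afterwards: {info['succeeded_after']}")
    for f in detect_default_account_logins(evs):
        print(f"default account '{f['user']}' logged in from {f['ip']} "
              f"(untrusted source: {f['untrusted_source']})")
```

On the constructed input the script reports one brute-force source that succeeded on its sixth attempt and two password logins to the `admin` default account, one of them from outside the trusted subnet. The second check is deliberately independent of the first: a single clean login with a factory password from an unexpected network is worth an alert even when no brute-forcing precedes it, which is the scenario the Unitronics campaign illustrates.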

In response to these challenges, organizations must prioritize OT/ICS cybersecurity by adopting a risk-based approach. This involves enhancing incident response capabilities, investing in anomaly detection, and adopting secure-by-design principles when acquiring equipment. Additionally, collaboration between government entities, industry stakeholders, and cybersecurity vendors is crucial. By sharing threat intelligence and developing proactive strategies against emerging threats, these entities can collectively strengthen the security of OT/ICS systems.

OT/ICS security evolution since 2022: Challenges, legacy risks, mitigation

Industrial Cyber consulted cybersecurity agencies to understand the changes in the OT/ICS cybersecurity landscape since 2022 and identify the ongoing challenges organizations encounter in protecting critical infrastructure. They also explored how legacy systems contribute to OT/ICS cybersecurity issues and the strategies organizations are implementing to mitigate these vulnerabilities.

Matthew Rogers, ICS cybersecurity expert at the U.S. Cybersecurity and Infrastructure Security Agency (CISA)

“The security ecosystem around OT/ICS cybersecurity has grown significantly in the last several years through security vendors, incident response firms, and general OT security awareness,” Matthew Rogers, ICS cybersecurity expert in the Office of the Technical Director, Future Technologies Branch at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), told Industrial Cyber. “However, the challenges of maintaining an ‘insecure by design’ legacy network are the same. There is limited authentication, modern security techniques such as endpoint management are difficult to apply to controllers, and asset management requires significant coordination between a vendor and the asset owner.”

Rogers added that “one of the more interesting approaches I’ve seen lately is that asset owners are virtualizing their old legacy infrastructure and hosting it on modern infrastructure. This allows their legacy software for managing controllers to work while still giving them modern security benefits.”

Christopher Anthony, director of the Critical Information Infrastructure (CII) division at the Cyber Security Agency of Singapore (CSA) said that the OT cybersecurity landscape had evolved rapidly due to shifts in business requirements to digitalize to increase productivity. “The increased connectedness of industrial control systems (ICS) to IT environments and deployment of Industrial-Internet-of-Things (IIoT) devices meant that OT systems are no longer ‘air gapped.’” 

Anthony added that organizations also rely heavily on OT/ICS providers for maintenance which increases the supply chain risks as supply chains for OT/ICS components become more interconnected globally. 

He also highlighted that many of the OT/ICS systems consist of legacy equipment that often rely on outdated firmware and software versions. “They may also lack proper network segmentation, have inadequate authentication methods or modern security features, leaving them vulnerable to exploitations by cyber threat actors.”

Assessing cyber threats to OT/ICS sector in 2024

The executives discussed the new and sophisticated cyber threats emerging in 2024 that specifically target OT/ICS environments. They also offered advice on how OT/ICS security professionals can adapt their defense strategies.

Rogers said that the CISA is seeing more attacks on edge networking devices across the board and that keeping these devices up to date is critical for reducing an organization’s attack surface. “A similar example for OT is the Unitronics hacks last year where we saw Iranian Government Islamic Revolutionary Guard Corps (IRGC) affiliated actors hacking internet exposed Unitronics controllers with default passwords. OT/ICS devices should not be connected to the public-facing internet; these devices are low-hanging fruit for an attacker, especially without multi-factor authentication,” he added.

As far as security advice goes, there are two main areas, Rogers identified. “The first is looking towards ‘secure by design.’ I encourage security professionals to read our ‘secure by design’ whitepaper, then encourage acquisition decisions where those principles are met by the Original Equipment Manufacturers (OEM). Not all of these principles are easy to apply to OT/ICS systems, but any security improvements you can make are worthwhile.”  

In a similar vein, Rogers said that he “would encourage any OT/ICS security professionals to sit down with their vendors and operators to talk through how to get the most security possible for an acceptable level of operator friction. These levels will vary from organization to organization, but it’s important to get operator buy-in to any process you would adopt. The principles of human-centered design are helpful for designing security gracefully into the existing process.”

Anthony said that as “we advance into 2024, the cybersecurity landscape continues to evolve at an unprecedented pace. Cyber threats are becoming more sophisticated and potentially more damaging. In 2022, the discovery of Pipedream, a new modular malware designed to attack ICS that has the potential to cause disruption and possibly destruction on crucial industrial devices, was an important turning point in the OT cyber threat landscape.”

Ransomware attacks remain a concern as they are becoming more politically motivated and are increasingly used to target Critical Information Infrastructure (CII), Anthony disclosed. “Artificial Intelligence (AI)-driven attacks where threat actors build sophisticated and adaptive malware with evasion techniques also pose a significant challenge.”

“Organisations and OT cybersecurity practitioners must stay vigilant, adapt quickly, and invest in comprehensive cybersecurity strategies to safeguard their critical assets,” according to Anthony. “Implementing ‘Secure-by-default’ approach can help decrease cyber risks in OT. Organizations could also work on improving threat detection and response capabilities including gaining visibility into the supply chain to derive insights, potential concentration risks and drive policy decisions.”

Role of tech advancements in enhancing OT/ICS cybersecurity

The executives from the cybersecurity agencies assessed how advancements in technology, like blockchain and zero-trust architectures, have been utilized to strengthen OT/ICS cybersecurity defenses. They also examined the role of AI and machine learning in enhancing the detection and mitigation of new cyber threats in the OT/ICS domain.

Rogers said that he has not seen any meaningful inclusions of blockchain in OT/ICS cybersecurity. “Zero-Trust is a big shift for OT/ICS networks as they were historically seen as air-gapped networks and entirely focused on the perimeter. The advancements along zero trust are still focused on continuous monitoring and asset inventory, with some movement for improving the identity/authentication mechanisms within the OT network.” 

He added that AI and machine learning efforts will certainly help detect attacks on networks, though the acceptable false positive rate for models tends to be much lower in operational environments. “From an adversarial perspective, I expect that developments in generative AI may lower the barrier to attacking OT/ICS networks. OT/ICS has always relied on a bit of security via obscurity, and AI makes it easier to bypass that defense without needing several people with niche skill sets.” 

Anthony detailed that advancements in technology, such as AI, machine learning, and blockchain, are already being leveraged to enhance cybersecurity efforts. “For instance, AI and machine learning algorithms can detect patterns and anomalies in vast amounts of data, enabling quick identification of potential cyber threats and enhancing incident response planning based on predicted attack scenarios. It would, however, take time for organizations to train the data model,” he added.

Addressing the regulatory frameworks that currently govern OT/ICS cybersecurity and how these have been adapted or strengthened in response to evolving threats, and exploring the role of government agencies in promoting collaboration between the public and private sectors to improve OT/ICS cybersecurity, Rogers said that the CISA provides “Research and Development (R&D) resources, we share threat intelligence, and we take the high-level view to identify trends between sectors to help industry prioritize their security investments. This also helps foster collaboration with our stakeholders.”

Forecasting OT/ICS cybersecurity trends, offering proactive strategies

The executives dive into the projected trajectory of OT/ICS cybersecurity in the upcoming years and offer recommendations for organizations to preemptively address evolving threats. They also discuss how governments, industries, and security practitioners can collaborate effectively to build a more resilient and secure OT/ICS environment for the future.

Rogers identified that as more money gets invested into OT/ICS cybersecurity in the coming years, “my number one recommendation is finding security vendors who are willing to be partners and work with your organization. All cybersecurity requires a solid process with buy-in from the organization. In OT/ICS the number of niche networking protocols and different devices means that expanding visibility will take time and domain expertise. All OT/ICS deployments are a bit different and so the vendor will need to work with operators in order for the OT/ICS asset owner to get the most out of their purchase.”

“The greatest area for collaboration is working together to move away from legacy infrastructures. It will take new technology and shifts in industry thinking,” Rogers added. “Any shift that large requires buy-in from government and industry.” 

He detailed that the CISA is pushing in this direction with its secure by design initiative and investing in R&D. “The role of security practitioners is trying to get involved as early as possible in the acquisitions or design process. That early stage is the cheapest possible time to invest in cybersecurity, both for the customers who now deal with fewer cyber incidents and for vendors who need to spend less on emergency patch development.”

Last December, the CSA released the draft Cybersecurity (Amendment) Bill (Draft Bill), which seeks to amend the Cyber Security Act 2018 (CS Act), for public consultation. The public consultation concluded in mid-January. The proposed changes are significant and will have implications for the cybersecurity landscape in the country, to ensure that Singapore’s cybersecurity laws are up-to-date and capable of addressing the evolving challenges in the digital realm. 

Anthony said that CII systems in Singapore are required to comply with the Cybersecurity Code of Practice (CCoP) under the Cybersecurity Act. Its objectives are to improve the odds of defenders against attackers’ sophisticated Tactics, Techniques and Procedures (TTPs) and impede the progress of attacks; to enhance agility in addressing emerging risks in specific domains; and to enable coordinated defenses between government and private sectors to identify, discover and respond to cyber threats and attacks in a timely manner.

“Aside from regulatory frameworks, it is also important for the OT ecosystem to play a part in a resilient OT cyber environment. The Singapore Government has taken the lead to launch the OT Cybersecurity Masterplan in 2019 as a strategic blueprint to guide our efforts,” according to Anthony. “We have worked with the public and private sectors to create an open forum to foster discussion on OT/ICS cybersecurity resiliency and issues to improve information sharing and deeper awareness. As OT systems continue to be targeted by cyber threat actors due to the potentially large-scale damages caused by such attacks, OT cybersecurity will become increasingly important.”

As such, Anthony concluded that “we are reviewing the current Masterplan to address the new challenges brought about by emerging technologies to ensure that the OT/ICS CII systems remain secure and resilient. The review is expected to be completed in the later part of this year.”
