ICS regulations, standards and directives improve cybersecurity in OT environments, though limitations prevail

Rising cybersecurity threats, geopolitical instability, and increasing cyber insurance premiums are pushing operational environments to strengthen their defenses by implementing ICS regulations, standards, and directives. Weaving these measures into the organizational framework helps improve security posture, enhances resilience against cyber threats, minimizes cyber risk, protects assets and operations, and safeguards public safety and national security, while establishing a common baseline for cybersecurity practices.

Government agencies around the world have recognized the importance of securing critical infrastructure and have stepped up efforts to bolster cybersecurity in OT (operational technology) environments. Regulations outline specific requirements that organizations must follow for the management and protection of their OT assets. Compliance is mandatory, and failure to comply can result in penalties or loss of licensing.

Directives issued by regulatory bodies or industry-specific organizations provide guidance on specific aspects of cybersecurity for OT environments. They serve as a roadmap for organizations to enhance their security posture and align their practices with industry best practices.

Standards are set by international organizations and industry consortiums to define best practices, frameworks, and technical specifications for securing OT environments. Standards such as ISO 27001, IEC 62443, IEC 63452, and NIST SP 800-82 provide organizations with a structured approach to implementing security controls, risk management, and incident response processes in OT environments. Compliance with these standards helps organizations demonstrate their commitment to cybersecurity and provides a benchmark for measuring their security posture.

Industrial Cyber contacted cybersecurity executives to assess whether existing regulations, standards, and directives adequately address Ransomware-as-a-Service (RaaS) attacks, nation-state hackers, and insider threats in OT/ICS environments, and how these measures contribute to building resilience and business continuity in OT environments and the critical infrastructure sector.

Eric Goldstein, executive assistant director for cybersecurity at the CISA

“CISA is at its core a partnership agency and our relationship with critical infrastructure entities is based on a voluntary collaboration and trust,” Eric Goldstein, executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), told Industrial Cyber. “In certain cases, CISA supports regulatory agencies in developing outcome-oriented requirements that appropriately incentivize adoption of the most effective security controls, including with agencies like TSA, EPA, and the U.S. Coast Guard.” 

He added that in all cases, regulatory requirements do not replace the foundational value of voluntary operational collaboration to support shared security outcomes between the government and the private sector.

“The relative pervasiveness of RaaS and other intrusions into critical infrastructure demonstrates that our current regimes are insufficient to ensure that critical infrastructure owners and operators have taken the necessary steps to secure their environments,” Mark Bristow, director of MITRE’s Cyber Infrastructure Protection Innovation Center (CIPIC), told Industrial Cyber. “This is particularly frustrating in the case of RaaS where financially motivated adversaries are often looking for the ‘low hanging fruit’ with vulnerabilities that are well understood and can be mitigated but are not providing ample examples of ransomware against our CI entities. Some industries already have regulations for cybersecurity, such as the NERC CIP regulations.”

Mark Bristow, director of MITRE’s Cyber Infrastructure Protection Innovation Center

“However, they are all somewhat limited in scope as CIP only applies to the bulk electric system, so the power to your home or office is not directly regulated by these requirements,” according to Bristow. “The requirements are a great step in the right direction but are insufficient in and of themselves to stop even the rudimentary intrusions, let alone more sophisticated operations by nation-state adversaries.” 

Bristow added that more work needs to be done integrating cybersecurity for OT into corporate risk management frameworks so that OT security gets the appropriate attention in the boardroom along with other corporate risks and is effectively managed.

Vytautas Butrimas, an industrial cybersecurity subject matter expert

“The short answer is yes. For example, the ISA 95 Standard for Enterprise Control System Integration could have changed the course of the most recent cyber-attack on Nagoya Port Authority and the earlier cyber-attack on Colonial Pipeline,” Vytautas Butrimas, industrial cybersecurity consultant and member of the International Society of Automation (ISA), told Industrial Cyber. “In those cases, it seems that there were vulnerable links between the business and physical process side of those operations. ISA 95 provides guidance on reducing the danger.”

Butrimas highlights that the sad thing is that while best practices are available, the problem lies in the implementation. “Implementation requires collaboration amongst several players who have enough understanding of their operations, are aware of the risk, and are willing to learn about what practices (regulations, standards) are available and apply them accordingly. If the office management (who have to deal with stockholders) and the engineers in the field are not on the same page on this, then the Nagoyas and Colonials are likely to happen,” he added.

“In terms of directives and laws, they are only as good as those that write them,” according to Butrimas. “Do not expect a directive on protecting critical infrastructure from threats emanating from cyberspace to be any good from a writer who is bound by the world of IT in the office.” 

John Lee, managing director of OT-ISAC

John Lee, managing director of the OT-ISAC (Operational Technology Information Sharing Analysis Centre), told Industrial Cyber that ransomware attacks are a prevalent tool among cybercriminals and have proven to be highly successful, leading to their continued reuse by malicious threat actors. “Responding to ransomware attacks varies depending on the country, as some legal frameworks do not explicitly prohibit ransom payment. However, organizations must focus on building resilience in OT/ICS environments to ensure business continuity and effectively prevent, stop, or recover from such attacks,” he added.

“While regulations, standards, and directives concerning OT/ICS environments may differ across countries and industries, they establish a foundation for securing critical infrastructure,” Lee pointed out. “However, they may not fully address the legal and regulatory aspects of countering these threats. Consequently, it remains the responsibility of OT asset owners or operators to proactively protect their systems against ransomware attacks, treating them with the same level of importance as any other cyber threat.”

He added that in Singapore and many other countries, the critical infrastructure is closely monitored and regulated, with specific baseline requirements aimed at achieving a higher level of cybersecurity maturity. “Employing practices like risk management and incident response allows organizations to identify vulnerabilities and address security gaps, thereby enhancing their overall business resiliency to cyber-attacks.”

The executives also discussed which verticals or markets are most active in adopting regulations, including transportation (automotive, rail, pipelines, etc.), medical, energy, and others, and how they expect these regulations to affect the market.

Bristow said that the Bulk Electric System (BES) has had significant cybersecurity regulations for years, as has the nuclear power industry and the financial industry. “These regulations have had significant impact in raising the overall security posture of these industries, but they do not necessarily constitute sufficient security controls for more advanced threats. In other industries, there are multiple voluntary standards in place but application of these is haphazard at best.” 

“Getting resources for ‘non-mandatory’ efforts can be a significant challenge when competing with upgrading core components of the system,” Bristow noted. “In some ways, while regulation often does not go ‘far enough’ to secure systems, it does at least force a minimum standard for compliance that’s easier to justify. More industries are exploring cybersecurity regulations such as the recent TSA security directives and EPA Sanitary Surveys, however, these are too new to measure their effectiveness in moving the market yet.”

Butrimas mentioned that regulations seem to be all over the place. “Pick any vertical or market and many regulations will be found. Their application could be at the local, state, national, or even international levels depending on the kind of product or activity. In terms of impact on the market, they could have a good or bad effect depending on the wisdom, intention, and understanding of the market the regulator is responsible for.” 

“For 10 years, I was a member of the National Communications Regulatory Authority Council of Lithuania and watched first-hand how an informed regulator can foster the creation of a competitive communications market which resulted in wonderful services for the consumer at a low price,” Butrimas said. “In the area of cybersecurity regulation, the major impact is found in the office IT environment rather than in the industrial control environment. This is the space that most government regulators work with daily (it’s on their desks and in their purses) and understand best. Data protection and personal privacy seem to be the focus of all these efforts, not protecting the processes governed by the laws of physics and chemistry.” 

Another critical element that Butrimas highlighted was that there is a knowledge gap between the regulator and the operator of critical infrastructure. “A regulation mandating the implementation of a best practice that makes sense in the office IT or home environment can become a difficult problem for a senior plant engineer to implement who may have to shut down operations in order to safely test and apply the regulation,” he added. 

“Regulations governing critical infrastructure industries (CIIs) are specific to each sector and are enforced by designated regulators. Compliance with these regulations is crucial for CIIs, as it entails implementing security measures and controls, albeit at a cost in terms of finances, time, and effort,” according to Lee. “Nonetheless, these regulations have a positive impact in prioritizing cybersecurity risks within organizations.”

The evolving cyber threat landscape drives continuous developments in regulations, Lee added. “For instance, highly regulated sectors like healthcare, where unauthorized access can lead to severe consequences, are closely monitored. Additionally, sectors undergoing digital transformation and adopting emerging technologies face increased scrutiny due to the associated risks. Implementing controls to prevent or mitigate incidents incurs operational costs, which may pose challenges for smaller companies with limited budgets. Conversely, larger companies might transfer these costs to consumers.”

“Despite the challenges, regulations have beneficial effects. They foster a culture of cybersecurity prioritization and encourage the adoption of best practices, elevating the overall security posture of the industry,” Lee said. “Compliance can enhance customer trust, showcasing a commitment to safeguarding sensitive information and ensuring the reliability and safety of critical systems. Moreover, regulations spur innovation in cybersecurity solutions and services as organizations strive to meet the required standards.”

The executives examine how smaller asset owners and operators perceive ICS regulations, standards, and directives. They also consider the existing barriers and challenges that these stakeholders face when it comes to adopting these initiatives.

“In many instances, smaller asset owners are not included in the regulatory requirements. To date, they have mostly applied to larger investor-owned utilities or utilities over a certain threshold. That said, there are lots of utilities that are voluntarily complying with the regulations that apply to their larger cohort members,” MITRE’s Bristow said. “These utilities often lack the resources to manage the compliance burden or access to the skillsets required to implement some of the requirements. Regulated utilities often have whole compliance departments that the smaller utilities lack. There is where we need to find better partnership models between industry and government and make regulatory requirements easier to implement for less mature organizations.” 

Bristow added that scalable solutions and repeatable blueprints would really help smaller companies overcome the engineering hurdles associated with compliance. “There is also the cost of these activities. In low-margin businesses with rate recovery models like water distribution, there are no resources available to make even these small changes without approval from public utility commissions or boards who may not understand why they are needed.”

Butrimas cited a tabletop exercise with operators of the power grids in three Baltic countries. “We asked them what they think about the need for more regulations in the power industry.  The consensus was that new regulations should not be imposed.  Instead, the operators felt they had good working contacts with each other and should just be allowed to deal with their operational issues by keeping in close collaboration.  This to me further indicated a gap in understanding between the regulator and the operator being regulated.” 

He added that each could benefit from collaboration with the other if both sides tried to understand each other’s work. “Another case for getting together informally with some coffee and donuts.”

One of the primary barriers to action is a need for more awareness regarding cyber security risks and the existing standards relevant to ICS/OT security, Lee said. “Smaller organizations may not realise the potential impacts of a cyber security threat on their operations, leading to a lack of proactive measures. Additionally, resource constraints in terms of time, capabilities, and budget further compound the difficulties. With their focus primarily on operational aspects, allocating sufficient resources to cybersecurity programs may not happen.”

“The complexity and technical expertise required to implement robust cybersecurity measures may exceed the capabilities of smaller organizations,” according to Lee. “The associated organizational roles and responsibilities might be too demanding for their limited resources and personnel, hindering their ability to achieve robust cybersecurity practices.”

To overcome these challenges, Lee proposes that collaboration and support from regulators and professional bodies within their respective sectors are important. “Regulators and industry experts can play a vital role in simplifying and disseminating cybersecurity standards and guidelines. Conducting awareness talks and educational initiatives can enhance the understanding of cyber risks and the need for compliance. Encouraging smaller organizations to collaborate with their peers can promote knowledge sharing and learning from best practices.”

Furthermore, Lee suggests that offering tailored support and advice to smaller asset owners and operators can empower them to establish effective cybersecurity strategies within their financial means. “By providing accessible resources and guidelines, regulators and industry bodies can help these organizations enhance their cyber resilience and ensure the security of their critical infrastructure.”

On the ongoing developments and updates in ICS regulations and standards meant to keep pace with evolving cyber threats, Butrimas said that, in general, there are cybersecurity strategies and laws in place that inform policy. “However, even though they are intended to address critical infrastructure protection they are hopelessly office IT cybersecurity biased. They have a long way to go before they can leave the data and network protection mentality and become effective in protecting the technologies used to monitor and control physical processes found in critical infrastructures, those that are vital to modern economic activity, national security, and well-being of society.”

He added that sadly, the state-sponsored actor seeking to deny or disrupt these operations needs only to worry about developing the knowledge and skill sets to go after these hard-to-attack but increasingly vulnerable critical systems. “Just look at the EU’s list of top sectors affected by cyber threats. Energy sector does not deserve a mention even though all those listed sectors need electricity to run. Yes, the gap is evident in the EU policies as well.”

“To address the challenges posed by cyber threats, many countries have taken proactive steps by formulating comprehensive national cybersecurity strategies,” Lee said. “As part of the efforts to bolster ICS security, the IEC 62443 standard has emerged as a prominent ICS cybersecurity framework. This standard sets forth essential requirements for securing industrial systems, and its adoption is increasingly prevalent in industrial and control systems settings worldwide. By adhering to this standard, organizations can enhance the resilience of their ICS environments against cyber threats.”

Additionally, Lee pointed out that governments are implementing information-sharing programs involving both public and private sectors. Through such initiatives, stakeholders can exchange vital threat intelligence and best practices, promoting collaborative efforts to address cyber risks collectively.

Lee said that recognizing the importance of a skilled and competent workforce in ensuring critical infrastructure protection, governments are investing in capacity building and cybersecurity training programs. “These initiatives are designed to bridge the skills gap and empower professionals with the necessary knowledge and expertise to safeguard ICS environments effectively. By fostering a skilled cybersecurity workforce, countries aim to strengthen the overall cyber resilience of their critical infrastructure,” he concluded.
