OPSWAT-sponsored SANS 2023 ICS/OT cybersecurity report identifies key priorities to mitigate ongoing threats


The findings of the 2023 SANS ICS/OT Cybersecurity Survey, sponsored by OPSWAT, show that despite notable improvements in defense strategies, including increased ICS (industrial control system) cybersecurity awareness and enhanced incident response plans, respondents still rate the current cybersecurity threat to ICS as severe/critical (25 percent) or high (44 percent). Consequently, the top priorities for ICS security programs in 2023 have crystallized into three areas: network visibility, comprehensive risk assessments, and detection of threats carried by transient devices.

ICS/OT environments are becoming increasingly interconnected and complex, which brings efficiency and innovation but also exposes organizations to a wider range of relentless cyber threats.

Dean Parsons, a SANS certified Instructor, practitioner, and ICS/OT cybersecurity assessment expert, emphasized in an OPSWAT media statement, “This year’s survey reveals several notable changes compared to previous years. We see significant efforts in crucial areas and, regrettably, a lack of commitment in some equally important, evolving domains. However, there is a silver lining in the form of increased investments in asset inventorying, network-specific ICS/OT visibility and detection systems, and the development, training, and retention of staff with the required specific ICS security skillsets.”

“Building resilient critical infrastructure requires a proactive approach to cybersecurity as noted with the SANS’ report findings,” Yiyi Miao, chief product officer at OPSWAT, said. “At OPSWAT, we’re committed to empowering organizations to safeguard their vital systems through effective industry-leading solutions.”

Respondents are predominantly concerned with and have experienced ICS incidents involving malware threats or attackers breaching the IT business network. These breaches often enable access and pivoting into the ICS/OT environment. Compromises in IT systems leading to threats entering OT/ICS networks ranked highest, followed by compromises of engineering workstations and external remote services.

To address these threats effectively, organizations need to understand the specific paths that make up this top threat vector: why IT compromises lead to ICS breaches, which factors enable those breach points, how engineering workstations are compromised, and who owns each of these critical processes.

On the positive side, penetration testing is occurring at multiple levels, with a focus on Level 3, the DMZ, and Level 2, indicating proactive measures to assess and enhance ICS security.

The report highlights a significant trend towards IT/OT staff convergence, with 38 percent of all respondents now responsible for both ICS and IT security, indicating increased responsibilities in 2023 compared to the 20 percent reported in 2022.

Cybersecurity solution providers are frequently consulted (43 percent) when signs of infection or infiltration emerge, emphasizing the need for specialized expertise in incident response. Additionally, a quarter of respondents were uncertain about having an exercised and documented plan for operating ICS engineering systems in reduced capacity, and only 56 percent currently possess a dedicated ICS/OT Incident Response Plan.

Xage also identified ‘most interesting, revealing, and actionable results from the 2023 SANS ICS Security Survey.’

“The number one reported initial intrusion vector came as no surprise: Attackers entering through corporate IT, then pivoting into OT systems,” Chase Snyder, senior product marketing manager at Xage Security, wrote in a company blog post. “This was a key concern in the Colonial Pipeline attack several years ago, which launched OT cybersecurity into the mainstream news and into the spotlight in a way it had never been before.” 

Snyder said that after the IT-to-OT pivot on the list of initial attack vectors came engineering workstation compromise, external remote services, and exploitation of public-facing applications. “Honorable mentions went to lateral movement and compromised Active Directory infrastructure. Given the ongoing success of the above listed attack vectors, it is surprising that most respondents indicated an 8 out of 10 level of confidence about the separation between their ICS networks and the IT enterprise network and/or the public internet.” 

“These all point to the near complete erosion of the air gap between OT and IT, and between enterprises and the public internet more generally,” according to Snyder. “Attackers are finding their way in, which makes defense-in-depth and the ‘Defensible Architecture’ pillar of the SANS ICS Security Pillars all the more important as these trends continue.”

Last month, OPSWAT announced significant international growth and corporate milestones for the first half of 2023, laying the groundwork for an ‘exceptional year.’ Notable achievements are marked by partnerships, new offices opening, industry events, and revenue growth. With the company’s global expansion efforts and continuous dedication to CIP solutions, OPSWAT is ‘well-positioned’ to enhance the enterprise IT and industrial OT cybersecurity landscape globally.
