The 2019 SANS State of OT/ICS Cybersecurity Survey explores the challenges involved with designing, operating, and managing risk to industrial control systems (ICS) and their cyber assets. Security professionals active in IT, OT and hybrid IT-OT domains from around the world took part in the survey to answer the questions about known and perceived cybersecurity risks to ICS networks. We will highlight some of the key findings here.
Risk Drives the Emphasis on Control
The top cybersecurity initiative for 2019, according to respondents, is increasing visibility into control system cyber assets and configurations. The Internet has opened up these systems in ways we haven’t seen before, and many companies now have networks that are cloud-based and fragmented, making complete visibility into them quite difficult.
Luckily, industrial organizations are catching the drift. Half of the survey respondents identified the level of OT/ICS cyber risk to their company’s overall risk profile as high or severe/critical – and over 60% claimed that the biggest risk factor in OT/ICS are people, ranging from malicious outsiders and insiders to accidents caused by internal staff with too much administrative power.
The survey results state the number one business concern as ensuring the reliability and availability of control systems. More interesting, however, is that ensuring the health and safety of employees is now the second highest concern for OT cybersecurity, increasing from 33% in 2017 to 42% in 2019. This is a positive indication that companies are beginning to understand the link between employee safety and cybersecurity risk management in the ICS domain.
Respondents are also showing awareness of the necessity of basic security tools, claiming that 20% of currently available security technology will be implemented at their company in the next 18 months. The complicated collection of different networks, including direct connection of systems to the internet, vast legacy offline networks and servers, and different solutions used across companies require more review and intense check-ups.
IT and OT Must Go Hand in Hand
Bridging the gap between IT and OT teams to strengthen cybersecurity is now unavoidable. One of the biggest challenges when integrating will be changing the mindset of both IT and OT to think like each other and leverage each other’s expertise. To ensure collaboration and reduce risk to the organization, security leaders should clearly communicate common goals, create a shared security roadmap with defined roles, conduct cross-training when needed and empower each team with the right security tools.
But how much do you budget for this and who manages it? Almost half of all respondents didn’t know their OT/ICS security budget, and when they did, it usually stood below $1 million, with some companies allocating less than $100,000. 10% of respondents even claimed they have no OT/ICS security budget at all. Additionally, 48% of respondents indicated that OT is overseeing the budget for safeguarding the ICS, while 31% indicated that enterprise IT is overseeing the ICS security budget. Although IT takes a leading role in managing corporate security policy and implementing the necessary controls, including into OT’s domain, OT still frequently oversees the cybersecurity budget for the control system.
Interestingly, most companies that invest heavily in OT/ICS security allocate the funds to technology, while neglecting the human factor, even though people typically make the decisions on how technology is used. As companies grow increasingly aware of the risk posed by the human factor, more fluid communication between IT and OT departments is essential.
Detection and Prevention Can Save the Day
Effective OT/ICS security begins with visibility. When security practitioners are continuously monitoring every device on their network, they can detect and respond to a cyber incident faster and reduce MTTR. Organizations also need to keep the human factor in mind. Anomaly and intrusion detection tools are a great example of human + technology pairing up. If a system is breached, the right people can be notified to initiate a rapid and informed response, before the network is harmed. One of the most important takeaways from this report is that ICS security must evolve beyond just implementing new technologies to training people on the right ways to use these technologies.
There’s More Where That Came From
To dive into the complete data set and explore recommendations for challenges faced by cybersecurity stakeholders when managing risk to OT infrastructure, download the 2019 SANS State of OT/ICS Cybersecurity Survey Report here.