OT Cybersecurity
OT cybersecurity practitioners and boardrooms keep threats and perceived risks front
of mind. Recent incidents such as the Colonial Pipeline ransomware attack and the JBS
Foods ransomware highlight the complex threat environment these systems face. The
results confirm this, with ransomware and financially motivated cybercrimes topping
the list of threat vectors that cause respondents most concern, followed by the risk from
nation-state cyberattacks (43.1%). Most interestingly, the elevation of non-intentional
threat vectors made for a combined 34.5% of the total choices for top three threat vectors.
The threat and risk landscape remains somewhat opaque, and incidents often go
unreported and insufficiently investigated. When asked to identify the most at-risk
sector, most respondents did not choose their own. When asked about vulnerabilities in their
sector, however, they reported significant challenges. Incident self-awareness in the form
of monitoring and detection also ranks relatively low, with only 12.5% of respondents
confident they had not experienced a compromise in the past year and 48% of survey
participants not knowing whether they suffered an incident. Connectivity to external
systems continues as the overwhelming root cause of the incidents, an indication that
organizations still fail to follow network segmentation best practices. Additionally, the
engineering workstation accounts for 18.4% of reported initial infection vectors, a highly
concerning fact because few correlate cyber and process data to analyze system breaches. Publicly
available channels grossly underreport incidents; for example, almost all respondents
indicated having at least one incident, with 90% having some level of impact on the
process, yet only high-profile incidents such as Colonial make headlines.
The OT cybersecurity landscape has changed significantly in the past two years. We have
seen significant attention and overall growth of investment in securing our critical ICS/OT
systems, but we still need some progress in key areas. Key industry-wide insights from this
survey include:
• Significant adoption of MITRE ATT&CK® framework for ICS (given its relatively
recent release)
• Continued support for patch management (by most) and vulnerability assessment
processes if not evenly applied
• Asset inventories continuing to challenge most organizations, with only 58.2% having
a formal process (progress, but not enough progress)
Overall, significant progress has occurred in the areas of professionalizing the workforce,
OT monitoring, analysis, assessment, remediation, and response. However, although we
still need improvement in inventory and asset management and OT segmentation/system
interconnectivity, the past two years have demonstrated great progress (with more to come).
verticals,1 with additional respondents sub-classifying into 62 unique groups,
from gaming to aviation to space systems and payment systems.
The survey represents a balanced view across the industry, capturing
responses from those whose primary responsibilities emphasize ICS
[Figure: respondent demographics. Industry verticals shown: Energy, Information Technology, Other, Government (bar values recovered from extraction: 28.5%, 24.7%, 12.7%). Organization size bands: Small (up to 1,000), Small/Medium (1,001–5,000), Medium (5,001–15,000), Medium/Large (15,001–50,000). Operations vs. headquarters respondent counts as extracted: Ops 137, 174, 186, 115, 89, 123; HQ 21, 35, 91, 15, 15, 9.]
1 Survey options based on CISA’s critical infrastructure sector definitions, with some modifiers for ICS-specific elements,
www.cisa.gov/critical-infrastructure-sectors
• People—We face a significant OT security labor shortage. Although this survey shows
that we currently have more OT security professionals than ever, we still need to do
more to bring additional professionals into the industry to perform this critical work.
We need investments in formal and informal training and professional development
to train and re-skill the workforce to meet this surging demand.
• Processes—Security leaders need to develop a culture of mutual understanding
and shared vision and execution through leadership and process integration. By
having IT and OT experts working more closely together, each can better understand
the other’s perspective and ultimately drive favorable outcomes for the business.
Without this shared understanding, all our other efforts may come to nothing.
with an increase in the no-budget response (perhaps because of the elimination of the
unknown choice in 2021). See Table 2.
[Table 2 (partial), OT security budget; three value columns as extracted: $1 million–$2.49 million USD 10.8% 6.3% 4.5%; $2.5 million–$9.99 million USD 5.2% 3.7% 1.5%; Greater than $10 million USD 6.2% 7.3% -1.1%.]
Asset owners continue to invest in the security of their ICS environment, and that
investment needs to achieve the security outcomes discussed throughout this survey.
on this list, the order of those with the
[Figure: top threat vectors by perceived risk level (Severe/Critical, High, Moderate, Low, Unknown). Recoverable labels and values: Internal threat (intentional) 15.8%; 2. Nation-state cyberattack; 12.6%, 11.4%, 5.0%, 5.3%, 2.6%.]
A focus over the past few years on employee training, insider threat programs, and
business partner validation for cybersecurity may have contributed to the reduction of
these concepts between surveys. Interestingly, domestic intelligence services rose three
positions, to the number eight concern in 2021.
[Table (partial), threat-source rankings; rank columns as extracted: Former employees 10 10 —; Current equipment providers 11 8 -3; Competitors 12 9 -3; Suppliers or partners 13 13 —; Former service providers, consultants, contractors 14 14 —; Other 15 15 —.]
Have you experienced one or more security incidents (e.g., unauthorized access; security
breach; loss of OT relevant data; operational disruption, damage, destruction of product,
process, or property) involving your OT/control systems during the past 12 months?
[Figure: responses to the incident question. Yes 15.1%. Number of incidents reported, binned as Less than 10, 10–20, 21–50, 51–70, 71–100, 101–500, 501–1000; bar values recovered from extraction: 26.2%, 21.4%, 16.7%, 11.9%, 9.5%, 7.1%, 4.8%, 2.4%.]
2 “Havex,” https://en.wikipedia.org/wiki/Havex
3 “BlackEnergy,” https://en.wikipedia.org/wiki/BlackEnergy
perceived acute risk sources. With increased
[Figure (partial): Internet accessible device 28.6%]
• Exploit of public-facing applications—What level of connectivity or
control is possible from applications exposed to the internet, and what
architecture is in place to mitigate risks to the ICS?
• Spear-phishing attachment—A properly configured OT environment should
not have direct access to email services, yet phishing continues to
be a relatively high-ranked vector.
Incident Response: Who to Call?
Respondents identify a mix of outsourced and internal resources as their top-three
resources to consult: an outsourced cybersecurity solution provider for primary response
support, followed closely by internal resources, and then an IT consultant. See Figure 13.
Forty percent of respondents indicate that they leverage an IT consultant to support
their OT response efforts. The SANS ICS team has witnessed this many times, generally
when called in to remediate a failed response effort by an IT-only response company.
When vetting partners for incident response support, be sure to ask about previous
case histories (anonymized) and experience in OT response.
[Figure 13 (partial): IT consultant 40.4%; Other 3.8%]
and hypothesis-based security model for OT—An increase (14%) in the implementation
of OT network security monitoring and anomaly detection evidences this trend, as well
as the 19% growth in the use of anomaly detection tools, signaling a welcome change
from just traditional indicator-based defense capabilities. Support for this trend also
shows in increases in allowlisting for communications, applications, and devices, as well
as device access controls and policy-based allowlisting.
[Table (partial), security technologies in use; two value columns as extracted: Unidirectional gateway between control systems and higher risk networks 5.5% 7.54%; SOC for OT/control systems 11.1% 2.71%; Identity-based policy orchestration 5.3% 6.17%; Cloaking device IP addresses 10.3% 10.59%.]
Unidirectional gateway use remains relatively constant (6% increase). With a focus in the
industry on isolation technologies, we expected a higher percentage here.
NERC CIP) or locality-specific (e.g., NIS Directive) standards to govern their cybersecurity
practices. See Figure 16.
The OT security landscape has changed significantly since 2019 after the release of the
MITRE ATT&CK® ICS framework.4 This new framework provides a common lexicon to
describe adversary behavior and consequences in an ICS context as an extension of the
ATT&CK for Enterprise model.5 In the 2021 survey, 47% of respondents leverage MITRE
ATT&CK® for ICS in some way as part of their security framework: 43% for assessment
only, 31% using it as part of penetration testing, 16% for threat activity, and 11% for
adversary emulation.
4 https://collaborate.mitre.org/attackics/index.php/Main_Page
5 https://attack.mitre.org/
movement, and persistence had some of the most
[Figure (partial): response bins 0%, 1–25%, 26–50%, 51–75%, 76–99%, 100%]
Monitoring
Almost 70% of respondents to the 2021 survey have a monitoring program in place for
OT security. Most of this monitoring (56%) comes from the IT security team, which also
monitors the OT environment. Thirty-two percent of respondents report that they have a
dedicated OT SOC monitoring their OT assets, and 25% use an outsourced OT MSSP for
monitoring. With regard to OT
[Figure 19. OT Security Monitoring; bar values recovered from extraction: 55.9%, 32.4%, 24.7%, 8.8%.]
The majority of monitoring telemetry comes from either
(see Figure 20). Without cross-comparing these datasets, including
[Figure 20 (partial): Computer network telemetry (taps/spans) 41.7%; Remote access appliances, including modems 28.5%.]
each category, indicating that even in well-inventoried environments, monitoring of the
known assets remains a challenge. Software assets and applications lagged significantly
in both the inventory and monitoring categories. See Figure 22.
[Figure 22: inventoried vs. monitored percentages by asset category; recoverable category labels: Software platforms and applications, Other. Individual bar values could not be reliably matched to categories in extraction.]
Connection Inventories
Similar to asset inventory results, only 57% of respondents have documented all
connections that lead outside of the OT environment, down from 62% in 2019. This
decrease perhaps results from respondents better understanding the complexity of the
ICS networks and being, therefore, less willing to indicate that they had
6 You can find additional information on ICS asset inventories in the SANS whitepaper “ICS Asset Identification: It’s More Than Just Security,” by Mark Bristow, www.sans.org/white-papers/39650/
mechanisms inherently offer more security
[Figure (partial): Leased copper lines (T1 and above) 19.1%]
[Figure 26. Vulnerability Data Sources]
trust from asset owners with regard to implementing these technologies in a modern
ICS environment.
People Drive Process
Who in your organization sets policy for security of control systems? Who in your
organization is responsible for implementation of security controls around control
systems? Select all that apply.
Implementation, however, remains largely in the hands of IT management (39%),
although 35% indicate that the CISO has a hands-on role in implementing the processes
and strategy they set for the organization. See Figure 29.
[Figure 29 (partial): IT manager 39.0%; Corporate level position (CIO/CISO) 34.6%; Owner or operator of the control system 34.1%]
The gaps and challenges that the ICS community needs to address include:
• Correlating process control telemetry with cybersecurity telemetry for root cause
analysis
The ICS community faces an inflection point. We continue to see investments and outcomes
from OT security efforts increase, but risk drivers do not remain static. OT security
dominates the national cyber conversation in ways not previously imagined. Although the
ICS/OT security community has made great strides, we still have hard work ahead.
Mark wants to thank Lindsey Cerkovnik, Jason Dely, and Dean Parsons for their
contributions to and peer review of this paper.
Sponsors