Tuesday, July 2, 2024

Engineering workstation attacks on industrial control systems double: Report

A study conducted by the SANS Institute and sponsored by Nozomi Networks found that engineering workstation breaches were the initial attack vector in 35% of all operational technology (OT) and industrial control system breaches surveyed worldwide this year.

Over the past 12 months, the number of respondents reporting that their OT/ICS systems have been compromised has dropped to 10.5% (down from 15% in 2021), but a third of all respondents say they do not know whether their systems have been breached or not.

The 2022 SANS ICS/OT Survey received 332 responses representing energy, chemical, critical manufacturing, nuclear, water management and other industries.

Control system security challenges

Some of the biggest challenges in securing ICS/OT technologies and processes, according to the survey, are: integrating legacy and aging OT with modern IT systems; traditional IT security technologies that are not designed for control systems and disrupt the OT environment; IT staff who don’t understand OT operational requirements; and too few staff to implement traditional security plans.

Business services, healthcare and public health, and commercial facilities are the top three sectors that respondents consider most likely to have a successful ICS compromise that will impact safe and reliable operations this year.

When asked which ICS components would have the greatest business impact if compromised, most survey respondents (51%) specified engineering workstations, metrology laptops, and calibration/test equipment. Additionally, most survey respondents (54%) said that engineering workstations, laptops, and test equipment are the system components most at risk of being damaged.

Engineering workstations, including mobile laptops used for device maintenance in facilities, have control system software used to program or change logic controllers and other field device settings or configurations, the study noted. Unlike traditional IT, ICS/OT systems monitor and manage changing data in real-time in the real world with physical inputs and controlled physical actions.

IT systems are a major attack vector for OT/ICS

Although attacks on engineering workstations have doubled in the past year, they are only third in terms of initial attack vectors against OT/ICS systems. The leading attack vector for OT/ICS systems is IT-related, with 41% of organizations reporting that IT breaches are responsible for eventual damage to their OT/ICS systems.

The second largest attack vector is removable media such as USB and external hard drives. To combat these threats, 83% of respondents have formal policies in place to manage ad hoc devices, and 76% have threat detection technologies in place to manage these devices. Additionally, 70% use commercial threat detection tools, 49% use homemade solutions, and 23% have deployed ad hoc threat detection to manage these risks.

According to the report, “Engineered systems are not equipped with traditional antimalware agents, but can be protected through network-based ICS-aware detection systems and industry-based network architecture practices.” “We can also protect these assets through log capture or log shipping and regular controller configuration checks as part of our ongoing engineering maintenance work on field devices.”

The report suggests that ICS security is maturing. “The ICS threat intelligence market has come a long way in 12 months. More facilities are using vendor-provided threat intelligence to take more immediate and actionable defenses. In 2022, unlike most respondents in 2021, respondents are no longer just relying on publicly available threat intel,” said the report by Dean Parsons. “It is an indication of budget allocation.”

Industrial systems have their own security budget

According to the report, more organizations have ICS-only security budgets, and in 2022 only 8% of facilities are without one. 27% of organizations have budgets between $100,000 and $499,999, and 25% of organizations have budgets between $500,000 and $999,999.

Over the next 18 months, organizations plan to allocate these budgets to various initiatives: increasing visibility into cyber assets and their configurations (42%) and implementing network-based anomaly and intrusion detection tools (34%). They are also focusing on network-based intrusion prevention tools in control system networks (26%).

Nearly 80% of respondents said they now have a role that emphasizes ICS operations, whereas in 2021 only about 50% had that specific role. However, organizations suggest that responsibilities still converge even though the domains have different missions, required skills, and impacts during security incidents.

Nearly 60% of survey respondents use passive monitoring, with network sniffers the preferred method for vulnerability detection in hardware and software. The second most popular method is continuous active vulnerability scanning.

The third most popular method is to compare the configuration and control logic program to a known good working version of the logic.
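The comparison against a known-good version described above, which also covers the regular controller configuration checks the report mentions, can be automated at routine level. This is an added example, not taken from the SANS report or the article; the routine names, the export text and the volatile header fields are constructed assumptions and do not represent any vendor's export format.

```python
import hashlib

# Assumption: these header lines change on every export even when the logic does not.
VOLATILE_PREFIXES = ("// exported:", "// exported_by:")

def routine_digest(source: str) -> str:
    """SHA-256 of one routine, ignoring volatile headers, blank lines and edge whitespace."""
    lines = [ln.strip() for ln in source.splitlines()]
    kept = [ln for ln in lines if ln and not ln.lower().startswith(VOLATILE_PREFIXES)]
    return hashlib.sha256("\n".join(kept).encode("utf-8")).hexdigest()

def build_baseline(routines: dict) -> dict:
    """Map routine name -> digest; store this manifest away from the workstation."""
    return {name: routine_digest(src) for name, src in routines.items()}

def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Report routines added, removed or modified relative to the known-good manifest."""
    now = build_baseline(current)
    return {
        "added": sorted(set(now) - set(baseline)),
        "removed": sorted(set(baseline) - set(now)),
        "modified": sorted(n for n in now.keys() & baseline.keys()
                           if now[n] != baseline[n]),
    }

# Constructed sample data: a known-good export and a later export from the controller.
KNOWN_GOOD = {
    "PumpControl": "// exported: 2022-01-10\nIF Level > 80.0 THEN Pump := TRUE; END_IF;",
    "AlarmLimits": "// exported: 2022-01-10\nHighLevelTrip := 95.0;",
}
CURRENT = {
    # Only the export date and trailing whitespace differ: not reported.
    "PumpControl": "// exported: 2022-06-01\nIF Level > 80.0 THEN Pump := TRUE; END_IF;   ",
    # Trip setpoint changed: reported as modified.
    "AlarmLimits": "// exported: 2022-06-01\nHighLevelTrip := 99.0;",
    # Routine absent from the baseline: reported as added.
    "Maint_Tmp": "// exported: 2022-06-01\nPump := TRUE;",
}

if __name__ == "__main__":
    drift = compare_to_baseline(build_baseline(KNOWN_GOOD), CURRENT)
    for kind, names in drift.items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Any non-empty result is a change to reconcile against approved engineering work orders before the baseline is updated.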

Copyright © 2022 IDG Communications, Inc.
