Advances in the market
Operational Technology (OT) and Industrial Control Systems (ICS) are used to support mission-critical infrastructures across a wide range of industries. OT refers to the computing systems that manage industrial operations, and ICS is a sub-segment within the OT sector referring to the systems that control, operate and automate many industrial processes. Industrial sectors rely on ICS to continuously deliver essential services, including transportation, power utilities, communication systems and water monitoring, among others.
Historically, Information Technology (IT), the application of computers to processing data, hasn’t overlapped with OT, and the two have been managed separately in silos. However, the disconnect between these technologies has generated unreliable outputs. OT and IT have increasingly converged in the last few years to enhance performance, reduce costs and enable automation across a wide range of fields. As a result, many organizations have achieved more efficient monitoring of critical processes and an improved ability to leverage sensor-enabled data through the Industrial Internet of Things (IIoT).
So what’s the problem?
As OT systems grow more connected to IT systems or directly to the internet, a new realm of cybersecurity risk is created. The converged OT/IT environment carries an added layer of complexity, as it has to cater to traditional security requirements while preserving the reliability and safety of critical infrastructure systems. If these systems are vulnerable to cyberattacks, a successful compromise may result in catastrophic events.
Securing enterprise OT and ICS is of the utmost importance, as it protects the safety of operations across a wide range of fields, from transportation infrastructure to industrials and utilities. Since OT is deployed within critical infrastructure that delivers a wide range of services people use on a day-to-day basis, compromising these systems puts the lives of countless people in danger.
Threat actors in cyber warfare, industrial espionage and terrorism are becoming more sophisticated in their attacks, and are therefore more likely to succeed against organizations without appropriate security defenses. In recent years, another source of cybersecurity risk has been the added exposure of infrastructure to business partners; carefully controlling which parties are granted privileged access is therefore crucial for security and data protection.
Has anything bad happened?
Attacks on OT and ICS assets increased by over 2000% since 2018. Most of the observed attacks combined the exploitation of known vulnerabilities in ICS hardware components with password-spraying attacks (brute-force login attempts) against ICS targets. With more than 200 new ICS-related CVEs released in 2019, threats to ICS will likely continue to grow in 2020.
Furthermore, CyberX reported that ICS environments continue to run outdated systems with old cybersecurity protections in place: 57% of them have weak anti-virus protection and 69% have security gaps. Additionally, 20% of vulnerable ICS devices have vulnerabilities considered to be “critical” (Kaspersky Labs). Attacks here can cause major damage: one example is the 2015 Ukraine power grid hack, where the resulting blackout affected 200,000+ people.
What have regulators done so far?
In recent years, there has been increased pressure for regulatory compliance, as governments and other organizations globally look at new guidelines to enhance critical infrastructure cybersecurity.
Compliance has become an increasing concern for organizations looking to better manage their OT systems. The regulations making the most impact include the EU’s GDPR, the International Society Standards (ISA) and the Federal Information Security Management Act (FISMA). Some important standards to know are:
- The 62443 series of standards for securing industrial systems. These provide guidance and requirements for all participants and stakeholders in the life cycle of industrial automation and control systems (IACS), including component and system suppliers, system integrators, asset owners and service providers. This life cycle begins with the development of single components, such as an embedded controller, or of a group of components working together as a system or subsystem.
- The new NERC CIP-013-1 standard by the North American Electric Reliability Corporation (NERC), which requires utilities to perform firmware vulnerability analysis to improve supply chain security, with deep visibility and transparency into the authenticity and integrity of the software running on the grid. Mandatory elements of the plan focus on software integrity and authenticity, vendor remote access to Bulk Electric System (BES) cyber systems, information system planning and procurement, and vendor risk management and procurement controls. NERC is authorized to penalize utilities up to $1 million per day per outstanding violation.
What are the solutions offered by startups?
The implementation of new industrial security initiatives has traditionally fallen short because of a lack of personnel specialized in OT security and a lack of data visibility within organizations. To help combat this problem, many startups have risen to the challenge of improving the security of IIoT. The startup offerings in the space can be categorized into the following types:
- Identify, Detect & Protect: solutions that provide security posture assessment, asset management, continuous vulnerability monitoring, threat detection, network segmentation and secure remote access
- Respond & Recover: solutions that provide incident response, breach mitigation and post-incident recovery planning
- Services: software and service solutions to help secure industrial assets against cybersecurity attacks as well as to respond to threats
There are different ways to keep ICS up to date and to protect OT from known and unknown vulnerabilities. Some approaches include preventing phishing attacks, protecting remote access connections, segmenting OT networks and keeping ICS devices safe. Overall, it is necessary to strengthen the security strategy using a hybrid approach that combines traditional cybersecurity solutions with specialized OT security solutions.
In short, to properly address security in an ICS, it is essential for cross-functional cybersecurity teams from IT and OT to share their varied domain knowledge and experience to evaluate and mitigate risk to the ICS. The cybersecurity team should coordinate closely with the company’s Chief Information Officer (CIO) or Chief Security Officer (CSO), who in turn accepts complete responsibility and accountability for the cybersecurity of the ICS. Key objectives of these teams should include:
- Continuous visibility and management of all assets, threats and vulnerabilities
- Shared responsibility of the end-to-end cybersecurity of the organization
- Global governance of all cybersecurity guidelines, policies, procedures and technologies used
The ICS and OT cybersecurity market will continue to gain momentum as organizations become more aware of the need to improve their cyber posture and regulators grow stricter. This is because disruptions in critical infrastructures can severely impact the stability, safety and security of whole nations. Several governments have established federal laws and policies (such as NERC, EPCIP, DIACAP) to develop new cybersecurity standards and are also incentivizing organizations with new insurance grants and tax incentives.
Incumbents in the space have also made developments in recent years. For instance, Cisco has a new comprehensive security architecture for Industrial IoT, including the Cisco Cyber Vision and Cisco Edge Intelligence offerings for advanced real-time threat detection and data governance. There have also been some important acquisitions:
In the upcoming years, I foresee more consolidation in the space as incumbent cybersecurity vendors look to acquire OT cybersecurity capabilities to bring IT vulnerability management and industrial cybersecurity together. At the same time, these giants will be looking to expand their customer footprint around digital transformation while helping other organizations understand and reduce cyber risks across the entire modern attack surface (both IT and OT infrastructure).
Moving forward, I believe every ICS deployment should include a cybersecurity component to protect against security attacks. Protecting critical infrastructure starts with asset visibility — operators want complete visibility of the assets connected to their networks and want to be alerted on anomalous traffic. Since this is becoming an increasingly competitive market, successful startups will be those that are able to clearly articulate their value proposition in relation to the corporate business objectives of their target customers.
In the last part of this four-article series, I’ll be covering the supply chain security startup landscape for IoT devices.
Disclaimer: This blog represents solely my own opinions, not my employer’s.