Critical Infrastructure Security
ICS Detection Improves, Response Still Lacking
SANS Survey Finds Incident Detection ImprovingMore incidents, vulnerability remediation timelines that can stretch into a year and mismatched budget priorities - such is the state of operational technology cybersecurity in 2024, according to participants in an annual SANS survey.
See Also: How Active Directory Security Drives Operational Resilience
The survey based on responses from more than 530 professionals in the critical infrastructure sector, found that while detection capabilities have improved, many organizations don’t have an effective incident response plan.
The number of detected non-ransomware incidents went up by 19% compared to 2023 numbers, with a plurality of initial attack vectors coming from an information technology vulnerability that allowed attackers to penetrate a combined OT/IT network. About 46% of attacks originated in that way, with the second most common vector - at 24% - coming into an OT network through an external remote service.
Ransomware remains a major threat. While there has been a slight decline in ransomware attacks, 38% of respondents reported that ransomware impacted the safety or reliability of their physical processes.
On the bright side, "respondents with 'extensive' ICS/OT network monitoring were significantly faster in ICS incidents detection - over 50% detecting in less than 6 hours," said Jason Christopher of SANS in an Oct. 6 webinar.
A majority of surveyed organizations now have dedicated incident response plans, and three-quarters have implemented multifactor authentication for remote access, both representing increases from previous years. Organizations lacking ICS-specific incident response plans amounted to 28% of those surveyed.
Despite advances, the report found that incident response remains a weak point. A plurality - 26% - said they need between 8 and 30 days to complete vulnerability remediation, while 3.5% acknowledged the need for at least seven months as much as a year. Workforce issues can exacerbate response time lags.
"The workforce is the beating heart of any ICS/OT security program," the report stated. Yet only a quarter of respondents allocate significant budgets to workforce training and retention, while 52% prioritize spending on new technology solutions.
"Our field has matured drastically over the past 5 years and is unrecognizable from +15 years ago, but we still need to invest in training practitioners on technologies and threats," Christopher said.
The survey recorded a years-long downward trend in information sharing with non-regulatory government agencies. From a five-year peak of 41% in 2019, now only 12% of surveyed organizations say they will engage with such agencies. The numbers have gone down each year. "The requirements have become more stringent for mandatory reporting, so it doesn’t surprise me that voluntary reporting would go down," said Larry O'Brien, vice president, research at Arc Advisory Group. "Voluntary reporting is kind of tricky. I don't think there's enough voluntary information sharing going on, but there isn't enough incentivization for it."
Companies are hesitant to engage with the government, fearing increased scrutiny. "I know this. A lot of times people consider relying on the government's resources, 'Well, if I let the government in, they're going to see everything that's going wrong here,'" he said. "I wish more people would contact CISA - they're there to help. While I understand the reluctance, I don't believe it's justified," he added, referring to the U.S. Cybersecurity and Infrastructure Security Agency.
A related challenge is a lack of resources. "They just can't find people. This staffing shortage could also be contributing to the drop in voluntary reporting, as everyone is stretched thin and simply trying to keep up with their workload," O'Brien said.
The report also points to a lack of workforce development as a critical gap in OT security. Over 51% of respondents do not have ICS/OT-specific certifications and many professionals have less than five years of experience in the field.