There has been public broad realization that operations which tolerate little to no physical downtime—including critical infrastructure, industrial sectors and hyperconnected facilities—are lucrative targets for cyberattacks. A decade ago, intrusion and anomaly detection tools for operational technology (OT) and industrial control systems (ICS) were in their infancy. Today, the OT cybersecurity market is expanding and maturing in new ways.
Historically, “proof of concept” meant ensuring that software introduced into industrial and process control environments would not corrupt the systems and networks it sought to protect. Today, a “proof of concept” is often a bake-off between the best in the business to demonstrate deeper and more thorough understanding of OT/ICS systems and IT and IoT integration, efficient partnerships and go to market strategies, and horizontal application across many sectors. Despite IT and OT being substantially different fields with divergent priorities, several cybersecurity companies traditionally serving IT have already entered the OT cybersecurity market. With market analysis predicting a major boom, leaders in the market will find themselves at a more crowded table in 2023. Detection, digital transformation, operational reliability, interoperability, governance and standards continue to drive demand.
If any theme has emerged from 2022 it is that trust and verification for OT cybersecurity are not mutually exclusive.
In 2022, INCONTROLLER demonstrated the potential severity of cyberattacks targeting industrial operations. Fortunately, the attack was discovered prior to any operationalized incident, demonstrating the potential return on investment for cybersecurity solutions specifically tailored for industrial operations. Representing only the fourth attack featuring malware targeting industrial control systems, this incident involved a highly sensitive response demanding trust and verification between the ICS vendor and security research teams.
In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) has issued sector-specific guidelines while simultaneously building trust with industry, to enhance owner and operator input on actions like the rulemaking process for the new Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The European Union is pursuing two new mandates that will provide “an updated and comprehensive legal framework to strengthen both the physical and cyber-resilience of critical infrastructure.”
Israel, Germany, Singapore, Australia, and many other countries around the world continue to bolster cybersecurity initiatives with the goal of increased trust and verification in mind. Furthermore, the invasion of Ukraine by Russia placed new emphasis on trust in cyber operations with official ministry operations crowdsourcing a volunteer “cyber army” to aid in the conflict.
Zero Trust has taken on a life of its own with a myriad of definitions and implementation mechanisms from strategy to application. With an assume breach mentality, recognizing that perimeter security is insufficient to defend against today’s threat landscape, Zero Trust principles are essential to reduce “dwell time” and the severity of potential impacts.
Some may say Zero Trust is simply repackaging best practices like network segmentation and the principle of least privilege, but properly applying Zero Trust requires studying how technologies interact, what they need from each other, and how to minimize superfluous access to information, command, and control of systems.
According to the Council of Insurance Agents and Brokers (CIAB), cyber insurance premiums increased again in 2022, by an average of 28% in the first half of the year alone. Litigation in 2022 saw a cyber policy contract rendered null and void due to a failure on behalf of the claimant to verify the company had multifactor authentication (MFA) in place when it was hit by ransomware, as indicated on the self-attestation portion of the application for coverage.
In 2022 NIST rolled out updates to the cybersecurity supply chain risk management guidance, specifically highlighting “trust and confidence” as drivers. And finally, most specific to industrial cybersecurity, 2022 placed new emphasis on continuous monitoring for OT and ICS. Defined by NIST as “the information system and assets that are monitored to identify cybersecurity events and verify the effectiveness of protection measures,” continuous monitoring is the top priority for detection and prevention of cyber incidents.
What’s on the horizon for 2023?
From the now-or-never razzmatazz surrounding SBOMs (Software Bill of Materials) to the next unprecedented international issue, predictions are difficult to master. Predictions are even more difficult for OT and ICS given that data is often either private, distributed, or behind a paywall. 2023 promises to be an integral year, calling for increased cybersecurity investments at a time when a potential recession can exacerbate the impacts of ransomware and unplanned downtime or production loss.
Governance will set new precedence.
Government standards and frameworks to date have taken an accordion approach, stretching to address what critical infrastructure sectors have in common, and compressing to magnify security issues most critical to specific sectors. New direction and bolstered industry involvement will produce greater situational awareness, trust, and resolve across the critical infrastructure security community. The U.S. government is “putting its money where its mouth is,” rolling out a federal binding operational directive focused on asset discovery and vulnerability enumeration, offering implementation assistance and unique tool sets.
In addition to the CIRCIA legislation, 2023 will usher in the fruits of two recently debuted CISA programs. The CyberSentry program will monitor critical infrastructure networks for known threats and indicators of compromise, and the newly released RedEye tool, developed to “parse logs from attack frameworks (e.g. Cobalt Strike) will present complex data in a more digestible format. Both will broaden the aperture for understanding of OT and ICS incidents, further building out mechanisms for enhanced trust and verification.
Information sharing will be more meaningful.
Despite a reluctance to aggregate information, meaningful information sharing requires a vendor-agnostic mechanism for real-time sharing of early warning data. In terms of the threat landscape, there is no way to standardize and correlate threat and vulnerability research produced from the competitive market leaders. Information sharing is lacking trust and verification, has been siloed into sector-specific, private sector, or government agency-specific mechanisms—creating single sources of information without much consensus.
Regardless of commonalities, no two attacks on OT/ICS systems are ever the exact same, making automated response and remediation difficult. Unfortunately, this reality means that every operation and facility has to wait to see another organization victimized before there can be shared signatures, detections, and fully baked intelligence for threat hunting to ensue. Solutions for information sharing in this domain will begin to shift toward more inclusive, creative, and proactive ways to share information in 2023.
Innovative analysis will set OT cybersecurity solutions apart.
Innovation in the ability to provide situational awareness, with trust and verification, will lead the OT cybersecurity future. Many organizations enable tools to gather and store data but fail to analyze data to enhance their mission. Simply having and storing reems of data is not particularly useful for any risk mitigation. Solutions built for OT and ICS will continue to fix security gaps and improve security controls.
Behavioral analysis and anomaly detection for network operations can augment threat intelligence and overall security postures. Anomaly detection can alert on both deviations from normal communications patterns, as well as variables within the process—like sensor readings and flow parameters. This process data can be correlated with communications data to provide actionable intelligence to inform security procedures and reduce overall risk.
The Receipts
The Nozomi Networks-sponsored SANS report on the state of ICS/OT Cybersecurity in 2022 and beyond mentions “adversaries in critical infrastructure networks have illustrated knowledge of control system components, industrial protocols, and engineering operations.” Other reports of OT/ICS incidents cite adversaries’ “unfamiliarity with the OT domain.” 2023 may be the year that adversaries demonstrate increased capabilities to both monitor—and modify OT and ICS systems in critical sectors.
Across the globe, governments, public-private-partnerships, insurance providers, and international relations are reticent about the significance of protecting critical infrastructure and building resilience across industrial sectors and hyperconnected facilities. Across the market—from competitive intelligence to innovation to live ‘bake-offs’—trust and verification matter more today for OT cybersecurity than ever before. OT cybersecurity stakeholders, concerned with physical safety, environmental impacts, the provision of goods, services, and resources, micro and macroeconomics, will all be saying “show me the receipts” in 2023.