Engineering workstation compromises were the initial attack vector in 35% of all operational technology (OT) and industrial control system breaches in companies surveyed globally this year, doubling from the year earlier, according to research conducted by the SANS Institute and sponsored by Nozomi Networks.
While the number of respondents who said they had experienced a breach in their OT/ICS systems during the last 12 months dropped to 10.5% (down from 15% in 2021), one third of all the respondents said they did not know whether their systems had been breached or not.
For the 2022 SANS ICS/OT survey, 332 responses were received, representing verticals from the energy, chemical, critical manufacturing, nuclear, water management, and other industries.
Challenges facing control system security
According to the survey, some of the biggest challenges in securing ICS/OT technologies and processes include integrating legacy and aging OT with modern IT systems; traditional IT security technologies that are not designed for control systems and cause disruption in OT environments; IT staff who do not understand OT operational requirements; and insufficient labor resources to implement existing security plans.
Business services, healthcare and public health, and commercial facilities are the three sectors respondents deemed most likely to suffer a successful ICS compromise that impacts safe and reliable operations this year.
When asked which ICS components would have the greatest impact on the business if compromised, most survey respondents (51%) named engineering workstations, instrumentation laptops and calibration/test equipment. Most respondents (54%) also said that engineering workstations, laptops and test equipment were the system components at the greatest risk of being compromised.
Engineering workstations, which include mobile laptops used for device maintenance in facilities, run control system software used to program or change logic controllers and other field device settings or configurations, the study noted. Unlike traditional IT, ICS/OT systems monitor and manage data that makes real-time changes in the physical world, with physical inputs and controlled physical actions.
IT systems are a major attack vector into OT/ICS
Though attacks on engineering workstations doubled in the past year, they rank only third as an initial attack vector into OT/ICS systems. The leading attack vector into OT/ICS systems is IT, with 41% of companies reporting that IT breaches were responsible for eventual compromises of their OT/ICS systems.
The second largest attack vector is removable media such as USB drives and external hard drives. To keep this threat at bay, 83% of respondents have a formal policy in place to manage transient devices, and 76% have a threat detection technology in place to manage these devices. In addition, 70% are using commercial threat detection tools, 49% are using in-house solutions, and 23% have deployed ad-hoc threat detection to manage this risk.
“Engineering systems, although not equipped for traditional anti-malware agents, can be protected through network-based ICS-aware detection systems and industrial-based network architecture practices,” according to the report. “Additionally, as part of ongoing engineering maintenance tasks for field devices, log capture or log forwarding and regular controller configuration verification are achievable ways to start protecting these assets.”
The report suggests that ICS security is maturing. “The ICS threat intelligence market has come a long way in 12 months. More facilities are using vendor-provided threat intelligence for more immediate and actionable defense steps. Unlike most respondents in 2021, respondents in 2022 are no longer just relying on publicly available threat intel,” according to the report, authored by Dean Parsons. “This is a sign of increased maturity and awareness of the value of ICS-vendor-specific threat intelligence, as well as budget allocation for improved proactive defense in this area.”
Industrial systems get their own security budgets
More organizations are obtaining an ICS-specific security budget, with 2022 seeing only 8% of facilities without one, according to the report. Twenty-seven percent of organizations have budgets allocated between $100,000 and $499,999, and 25% of organizations have budgets between $500,000 and $999,999.
For the next 18 months, organizations are allocating these budgets toward several initiatives: increased visibility into cyber assets and their configurations (42%) and the implementation of network-based anomaly and intrusion detection tools (34%). There is also a focus on network-based intrusion prevention tools on control-system networks (26%).
Nearly 80% of the respondents said they now have roles that emphasize ICS operations, compared with 2021, when only about 50% had such specific roles. However, respondents indicate that IT and OT security responsibilities still overlap, even though the two areas have different missions, required skill sets, and impacts during a security incident.
Almost 60% of the respondents use passive monitoring, with a network sniffer as the primary method for detecting vulnerabilities in hardware and software. The second most common method is continual active vulnerability scanning.
The third most common method used is comparing configuration and control logic programs against known-good logic versions.
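As an added illustration of the known-good comparison described above (example code, not from the SANS report or from Nozomi Networks): a Python check that fingerprints exported controller programs with SHA-256 and reports every program that was added, removed or modified relative to a stored baseline. The export layout, controller names and logic text are constructed placeholders, not a real vendor format.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample exports: controller logic and settings as text, keyed by
# controller name, then by program or routine name. Hypothetical content,
# not taken from any real device or vendor export format.
KNOWN_GOOD_EXPORT: Dict[str, Dict[str, str]] = {
    "PLC-01": {
        "MainRoutine": "XIC Start_PB OTE Pump_Run",
        "SafetyRoutine": "XIC EStop_OK OTL Permissive",
        "Setpoints": "level_high=85;level_low=20",
    },
    "PLC-02": {"MainRoutine": "XIC Valve_Cmd OTE Valve_Open"},
}

# The same controllers as exported today: PLC-01 has a changed setpoint and an
# extra routine, PLC-02 has lost its main routine (all constructed).
CURRENT_EXPORT: Dict[str, Dict[str, str]] = {
    "PLC-01": {
        "MainRoutine": "XIC Start_PB OTE Pump_Run",
        "SafetyRoutine": "XIC EStop_OK OTL Permissive",
        "Setpoints": "level_high=99;level_low=20",
        "Debug": "OTE Test_Output",
    },
    "PLC-02": {},
}


def fingerprint(export: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Hash every program so the baseline can be stored without the logic itself."""
    return {
        plc: {name: hashlib.sha256(body.encode("utf-8")).hexdigest() for name, body in programs.items()}
        for plc, programs in export.items()
    }


def compare_to_baseline(baseline: Dict[str, Dict[str, str]], current: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (controller, program, finding) for every deviation from the known-good fingerprint."""
    findings: List[Tuple[str, str, str]] = []
    for plc in sorted(set(baseline) | set(current)):
        good = baseline.get(plc, {})
        now = current.get(plc, {})
        for name in sorted(set(good) | set(now)):
            if name not in now:
                findings.append((plc, name, "removed"))
            elif name not in good:
                findings.append((plc, name, "added"))
            elif good[name] != now[name]:
                findings.append((plc, name, "modified"))
    return findings
```

Run `compare_to_baseline(fingerprint(KNOWN_GOOD_EXPORT), fingerprint(CURRENT_EXPORT))` after each maintenance window; in practice the baseline fingerprint would be kept off the engineering workstation so that a compromised workstation cannot rewrite both the logic and the reference it is checked against.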