by Ekaterina Rudina, System Analyst Team Lead, Kaspersky ICS CERT
Reading the recent State of Industrial Cybersecurity Report 2019, one may think the situation with ICS cybersecurity has improved since last year: more organizations name OT cybersecurity a top priority, implement or plan to implement measures accordingly, and suffer less from incidents or breaches. But let’s look at the report from the point of view of the Industrial Internet Consortium (IIC) IoT Security Maturity Model (IoT SMM), keeping in mind that maturity is about the effectiveness of measures, not the arbitrary use of them.
For Kaspersky, working in the field of information security, it’s pleasant to hear that in 2019 an overwhelming majority of organizations (over 80%) place cybersecurity as their top priority. They have already taken most of the measures mentioned in the 2018 report. At the same time, the share of organizations that had experienced zero OT incidents or breaches within the past 12 months dropped 10% from the same stat in 2018 and is now at 41%. Sounds bad, right? Don’t rush to conclusions yet. One of the most demanded security measures of 2018 was intrusion detection systems; once those were implemented, it is natural that companies detected more incidents than before. Yet those incidents or breaches actually caused less damage to product or service quality and a smaller loss of customer confidence – because of the OT incident response programs that had been implemented. So despite the fact that the number of organizations not experiencing incidents has decreased, organizations seem to be implementing adequate security measures. This is a clear sign of more maturity in the industry, but there is still plenty of distance to cover, as less than a third of industrial enterprises actually have such incident response programs in place, with roughly the same number of companies planning to implement them in the coming year. What is alarming, though, is that two out of five representatives admitted they were not aware of any OT cybersecurity incidents at all. The poor state of employee awareness is one of the most important findings of this year’s assessment.
There is a clear shift in how the surveyed organizations understand the challenges of OT/ICS cybersecurity management. The risks linked to the low priority of cybersecurity for decision-makers or to budget limitations are now less relevant, while the complexity of the ICS infrastructure, the lack of security awareness among asset owners and operators, and finding ICS cybersecurity experts with OT skills have become more challenging. At least two of the latter factors – the first and the last – hint at the need for additional guidance to move from understanding the need for security enhancement to real planning. Such a plan determines what needs to be done first, how to set up the roadmap for security enablement and hardening, and how to introduce the specific OT constraints on the implemented cybersecurity controls so that they support process safety, continuity and the other requirements which make the task special.
The complexity of the ICS infrastructure in terms of cybersecurity implies that security objectives and concerns are not clear to stakeholders. Simply put, stakeholders sometimes cannot formulate “what is security” for the system. There is a misalignment between what security brings to the traditional IT infrastructure and the effect desired for the OT environment: not data leakage prevention, but prevention of OT process failure. Safety first, then security. Avoiding interruptions and hardware reboots, even those caused by security updates.
One of the interesting findings of this year’s report is that for the first time since 2017, OT cybersecurity leaders do not name targeted attacks as their top concern – ransomware took the lead. Such “mundane” problems as generic malware outbreaks and ransomware occur more often than targeted attacks, and stakeholders are starting to recognize this risk. Is it possible that the measures taken to counter targeted attacks, which were named as a top priority in 2018 and 2017, are effective? It is. It is also plausible that measures such as incident response programs have helped mitigate the effects of these mundane security incidents, since, as already stated, less actual damage was reported. There are some exceptions, like the Hydro incident (if you want to know what was done right and what was done wrong with Hydro, read more here). However, this is still not the whole picture, and we cannot escape the observation that efforts to prevent such incidents from happening in the first place might have been inadequate.
An effective approach to the dialogue between OT stakeholders and cybersecurity experts should be based on cost/welfare evaluations and multiple validations of the direction in which effort is applied. Such an approach, described in Chapter 10 of the IIC IoT Security Maturity Model: Practitioners’ Guide, translates business goals into security practices implemented with an appropriate level of comprehensiveness and with the specific industry and system constraints taken into account.
However, the reason for failing to prevent these incidents may lie not in the technology, processes or solutions but, again, in the employees. Humans as the number one factor both in causing incidents and in preventing or responding to them (when actually aware of an incident) is a recurring theme in this year’s report. This is something we cannot fully comprehend, because the information security industry has already developed a plethora of training in nearly all conceivable formats, from gamified experiential sessions to fully-fledged courses and certifications. Did the industry forget that cybersecurity is a process, not a one-step measure? If so, then it’s definitely a step away from maturity, as cybersecurity awareness is a short-lived memory and requires regular revival.
This brings us to another problem: the lack of cybersecurity experts with OT skills. Security experts are not responsible for the OT processes but must keep adhering to their constraints. In practice, there is no such thing as a ‘generic OT cybersecurity expert’. Experts learn about a specific system and its context, process the details and plan appropriate security measures that fit the system’s requirements. The existing cybersecurity frameworks and standards provide a straightforward scale of security enhancements which does not allow introducing the specific considerations that may restrict the application of security controls. Experts may even adopt “less is more” as the guiding principle for some cybersecurity practices applied in a specific OT context, but common cybersecurity frameworks do not provide for the reasoning behind the restrictions and specific considerations which support the real objectives of a security practice. Such a feature is another dimension of cybersecurity, one which makes it more flexible, and it must be introduced through a specific framework.
Furthermore, to take a significant step towards cybersecurity, OT stakeholders must recognize their concerns and then establish a dialogue with security experts. The IIC IoT Security Maturity Model may play a role in this framework, consolidating the expertise of OT and IT security personnel into one platform.
If you are interested in reading the full report, “The State of ICS Cybersecurity 2019,” please click here.