American Security Council Foundation


ICS Cybersecurity Report Notes Overall Improvements to Industrial Security Posture but 48% Of Organizations Unsure if They’ve Been Breached

Friday, September 10, 2021

Categories: ASCF News Cyber Security

Source: https://www.cpomagazine.com/cyber-security/ics-cybersecurity-report-notes-overall-improvements-to-industrial-security-posture-but-48-of-organizations-unsure-if-theyve-been-breached/

The SANS 2021 OT/ICS Cybersecurity Report from Nozomi Networks confirms that threats to industrial operations are rising in both number and severity, but also finds that organizational capability is scaling up to match them.

However, this state of preparation is not an across-the-board increase, even as 91% of these companies now use some sort of cloud technology in the OT environment. 48% of responding organizations say that they cannot be sure that they have not been breached, and about 25% have not conducted a security audit in the past year. Additionally, about 23% say they have no operational technology security budget.

ICS cybersecurity monitoring up overall, but threat detection divide widens

As the acronyms imply, the biannual ICS cybersecurity report provides insight into how organizations that make use of industrial control systems and operational technology are keeping pace with the modern threat landscape.

This year’s report surveyed 480 companies that incorporate ICS systems, across a wide variety of industries. This was a nearly 50% increase over the number of companies surveyed in the prior ICS cybersecurity report (conducted in 2019) and a 16% increase in respondents that hold a security certification related to these systems.

The JBS and Colonial Pipeline incidents made clear that ICS security needs to be a priority concern for these organizations, but the survey indicates that awareness was up even prior to these high-profile incidents. The business concern that moved up the list the most from 2019 was the need to secure connections between industrial equipment and external systems, shooting up six spots. There were also substantial increases in concern about preventing information leakage and creating/managing security policies and procedures.

Awareness and security posture improvement are far from universal, however. The survey found that over 23% of organizations do not have a security budget for industrial systems, up from only 9.9% in 2019. An additional 19.1% are spending less than $100,000, also up from 2019’s ICS cybersecurity report.

Another area of backsliding for some organizations is in the connection between the internet and industrial controls. 41.5% now report direct connectivity between the public internet and these systems, up from 11.5% in the 2019 ICS cybersecurity report. Far fewer are isolated from the internet; 8.2% today as opposed to 27.9% two years ago. There is a small increase in the use of operational technology DMZ systems to protect those connected to corporate networks, but the number of companies using DMZs to protect OT systems from the internet dropped from 43% to 23%. DMZs are generally recommended by security experts as a best practice when industrial systems must be connected to the internet.

15% of the respondents said that they had experienced a breach involving the OT systems in the past year. Of those that had not, only 12% were fully confident they had not been infiltrated in that time (24% opted not to disclose due to company policy). 38.7% said they were unaware of a breach but could not be certain. About 3% suspected one but did not have proof, and 2.5% said they did not have telemetry to assess.

The numbers provided in the current ICS cybersecurity report also indicate that attacks on industrial systems that lead to operational disruptions are being underreported. 90% of the survey respondents that reported a breach said that it had some level of impact on that system’s process. 18.4% also said that the breach leveraged the engineering workstation, an element that is rarely included in the analysis of system breaches. The most common vectors of initial attack were external remote services (36.7%), public-facing applications (32.7%) and network-connected internet accessible devices (28.6%).

Biggest challenges and concerns over ICS cybersecurity

Organizations were also asked about the biggest challenges they face in securing their industrial and OT systems. The leading concern, expressed by 59.4% of respondents, is that legacy and aging OT technology is difficult to integrate with modern systems. 56% have a labor issue, and 52% say that IT staff is not familiar enough with these systems. 39.6% feel that their environment is too complex for typical IT security technologies. Organizations are largely relying on outside providers for response when a breach or infection is detected; 48% make their first call to a cybersecurity solution provider, 40% to an IT consultant and 32% to a control system vendor. Only 44% said that internal IT resources were considered the first line of defense.

In terms of the areas of concern, ransomware is the unsurprising leader of the pack. An increasing number of companies are now also worried about becoming the target of advanced nation-state hacking teams, however, and they are expressing relatively high levels of concern about Internet of Things (IoT) smart devices that are connected to the network.

Chris Grove (Technology Evangelist for Nozomi Networks) expressed surprise at the move to cloud-based services (a positive development) but also the general lack of preparedness by so many companies. He recommended that the leading concern of ransomware be addressed with a combination of a systematic assessment of cybersecurity risks, tabletop exercises, and a consequence reduction policy that creates a system of internal barriers to limit damage after an initial penetration.

He also does not see the relative lack of internal IT resources and security practitioners to deal with incident response as much of a concern: “One item I was pleased to see is most ICS security assessments are being done by those most qualified to do them. ¾ of the respondents either use their internal IT or OT teams or hired a specialized outside OT security consultancy. Another good finding in the report is that almost 90% of respondents did cybersecurity evaluation during the procurement process for products they were interested in. This will help drive quality in the marketplace up, as vendors will get locked out if they produce products with cybersecurity issues.”

The report author Mark Bristow pointed to some particular highlights from the data: “I found three things particularly striking in the report results. 1) The level of adoption of cloud technologies for operational outcomes was striking. Two years ago, cloud adoption was not being seriously discussed and now 49% are using it. 2) Incident visibility and confidence is not high. 48% of respondents could not attest that they didn’t have an incident. A further 90% of these incidents had some level of operational impact. 3) 18% of incidents involved the engineering workstation. This is a critical piece of equipment and having this involved in so many incidents is troubling.”

Bristow suggested that organizations with industrial operations should focus on correlating IT and OT security telemetry and data processing, and establishing formal asset identification and inventory programs as first steps.
