The 2022 SANS OT/ICS Cybersecurity Report finds that hackers are continuing to show a very strong interest in industrial control systems, but that organizations tend to be much more prepared after the high-profile incidents of 2021.
This is still not a universal trend, however, as 35% are still not able to tell if they have been compromised and 17% still aren’t monitoring OT system security. This is in spite of budget increases across the board, and a major increase in organizations that now have a discrete ICS cybersecurity budget when they did not previously devote specific funds to it.
Attackers hit some industries harder than others, passive monitoring remains common
When industries are expecting attacks and protecting particularly sensitive equipment, they tend to beef up their ICS cybersecurity to the point that they feel the actual risk of compromise is low. Critical infrastructure such as nuclear plants, dams and chemical producers all reported a relatively low feeling of risk of breach as compared to some sectors that are less frequently targeted with industrial control attacks (business services, health care and commercial manufacturing among these).
It’s heartening to know that the most potentially dangerous sectors appear to be taking ICS cybersecurity seriously, but across the board companies are still somewhat slow to take active measures. Not quite half are conducting active scanning, and a little over a third say that they wait for vendors to notify them of issues before doing anything.
Engineering elements are considered to be most at risk, followed by operator and server assets. Respondents also feel these components would cause the greatest amount of damage were they to be compromised. Passive monitoring remains the most common approach, most likely due to many organizations continuing to run older systems and equipment that does not play nice with modern IT scanning approaches.
ICS cybersecurity challenges: legacy equipment, inadequate it tools, ability to hire ICS specialists
ICS cybersecurity is more crucial than ever as ransomware gangs have shown a willingness to escalate to the sort of real-world damage that they had always shied away from before. Overall, the survey indicates that the industry recognizes the seriousness of this new threat; the bottlenecks appear to be equipment that is hard to replace, IT tools that don’t interface well with specific equipment, and the general cybersecurity hiring crunch making few specialists with ICS knowledge available.
41% of organizations say that ICS threats are a “high” priority, and 22% say they are “critical” issues. More professionals are also spending more time with ICS cybersecurity, moving away from both traditional IT and business duties to take care of industrial equipment issues. But even when organizations have a solid security plan in place, many say that general lack of staff prevents them from implementing it properly.
Business decision-makers expressed the most concern about control systems being reliable and remaining available to use. Departments are working with better budgets this year, and only 7% now lack a specific ICS cybersecurity budget (down from 21% the prior year).