IT, OT and the IIoT are rapidly changing and as they evolve, hackers find new attack vectors and surfaces to take advantage of. So, what lies ahead in this ever-changing field? We’ve based the following predictions about the 2020 industrial cyber security environment on what we see in the market and on our daily interactions with professionals working to defend their company systems.
In recent years, attacks on OT environments have been growing. While air gapping may have been a sufficient protection when these systems were first introduced decades ago, it’s impossible to ignore the fact that mission-critical and industrial processes alike are now vulnerable to intrusion and disruption. The Stuxnet worm of 2010, which targeted and disrupted an air-gapped system, is now almost 10 years behind us. In 2019, a study conducted by Ponemon Institute and Tenable found that 90% of respondents with OT infrastructure admitted suffering at least one damaging IT or OT cyberattack in the past two years, and nearly two-thirds were hit at least two times.
Many industrial and critical infrastructure organizations are making investments to secure their OT infrastructure in addition to their IT infrastructure. With the developing challenges we are identifying in the field, ICS security is quickly becoming a mainstream necessity for the majority of critical infrastructure and industrial organizations, regardless of size, location or field.
1. TECHNOLOGY CONVERGENCE WILL OPEN UP NEW ATTACK VECTORS
The convergence of IT and OT, together with the adoption of IoT, will accelerate at an unprecedented pace in 2020, and the boundaries between them will continue to dissolve. This new reality will create new attack surfaces and vectors that need to be monitored and defended. OT systems, for example, are characterized by a wide range of legacy, proprietary and non-standard protocols and interfaces that offer attackers an abundance of options while making these systems harder to protect.
Recommendation: Realize that whether or not industrial control systems are air-gapped, OT-based attacks are a real and present danger. The mantra of “set it and forget it” is no longer an adequate way to administer OT environments. Early detection of OT threats will require continuous ICS-specific monitoring capabilities at the network and device level.
2. OT TO IT ATTACKS WILL BECOME REALITY
While lateral attacks that gain a foothold in IT and spread to OT networks have been a well-documented concern over the past 24 months, in 2020 we will recognize the emergence of OT-to-IT attacks. For example, we can expect attacks that intentionally compromise ICS devices in OT networks in order to gain access to IT networks and assets such as customer databases. OT environments will be targeted because they are less well defended than IT systems and therefore offer a path of least resistance to IT data repositories.
Recommendation: Create an ecosystem of trust and cooperation between IT and OT security to promote information sharing that can help detect these attacks. Also leverage device integrity to identify problems at device level and stop attacks before they spread across the network.
3. WEAK LINKS IN OT SECURITY WILL BE EXPOSED
In their search for the path of least resistance, attackers will target OT infrastructures like the branch and remote locations of large organizations. Typically, these remote/smaller sites are connected to the larger OT network and, in the case of energy providers, to regional grids. They also tend to have the lowest defenses and are most vulnerable to attack. As a result, attackers will seek to compromise a remote site or even a small energy provider, hoping to create a cascading impact.
Recommendation: To avoid disruption of mission-critical operations and lateral intrusions aimed at harvesting IT data, pay equal attention to monitoring and protecting OT infrastructure at branch and remote locations, since these sites can be used to launch backhaul attacks into HQ or partner sites.
4. THE DEFINITION OF “CRITICAL INFRASTRUCTURE” WILL EXPAND
The traditional perception of “critical infrastructure” will dramatically expand in 2020 beyond grids to more non-traditional targets. We can expect mainstream identification of industries like building management systems, transportation & logistics, heavy construction equipment, food & beverage and others as “critical.” Expect more widespread recognition of the 16 different critical sectors already defined for us by the Department of Homeland Security: https://www.dhs.gov/cisa/critical-infrastructure-sectors. In addition, because 2020 is an election year, election system security will become front-of-mind.
Recommendation: Infrastructures that were not considered targets previously because they were labelled as non-critical, too small or too isolated, will now require protection and monitoring. OT security should be considered anywhere a PLC, DCS or IED is deployed, regardless of size, location or connectivity to the outside world.
5. CLOUD-BASED ICSaaS WILL GAIN BROAD ACCEPTANCE
Next year, the cloud will be recognized as a reliable means of delivering OT security to locations where physical deployment is not feasible or practical. Cloud-delivered OT security is following the same objection-then-acceptance trajectory as other technology infrastructure building blocks: on-premises CRM versus Salesforce, local versus online antivirus and, more recently, host-based versus cloud-based EDR (endpoint detection and response).
Recommendation: Consider cloud-delivered OT security alternatives for remote or distributed locations that currently lack controls as vigorous as those at primary installations.
6. IT WILL TAKE A BIGGER OWNERSHIP ROLE IN COLLABORATIVE SECURITY
In 2020, most industrial organizations will recognize that security must be a shared responsibility between OT and IT teams. Collaboration between IT and OT teams has steadily increased over the past 24 months with the advent and growing awareness of both internal and external security threats. While OT teams have traditionally objected to IT intervention in ICS networks, we expect 2020 to see IT’s decades of experience leveraged to lead OT security. We predict IT teams will collaboratively set guidelines for OT security projects, with the critical support and input of OT teams.
Recommendation: Because the approach to IT security posture differs significantly from OT security priorities and challenges, a melding of the two approaches is required. Adopt best practices from both IT and OT security protocols to develop a new architecture optimized for visibility, security and control.
7. CYBER SKILLS GAP WILL SPREAD TO OT
(ISC)2 predicts there will be 1.8 million unfilled OT security positions by 2022, on top of the current global IT security skills shortage of more than four million unfilled positions. For 2020, we predict the combined OT-IT skills gap will create new risks: an organization’s existing personnel may lack the requisite cross-domain IT and OT security skills, and qualified candidates for new roles will be scarce.
Recommendation: Map your current gaps. Then conduct a rigorous skills assessment of your OT SCADA teams and their IT security counterparts. Begin cross-training programs targeted to filling the gaps. Also embrace this as an opportunity to recruit recent graduates or less experienced candidates and train them from day one to address security for the combined IT/OT footprint.
Join our live webinar discussing the 2020 industrial cyber security predictions on January 8, 2020 at 11am ET.