Engineering workstation compromises were the initial attack vector in 35 per cent of all operational technology (OT) and industrial control system breaches in companies surveyed globally this year, doubling from the year earlier, according to research conducted by the SANS Institute and sponsored by Nozomi Networks.
While the number of respondents who said they had experienced a breach in their OT/ICS systems during the last 12 months dropped to 10.5 per cent (down from 15 per cent in 2021), one third of all the respondents said they did not know whether their systems had been breached or not.
For the 2022 SANS ICS/OT survey, 332 responses were received, representing verticals from the energy, chemical, critical manufacturing, nuclear, water management, and other industries.
Challenges facing control system security
Some of the biggest challenges in securing ICS/OT technologies and processes include integrating legacy and ageing OT with modern IT systems; traditional IT security technologies that are not designed for control systems and cause disruption in OT environments; IT staff who do not understand OT operational requirements; and insufficient labour resources to implement existing security plans, according to the survey.
Business services, healthcare and public health, and commercial facilities are the three sectors respondents deemed most likely to suffer a successful ICS compromise that impacts safe and reliable operations this year.
When asked which ICS components are considered to have the greatest impact to the business if compromised, most survey respondents (51 per cent) specified engineering workstations, instrumentation laptops and calibration/test equipment.
Most survey respondents (54 per cent) also said that engineering workstations, laptops and test equipment were the system components at the greatest risk of being compromised.
Engineering workstations, which include mobile laptops used for device maintenance in facilities, run the control system software used to program or change logic controllers and other field device settings or configurations, the study noted. Unlike traditional IT, ICS/OT systems monitor and manage data that drives real-time changes in the physical world, taking physical inputs and controlling physical actions.
IT systems are a major attack vector into OT/ICS
Though attacks on engineering workstations doubled in the past year, they are only in third place in terms of being the initial attack vector into OT/ICS systems. The major attack vector into OT/ICS systems involves IT, with 41 per cent of companies reporting that IT breaches were responsible for eventual compromises of their OT/ICS systems.
The second largest attack vector is removable media such as USB drives and external hard disks. To keep this threat at bay, 83 per cent of respondents have a formal policy in place to manage transient devices, and 76 per cent have a threat detection technology in place to manage these devices.
In addition, 70 per cent are using commercial threat detection tools, 49 per cent are using homemade solutions, and 23 per cent have deployed ad-hoc threat detection to manage this risk.
"Engineering systems, although not equipped for traditional anti-malware agents, can be protected through network-based ICS-aware detection systems and industrial-based network architecture practices," according to the report.
"Additionally, as part of on-going engineering maintenance tasks for field devices, log capture or log forwarding and regular controller configuration verification are achievable ways to start protecting these assets."
The report suggests that ICS security is maturing. "The ICS threat intelligence market has come a long way in 12 months. More facilities are using vendor-provided threat intelligence for more immediate and actionable defence steps.
Unlike most respondents in 2021, respondents in 2022 are no longer just relying on publicly available threat intel," according to the report, authored by Dean Parsons. "This is a sign of increased maturity and awareness of the value of ICS-vendor-specific threat intelligence, as well as budget allocation for improved proactive defense in this area."
Industrial systems get their own security budgets
More organisations are obtaining an ICS-specific security budget, with 2022 seeing only eight per cent of facilities without one, according to the report. Twenty-seven per cent of organisations have budgets allocated between US$100,000 and $499,999, and 25 per cent of organisations have budgets between $500,000 and $999,999.
For the next 18 months, organisations are allocating these budgets toward various initiatives: increased visibility into cyber assets and their configurations (42 per cent) and the implementation of network-based anomaly and intrusion detection tools (34 per cent). There is also a focus on network-based intrusion prevention tools on control-system networks (26 per cent).
Nearly 80 per cent of the respondents said they now have roles that emphasise ICS operations, compared with 2021 when only about 50 per cent had such specific roles. However, the organisations suggest there is still a convergence in responsibilities even though the areas have different missions, skillsets needed, and impacts during a security incident.
Almost 60 per cent of the respondents to the survey use passive monitoring, with a network sniffer as the primary method for detecting vulnerabilities in hardware and software. The second most common method is continual active vulnerability scanning.
The third most common method used is comparing configuration and control logic programs against known-good logic versions.
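The "regular controller configuration verification" the report recommends for engineering maintenance, and the known-good logic comparison described above, come down to the same mechanism: take a signed-off baseline of each controller's exported program or configuration, then periodically re-export and compare. The script below is an added example written for this article, not code from the SANS report, Nozomi Networks or any PLC vendor. It assumes (hypothetically) that each controller's export is available as text keyed by an asset tag; the sample exports are constructed and use a Structured Text-like syntax purely for illustration. It classifies every asset as unchanged, modified, missing or unexpected, and for modified assets shows which logic lines changed.

```python
"""Baseline-and-verify check for controller logic/configuration exports.

Added example (not the SANS report's or any vendor's code). Assumptions:
  - each controller export is available as text, keyed by an asset tag
    (a hypothetical arrangement; real exports come from the engineering
    software or an ICS-aware monitoring tool);
  - a baseline of those exports was taken at commissioning and stored
    outside the engineering workstation, e.g. with the change record.
"""
import difflib
import hashlib
from typing import Dict, List


def digest(text: str) -> str:
    """SHA-256 of an export; line endings are normalised so that a
    re-export on a different workstation does not look like a change."""
    normalised = text.replace("\r\n", "\n")
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def take_baseline(exports: Dict[str, str]) -> Dict[str, str]:
    """Map asset tag -> digest of its known-good export."""
    return {tag: digest(body) for tag, body in exports.items()}


def verify(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a fresh set of exports against the baseline digests.

    'missing' assets may be offline or deliberately decommissioned;
    'unexpected' assets were never baselined and deserve a look, since
    an engineering workstation compromise can add logic as well as
    alter it.
    """
    result: Dict[str, List[str]] = {
        "unchanged": [], "modified": [], "missing": [], "unexpected": []
    }
    for tag, expected in baseline.items():
        if tag not in current:
            result["missing"].append(tag)
        elif digest(current[tag]) == expected:
            result["unchanged"].append(tag)
        else:
            result["modified"].append(tag)
    for tag in current:
        if tag not in baseline:
            result["unexpected"].append(tag)
    for bucket in result.values():
        bucket.sort()
    return result


def logic_diff(known_good: str, current: str) -> List[str]:
    """Return only the added/removed lines between two exports, so the
    reviewer sees the changed setpoint or rung rather than a whole file."""
    lines = list(difflib.unified_diff(
        known_good.splitlines(), current.splitlines(),
        "known_good", "current", lineterm=""))
    # Skip the two '---'/'+++' header lines, keep '+'/'-' content lines.
    return [ln for ln in lines[2:] if ln and ln[0] in "+-"]


# Constructed sample exports (illustrative only). The baseline has three
# assets; the re-export shows a changed pressure setpoint on PLC-01, a
# controller (RTU-07) that did not answer, and an unknown PLC-09.
KNOWN_GOOD_EXPORTS: Dict[str, str] = {
    "PLC-01": ("PROGRAM Main\n"
               "  HighPressureSP := 150;\n"
               "  IF Pressure > HighPressureSP THEN ReliefValve := TRUE; END_IF;\n"
               "END_PROGRAM\n"),
    "PLC-02": "PROGRAM Main\n  PumpStartDelay := T#5s;\nEND_PROGRAM\n",
    "RTU-07": "MODE=normal\nPOLL_INTERVAL=2\n",
}
CURRENT_EXPORTS: Dict[str, str] = {
    "PLC-01": ("PROGRAM Main\n"
               "  HighPressureSP := 250;\n"
               "  IF Pressure > HighPressureSP THEN ReliefValve := TRUE; END_IF;\n"
               "END_PROGRAM\n"),
    "PLC-02": "PROGRAM Main\r\n  PumpStartDelay := T#5s;\r\nEND_PROGRAM\r\n",
    "PLC-09": "PROGRAM Main\nEND_PROGRAM\n",
}


def run_check() -> Dict[str, List[str]]:
    """Run the verification over the constructed samples and print a report."""
    report = verify(take_baseline(KNOWN_GOOD_EXPORTS), CURRENT_EXPORTS)
    for status, tags in report.items():
        if tags:
            print(f"{status:10s} {', '.join(tags)}")
    for tag in report["modified"]:
        for line in logic_diff(KNOWN_GOOD_EXPORTS[tag], CURRENT_EXPORTS[tag]):
            print(f"  {tag}: {line}")
    return report


if __name__ == "__main__":
    run_check()
```

Two practical points the code makes explicit: the baseline digests, not the exports on the engineering workstation, are the trust anchor, so they belong with the change record rather than on the machine an attacker would use to alter logic; and a digest mismatch alone is not actionable, which is why the check falls through to a line-level diff that a control engineer can judge against the maintenance log. Real exports usually embed timestamps or workstation names that must be stripped before hashing, as the line-ending normalisation here hints.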