In 2020 we expect to see new attack vectors, increased OT/IT interactivity and help from the cloud. Here are our seven industrial cybersecurity predictions — and recommendations for how you can prepare your organization for the year ahead.
Information technology (IT) and operational technology (OT), with the adoption of Industrial Internet of Things (IIoT), are rapidly changing and converging. As they evolve, hackers search for new attack vectors and new attack surfaces to compromise.
So, what does all this mean for your organization and for industrial cybersecurity in 2020?
Below you’ll find our seven key predictions about what we think the industry will face this year — and our recommendations for how you can prepare your organization. First, though, let’s look at the industry changes influencing our predictions.
Air gapping used to be a sufficient way to protect networks and devices. Today, it’s impossible to ignore that your mission-critical and industrial processes are vulnerable to intrusion and disruption.
The Stuxnet worm of 2010, which targeted and disrupted an air-gapped system, is almost a decade behind us, and since then, IT and OT attacks have continued to increase.
A 2019 study from Ponemon Institute and Tenable found that 90% of respondents with OT infrastructure said they suffered at least one damaging IT or OT cyberattack in the past two years. Attackers hit nearly two-thirds of them at least twice.
Because of these increasing attacks, many industrial and critical infrastructure organizations are investing in ways to secure their OT infrastructure in addition to their IT infrastructure.
With the developing challenges we see in the field, Industrial Control Systems (ICS) security is quickly becoming a mainstream necessity for the majority of organizations that operate critical infrastructure and industrial facilities, regardless of size, location or field.
We’ve based our predictions about the 2020 ICS environment on what we see in the market and our daily interactions with professionals who defend their company systems. Here are our seven industrial cybersecurity predictions for 2020 and our recommendations for preparing your organization:
1. Technology convergence will open up new attack vectors
The convergence of IT, OT and the adoption of IoT will accelerate at an unprecedented pace in 2020. The boundaries between them will continue to dissolve. This new reality will create new attack surfaces and attack vectors your team should monitor and defend.
OT systems — which are characterized by a wide range of legacy, proprietary and non-standard protocols and interfaces — will enable an abundance of attack options even as it becomes increasingly difficult to protect them.
Recommendation: Whether or not you air gap your industrial control systems, OT-based attacks are a real and present danger. The mantra of “set it and forget it” is not an adequate way to administer OT environments. Early detection of OT threats will require continuous ICS-specific monitoring capabilities at the network and device level.
2. OT-to-IT attacks will be reality
While lateral attacks that gain a foothold in IT and spread to OT networks have been well documented in the past 24 months, in 2020 we will see the emergence of OT-to-IT attacks.
For example, we can expect attacks that intentionally compromise ICS devices in OT networks to gain access to IT networks and assets such as customer databases.
Attackers will target OT environments because traditionally they are not as well defended as IT systems. That makes them a path of least resistance for attackers looking to taget IT data repositories.
Recommendation: Create an ecosystem of trust and cooperation between IT and OT security and promote information sharing to detect these attacks. Also, leverage device integrity to identify problems at the device level and stop attacks before they spread across the network.
3. Attacks will expose weak links in OT security
In their search for the path of least resistance, attackers will target OT infrastructures such as branches or remote locations for large organizations.
Typically, these remote/smaller sites connect to a larger OT network and, in the case of energy providers, to regional grids. They also tend to have the lowest defenses and are most vulnerable to attack. As a result, attackers will seek to compromise a remote site — or even a small energy provider — hoping to create a cascading impact.
Recommendation: To avoid disruption of mission critical operations and lateral IT data-gathering invasions, pay equal attention to the monitoring and protection of OT infrastructure at branch and remote locations as you do to your primary sites. Attackers can exploit these remote locations to launch backhaul attacks into headquarters or partner sites.
4. The definition of critical infrastructure will broaden
The traditional perception of critical infrastructure will dramatically expand in 2020 beyond energy grids to include more non-traditional targets.
We can expect mainstream identification of critical infrastructure to include industries such as building management systems, transportation and logistics, heavy construction equipment, food and beverage supply chains and others.
Expect more widespread recognition of the U.S. Department of Homeland Security’s 16 critical infrastructure sectors. In addition, because 2020 is a presidential election year in the U.S., election system security will be front-of-mind.
Recommendation: Infrastructures labelled as non-critical, too small or too isolated — previously not considered targets — will now require protection and monitoring. OT security should be considered anywhere you deploy a programmable logic controller (PLC), distributed control system (DCS) or intelligent electronic device (IED), regardless of size, location or connectivity to the outside world.
5. Cloud-based ICS-as-a-Service will gain broad acceptance
Organizations will recognize the cloud as a reliable means to deliver OT security to locations where it’s not practical or feasible for a physical deployment.
Cloud-delivered OT security follows the same objection/acceptance trajectory as other technology infrastructure building blocks: on-premises CRM versus a Software-as-a-Service cloud-based tool like Salesforce, local versus online antivirus and, more recently, host- versus cloud-based endpoint detection and response (EDR).
Recommendation: Consider cloud-delivered OT security alternatives for remote or distributed locations that currently lack controls as vigorous as those at your primary installations.
6. IT will have a bigger ownership role in collaborative security
In 2020, most industrial organizations will recognize security must be a shared responsibility between OT and IT teams.
With the advent and growing awareness of both internal and external security threats, collaboration between IT and OT teams has steadily increased over the past 24 months. While OT teams have traditionally objected to IT intervention in ICS networks, we expect 2020 to see IT teams leverage their decades of experience to lead OT security.
We predict IT teams will collaboratively set guidelines for OT security projects, with critical support and input from OT teams.
Recommendation: Because an IT security approach differs significantly from OT security priorities and challenges, organizations will need a melding of the two approaches. Adopt best practices from both IT and OT security protocols to develop a new architecture optimized for visibility, security and control.
7. The cyber skills gap will spread to OT
By 2022, (ISC)2 predicts 1.8 million unfilled OT security positions, on top of the current global IT security skills shortage (more than 4 million unfilled positions).
In the year ahead, we predict the combined OT-IT skills gap will create new risks: an organization’s existing personnel may lack requisite IT and OT cross-security skills and qualified candidates for new roles will be scarce.
Recommendation: Map your current gaps. Then conduct a rigorous skills assessment of your OT SCADA teams and their IT security counterparts. Begin cross-training programs targeted to fill the gaps. Also, embrace this as an opportunity to recruit recent graduates or less-experienced candidates and train them from day one to address security for a combined IT/OT footprint.
View the on-demand webinar, Tenable and Indegy: the First Unified, Risk-Based Platform for IT and OT Security.