ICS Cybersecurity...Twists, Turns, and Roadblocks

Posted by Joe Perino on Fri, Apr 16, 2021

LNS Research has been following industrial control system (ICS) cybersecurity for some time now and believes that as we emerge from the grasp of COVID-19, this is a good time to revisit what has and continues to be a very dynamic part of the industrial software market.

Market Twists and Turns

What an active market this last year has been. And, everybody is in the game, from IT vendors to automation companies to plenty of VC capital. The number of new entrants has slowed as the leading independent startups continue to grow rapidly, stay partnered, and thus, remain piggybacked with larger automation players. But all is not quiet on the western front. Last year, LNS foretold the beginning of consolidation in the market, and indeed that is exactly what is happening. The larger players are beginning to absorb the smaller ones, and the smaller ones are slowly being forced to choose sides as the large players round out their portfolios. Those too small or lost in the crowd and unable to gain traction will start to fade as VC monies dissipate and go elsewhere.

Private equity goliaths, technology titans, and pure-play security mainstays collectively spent more than $8.5 billion in 2020’s most significant deals, scooping up nearly 6,700 employees from an assortment of legacy firms and late-stage startups. Two of the acquired entities were founded in the 1980s, five were founded in the 2000s, and three were established in the 2010s.

Among the most notable from an industrial perspective were:

  • Microsoft picked up CyberX
  • Hexagon acquired PAS
  • Accenture scooped up Symantec’s cyber business from Broadcom
  • Insight Partners acquired Armis, which focuses on unmanaged and IoT devices
  • Advent International bought Forescout, another IoT security vendor, who had previously acquired SecurityMatters
  • Rockwell Automation absorbed Oylo
  • Tenable acquired Indegy
  • SparkCognition, an advanced analytics vendor best known for asset and operational performance, introduced their DeepArmor® product for cybersecurity
  • Splunk also made several acquisitions broadening and extending its portfolio down the stack

These are just the tip of the iceberg when it comes to the number of overall deals in the space, including managed security services firms. Cisco had already acquired Sentryo, as did Honeywell with NextNine.

Challenges and Barriers

Despite all this supposedly good news and amid the financial froth, several problems still remain.

Company CISOs are still faced with a plethora of vendors, all touting that they can take care of their cybersecurity needs. This "fog" of vendors isn’t going away anytime soon. LNS Research senses that CISOs will welcome the day when one vendor’s security stack handles 90+% of their needs instead of having to buy and manage multiple overlapping solutions. With the market consolidation underway, hopefully, this won’t be too far off.

Cybersecurity is gaining attention, but at most firms, it still hasn’t been elevated to the level of other risk management strategies that normally demand the CFO’s and senior management's attention. As LNS has written, addressing cybersecurity is a critical part of risk management and hence achieving sustainability. Cyber attacks can be so pernicious that they are both systematic and unsystematic, so strategies to detect and mitigate them like we do in asset management and finance do not address all the risks. Events can be sudden and unexpected, or the likelihood of their occurrence can build up through time in the absence of appropriate policy, i.e., people, process, technology, and especially management responses. Cybersecurity prevention, mitigation, and recovery must be part of business continuity plans and actions. Thus, it is imperative that cybersecurity be an essential element of risk management from top to bottom and vice-versa.


Figure 1 - Risk Strategy and Relationships

The top-to-bottom and bottom-to-top approach also means that IT and OT need to be aligned, working together to address all levels. While progress is being made, the IT/OT divide is very real and a major stumbling block, not only to cybersecurity but to scaling solutions across the enterprise, whatever they may be. LNS Research has written about this extensively, and it is a topic on virtually every LNS client’s list.

Figure 2 - Who's Responsible for Cybersecurity?

LNS Research shows that corporate IT is still largely in the cybersecurity driver’s seat. OT needs to step up their skill sets, not just to follow standards like IEC 62443 and NIST. We have to remember that these are standards, not detailed policies and procedures, and do not provide standard assessment methodologies or audit procedures. Having said that, methods do exist for conducting cybersecurity process hazard analyses (PHAs).

Figure 3 - OT Cyber Coverage

OT’s network architecture and management skills need a boost, too, in view of the facts. The SANS 2019 State of OT/ICS Cybersecurity Survey found that 34.5% of control networks are connected to the internet, and 66.4% are connected to either a third-party private infrastructure or their enterprise business network. So, despite any physical barriers OT might think that they have, the door is still open. Finally, IT needs to realize that traditional security stacks are insufficient to address all OT needs. Perhaps SANS could team up with the ISA to deliver a set of comprehensive courses.

Looking Ahead

All this progress notwithstanding, there remains much room for improvement. LNS’s research shows that the use of IT security tools is underpenetrated in the OT space, let alone the use of dedicated ICS cybersecurity solutions.

Figure 4 - IT Cyber Tools in OT

On the positive side, cooperation between governments, industry, companies, insurers, individuals, and technology developers has greatly improved. For example, MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is open and available to any person or organization for use at no charge. Sharing is helping to build a common wall. So despite the continued onslaught of attacks at every target, from industrial companies to facilities to the recent and seemingly innocuous water treatment plant in Florida, LNS Research is optimistic that the fight against cyberattacks is gaining ground.


Categories: Risk Management, IT/OT, cybersecurity