Avoiding Sudden Death OT - Predictions and Insights for ICS Security in 2017

As 2016 draws to a close, we wanted to take the opportunity to reflect back on what the year has taught us in terms of trends in ICS/Operational Technology (OT) security, and make some predictions for what we will see in the year ahead. Consider this our obligatory cyber security predictions blog - but we hope that the insights within will resonate or at least give you something to talk to your colleagues about. If you'd like to discuss any of our thoughts, we welcome the dialogue.

1. Board and C-level mandates will drive focus and investment in OT security

Nearly every major industry has an OT (Operational Technology) network at the core of its business – oil and gas, energy, chemical, pharmaceutical, manufacturing, food and beverage. Even financial services and telecommunications rely on industrial control systems (ICS) in their buildings and data center management systems – they all depend on OT networks. We have talked with dozens of CISOs within large enterprises in the past two years and have seen a dramatic increase in the perception of cyber risk and focus on securing industrial networks. Board and C-level executives have become hyper-focused on cyber-risk mitigation and are increasingly asking the right questions about the security of their industrial environments. Thus, CISOs' roles are being expanded to cover OT security as well. As these CISOs focus in on the OT domain, they’re making comparisons to security capabilities within the IT space and finding stark differences in the level of sophistication. They’re recognizing that the OT space is somewhat trapped in time – and nowhere near the level of cybersecurity readiness seen in the IT domain. The issues include spreadsheet-based asset management, disparate access control, no real-time security monitoring and the lack of other key policies and controls. Allowing a gap in OT security or relying on strategies and tools designed for traditional IT is no longer acceptable for industrial control environments. CISOs are starting to demand the same level of governance, monitoring, management and overall sophistication in the OT domain and will be investing in security tools that are designed specifically for the task.

2. Smart CISOs are going to invest in real-time detection solutions

Organizations are not necessarily under-funded in security so much as spending money on the wrong strategies. With a median time to detect a breach of 210 days and with 69% of those discoveries coming from an outside party (such as a government agency), CISOs are recognizing that spending 85% of their budgets on prevention seems unreasonable. Gartner predicts that by 2020 at least 80% of budgets will be spent on real-time detection. We predict the same math will hold true for OT environments and that CISOs will invest heavily in technologies for visibility and monitoring of these critical networks. As it becomes increasingly obvious that adversaries are becoming more sophisticated, CISOs are going to turn to new strategies. Recognizing that simply building higher walls isn’t going to stop the threat – because the bad guys will simply dig under them or find other ways around them – security teams will turn to solutions that help them with rapid detection and response to breaches.

This is particularly true in OT networks. The “conventional wisdom” is that “step 1” is to build walls by segmenting industrial networks. While we believe that network segmentation and other defensive measures are key to the overall protection of industrial networks, segmentation projects often take a very long time to design and implement in OT environments. Thus, we predict CISOs will adjust and change “step 1” to the implementation of tools that provide visibility into and security monitoring for ICS networks – giving them immediate return on investment without the need to disrupt the underlying production processes.

3. ICS attacks are coming – Mr. Robot and traditional IT security tools may be to blame

The "red lines" that conventional wisdom taught us would prevent disruptive or destructive attacks in critical infrastructure are dimming. With the Ukraine incident and the fact that no apparent repercussions followed, rogue nations and those embroiled in geopolitical conflicts will be more emboldened to use cyber-attacks against critical infrastructure. One or more state-level actors may use an ICS network attack as an instrument of foreign policy, to shake up or destabilize another country or region. Global terrorist organizations have also discussed these types of attacks and these rogue groups can purchase skills, tools and infrastructure to launch their own efforts. Thus, we believe it is likely that another ICS related incident will occur in the coming year.

Further, we believe rogue nations will continue “prepping the battlefield” – using reconnaissance techniques and APTs to map critical infrastructure and infiltrate industrial networks with malware that can be activated later. Also, as we have seen in the popular, and not altogether unrealistic, TV show Mr. Robot, building automation, HVAC and data center infrastructure can be used as attack vectors, either taking down buildings and data centers, or serving as attack vectors into IT networks – Domo Arigato Mr. Roboto.

There is also the real chance that even without an attack, work being done to secure OT networks using traditional IT security technologies – for example, using active vulnerability scanning tools in OT environments – will cause the proverbial “self-inflicted wound” (https://www.claroty.com/post/caution-service-disruption-possible).

4. Contractual obligations will drive ICS asset owners to better security

We've already seen this activity in the oil and gas industry, for example. Major energy companies are inserting contractual language that obligates sub-contractors, such as oil exploration and production companies, to implement and maintain robust cybersecurity programs for the offshore drilling assets they rent. We will see this trend continue throughout 2017/18 across other industries. In advance of any legislative mandates, these industries will drive security consciousness with contractual compliance programs like PCI/DSS in the payment card industry. We are already seeing movement with the same types of mandates within commercial real estate contracts. For example, financial services companies and law firms that deal with very sensitive information are starting to request cyber protection to be part of the “package” they get from their providers – forcing the major real estate companies to implement policies and programs and explore ICS cybersecurity tools and services for their commercial real-estate assets.

5. In 2017, ICS is going to be the new security buzzword for traditional security vendors

Remember when 2014 became the year of Threat Intelligence? At the RSA Conference, every security vendor, regardless of whether they did anything useful with Threat Intel, included it as a new marketing bullet on their booths. That's exactly what is about to happen between 2017/18 with ICS cybersecurity. You're going to see the industry move hard in this direction - traditional vendors will repackage solutions with an ICS label – we have already seen a number of vendors move in that direction. But the ICS/OT domain requires solutions designed for these unique network environments. These networks include a long list of unique and proprietary network protocols, legacy devices that are easily disturbed when actively queried and different uptime/availability requirements that will require purpose-built solutions. For example, implementing a traditional IDS system in an OT network is like showing up to a United Nations meeting and not using the translation headphones. You can hear a lot of noise but will not understand the conversation or its meaning. Organizations will require tools that fully understand the unique language of OT networks.

Despite the marketing push that you'll see from the industry writ large, companies with solutions specifically designed and architected for these unique environments, like Claroty, will break out. We will likely see one of the mainline security vendors take a more aggressive stance on industrial security through an acquisition of one of the pioneers in the space.

6. A wave of security vulnerability disclosures is coming and will be followed by more thoughtful OT vulnerability disclosure and patching guidelines

As more security companies move towards the ICS space, and as new entrants such as the half dozen or so emerging from Israel get moving, we will see a wave of ICS vulnerability research and disclosures in the space. It's just what security people do. But this space is VASTLY different than the traditional IT domain, largely because ICS/OT network operators do not have the luxury of an easy way to patch these systems. Thus, disclosures in this arena - far more than in traditional IT - are an incredibly sharp double-edged sword. On the one hand, pointing to these vulnerabilities prompts the ICS vendors to continue to improve their security practices as part of the lifecycle of their equipment. On the other hand, because of the availability requirements in these environments, owners and operators are left without the ability to rapidly patch, and in some cases, because the ICS systems are end-of-life, there are no patches released from the vendor. The traditional disclosure model needs a heavy rethink, and more than in the IT domain, coordination with all parties is of critical importance.