The Future of Industrial Cybersecurity
In the next five years, cybersecurity for industrial control systems (ICS) is expected to achieve strong growth, with estimates predicting the sector will be worth approximately $22.8 billion by 2026. With help from researchers, investigations of increasing attacks on industrial facilities and growing interest from corporate and government sectors, the industry has already amassed an arsenal of awareness and protection offerings.
With that in mind, now is the time to look at how cybersecurity for ICS will develop further and what challenges it will face in the future so that organizations can use this knowledge to shape or adjust their security strategies.
Implementing Layered Operational Technology Protections
To understand where the industry is going, it is important to look at the current state of play. Industrial infrastructure protection is a complex task, as it means using a variety of tools for each level including field devices and operation management to protect ICS and corporate IT. These are technologies for various industrial controllers, networks, computer protection and the overall security management for enterprises.
The primary cybersecurity task for any industrial organization and facility is timely detection and elimination of threats to endpoints and the network to safeguard the perimeter. If the industrial site has complex automation and control systems, it is important to protect them from accidental failures and deliberate attacks. Some examples include substation or power plant automation, discrete or continuous process automation, distributed or centralized control systems, field, supervisory or telecontrol systems. It’s important to use dedicated tools to track minor anomalies in performance indicators, for example, an indicator of pressure inside an oil refinery tank or power plant, to act before a breakdown occurs.
Organizing timely updates and vulnerability fixes in the industrial firmware is also crucial to decrease the risk of a cyberattack. The fewer vulnerabilities in the equipment, the less likely that attackers will be able to compromise the network. Unfortunately, it is not always possible to detect and patch them by simply checking an update from the tool vendor’s website. There should be a documented process for obtaining reliable, accurate, up-to-date information about vulnerabilities that affect the device and its configuration. This helps organizations make an informed decision whether to patch or use an optional mitigation measure if the patch is not available or justified.
Last but certainly not least, organizations need dedicated threat detection and response capabilities against advanced persistent threats. Ideally, the ICS security system must collect and analyze all security events across the entire network so that an internal security operations center or external expert service can identify signs of targeted attacks. This will help the company stop them in time and investigate the causes. This should work against APTs to prevent them lurking undetected inside the network, as happened in the Lazarus attack, targeting the defense industry with a custom backdoor that researchers highlighted in 2020. The backdoor moved laterally through infected networks gathering sensitive information.
As OT systems become more complex with all the variety of devices, remote connections and geographically distributed facilities, protection becomes more complex, as well. Different tools work for different needs. Some require integration, and each has its own control panel. As a result, managing protection for the entire system becomes the most challenging task for enterprises.
Configuring each tool separately and managing everything manually can be hard work and may ultimately reduce the level of protection if it is ineffective. Different solutions do not share threat intelligence with each other, and there is no visibility within the entire OT system.
Security as a Common Denominator
Addressing this issue means having all parts of security converge at a single point, creating an ecosystem that offers customers access to all possible solutions and services and adapts to the tasks of small, medium and large enterprises. It should offer a single platform for managing all security tasks, including those from third-party services. Thus, all teams involved in OT security will be able to access the necessary data and processes.
An important feature of the platform should be monitoring and processing security events from different sources, be it an anti-malware agent at endpoints, EDR, threat intelligence, SIEM or any other tool, and correlating them with events in the IT network. Ingesting data from different sources, performing analysis and searching for correlations with the help of a security orchestration, automation and response (SOAR) system will make it possible to detect complex targeted attacks more effectively.
Extended detection and response (XDR) technology is already serving this purpose for corporate IT. XDR in conjunction with threat detection, investigation and response across all infrastructure elements is already gaining momentum in enterprise security, and the same methods can be adapted for OT security needs.
This will help OT security mature and evolve. This means that organizations will be able to protect their assets in a more systematic way, better understand what is happening in their networks and build a secure foundation for subsequent digitalization. These technologies will create or strengthen centers for monitoring and ensure industrial safety within large enterprises. It can also be used at the regional, country or nation-state level and international CERT organizations, as well as by managed service providers.