Industrial Cybersecurity Insights

SecurityWeek’s Cyber Insights is an annual series discussing the major pain points for cybersecurity practitioners. These pain points differ year by year in line with the evolving cyber ecosphere: this year we include discussion on current pressures on the role of CISO, including the new SEC liability rules. Overall, Cyber Insights 2024 talks to hundreds of industry experts from dozens of companies covering seven primary topics. The purpose is to evaluate what is happening now, and to prepare for what is coming in 2024 and beyond.

Operational technology (OT) is the umbrella term for the devices that control the physical processes of manufacturing and utility operations. It includes both industrial control systems and IIoT, and is foundational to manufacturing and critical industries. 

OT differs in both evolution and purpose from information technology (IT). While IT is concerned with business data, OT is ultimately concerned with the physical processes of the shop floor (also known as cyber-physical). IT and OT are converging to allow business data influence over cyber-physical processes. This convergence is sometimes known as the Industry 4.0, and its purpose is to develop the smart factory.

In today’s adversarial cyberworld, OT has become a prized target: for cybercriminals and ransomware extortion, and for nation states as a diplomatic lever. It is IT, with its connection to the cloud and internet in general, that often provides the adversarial entry point into OT.

OT in 2024 and beyond

“The biggest development in the ICS/OT/IIoT ecosphere will be the continued rapid proliferation and increased integration of these devices,” says KPS Sandhu, global head of strategic Initiatives with the cybersecurity business group at TCS. “As more devices and systems get interconnected, this will raise complexity and increase exposure to cyber threats. Cybersecurity of this ecosystem will be of prime importance as this will be in the crosshairs of attackers with more sophisticated malware and ransomware targeting these systems.”

Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, believes that attacks will begin to focus on cloud. “I think cloud security will be significant for OT/ICS networks across critical infrastructure in 2024, with new deployments and pilot extensions rolling out in new verticals from various vendors. With NERC adopting new guidance and OEMs broadening their independent cybersecurity offerings, we may also see a shift in threat actors targeting vendor technologies attempting to access or corrupt cloud products, connectivity, and reliance.”

Hsin Yi Chen, Security Solution Manager at Ericsson, believes that OT security will improve through two developments: regulations and artificial intelligence. “Primary developments in ICS/OT/IIoT cybersecurity in 2024 will be driven by evolving regulatory requirements and guidelines, such as the EU’s Cyber Resiliency Act (CRA) and NIS2 directive, as well as NIST’s guide to OT security,” she suggests. 

The CRA complements the existing NIS2 directive. NIS2 has a focus on the security of critical infrastructure and essential services, while the CRA focuses on the security of connected devices at the manufacturing level. Both are highly relevant to OT. The NIST guide is currently advice only, but the global influence of NIST recommendations cannot be ignored.

She also believes that AI will become more important in OT defense, for both passive anomaly detection and more streamlined event triaging.

OT Vulnerabilities

With IT/OT convergence, it is no longer realistic to consider their cybersecurity as two separate issues. With IT business decisions ultimately controlling the operation of cyber-physical devices, it is possible to hamstring OT by taking out (ransomware? wipers?) IT. Nevertheless, OT retains specific weaknesses that we can discuss. Not least of these is the historical need for and reluctance to jeopardize continuous operation. There remains a reluctance to install patches that might threaten continuity or even demand temporary operational shutdowns.

Hsin Yi Chen explains the overall context of OT vulnerabilities. “Vulnerabilities in ICS/OT equipment persist due to the legacy nature of many systems that were designed and implemented before security became a top priority. Traditional reliance on ‘air-gapped’ environments is no longer sufficient, as increased connectivity is needed for remote monitoring and advanced automation, leading to IT/OT convergence. The difficulty in applying regular updates and patches to these legacy systems, combined with inadequate segmentation and security controls between IT and OT environments, expands the attack surface.”

The lack of proper security measures allows an initial compromise in the IT network to potentially lead to unauthorized access to critical OT systems.

Sandhu agrees with this assessment. “Vulnerabilities persist,” he said, “due to factors like the legacy nature of the environment wherein many ICS/OT systems were designed without cybersecurity in mind and are difficult to upgrade or patch. Unlike IT environments, where confidentiality and integrity take precedence, the prime concern for OT environments is availability because of which enterprises steer clear of any such activities like vulnerability assessment and remediation which might result in downtime as they might break the system.”

Greg Ellis, GM of application security at Digital.ai, adds, “The challenge is that older devices still in operation were not designed for frequent software/firmware updates thus leaving potential weaknesses in the overall system.”

Aaron Moore, EVP of engineering, QuSecure, provides context: “Initially there were no threat models developed for ICS/OT and most of these environments were closed to the internet and over-the-air communications,” he said. “They were focused on controlling an industrial process not defending against bad actors. Cyber-hygiene was not a thing.”

Jablanski implies that this historic lack of built-in security is most to blame for the emerging threats to ICS. “ICS/OT equipment is increasingly researched more than in previous years. Increased attention has caused newly recognized security flaws, rather than newly introduced vulnerabilities.”

The cybersecurity vulnerability threat to OT is double-edged. Firstly, there are old, cumbersome ICS devices initially designed to be air-gapped with little in-built security; and secondly there is a new wave of ubiquitous interconnected IIoT devices adding extreme complexity to converged IT/OT networks.

IIoT

IIoT devices play a pivotal role in the evolving OT. They can collect data from and transmit data to the cyber-physical devices, fine-tuning operational efficiency. They can also bridge the gap between IT and OT, improving data-driven decision making. “XIoT is becoming the basis for efficient data sharing and smart decision-making across industries as networks continue to converge, and it will be central to delivering enhanced data insights. Every network will become part of the Extended Internet of Things,” explains Yaniv Vardi, CEO at Claroty.

But according to Kevin Kumpf, chief OT/ICS strategist at Cyolo, IIoT is a double-edged sword. “IIoT devices have historically enabled a wide range of improvements in smart factories, making them more efficient, safe, and intelligent. For example, AI/ML-driven technologies can be used to automate factory lighting, monitor vital signs and performance metrics, and enhance overall worker safety,” he says.

“However,” he adds, “the accelerated integration of IIoT devices will also make organizations significantly more vulnerable to cyber threats. Smart factories generate lots of critical data, and this vast amount of information will become increasingly difficult to analyze and secure effectively, which can hinder its optimization and place organizations at risk of cyberattacks.”

Sandhu agrees that rapid growth in numbers and the concomitant complexity of networks is a growing threat to OT cybersecurity. “The complexity of network architectures and the ubiquity of connected devices amplify the potential for cyber threats,” he warns.

The role of AI

As a primary driver of automation, AI will be used to help solve the unique problems of IT/OT convergence. Agnidipta Sarkar, VP CISO advisory at ColorTokens explains, “The increased need for distributed business decisions by connecting IT and OT will force AI-based solutions to address human safety, operational reliability, and efficient OT cybersecurity solutions that can solve mundane issues such as patch and vulnerability management, and OT access management. Enterprises will begin to see the loss of OT data impacting business outcomes and, consequently, will begin investing in ways to regulate the flow of OT using AI tools.”

Hsin Yi Chen, adds, “AI is another development we can expect to see in 2024, especially in the context of threat detection and prevention. Manually correlating extensive datasets poses challenges, but with the advent of generative AI and other AI models, experts can leverage them as assistants to enhance the accuracy of event detection and correlation within the environment. This approach helps mitigate false positives, enabling experts to concentrate on critical events. As technology evolves, there is potential for automated and dynamic responses based on the prevailing situation. But this needs careful evaluation given the integrated nature of ICS/OT/IIoT devices with the physical world.”

Government intervention

When enterprise security fails, governments usually step in with advice and/or regulations. OT is no different. 

One example of each is worth considering for the potential effect on OT in 2024 and beyond. The first is the final version of NIST’s 800-82r3 OT Security Guide, published in September 2023. The second is the EU Cyber Resiliency Act (CRA), formally adopted on 12 December 2023 and likely to come into effect around or soon after mid-January 2024.

NIST’s Guide to OT Security

Adherence to NIST security publications could be required in the US through two routes: state-level legislation and/or executive order or directive requiring adherence by federal agencies. Neither of these conditions currently apply to NIST’s 800-82r3 OT Security Guide. However, given the growing importance of OT to the economy and social stability, we can expect an executive order or similar for federal agencies, possibly in 2024 or 2025. State-level legislation is less likely, although corporate adoption of NIST advice is traditionally high. For the time being, NIST’s OT advice is advice only.

“NIST,” says Sandhu, “is doing a stellar job of raising the profile of OT security needs and challenges within organizations… By integrating these standards into their security practices, enterprises can bolster their defenses against the evolving threats in the interconnected world of Operational Technology.”

Hsin Yi Chen comments, “NIST’s OT security guide is likely to influence global regulations, fostering a shift toward more secure and cyber-resilient practices in the industry. These regulations will enforce secure-by-design principles and a defense-in-depth mindset. Over the next three years, starting from 2024, the industry is expected to see a transformation in cybersecurity practices.” The NIST guide, she continued, “promotes essential security measures, and its adoption can enhance the overall security posture of OT environments. By implementing the recommendations outlined in the NIST guide, organizations can strengthen network segmentation, access controls, and authentication mechanisms, contributing to a more robust defense against cyber threats.”

Jablanski adds, “The NIST 800-82 Rev. 3 is the best security guide freely available today for OT/ICS security. I particularly like its emphasis on manipulation versus loss of view and control… It really focuses on the condition or impacts you want to avoid because you can now understand the exact impact certain conditions are going to have. I’ve been referring to this for years as ‘effects-based’ (on your networks) rather than ‘means-based’ security (the threat capabilities out there in the world).”

But Moore introduces one note of caution. The need for encryption is stressed throughout the NIST OT publication. But NIST’s own separate recommendations on increasingly essential quantum-resistant cryptography (QRC) capable of withstanding quantum computer decryption will not be released until 2024. So, we are simply not yet ready to fully implement the OT guide.

Specifically, he comments, “The time it takes for NIST standards to develop QRC hardware root of trust and firmware signing and certification standards will be painfully long — and given today’s rapid advances in quantum computing, will fall far short of the time of need. QRC HSM hardening will not move forward until the NIST [post-quantum] standards are finalized, making it impossible to build QRC into tomorrow’s aviation and weapon systems using the hardware and firmware of today.”

EU’s Cyber Resiliency Act

The EU’s CRA provides a comprehensive set of requirements for hardware manufacturers and suppliers. Its purpose is to improve product security; increase transparency for users; enhance lifecycle management; and enforce compliance through market surveillance, testing, and significant monetary sanctions. ‘Secure by design’ is a fundamental aspect of the act. In theory, this should improve the security of hardware for both IT and OT (including ICS and IIoT), and its ramifications will spread far beyond the borders of the EU. 

“The act, effective from early 2024, places significant pressure on manufacturers to design and implement secure measures for products. By enforcing secure-by-design principles and setting standards for cybersecurity, the EU CRA contributes to raising the overall security level of IIoT devices. This regulatory framework will likely drive improvements in cybersecurity practices across the IIoT industry, enhancing resilience against evolving threats,” explains Hsin Yi Chen.

“It will protect consumers and improve the overall security posture of devices, benefiting end users and the ecosystem as a whole,” says Sandhu. “The CRA’s impact on IIoT will largely depend on effective implementation and the ongoing adaptation to the evolving threat landscape. Manufacturers will need to navigate the challenges of increased compliance costs while leveraging the benefits of improved security and user experience. Industry collaboration will be crucial to ensure the Act remains relevant and effective in safeguarding IIoT ecosystems.”

It will affect hardware manufacturing costs, with only a limited number of possible effects. Cost to users will increase or profits to manufacturers will decrease (unless manufacturing processes can be improved without cutting corners); or the act will be ignored or evaded by manufacturers. Moore has a less than enthusiastic view of the CRA (perhaps typically American) compared to the optimistic view (perhaps more typically European). 

“In my opinion,” says Moore, “the ACT is so broad and invasive that it is as unwieldy as it is impractical. Even if they could get the member states to enact consistent market surveillance mechanisms and fines, it is so pervasive and encompassing that the negative economic impacts it will cause will be more severe than the cyber problems that it is attempting to address. Reminds me of a ‘cyber-Utopia’ — total bureaucratic fantasy.”

Certainly, the addition of extra manufacturing costs will be better accommodated by existing large manufacturers than small newcomers. Time will tell whether this has a damaging effect on hardware innovation.

Geopolitics and the threat of cyberwar

Geopolitics is increasingly relevant to OT security — according to Hsin Yi Chen, “through three areas: international tensions, trade disputes, and political instability. Cyber threats may be used as a tool in geopolitical conflicts, leading to an increase in targeted attacks on critical infrastructure. Nations could employ cyber operations to gain a strategic advantage or disrupt adversaries.” 

Beyond nation state activity, culturally motivated criminal hacktivists could engage in more disruptive cyberattacks against the OT of ‘adversary’ critical industries. The danger is that by accident or design, such activity could escalate first into all-out cyberwar, and ultimately into a kinetic response. Put simply, could cyberattacks against OT escalate through cyberwar into physical warfare?

The popular view is that the world has been at cyberwar for many years. The popular view, however, is different from the legal/governmental view (see What is Cyberwar? for a detailed discussion). This distinction should be borne in mind with any discussion on the effect of geopolitics and attacks against OT (especially the OT of critical industries).

“Nation states have been in a cyberwar for decades,” says Moore. “One of the main problems with cyberwar is attribution. Another problem is that if it’s just data then there is no real motivation for a kinetic response. If we are ever able to say, ‘who shot John’ with confidence, or there is a catastrophic event caused by cyber like a dam flooding or a train crash that results in a number of deaths, then we will be very close to cyberwar spilling over to kinetic.”

Attributable death and destruction is the boundary between ‘ordinary’ cyberactivity and actual cyberwarfare. Attacks against OT could by design or accident easily cause death and destruction – but attribution remains the problem. It would require sufficient proof to withstand legal scrutiny, or (in the US) the President personally deciding ‘That’s it. I know enough. We will retaliate with physical force.’

Jablanski expands on the difficulties in making that decision: “Critical infrastructure cybersecurity presents a massive needle-in-a-haystack problem. The lack of consistent and enforceable international cyber policy today has created a world in which seemingly everything non-military can be held at risk—hospitals, trains, dams, energy, water—and nothing is off limits. At the same time, we know countries will retaliate if the safety or trust of their citizens is deeply degraded… Unfortunately, they will continue to be the targets of nations, criminals, hacktivists and more.”

Kinetic spillover is a serious concern, suggests Hsin Yi Chen, but she adds, “The likelihood of a cyberwar spilling over into a kinetic war depends on various geopolitical, strategic, and diplomatic factors – and is influenced by the response strategies of the nations involved.”

The potential for real cyberwar directed against the OT of critical infrastructure to spill over into a kinetic war is clear and genuine – and generally considered unwelcome. For this reason, most major nations try to avoid causing death and destruction but maintain the capacity to do so. There is a cyber ‘nuclear’ deterrent in place – genuine cyberwarfare would result first in total mutual cyber destruction before kinetic force is used, and all sides understand this.

Summary

OT is under increasing threat, from both criminals and nation states. Ransomware actors understand that crippling operations provides a compelling argument for manufacturers to settle quickly, ideally through paying the specified ransom. OT is an attractive target, and ransomware/extortion attacks will increase.

Hacktivists simply wish to cause disruption, and in troubled times, that too will increase. 

And in an age of increasing geopolitical tensions caused by actual wars in Ukraine and Gaza, and the threat of Chinese action against Taiwan, OT is a target that cannot be ignored by nation states. The cybersecurity threat against OT will only increase in 2024.

In short, the factors that have increased adversarial activity against OT over the last few years will deepen and worsen in 2024.

Learn More about Industrial Cybersecurity at SecurityWeek’s ICS Cybersecurity Conference

Related: Mandiant Intel Chief Raises Alarm Over China Hackers in US Critical Infrastructure

Related: US Government Releases Security Guidance for Open Source Software in OT, ICS

Related: New Era of Security Requires Secure Networking, Vendor Consolidation, and Focus on OT

Related: SANS Survey Shows Drop in 2023 ICS/OT Security Budgets

Related: Russian Hackers Used OT Attack to Disrupt Power in Ukraine Amid Mass Missile Strikes