Industrial Cybersecurity Survey Results from ARC

By Sid Snitkin

Table of Contents

  • Executive Overview
  • ARC Industrial Cybersecurity Maturity Model          
  • Building an Effective Industrial Cybersecurity Program
  • Addressing Cybersecurity Resource Challenges
  • Industrial Cybersecurity Technology Adoption Strategies
  • Research Methodology
  • ARC Cybersecurity Market Research

 

Executive Overview

ARC Advisory Group has been providing research and consulting to the industrial control system (ICS[1]) community for over three decades.  This work spans the full spectrum of ICS products and services used by process and discrete manufacturers as well as infrastructure organizations in critical sectors like power, water and wastewater, transportation, etc. 

Industrial cybersecurity has become a key focus of ARC’s research.  In addition to market reports on a wide range of cybersecurity products and services, ARC has provided custom consulting support to industrial owner/operators for critical issues such as cybersecurity strategies and new investment planning.  ARC has also developed tools like the industrial cybersecurity maturity model to help companies assess and improve plant cybersecurity programs. 

Industrial cybersecurity continues to evolve across industrial settings.  New developments like cloud applications and the industrial internet of things (IIoT) are forcing companies to expand practices and address issues like IT-OT convergence.  ICS cybersecurity is also gaining a foothold in new areas like smart cities and building management systems. 

This report analyzes the results of the recent ARC 2017 industrial cybersecurity survey.  It provides information that can help companies regardless of their cybersecurity maturity.  The chapter “Building an Effective Industrial Cybersecurity Program” can help companies that are just starting their cybersecurity journeys.  “Addressing Cybersecurity Resource Challenges” can help companies address the critical shortage of ICS cybersecurity expertise.  “Industrial Cybersecurity Technology Adoption Strategies” provides useful guidance for managers who want to gain control of “whack-a-mole” reactions to every new threat. 

 

ARC Industrial Cybersecurity Maturity Model

ARC developed the Industrial Cybersecurity Maturity Model to help industrial managers understand their cybersecurity challenges without having to become cybersecurity experts.  This helps managers ensure that cybersecurity investments align with their actual needs and willingness to accept cyber risks.  It enables them to replace “whack-a-mole” requests for new technology with rational evaluation of cost-benefit tradeoffs. 

[Chart: Industrial Cybersecurity Survey]

ARC’s model breaks cybersecurity into a set of steps that reduce cyber risks incrementally.  Each step addresses a specific, easily understandable security issue like securing individual devices, defending plants from external attacks, containing malware that may still get into a control system, monitoring systems for suspicious activity, and actively managing sophisticated threats and cyber incidents.  Each step has an associated set of actions and technologies that can be used to accomplish its goals.  The model also shows the human resources and tools required to sustain and utilize the technology investments at each step.   

To minimize cyber risks, industrial companies should consider implementing every step in this model.  However, ARC’s research indicates that most companies are operating with significant technology and resource gaps.  From a cybersecurity technology perspective, most facilities only have the passive, defensive technologies shown in the first three steps.  This may be adequate for companies that can tolerate process disruptions, but operators of critical infrastructure need to be more prudent and invest in the active defense measures shown in steps four and five.  This will ensure rapid detection, identification and response to more sophisticated cyber-attacks and minimize the mean time to recovery for any incidents.

[Chart: Industrial Cybersecurity Survey]

The gap in cybersecurity resources is even larger.  Most facilities lack the people and expertise to even maintain the technologies in steps one through three.  This generally means that the effectiveness of the defenses in every step is being undermined, leaving industrial managers with a false sense of security regarding their real risk of a serious cyber incident.  Every company needs to recognize and address resource issues.  The extreme shortage of ICS cybersecurity expertise requires new approaches to triaging tasks and integrating additional resources from central groups and third parties.

ARC Survey Helps Managers Address Technology and Resource Security Gaps

ARC’s model provides a useful tool for managers to identify cybersecurity technology and resource gaps.  The next step is to evaluate the importance of these gaps and develop a plan for achieving the appropriate level of protection given factors like the company’s industry, products and geographic presence.  The industrial cybersecurity survey discussed in this report was designed to further help managers with these challenges.  It provides information about the focus and strategies of cybersecurity programs across a broad spectrum of industrial organizations. 

Building an Effective Industrial Cybersecurity Program

Launching an ICS cybersecurity program can be challenging.  What do you do first?  How do you know if you are choosing the best security strategy?  What issues should you attack first?  The survey results discussed in this section represent the advice of experienced owner/operators and cybersecurity experts on these topics. 

[Chart: Industrial Cybersecurity Survey]

Steps to a Successful Cybersecurity Program Launch

Not surprisingly, most experts identify getting a top management sponsor as the most important step in launching a successful industrial cybersecurity program.  Top management support is essential for any major program, and cybersecurity is no exception.  Funding is an obvious problem, particularly when people discount the likelihood of a cyber-attack.  Having a top manager championing the need to address cyber risks will greatly ease the release of funds.  Performing assessments and implementing defenses invariably impact operations, and top management support is invaluable in overcoming delays caused by reluctant operations managers.

Building awareness of cyber risks is another critical issue in many companies.  Despite the growing number of highly publicized incidents, many people still underestimate the potential impact of a serious cyber event.  Many managers assume their investments in IT cybersecurity will also protect plants from cyber-attacks. 

Even with top management support, cybersecurity program managers will generally find that they need their plans approved by IT and operations managers.  Budget responsibility for industrial cybersecurity varies across industrial organizations.  Frequently, use of solutions and resources that are not preferred by IT will also have to be justified and approved by the IT department. 

[Chart: Industrial Cybersecurity Survey]

      

Choosing the Best Security Framework

Industrial cybersecurity has been addressed by various standards and cybersecurity research groups.  As the survey results indicate, the industrial cybersecurity community values these efforts.  However, this guidance varies in scope, industry focus, and specificity.  ARC recommends that users learn more about each of these efforts before selecting one as the basis for a cybersecurity program.  A combination may be the most appropriate choice. 

A large majority of participants in ARC’s survey recommend that companies “should definitely use” the popular ISA-62443/IEC 62443 industrial cybersecurity standards.  This may be an artifact of the industry breakdown of survey participants, which strongly favors process industries and other continuous operations like power plants, water and wastewater facilities, etc.  However, other ARC research shows that these standards are being applied across a wide range of industries, from discrete manufacturing to medical systems. 

Use of the NIST Cybersecurity Framework is also strongly encouraged.  This guidance is strongly endorsed by the US Government as a tool for structuring and comparing critical infrastructure cybersecurity programs and identifying relevant standards.  Sector-specific profiles are also available.    

[Chart: Industrial Cybersecurity Survey]

Focusing Cybersecurity Efforts

While companies should consider all issues identified in ARC’s cybersecurity maturity model, plants have limited resources and need to prioritize their efforts.  The following charts show the kinds of threats and attack vectors that experienced companies are most concerned with and recommend close attention. 

Companies are concerned with all kinds of attackers, but two categories stand out as major concerns: attacks by internal personnel and attacks by sophisticated adversaries.  Internal people are granted broad system access to do their work.  As demonstrated in documented incidents like the Maroochy Shire Sewage Spill[2], this access can also enable disgruntled employees (or former employees whose access was never revoked) to disrupt system operation.  Well-meaning employees can also cause problems accidentally, for example by making mistakes when changing critical operating parameters or controller programming. 

Reports of compromises of sophisticated, well-protected public and corporate IT systems demonstrate that cyber defenses cannot reliably keep out sophisticated attackers, especially when they are dedicated and well-resourced.  Most plants today have connections to corporate systems and enable remote support through the internet, so they should also be concerned with sophisticated attackers.  Plants are also more vulnerable than IT systems, because 24x7x365 operation prevents timely action on published security alerts and patches.  Like most companies in the ARC survey, industrial facilities in critical industries and regions should have a high level of concern about attacks by well-resourced nation-state and criminal cyber teams. 

[Chart: Industrial Cybersecurity Survey]

Attack vectors that participants in ARC’s survey are most concerned with further reflect their concern with internal threats.  Plants rely extensively on support from control system vendors and system integrators and this opens the door to malware being introduced through USB devices, contractor devices that are brought into a facility, and remote support interfaces. 

Spear phishing of plant employees has been identified as the root vector for several plant attacks by sophisticated hackers.  It has also been the key vector for some of the broad-based attacks that have ultimately impacted plants.  While attackers are external to facilities, they leverage the broad system accessibility of internal people to gain privileged access to ICS equipment. 

Addressing Cybersecurity Resource Challenges

ARC research consistently shows that many industrial companies lack the resources and expertise to effectively sustain and utilize their cybersecurity technology investments.  Those that recognize how this is undermining security are finding ways to leverage external resources to fill this gap.  Several approaches are being employed: pooling ICS resources across the corporation; integrating IT and OT cybersecurity programs; and engaging the support of third parties.  The best approach depends upon a variety of factors.  Allocation of tasks among groups is another important issue that must be addressed to ensure success. 

ARC’s industrial cybersecurity survey explored these issues through several questions.  As companies are reluctant to share actual cybersecurity practices, participants were only asked to share their views regarding the best way to distribute cybersecurity responsibilities given each of the resource augmentation strategies.  Our findings follow.

ICS Cybersecurity Resource Pooling Strategies

ARC continually interacts with industrial companies across many industries and geographic regions.  We have seen a variety of approaches to pooling corporate ICS cybersecurity expertise.  Normally these programs include people who are dedicated to, and stationed within, specific plants (local resources) and people outside the plants who support many plants, business units, or the entire corporation (central resources).  People within the plants may be dedicated to cybersecurity, but more often they have non-cybersecurity roles and limited ICS cybersecurity expertise.  Their system knowledge and proximity are leveraged for tactical maintenance tasks, like patching and collection of compliance information, that require close coordination with operating personnel and direct access to ICS equipment.  Central resources, on the other hand, are generally more dedicated to cybersecurity.  They are tasked with setting cybersecurity policy, establishing standard practices, selecting technology, and providing support for complex issues and incident management. 

[Chart: Industrial Cybersecurity Survey]

Responses to ARC’s 2017 industrial cybersecurity survey reflect the general use of the approaches that many ARC clients employ.  The survey also shows a strong preference for shared responsibility in most of the activities.  This aligns with ARC’s observation that successful strategies also include consideration of ways to facilitate adoption of common practices and team building.        

IT-OT Cybersecurity Program Integration

Plant automation and IT personnel generally have a good foundation in IT and networking. But few have, or want to have, the deep cybersecurity expertise needed to manage an actual cyber incident.  Perceptions that an attack is unlikely make it difficult to justify the costs of adding additional plant resources with such expertise. 

Many companies want to leverage expertise in their IT groups to address the expertise gap.  Integrated IT-OT cybersecurity teams offer additional benefits in managing attack vectors that exploit connections between plant and corporate IT systems.  Establishing clear divisions of responsibility is essential to overcoming the cultural gaps that exist in most companies between ICS/OT and IT groups. 

[Chart: Industrial Cybersecurity Survey]

The following charts show how participants in ARC’s 2017 industrial cybersecurity survey would divide responsibilities between ICS/OT and IT groups for the many kinds of cyber assets, applications and network connections commonly found in modern control systems. 

[Chart: Industrial Cybersecurity Survey]

As with the responsibility sharing between local and central groups, survey participants encourage ICS/OT and IT groups to collaborate to manage certain assets and applications.  These are primarily cases in which conventional IT equipment and operating systems are used. 

Integration of Third-Party Cybersecurity Resources

Most industrial facilities operate with lean staffs focused primarily on operational issues like efficiency, productivity, and process optimization.  While they have maintenance staffs, many companies still rely on third parties, like automation suppliers, system integrators and other service providers to keep their production and control equipment in proper working order.  Today, this includes cybersecurity.

Cybersecurity services come with a variety of options and delivery methods.  Support can include assessments, training, configuration and patch management, incident management, and active system monitoring by cybersecurity experts.  These services may be delivered on-site or through secure remote access interfaces. 

The following chart shows how companies in ARC’s survey leverage external support groups in their ICS/OT cybersecurity programs.  Not surprisingly, companies rely extensively on external parties for plant assessments/audits and security training.  Many also leverage these resources to fill cybersecurity expertise gaps that limit their ability to monitor system events and manage incidents.  Consistent with the findings regarding use of local versus corporate groups, few plants rely upon external resources for basic security hygiene tasks like configuration and patch management, probably because these need close coordination with operations. 

[Chart: Industrial Cybersecurity Survey]

ARC’s research often finds that industrial companies have a general preference to rely on their automation suppliers’ service groups to support their control system equipment and applications because of the suppliers’ deep understanding of the technology.  Automation suppliers, in turn, want to make sure the equipment operates properly so the company will choose them for upgrades.  It is reasonable to expect that automation suppliers would also be the preferred source for ICS cybersecurity support. 

Industrial companies also try to get their service providers to accept responsibility for all service needs and all plant equipment and software.  This eliminates delays when identifying, diagnosing, and fixing a problem involves products from different suppliers.   

The industrial cybersecurity survey results suggest that the choice of cybersecurity service providers follows a different, more task-specific pattern.  While automation suppliers are preferred for security hygiene tasks, companies seem to prefer providers that highlight their ICS cybersecurity expertise to help them monitor systems for threats and manage incidents.  They also prefer training from organizations like the SANS Institute that offer a wide range of security courses for different kinds of people.   

[Chart: Industrial Cybersecurity Survey]

Industrial Cybersecurity Technology Adoption Strategies

While cybersecurity strategies involve more than technology, technology is an essential element.  Today’s cybersecurity technology can block many attacks and help companies detect/manage compromises.  All industrial facilities should be equipped with an appropriate set of endpoint, network, and system-wide security solutions.  They also need to ensure staffs have the right tools to sustain the effectiveness of each technology investment. 

ARC’s industrial cybersecurity model provides guidance for the kinds of technologies that can be used to build an effective risk mitigation strategy.  It also provides a roadmap for implementing these solutions according to a plant’s ability to sustain their effectiveness (cybersecurity maturity).  Technology investments that go beyond a plant’s resource capabilities do nothing to reduce cyber risks and can even reduce overall security if they divert limited resources from properly maintaining other, more basic technologies. 

ARC’s industrial cybersecurity survey explored technology decisions through a series of questions regarding the use and adoption plans for various kinds of technologies.  The goal was to provide users with feedback on the technologies that experienced companies use[3] or are planning to use in the short term.  This information is valuable because it reflects actual industrial concern with cyber risks, the relative effectiveness of different technologies, and the challenges faced to maintain these solutions. 

Endpoint Protection Solutions

The first level of security in ARC’s cybersecurity maturity model focuses on endpoint protection.  This is addressed through a set of steps including: developing an accurate asset inventory; system hardening; implementing access control and endpoint protection technologies; and instituting a proper vulnerability management program. 

[Chart: Industrial Cybersecurity Survey]

Endpoint protection technologies include three kinds of solutions: traditional (signature-based) anti-malware software; next-generation (signatureless) anti-malware software; and, application whitelisting. 

Not surprisingly, most companies have already implemented traditional anti-malware software.  Despite its recognized weaknesses, companies continue to spend their limited resources maintaining signatures, etc.  Other ARC research suggests that this is because companies are still concerned about common malware with known signatures.  These products also offer protection against malware intrusions through compromised USB devices. 

As indicated by the survey results, many participants believe in the underlying concepts and benefits of application whitelisting.  This is consistent with other ARC research showing that industrial people think it is a good fit for the relatively limited and static industrial IT environment.  But others have also reported difficulties in deploying and maintaining these products when the inevitable system patches and updates are required.  These people recommend that users involve their automation suppliers in any decisions to adopt application whitelisting. 

Next-generation anti-malware software should be appealing to industrial users.  It provides a way to overcome the challenges of keeping signatures updated and enables detection of file-less attacks.  The low use of next-generation anti-malware is likely due to the relative “newness” of these solutions.  Also, many of these solutions have been developed for IT environments and rely on connections to cloud services for analysis and updates, which is unacceptable in many industrial facilities that keep control networks isolated from the internet. 

Network Security Solutions

Network security solutions help plants defend perimeters, isolate control zones, and protect individual assets from suspicious commands.  They vary according to the intended use and the level of security desired. 

The high use of conventional firewalls for perimeters and zone isolation aligns with previous ARC surveys; many companies installed these defenses when conventional firewalls were the only option.  The high adoption of next-generation firewall (NGFW) solutions likely reflects the fact that these enhanced products are becoming the norm for conventional firewall suppliers and offer some additional protection, such as application-level inspection.  Automation suppliers are also using NGFW products in new systems and system upgrades. 

[Chart: Industrial Cybersecurity Survey]

ICS/OT deep packet inspection (DPI) firewalls, which understand industrial protocols and can block individual commands such as writes or firmware downloads, are a recognized compensating control for protecting cyber assets that can’t be supported by other endpoint protection methods like application whitelisting.  The low percentage of use today may reflect a lack of concern with individual asset protection or high confidence in the ability of perimeter and zone protection to stop attacks.  The high planned adoption rate may reflect increased concern with sophisticated attacks that evade conventional firewalls.    

One-way communication devices (data diodes and unidirectional gateways) are generally recognized as the most secure approach for protecting plants from external attacks, since no inbound path exists to be exploited.  But many companies tell ARC that they are concerned with the restrictions that one-way communication might impose on their ability to support broader integration of IT and OT systems.  Apparently, many companies are still unaware that product suppliers have developed solutions in this area, such as replicating servers and protocol emulation on the receiving side.     

Anomaly and Breach Detection Solutions

Anomaly and breach detection is another hot topic in ICS cybersecurity.  It includes a range of products for monitoring plant networks and endpoint assets.  This is a distinct segment of the overall anomaly and breach detection market, as industrial solutions understand the unique network protocols and controllers used in the automation systems that control critical industrial assets and infrastructure.

[Chart: Industrial Cybersecurity Survey]

ARC divides anomaly and breach detection into two major categories: endpoint breach detection solutions that assess control system integrity by monitoring the status of individual endpoint devices; and, anomalous network message detection solutions that assess system integrity by monitoring communications within the control system. Each category is further divided according to the methodology used for monitoring and evaluation.

Endpoint breach detection solutions can be classified according to the locus of the monitoring software. Agent-based solutions use software within the endpoint device to detect unexpected changes and send pertinent alerts to a central system for analysis and dissemination. Agent-less endpoint breach detection solutions utilize a separate server within the control system to periodically collect relevant information from all connected devices in a way that minimizes any effect on network bandwidth.  Changes are detected through comparisons with the latest validated versions.

Anomalous network message detection solutions passively monitor network traffic within a control system for disallowed or unusual messages and traffic patterns.  The deep packet inspection and parsing capabilities of these solutions are comparable to those of industrial protocol firewalls, but they access the network and respond to anomalies differently: rather than sitting inline and blocking, they connect passively, typically through switch SPAN (mirror) ports or network taps, and raise alerts.  Policy-based solutions rely upon users to define permitted operations and normal traffic patterns.  Behavior-based solutions include capabilities to automatically “learn” what is normal.  Data collected during a system training period is analyzed using a variety of statistical classification and machine learning techniques; a practitioner should note that anything an attacker does during the training period becomes part of “normal.”

Most users are familiar with agent-based breach detection, as this is a common approach in IT systems.  But its ICS use has been constrained because many industrial cyber assets (controllers, embedded devices, legacy operating systems) can’t support agents.  The survey results suggest that this will continue to constrain use of these solutions.  Agent-less solutions are less familiar, and early adoption has been constrained by user concern about the potential impact of active polling on time-sensitive industrial networks.  Strong growth in use could indicate that these user concerns have subsided as suppliers have addressed them. 

While anomalous message detection is a relatively new development with a relatively low level of current use, ARC is beginning to see increasing adoption, probably driven by users recognizing that these solutions can provide early warning of many kinds of system malfunctions, cyber or otherwise, and help them minimize operational disruptions.     

Industrial Cybersecurity Management Solutions

As noted earlier in this report, many industrial facilities suffer from a lack of cybersecurity resources and expertise.  Industrial cybersecurity management solutions can help alleviate this burden and enable companies to manage and sustain the security posture of industrial assets and facilities. The kinds of support provided can be classified into five categories:

  • Security Management Dashboard – Central platform for managing all security information about cyber assets, vulnerability alerts, patches, and firmware/software/hardware updates; launchpad and integration platform for a variety of security maintenance support modules.
  • Security Maintenance Support – Modules that enhance staff cybersecurity management capabilities and reduce the time required to perform security maintenance tasks like asset discovery and inventories, change and patch management, backup management, and policy compliance.
  • Remote Security Management Support – Secure remote access software/services that enable remote maintenance of cyber assets and incident response support. 
  • Incident Management Support – Security information and event management (SIEM) and other solutions that collect security event information (alerts, configuration changes, etc.) and help people analyze and deal with suspicious situations.
  • NERC Compliance Support – NERC CIP compliance reporting software

[Chart: Industrial Cybersecurity Survey]

The chart above shows the survey results for the use of cybersecurity management tools.  Consistent with ARC’s other research, most companies still lack even the most basic tools for cybersecurity management.  While 50 percent have anti-malware update tools, this still lags the 70 percent of companies using signature-based anti-malware software, which implies that a fifth of signature-based deployments are being updated by hand or not at all.  The low use of SIEM products also suggests that many companies are not monitoring security events.  The low use of integrated solutions, ARC’s recommended approach, is probably more related to the newness of these products than to lack of interest.  Hopefully, the strong rate of growth in use in every category signals that companies are recognizing and addressing their cybersecurity maintenance issues.  Enabling efficiency is a good, logical first step.  

Given the importance of cybersecurity maintenance, the ARC survey included a follow-up question regarding the kinds of features that are most needed.  This information was included to help users and suppliers focus their efforts. 

[Chart: Industrial Cybersecurity Survey]

Secure Remote Access Solutions

Remote access to industrial equipment and control systems is essential in today’s competitive environment.  Remote support from suppliers is needed to ensure high availability of complex automation and control equipment.  Remote access to smart sensors and process data underlies new industrial internet of things (IIoT) optimization strategies.  Safety risks and operating costs are driving companies to implement remote operating strategies for complex systems like off-shore platforms.

While necessary, remote access can create significant operating risks. Connections to public networks expose critical cyber assets to malware attacks that can jeopardize safety and operational continuity. Access to sensors and systems creates opportunities for theft of confidential information. People with remote access can make incorrect changes to software and undermine required change management policies.

Industrial organizations understand these security risks, and as the survey results below indicate, many have implemented some technology to secure their remote access.  The two most popular approaches are VPNs and conventional IT remote access techniques.  While these approaches provide some level of protection, they also have significant weaknesses.  A VPN protects messages in transit, but the VPN gateway’s listening ports remain visible to external networks, and the VPN does nothing to protect the plant against a compromised device or stolen credentials at the user’s end.  Conventional IT remote access solutions typically give users broad network-level access to connected cyber assets rather than access scoped to the task at hand.  ICS/OT-secure remote access solutions address these issues, but users are apparently unaware of the issues or of the availability of more appropriate solutions. 

[Chart: Industrial Cybersecurity Survey]

A proper ICS-secure remote access solution ensures proper authentication of all users before they gain access to system resources, tight control of what they can see and do while they have access (which asset, which protocol, which operations, for how long), and complete, tamper-evident auditing of everything that was done, so that any policy violation can be identified and rectified.
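The three properties just listed (authenticate, constrain, audit) can be made concrete with a small access-broker model.  The following Python is an added example for this page, not ARC’s code and not a description of any vendor’s product: a signed, time-limited grant names exactly which asset, protocol and operations a remote user may touch; every decision is written to a hash-chained log so that later editing of the log is detectable.  The user name, asset names, HMAC key and timestamps are constructed for the example, and a real broker would issue grants only after strong (ideally multi-factor) authentication, which is not modelled here.

```python
"""Session-scoped remote access: signed grants with expiry, scope enforcement,
and a hash-chained audit trail. Constructed model for illustration."""
import hashlib
import hmac
import json

# Constructed demo key; a real broker keeps this in an HSM or secrets store and rotates it.
BROKER_KEY = b"constructed-demo-key-not-for-production"


def issue_grant(user, asset, proto, ops, ttl_s, now, key=BROKER_KEY):
    """Return a token binding user, target asset, protocol, allowed ops and a validity window."""
    grant = {"user": user, "asset": asset, "proto": proto,
             "ops": sorted(ops), "nbf": now, "exp": now + ttl_s}
    body = json.dumps(grant, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + mac


def verify_grant(token, now, key=BROKER_KEY):
    """Return the grant dict if the MAC is valid and the window is open, else None."""
    body, _, mac = token.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        return None                      # forged or altered grant
    grant = json.loads(body)
    if not (grant["nbf"] <= now < grant["exp"]):
        return None                      # not yet valid, or expired
    return grant


class AuditLog:
    """Append-only JSON lines; each entry carries the SHA-256 of the previous line."""
    def __init__(self):
        self.entries = []
        self.prev = "0" * 64

    def record(self, event):
        line = json.dumps(dict(event, prev=self.prev), sort_keys=True)
        self.prev = hashlib.sha256(line.encode()).hexdigest()
        self.entries.append(line)

    def verify(self):
        """False if any entry was edited, removed or reordered after being written."""
        prev = "0" * 64
        for line in self.entries:
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line.encode()).hexdigest()
        return True


def authorize(token, asset, proto, op, now, log):
    """Decide one requested operation, log the decision, return True if allowed."""
    grant = verify_grant(token, now)
    if grant is None:
        user, decision, reason = None, "deny", "invalid, expired or forged grant"
    elif grant["asset"] != asset or grant["proto"] != proto:
        user, decision, reason = grant["user"], "deny", "target outside grant scope"
    elif op not in grant["ops"]:
        user, decision, reason = grant["user"], "deny", f"operation {op!r} not granted"
    else:
        user, decision, reason = grant["user"], "allow", "in scope"
    log.record({"t": now, "user": user, "asset": asset, "proto": proto,
                "op": op, "decision": decision, "reason": reason})
    return decision == "allow"


def run_demo():
    """Constructed scenario: a vendor engineer gets one hour of read-only Modbus to PLC-7."""
    log = AuditLog()
    t0 = 1_700_000_000
    token = issue_grant("vendor-jdoe", "PLC-7", "modbus-tcp", {"read"}, 3600, t0)
    attempts = [
        (token, "PLC-7", "modbus-tcp", "read", t0 + 60),       # in scope: allowed
        (token, "PLC-7", "modbus-tcp", "write", t0 + 61),      # op not granted
        (token, "PLC-9", "modbus-tcp", "read", t0 + 62),       # lateral move to another asset
        (token, "PLC-7", "modbus-tcp", "read", t0 + 3601),     # grant expired
        (token.replace(b'"PLC-7"', b'"PLC-9"'),
         "PLC-9", "modbus-tcp", "read", t0 + 63),              # edited grant: MAC fails
    ]
    decisions = [authorize(*a, log) for a in attempts]
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_demo()
    print(decisions, "audit chain intact:", log.verify())
```

Contrast this with the weaknesses in the text: a plain VPN would have let the engineer reach PLC-9 as soon as the tunnel was up, and an IT remote-desktop session would have allowed the write.  The hash chain does not stop an insider with write access to the log from replacing it wholesale; it only makes silent edits detectable, which is why production systems also ship the log off-box as it is written.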

A follow-up survey question shows that users need many of the key features of ICS-secure remote access solutions.  This suggests that the low adoption is driven more by lack of awareness that such solutions exist than by lack of concern about the security weaknesses of the more popular methods. 

[Chart: Industrial Cybersecurity Survey]

Research Methodology

The survey results discussed in this report were collected through a web survey of industrial companies in the fall of 2017.  The following charts show the demographics of the participants.   

[Charts: Industrial Cybersecurity Survey participant demographics]

 


[1] The terms, industrial control systems (ICS) and operational technology (OT) are used interchangeably in this report to recognize the growing use of OT to describe new and conventional control products in industrial and commercial applications. 

[3] Participants were asked to respond based on their active use of the technology, not just the fact that they have purchased the technology.  This was done to filter out technology investments that are not being maintained and fully leveraged.


 
