Survey Shows Decrease in 2023 ICS/OT Security Budgets
A recent survey conducted by the SANS Institute reveals that budgets allocated for the security of industrial control systems (ICS) and other operational technology (OT) have decreased significantly in 2023 compared to the previous year. The survey, titled the 2023 ICS/OT Cybersecurity Survey, collected responses from over 700 individuals representing organizations across various industries and geographical locations.
Decline in Security Budgets
According to the survey, more than 21% of respondents stated that their organizations do not have a dedicated budget for ICS/OT cybersecurity, a significant increase from the 7% reported in 2022. In addition, most organizations reported a decrease in their security budgets compared to the previous year.
Investing in Visibility and Anomaly Detection
Despite the overall decrease in budgets, the survey found that over 60% of organizations plan to invest in products that improve visibility into control system assets and configurations in the next 18 months. Additionally, 30% of respondents expressed their intention to invest in anomaly and intrusion detection tools for control system networks.
SANS Institute emphasizes the importance of organizations continuing to focus on their ICS cybersecurity roadmap, even if they are currently in a low budget cycle. They recommend prioritizing spending on areas that provide the highest return on investment in reducing known risks. This includes investing in security awareness, leveraging ICS tools from trusted sources for assessments (such as from MITRE), adopting a risk-based approach to vulnerability management, and aligning with the five ICS cybersecurity critical controls.
Threat Vectors and Penetration Testing
The survey also highlights how threat actors gain access to ICS/OT systems. According to the respondents, the most common initial attack vector is compromise of IT systems, named by 38% of participants. Other reported vectors include engineering workstations, external remote services, and exploitation of internet-exposed applications.
Regarding penetration testing efforts, over half of the respondents said they target Level 3 and the DMZ of the Purdue Model. Level 3 includes customized OT devices that manage production, while the DMZ includes firewalls, patch management servers, application servers, and remote access servers. Additionally, more than 40% of respondents target Level 2 (HMI and SCADA systems) and Level 4 (enterprise network) during their testing.
Emulating TTPs and Leveraging Threat Intelligence
SANS Institute suggests emulating tactics, techniques, and procedures (TTPs) that cross from IT into ICS as a practical penetration testing approach. This involves starting the test from an established IT foothold, such as in Level 4, and then attempting to move into the ICS network DMZ or lower, towards traditional operating-system-based HMIs or engineering workstations.
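The two paragraphs above describe the IT-to-ICS path across Purdue levels (Level 4 into the DMZ, then Level 3 and Level 2). The following is an added defender-side example, not from SANS or the survey: it maps constructed flow records to hypothetical Purdue zones and flags any flow that skips the expected conduits, such as enterprise traffic reaching an HMI directly. The subnets, the conduit table and the log format are all assumptions made for the example.

```python
"""Purdue-level conduit check over constructed flow records (added example)."""
import ipaddress
from typing import Dict, List

# Hypothetical zone map (constructed subnets, not from the survey).
ZONES = {
    "L4": ipaddress.ip_network("10.0.0.0/16"),     # enterprise IT network
    "DMZ": ipaddress.ip_network("10.10.0.0/24"),   # patch, jump and app servers
    "L3": ipaddress.ip_network("10.20.0.0/24"),    # site operations / production
    "L2": ipaddress.ip_network("10.30.0.0/24"),    # HMI and SCADA
}

# Assumed conduit policy: only adjacent levels may talk, and enterprise
# traffic must terminate in the DMZ rather than reaching L3 or L2 directly.
ALLOWED = {("L4", "DMZ"), ("DMZ", "L4"), ("DMZ", "L3"), ("L3", "DMZ"),
           ("L3", "L2"), ("L2", "L3")}


def zone_of(ip: str) -> str:
    """Return the Purdue zone name for an address, or UNKNOWN if unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_flow(line: str) -> Dict[str, str]:
    """Parse a constructed 'key=value' flow record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def check_flows(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per flow that crosses zones outside the conduit policy."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        src, dst = zone_of(f["src"]), zone_of(f["dst"])
        if src != dst and (src, dst) not in ALLOWED:
            findings.append({"src_zone": src, "dst_zone": dst,
                             "src": f["src"], "dst": f["dst"], "dport": f["dport"]})
    return findings


# Constructed sample flows; the third and fifth bypass the DMZ/L3 conduits.
SAMPLE_FLOWS = [
    "src=10.0.5.7 dst=10.10.0.3 dport=443 proto=tcp",     # L4 -> DMZ: allowed
    "src=10.10.0.3 dst=10.20.0.9 dport=445 proto=tcp",    # DMZ -> L3: allowed
    "src=10.0.5.7 dst=10.30.0.12 dport=502 proto=tcp",    # L4 -> L2: flagged
    "src=10.20.0.9 dst=10.30.0.12 dport=502 proto=tcp",   # L3 -> L2: allowed
    "src=10.30.0.12 dst=10.0.5.7 dport=443 proto=tcp",    # L2 -> L4: flagged
]

if __name__ == "__main__":
    for finding in check_flows(SAMPLE_FLOWS):
        print(finding)
```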
Furthermore, the survey reveals that 61% of respondents rely on publicly available information for threat intelligence, while 30% rely on intelligence provided by security vendors. Additionally, more than 40% of respondents leverage information sharing partnerships, IT threat intelligence, and intelligence from ICS manufacturers or integrators to improve their OT defense posture.
Implications and Recommendations
The decrease in ICS/OT security budgets raises concerns about the overall cybersecurity posture of organizations that rely on these systems to manage critical infrastructure and operations. As the threat landscape evolves and threat actors continue to target ICS/OT systems, it is crucial for organizations to allocate sufficient resources to ensure robust security measures.
Editorial:
This decrease in security budgets may be a result of organizations prioritizing other areas of their operations or underestimating the potential consequences of a cyber-attack on their ICS/OT systems. However, as the threat landscape becomes increasingly sophisticated and attackers exploit vulnerabilities in IT systems to gain access to critical infrastructure, organizations must prioritize cybersecurity investments to safeguard against potential threats.
Internet Security:
The reliance on publicly available threat intelligence and security vendor-provided intelligence highlights the need for organizations to ensure the quality and accuracy of the information they rely on. It is crucial for organizations to establish trusted partnerships and leverage information from reputable sources to stay informed about the latest threats and implement effective defenses.
Philosophical Discussion:
This decrease in security budgets raises important questions about the underlying priorities and values of organizations. While it is understandable that organizations may need to allocate resources to various areas, neglecting cybersecurity can have severe consequences. Protecting critical infrastructure and ensuring the availability and integrity of ICS/OT systems is not only an organizational responsibility but also a societal one. Without proper investments in cybersecurity, the potential impact of attacks on these systems can have far-reaching consequences for public safety, economic stability, and national security.
Conclusion
The decrease in ICS/OT security budgets reported in the SANS survey is a concerning trend that highlights the need for organizations to prioritize cybersecurity investments. As the threat landscape evolves, organizations must allocate sufficient resources to protect their critical infrastructure and operations. Leveraging trusted threat intelligence sources, conducting thorough penetration testing, and following best practices in ICS/OT cybersecurity can help organizations mitigate risks and ensure the resilience and reliability of their systems.