Organizations have been getting faster at detecting incidents in industrial control system (ICS) and other operational technology (OT) environments, but incident response is still lacking, according to a new report from the SANS Institute.
SANS’s 2024 State of ICS/OT Cybersecurity report, which is based on a survey of more than 530 professionals in critical infrastructure sectors, shows that roughly 60% of respondents can detect a compromise in less than 24 hours, which is a significant improvement compared to five years ago when the same number of respondents said their compromise-to-detection time had been 2-7 days.
Ransomware attacks continue to hit OT organizations, but SANS’s survey found that there has been a decrease, with only 12% seeing ransomware over the past 12 months.
Half of those incidents impacted either both IT and OT networks or only the OT network, and 38% of incidents impacted the reliability or safety of physical processes.
In the case of non-ransomware cybersecurity incidents, 19% of respondents saw such incidents over the past 12 months. In nearly 46% of cases, the initial attack vector was an IT compromise that allowed access to OT systems.
External remote services, internet-exposed devices, engineering workstations, compromised USB drives, supply chain compromise, drive-by attacks, and spearphishing were each cited in roughly 20% of cases as the initial attack vector.
While organizations are getting better at detecting attacks, responding to an incident can still be a problem for many. Only 56% of respondents said their organization has an ICS/OT-specific incident response plan, and a majority test their plan once a year.
SANS discovered that organizations that conduct incident response tests every quarter (16%) or every month (8%) also target a broader set of aspects, such as threat intelligence, standards, and consequence-driven engineering scenarios. The more frequently they conduct testing, the more confident they are in their ability to operate their ICS in manual mode, the survey found.
The survey has also looked at workforce management and found that more than 50% of ICS/OT cybersecurity staff has less than five years experience in this field, and roughly the same percentage lacks ICS/OT-specific certifications.
Data collected by SANS in the past five years shows that the CISO was and remains the ‘primary owner’ of ICS/OT cybersecurity.
The complete SANS 2024 State of ICS/OT Cybersecurity report is available in PDF format.
Related: OpenAI Says Iranian Hackers Used ChatGPT to Plan ICS Attacks
Related: American Water Bringing Systems Back Online After Cyberattack
Related: ICS Patch Tuesday: Advisories Published by Siemens, Schneider, Phoenix Contact, CERT@VDE
