Increase In Community Size/Talent and “The Dip”

In December I was preparing my 15-minute mini-keynote to kick off S4x20 in January, and I was having a hard time finding anything truly unique or any significant change in ICS security in 2019. So I asked eight people I respect in the ICS security community what they thought was significant in 2019. The answers were essentially … nothing.

It hit me, seeing and talking to the 719 people at S4, that the big change in ICS security in 2019 was the growth in ICS security professionals, in both numbers and skills. I’m still very concerned that we are spending a large amount of our time doing the wrong things, but it is necessary to have this larger community to have any chance of success.

The larger numbers are most notable in the ICS security teams at the consulting companies. There are many teams with 15, 25 or even 50+ ICS security pros, and these numbers at least doubled in 2019. There is similar growth in the ICS security product companies, with a handful having more than 100 employees.

The increased numbers at the asset owners are less visible. Still, there were two data points. First, we saw asset owners send more people to the event, some experienced and some entering the field. Second, in discussions with the asset owner attendees I ran into fewer examples where the attendee was THE OT security person at the asset owner. Instead they were part of an expanding team, built on all different models: an OT security group, an OT expert in IT, etc.

The Dip (or The Pause)

At S4, I continued asking some in the community why they thought it was a slow year in attacks, defense, regulation and other areas. I wish I could credit the specific people who led me to the conclusion below; it was a whirlwind four days. My conclusion is that we are at a dip or a pause, as people are absorbing and learning before making the next major advances, which we will see in 2020 or 2021.

On the offense / attack side, adversaries are learning how IT-style attacks can be used in OT, as well as the unique ways to attack and cause high consequence events in an ICS. The 2016 attack on the Ukrainian electric sector and Triton showed that a Stuxnet-level effort is not required to cause a physical impact. Ransomware leaking into ICS is likely leading to thoughts of ransomware in PLCs. Perhaps this pause is while the adversaries are putting together their teams (hacker / engineer / automation pro) and their kits to launch these new attacks.

On the ICS security product side we saw a flurry of new products and capabilities in 2017 and 2018. 2019 was a year of marginal improvement and, even more, of early adopter asset owners trying to use these new offerings. This is not easy. Even the early adopters don’t need more new offerings now. Better, yes, but not more. This product dip or pause is likely to be longer, at least through 2020, with asset owners getting a handle on asset management, detection and incident response. Related managed services may move faster as asset owners realize the talent and team required to get the benefits.

A final example is cloud-based ICS security services. GE’s Digital Ghost example at S4x19 showed the potential of using digital twins and process variable anomaly detection to identify sensor data that was not physically possible given the process. We saw little in the way of commercial efforts to pursue this approach. I keep wondering when deep packet inspection (DPI) deployed at the edge will be combined with cloud services to not only specify, but also enforce, what control capabilities are allowed from ICS vendors and service providers in the cloud. We still live in a world, in almost all cases, where asset owners have to choose between one-way (outbound only) connectivity and unlimited two-way connectivity with no function code, coil, register or point restriction for cloud services.
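As an added illustration of the enforcement piece described above (this is example code written for this page, not code from the original post, from GE or from any product named here), the block below is a minimal edge DPI filter for Modbus/TCP. It parses the MBAP header and the start of the PDU, then applies a default-deny policy keyed on function code and register / coil address range, so a cloud service can be limited to, say, reading a block of holding registers and writing a single setpoint. Modbus/TCP is assumed as the protocol because its function codes and register addresses map directly onto the "function code / coil / register / point" restriction in the text; the policy, the "cloud analytics" service and every frame in `SAMPLE_FRAMES` are constructed for the example.

```python
"""Edge DPI allowlist for Modbus/TCP requests arriving from a cloud service.

Added example, not from the original post. The policy and the sample frames
are constructed; in a real deployment this check would run on the OT edge
device between the cloud connector and the controller.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Public Modbus function codes handled by this filter.
READ_COILS, READ_DISCRETE_INPUTS = 0x01, 0x02
READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS = 0x03, 0x04
WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER = 0x05, 0x06
WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS = 0x0F, 0x10

_RANGE_FCS = {0x01, 0x02, 0x03, 0x04, 0x0F, 0x10}  # PDU starts (start, quantity)
_SINGLE_FCS = {0x05, 0x06}                          # PDU starts (address, value)

# function code -> inclusive (low, high) address ranges; anything absent is denied.
Policy = Dict[int, List[Tuple[int, int]]]


@dataclass
class ModbusRequest:
    unit_id: int
    function_code: int
    start: int  # first coil/register address the request touches
    count: int  # number of consecutive points it touches


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and enough of the PDU to know which points are touched."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc, pdu = frame[7], frame[8:]
    if fc in _RANGE_FCS or fc in _SINGLE_FCS:
        if len(pdu) < 4:
            raise ValueError("truncated PDU")
        if fc in _RANGE_FCS:
            start, count = struct.unpack(">HH", pdu[:4])
        else:
            start, count = struct.unpack(">H", pdu[:2])[0], 1
    else:
        # Diagnostics (0x08), file records, vendor codes: not parsed, so never allowed.
        raise ValueError(f"unsupported function code 0x{fc:02x}")
    if count == 0:
        raise ValueError("quantity of zero is not a valid request")
    return ModbusRequest(unit, fc, start, count)


def check_policy(req: ModbusRequest, policy: Policy) -> Tuple[bool, str]:
    """Allow only if the whole span [start, start+count-1] fits one permitted range."""
    ranges = policy.get(req.function_code)
    last = req.start + req.count - 1
    if ranges is None:
        return False, f"fc 0x{req.function_code:02x} not in allowlist"
    for lo, hi in ranges:
        if lo <= req.start and last <= hi:
            return True, f"fc 0x{req.function_code:02x} addresses {req.start}-{last} permitted"
    return False, f"fc 0x{req.function_code:02x} addresses {req.start}-{last} outside allowlist"


def filter_frame(frame: bytes, policy: Policy) -> Tuple[bool, str]:
    """Default deny: malformed or unparsed frames are dropped, never forwarded."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return False, f"dropped: {err}"
    return check_policy(req, policy)


def build_request(unit: int, fc: int, body: bytes, tid: int = 1) -> bytes:
    """Build a Modbus/TCP request frame (used only to construct sample traffic)."""
    pdu = bytes([fc]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed policy for a hypothetical cloud analytics service: read holding
# registers 0-99 and input registers 0-49, write exactly one setpoint (register 40).
CLOUD_ANALYTICS_POLICY: Policy = {
    READ_HOLDING_REGISTERS: [(0, 99)],
    READ_INPUT_REGISTERS: [(0, 49)],
    WRITE_SINGLE_REGISTER: [(40, 40)],
}

# Constructed sample frames, including the edge cases the filter must reject.
SAMPLE_FRAMES = {
    "read 10 holding regs from 0": build_request(1, READ_HOLDING_REGISTERS, struct.pack(">HH", 0, 10)),
    "read 10 holding regs from 95": build_request(1, READ_HOLDING_REGISTERS, struct.pack(">HH", 95, 10)),
    "write setpoint reg 40": build_request(1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 40, 1500)),
    "write reg 41": build_request(1, WRITE_SINGLE_REGISTER, struct.pack(">HH", 41, 0)),
    "write multiple regs at 40": build_request(1, WRITE_MULTIPLE_REGISTERS, struct.pack(">HHB", 40, 1, 2) + b"\x05\xdc"),
    "diagnostics fc 8": build_request(1, 0x08, struct.pack(">HH", 0x0001, 0)),
    "truncated frame": b"\x00\x01\x00\x00\x00\x06\x01",
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        ok, why = filter_frame(frame, CLOUD_ANALYTICS_POLICY)
        print(f"{'ALLOW' if ok else 'DENY '} {name}: {why}")
```

Two design points matter here. The read of registers 95-104 is denied even though it starts inside the allowed range, because a span check on the whole request is what stops a "read 100 registers from 0" from walking past the permitted block. And the block write at register 40 is denied even though a single write to 40 is allowed: the policy is keyed on function code, so granting one write path does not silently grant the others.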

There are more examples. Ask yourself: what was the big thing in ICS security that happened in 2019? If you have an answer, leave it in the comments. I don’t believe the major changes and excitement are over. 2019 was a time when many areas were just catching their breath.

2020 Hopes

If I write an article like this in 2021, I hope these two significant items will have been achieved in 2020.

  1. The ICS security community shifted its attention and efforts away from “cyber hygiene” and put its energy into tasks and projects focused on risk reduction.
  2. The ICS security community improved a great deal in communicating and working with executives. Item 1 would help with this.