Cyber risk, and ICS cyber threat in particular, could be charted as a growing wave, with perceived risk increasing every year, about to crash … until the COVID-19 pandemic. The diagram below is from the Solarium report issued just last month, although the chart is from a Pew Research Center Survey in Spring 2018. Cyber attacks were perceived to be the most likely major threat to Americans.
There has been a steady stream of articles since that Spring 2018 survey highlighting (hyping?) ICS cyber threat. Those active in the sector know the insecure-by-design nature of most of the protocols and systems, and researchers and hackers have turned their attention to ICS and identified numerous vulnerabilities and a poor state of security in the products. Despite these issues and agreement by most in the know that many sectors could suffer large losses if targeted, the loss amount related to the ICS cyber threat remains very low, tiny in fact. One of the most common questions ICS security experts get is “why don’t we see more successful attacks on ICS?”
There have been a handful of high profile incidents, such as Stuxnet, Triton and Ukraine Power, and little else. Most of the cyber security incidents in the last three years that have affected ICS and resulted in losses, directly or indirectly, have been ransomware and other malware that is not ICS targeted. ICS and the products and services they create have been collateral damage.
While the actual risk related to the actual ICS cyber threat is an important question, perceived risk can be more important because it is what drives action and behavior. Now that we have a real pandemic with real losses, and one that was not generally perceived as a likely threat by most businesses, how will this affect the perception of, and the actions to address, the ICS cyber threat?
My answer is perceived ICS cyber threat will move from a pre-Corona wave to a 2020 – 2021 Corona-recovery barbell as depicted below.
The right side of the barbell, with a strong perceived threat, will be the sectors and market leaders who have been addressing ICS cyber related risk for over ten years: the large petrochemical vendors, early adopter/enlightened water systems, and electric utilities who have had regulatory requirements. The understanding of ICS cyber threat is baked into these organizations.
The other component of the right side will be newcomers to ICS. Sectors where ICS are being put in or becoming much more critical to revenue generation. Data centers are one example. Smart buildings are another. Sectors like these often go into any system assuming it is not acceptable to be insecure by design. That security is a part of the solution and cost.
The left side of the barbell is everything else. It’s organizations and sectors that didn’t want to spend resources on ICS security and now may be fighting for survival. There is an old saying in the ICS world that places that don’t have power or water don’t care if a new plant that will provide that is cyber secure. Right or wrong, interest in spending money on ICS cyber security in a serious budget cutting environment is going to be low for many if there is not solid loss data. Since executive management is responsible for managing risk, perceived ICS cyber threat must decrease or they are not doing their jobs. At a minimum the perceived ICS cyber threat relative to other threats to the business, security and others, must be reduced.
The perceived ICS cyber threat and readily available funding over the past five years have resulted in a large and unsustainable number of ICS security product and service companies. The economic downturn will accelerate the shakeout in this ICS security market, and the amount of threat promotion will increase from an already high level. Any subtleness will be overwhelmed by business survival needs.
While the vendor promotion of ICS cyber threat is likely to grow from an already high level, we may actually see a decrease in the coverage of it by the media. These stories may get fewer clicks when a real threat is causing so much real harm. And I’ve been wondering when the public would tire of ICS security hacking as they do of most other issues over time.
This is likely a temporary shift in perceived threat. The wave may never be as large again relative to other perceived threats, but it will swell again. And for good reason in my opinion. I believe it is only a matter of time before criminals start seeing the value of PLC bricking ransomware and other financially motivated techniques, and the defend forward / cult of the offensive approach to cyber weapons and related warfare is likely to lead to incidents as limits are tested and exceeded.