Progress in addressing OT / ICS cyber risk remains painfully slow as it has over the past two decades. There is progress, and the fact that we are seeing the increased attention and are achieving progress during these Covid years is worth highlighting at year’s end.

Consequence

The long awaited Bochman / Freeman book on the Consequence Driven, Cyber Informed Engineering was published and led the way in increased attention on reducing consequence as a risk management strategy. It’s just the start, but an important start. After an initial set of security controls that reduce the likelihood of an incident are in place, reducing the consequence of high consequence events is often the most efficient risk reduction activity.

Security people tend to flock to and lead with security controls. We need to fight this urge, get the engineers involved, and consider if consequence reduction warrants some of those OT cyber risk reduction resources.

Two-Factor Authentication For ICS Remote Access

I couldn’t believe my ears. US Senators were emphasizing the importance of two-factor authentication after the Colonial Pipeline incident. Anything that helps this to be an early and omnipresent security control is progress.

ICS Security Vendor Unicorns

Dragos had a published post money valuation of $1.7B. Claroty and Nozomi likely have valuations close to $1B. And there are companies, like Armis valued at $3.4B, that are active in OT and IT. The VC community investment at all stages is of course great for ICS security product and service companies.

It’s also progress in terms of bringing solutions to market and increasing awareness of the need to address OT cyber risk at all levels in asset owner organizations.

Increased Visibility and Incident Detection

While I disagree with many on where in an ICS security program’s maturity detection systems belong, there is no disagreement that they are an important security control. Even more important for ICS due to the insecure by design devices and protocols making protection near impossible once the perimeter has been breached.

The electric sector has greatly increased its detection capability. One data point is 150 utilities are now sharing data with the US government. There is a push to increase detection in oil & gas and water & wastewater.

Not only is the amount of deployed visibility and incident detection solutions increased in 2021, but the capabilities of these solutions have also increased. The highlights are Splunk and ServiceNow releasing interfaces to pull this information in from OT focused solutions.

SBOM and VEX

Industry and government efforts, both in the US and around the world, to develop and agree upon the structure of software bills of material (SBOM) had a lot of energy and made substantial progress in 2021. The Vulnerability Exploitability eXchange (VEX) is an important addition to these efforts. The work in 2021 on this structure and proof of concept projects should have a big impact in 2022 and 2023.

Asset owners will struggle to use the torrent of information SBOMs will provide and tasks they could trigger. There are some early wins in identifying where high profile / high risk vulnerabilities are in the system. Even more important and easier is to evaluate your vendors’ control of their products. Simply, do they have a SBOM? Are many of the components they would install with their system vulnerability-ridden? What is their process for updating all of their software in the product to address published vulnerabilities?

Increased Awareness

The fact that there are many asset owners just beginning their OT/ICS security program is depressing in one sense. For those who have been in the ICSsec community for years or decades and seen so many events that are eye-openers or game-changers, it is hard to believe the need for OT cyber risk management is not well understood in the executive suite. Universally, it isn’t yet.

Still 2021 saw many companies whose ICS produce their product or service for which the company exists finally get awareness of OT cyber risk at the executive and board level. Awareness leading to resources.

—–

On an individual basis I know that most in the community continue to push to improve OT and ICS security on a day to day, week to week, month to month basis. It’s a slog with sometimes steps backwards. Asset owner by asset owner progress is being made. Hopefully you can recognize it and celebrate it, if only for an hour or day.

My hope for 2022 is we can accelerate our progress and find creative ways to reduce OT cyber risk.