The Year Of descriptors are done retrospectively and looking forward.
2021 from an OT and ICS Security standpoint was …
- The year when a cyber incident (Colonial Pipeline) finally had a significant impact on US critical infrastructure?
- The year of the ICS Security unicorn with multiple vendors valued at $1B+?
- A second year where Covid overwhelmed everything?
What will 2022 be best known for when we look back at OT and ICS security 12 months from now? Some candidates:
- Firmware / Software Analysis (including SBOM and VeX) of ICS Products – As I’ve predicted in 2021, this looks to be a safe bet if measured by seed, A and B round funding in late 2021 and 2022. If we look at actual use and impact in 2022, I’d bet against it. It is needed, and the products are good and getting better. 2022 will likely see it begin to move from inflated expectations to the trough of disillusionment in the hype cycle as the difficulty in using all this information sinks in.
- Increased Regulation In US And Globally – 2021 set the stage for this with the initiation of an increased US government bureaucratic infrastructure and some legislative and executive push to do this. AWWA actually proposed following a FERC/NERC CIP model for water, which could be viewed as trying to get ahead of something more onerous. A consequential attack on US critical infrastructure could be the push needed to make this a reality. The problem with that is things done quickly in government often aren’t well thought out (see TSA Pipeline requirements).
- Battle for ICS Security Services – Accenture and Deloitte have been gobbling up talent and boutique teams. Siemens, Rockwell, Yokogawa and many other vendors are pushing ICS security services. Engineering organizations like Burns & McDonnell have ICS security service companies, such as 1898 & Co. While the start-up companies in the space focus on products for margins and valuation multiples, the services market will grow much faster in 2022. This will be true even at the current level of awareness and demand. If there is an attack or regulation that jump starts demand it will be even more so. With limited ICS security professionals, recruiting, growing and retaining the team will be an even bigger deal in 2022.
How about three more that are a bit crazy, long shots.
4. Announcement of a Major Brand Virtualized PLC – There are a handful of virtualized Level 1 devices now, but nothing that is being seriously promoted by a big name. No major vendor throwing the gauntlet down saying this is the future. The benefits of virtualizing everything but I/O are huge and would change the market, perhaps not to the vendors’ benefit. If Rockwell Automation said the next evolution of Logix is the virtualized MetaLogix device or Siemens did something similar with S7 it could start the needed wave.
5. Financial Reporting And Insurance Drive ICS Cyber Risk Management – This is probably a 2023 – 2025 item, but it is possible it moves into 2022. There are already pushes for companies to be required to disclose cyber incidents to the US government. What if they were required to disclose ICS cyber risk information as part of their SEC disclosures to shareholders or disclosers to their insurers. Yes, some of this happens today, but not to the level to drive ICS cyber risk activities.
6. Widespread and Nasty ICS Focused Malware or Exploit Code – This falls into the long shot category because it hasn’t happened yet, and it’s been possible. This could be code that bricks a popular brand of PLC and has a Swiss army knife of distribution methods. Or if the attacker wants to be less nasty, maybe it just changes the IP address. For over a decade now the question is why haven’t we seen more ICS attacks. Possible reasons are there is more and easier money elsewhere for the criminals, until recently less knowledge of ICS in the attack community, the fear of blowback if you hit this kind of target, … your favorite answer here. Let’s hope 2022 is another year where we avoid this.