While there seems to be interest in the OT/ICS cyber threat landscape, it’s truly a challenge to paint an accurate picture when organizations don’t report incidents – it’s like trying to paint a beautiful sunset with only black and white. Nonetheless, some organizations develop surveys with questions believed to capture the perceived issues and challenges in order to at least cover the broad strokes. The latest such survey report comes from the SANS Institute, for which 480 of your OT/ICS peers have spoken – A SANS 2021 Survey: OT/ICS Cybersecurity. Despite the findings, the report states the threat and risk landscape remains somewhat opaque and highlights that incidents often go unreported and insufficiently investigated. Specifically, “Public reporting on cyber incidents impacting OT networks is not broadly available. The community would benefit from more transparent reporting data, which might allow us to study these incidents further to better implement defensive measures to protect our operations.” While there is nothing wrong with these statements, it is recognized that organizations are often reticent to publicly share for fear of perceived negative stigma (among other things). But that’s where sector/industry ISACs shine – if organizations would simply report incidents to their sector ISAC, reports do not need to be made public, but could be anonymized and still reported to benefit the sector as a whole, essentially painting a better representation of the cyber threat landscape.

In addition to the challenges brought about by lack of reporting, other notable survey findings include the top three sectors believed most likely to have a successful ICS compromise with impact to the safe and reliable operations of the process – energy, healthcare and public health, and water/wastewater, respectively. Interestingly, the report indicates that most respondents did not select their own sector as most likely to have an impactful compromise, so it seems the results appear to be consistent with the high-profile incidents that have been widely reported – Colonial Pipeline, Oldsmar, and the overwhelming attacks against healthcare organizations.

Furthermore, other key insights in the survey report correlate with multiple initiatives undertaken by or in partnership with WaterISAC. For instance, similar results were obtained in the recent survey from the WSCC, Cybersecurity: 2021 State of the Sector, most notably the challenge of insufficient cybersecurity labor resources. Likewise, other challenges fall in-line with guidance from WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities, such as the need for asset inventories, vulnerability management, monitoring, governance, and network segmentation – including the importance of securing initial attack vectors such as external remote services, internet accessible devices, and other public-facing applications from exploitation. To review many more insights and to download the survey, visit SANS (this does require a login). Likewise, Nozomi Networks has also written an overview for quick reference.