Survey

The State of ICS/OT Cybersecurity in 2022 and Beyond

Written by Dean Parsons
October 2022
2022 SANS Institute

Executive Summary

The industrial control system (ICS)/operational technology (OT) security community is seeing attacks that go beyond traditional attacks on enterprise networks. Given the impacts to ICS/OT, fighting these attacks requires a different set of security skills, technologies, processes, and methods to manage the different risks and risk surfaces, setting ICS apart from traditional IT enterprise networks. Adversaries in critical infrastructure networks have demonstrated knowledge of control system components, industrial protocols, and engineering operations. From the previously observed impactful attacks, such as CRASHOVERRIDE[1] in the electric sector, human machine interface hijacking through remote access[2] in water management, and ICS-specific ransomware[3] in the manufacturing and energy sectors, to the more recent Incontroller/PIPEDREAM[4] advanced scalable attack framework targeting multiple ICS sectors, ICS/OT attacks are more disruptive, with the possibility of physically destructive capabilities. Threat intelligence supports the fact that industrial security defenders across all sectors must address new challenges and face serious threats.

The 2022 SANS ICS/OT Cybersecurity survey results reveal several changes and a significant focus on ICS operational improvements; however, progress in key areas needs more emphasis to defend our critical infrastructure into the future. Industrywide insights from this survey include:

- Significant change in who is being called to perform ICS incident response
- A shift in the responsibility for implementing security controls in ICS/OT
- Continued value and investment in ICS-specific training and skillset development
- Steady increase in obtaining the benefits of an ICS asset inventory
- A more dedicated focus on ICS operations
- A significant uptake in ICS-specific threat intelligence for active threat-hunt defense
- Industry struggles on actions related to threat detection coverage
- Continued adoption of the MITRE ATT&CK for ICS framework

IT and ICS/OT Security Differences Defined[5]

ICS/OT assets are often compared to traditional IT assets; however, traditional IT assets focus on data at rest or data in transit. ICS/OT systems monitor and manage data that makes real-time changes in the real world, with physical inputs and controlled physical actions. Some of the technical differences that set ICS apart from IT are: the prioritization of passive asset discovery and passive threat detection, low-bandwidth sites, critical yet legacy devices, proprietary engineering protocols, engineering systems not running traditional endpoint operating systems, and requirements for engineering hardware to be ruggedized and operate extremely reliably in harsh and even hazardous environments, to name a few.

[1] “Alert (TA17-163A), CrashOverride Malware,” www.cisa.gov/uscert/ncas/alerts/TA17-163A
[2] “Alert (AA21-042A), Compromise of U.S. Water Treatment Facility,” www.cisa.gov/uscert/ncas/alerts/aa21-042a
[3] “Ekans/Snake NJCCIC Threat Profile,” www.cyber.nj.gov/threat-center/threat-profiles/ransomware-variants/ekans-snake
[4] “Alert (AA22-103A), APT Cyber Tools Targeting ICS/SCADA Devices,” www.cisa.gov/uscert/ncas/alerts/aa22-103a
[5] “The Differences Between ICS/OT and IT Security,” February 1, 2022, www.sans.org/posters/the-differences-between-ics-ot-and-it-security

It's these primary differences between IT and ICS/OT industrial systems that drive differing requirements for incident response, environment and safety concerns, cybersecurity controls, engineering, support, system design, threat detection, and network architecture. This is because IT focuses on the digital data world, whereas ICS/OT focuses on the physical and safety world.

The 2022 SANS ICS/OT survey received 332 responses representing a wide range of industrial verticals from the energy, chemical, critical manufacturing, nuclear, water management, and other industries. See Figure 1. Of the 63 subcategories across these verticals, many respondents are subclassified in electricity, oil and gas, equipment manufacturing, specialty chemicals, transportation equipment manufacturing, drinking water, and engineering services.

[Figure 1. Demographics of the Survey Respondents. Panels: Top 4 Industries Represented (each gear represents 5 respondents); Organizational Size: Small (up to 1,000), Small/Medium (1,001 to 5,000), Medium (5,001 to 15,000), Medium/Large (15,001 to 50,000), Large (more than 50,000) (each building represents 10 respondents); Top 4 Roles Represented: Business Manager, Operations Manager/OM/OIM, ICS/OT Cybersecurity Analyst, ICS/OT Security Architect (each person represents 5 respondents); Operations and Headquarters, with operations (Ops) and headquarters (HQ) counts per region.]

Twenty-two percent of survey respondents consider the current cybersecurity threats toward ICS as severe/critical, whereas 41% consider them to be high. This represents a slight but steady increase year over year across 2019 (38%), 2021 (40%), and 2022 (41%). Nearly 80% of respondents have roles that emphasize ICS operations, compared with 2021 when only about 50% did. Those indicating their roles emphasize both ICS and business-related activities suggest there is still a convergence in responsibilities, even though the areas have different missions, skillsets needed, and impacts during a security incident. Overall, respondents are spending most of their time on ICS operations. See Figure 2.

People in the ICS security workforce are in high demand. Hiring managers may be looking for specific ICS certifications. Existing employees may look to options to increase their knowledge or solidify their career path by obtaining accreditation in ICS security specifically, for example, in ICS active defense and incident response.[6]

Convergence: Where Are We?
Traditional off-the-shelf operating systems, commonly seen in office environments, have been used in the upper levels of control networks for decades to help automate engineering operations. Given they have a mission of engineering and safety, they should be maintained and secured differently than traditional IT assets; that is, they should be treated, managed, maintained, and secured as ICS/OT assets.

ICS/OT Is the Business

Facilities recognize the business is the control systems running critical engineering assets, and they must be protected for business survival. With the evolution of new attack frameworks, legacy devices, evolving technology options, and resource constraints, the biggest challenge with securing control systems technologies and processes is the technical integration of legacy and aging ICS/OT technology with modern IT systems. Facilities are confronted with the fact that traditional IT security technologies are not designed for control systems and cause disruption in ICS/OT environments, and they need direction on prioritizing ICS-specific controls to protect their priority assets.

[Figure 2. Primary Responsibilities. Question: In your role, what is the primary emphasis of your responsibilities? IT/ICS operations 58.0%; Both 20.2%; IT/business enterprise 18.4%; Other 3.3%.]

Across the verticals, the data continues to reveal that industrial control system security training and certification is sought after. Slightly more than 80% of respondents hold certifications relevant to control systems security. This is a significant jump from 54% in 2021, and shows continued industry investment in the value of certification. SANS certifications account for the top two categories: Global Industrial Cyber Security Professional (GICSP) (49%) and Global Response and Industrial Defense (GRID) (27%).

[6] “Protect Control Systems and Critical Infrastructure with GRID,” September 3, 2021, www.sans.org/blog/protect-control-systems-and-critical-infrastructure-with-grid

See Figure 3 for the biggest challenges faced in securing ICS/OT technologies and processes. These are ranked as:

1. Legacy and aging OT technology must be technically integrated with modern IT systems.
2. Traditional IT security technologies are not designed for control systems and cause disruption in OT environments.
3. IT staff does not understand OT operational requirements.
4. There are insufficient labor resources to implement existing security plans.

We can deal with these challenges with guidance in the people, process, and technology categories as follows:

People
The support for training in the ICS area is clear. Organizations recognize its value and will do well to obtain and retain ICS-specific skilled resources; however, they may need to be flexible in hiring and look harder for the required skillsets.

Process
Security leaders will do well to ensure their teams leverage technology suited for control systems. ICS security managers should continue to strengthen the culture in which safety is the priority (ICS security supports safety) while further educating the business on the differences between IT and ICS/OT. However, as different as the environments are, a converged technical view of security events from both helps to understand, track, and defeat threats to the overall business.

Technology
Integrating newer systems with legacy components presents a challenge that evolving and innovative technologies from ICS vendors can assist with. Facilities are reminded to test solutions and ensure ICS operations and security-specific questions are not only answered, but also demonstrated in a development environment through a proof-of-concept engagement with vendors before technology purchase and deployment.

Aging engineering systems and technology challenges, together with insufficient labor resources to implement existing security plans, make for a challenging ask of ICS security teams. Without a diligent ICS awareness campaign and specific ICS technology and processes deployed, the adversaries will have the upper hand.

[Figure 3. Biggest Challenges in Securing OT Technologies and Processes. Question: What are the biggest challenges your organization faces in securing OT technologies and processes? Select all that apply. Options: technical integration of legacy and aging OT technology with modern IT systems; traditional IT security technologies are not designed for control systems and cause disruption in OT environments; IT staff does not understand OT operational requirements; insufficient labor resources to implement existing security plans; other. Values shown: 54.3%, 51.8%, 47.7%, 36.7%, and 2.5% (other).]

ICS Security Is Not a “Copy/Paste” of IT Security

There's a misconception that IT security practices can be directly applied to ICS environments. Although there's a wealth of knowledge available from IT security, a “copy and paste” of IT security tools, processes, and best practices into an ICS could have problematic or devastating impacts on production and safety. Examples include but are not limited to:

(1) Network and/or endpoint-based intrusion prevention systems could drop legitimate engineering commands that have been flagged as malicious but are false positives. These could be actual legitimate safety or real-time control system commands that are part of a facility's operation, now blocked and impeding operations and possibly safety protocols.
(2) A traditional antivirus system could incorrectly block an engineering application or process from running or executing a part of its operations due to a bad antivirus signature or heuristics-based rule, thus impeding the view, control, or safety of a control system.
(3) Vulnerability scanning could be conducted on devices that do not correctly interpret IT-type scanning software, thus rendering engineering hardware unresponsive and directly impacting the functionality and reliability of control elements, such as an active safety instrumented system.

Analysis of the top three business risks when it comes to the security of control systems is interesting. Year over year there is a downward trend on the importance of ensuring the health and safety of employees, which fell from 2nd (2019) to 7th (2021) and finally to 8th in 2022. This is surprising in a community that has historically placed so much emphasis on human safety and the protection of physical assets in potentially hazardous environments. This could be due to the community at large now having very high confidence in and coverage of ICS-specific controls in their control systems, and feeling that a compromise cannot have an impact on ensuring the health and safety of
employees in plants. Alternatively, safety could be less prioritized now, providing an opportunity to rebuild awareness that cyber incidents in ICS can cause serious, even catastrophic safety impacts to humans and physical assets. There has been no change in the top two business concerns: (1) ensuring reliability and availability of control systems, and (2) lowering risk/improving security. See Table 1.

There's an opportunity here to recall, leverage, and tie in the strong physical safety culture shared across many engineering sectors to keep employees and people safe, and then to remind ourselves that cybersecurity incidents (targeted or otherwise) can directly impact the safety of people and the environment. Compared to IT security's CIA[7] triad, ICS/OT does not have the same priorities, mission, risk surfaces, or systems; rather, the engineering safety culture, rightfully so, prioritizes safety first, is concerned about control system command integrity, requires availability of engineering systems, and maintains confidentiality internal to the ICS network. ICS/OT cybersecurity supports the safe operation of critical infrastructure, not the other way around. This may vary in some ICS sectors, however; for example, confidentiality can take a higher priority when it comes to intellectual property in pharmaceuticals (e.g., the formulas for medications or vaccines) or competitive product(s) in manufacturing.

Table 1. Top Business Concerns (percent of respondents and rank, by survey year)

Concern                                                                          | 2022: Percent, Rank | 2021: Percent, Rank | 2019: Percent, Rank
Ensuring reliability and availability of control systems                         | 53.6%, 1            | 50.3%, 1            | 52.3%, 1
Lowering risk/improving security                                                 | 39.9%, 2            | 45.5%, 2            | 34.8%, 3
Preventing damage to systems                                                     | 30.4%, 3            | 27.2%, 3            | 27.7%, 4
Preventing information leakage                                                   | 29.1%, 4            | 18.1%, 6            | 14.8%, 9
Meeting regulatory compliance                                                    | 22.9%, 5            | 19.8%, 5            | 22.3%, 5
Protecting external people and property                                          | 21.9%, 6            | 15.2%, 8            | 20.7%, 6
Providing or coordinating employee cybersecurity education and awareness programs | 17.0%, 7            | 11.2%, 11           | 10.5%, 11
Ensuring health and safety of employees                                          | 17.0%, 8            | 17.7%, 7            | 42.2%, 2
Securing connections to external systems                                         | 15.7%, 9            | 23.3%, 4            | 11.7%, 10
Creating, documenting, and managing security policies and procedures             | 13.7%, 10           | 13.1%, 9            | 8.2%, 13
Protecting company reputation and brand                                          | 13.1%, 11           | 11.6%, 10           | 17.6%, 8
Protecting trade secrets and intellectual property                               | 11.1%, 12           | 6.0%, 13            | 7.8%, 14
Preventing company financial loss                                                | 7.8%, 13            | 7.9%, 12            | 18.8%, 7
Minimizing impact on shareholders                                                | 6.9%, 14            | 3.3%, 14            | 9.8%, 12

[7] “Information Security,” https://en.wikipedia.org/wiki/Information_security

Risks to ICS and Our Critical Infrastructure

As ICS security professionals, we do not get to choose whether we are a target or what adversary group(s) target our infrastructure. However, we can select our defense teams, professional training path, security technologies, and processes for conducting ICS incident response. Looking at the ICS threat landscape, we are seeing some sectors more targeted than others; for example, this year, business services, healthcare and public health, and commercial facilities are the top three sectors deemed most likely to have a successful ICS compromise that will impact safe and reliable operations. See Figure 4. Only 11% positively reported that they had experienced an incident impacting their ICS/OT systems. Of these, most reported fewer than 50 incidents. See Figure 5. Yet even with these low numbers, disruptions could be impactful. See Table 2 for the correlation between number of events and percent disruptive.

[Figure 4. Sectors Most Likely to Be Compromised. Question: Based on your understanding of the ICS threat landscape, which sectors are most likely to have a successful ICS compromise with impact to the safe and reliable operation of the process? Choose your top three. Sectors listed: business services, healthcare and public health, commercial facilities, defense industrial base, IT, water/wastewater, nuclear, energy, chemical, government, emergency services, critical manufacturing, engineering/control systems, communications, transportation, financial services, food and agriculture, dams, other. The three highest values shown are 27.3%, 26.9%, and 25.6%.]

[Figure 5. Security Incidents in the Past 12 Months. Question: How many times did such events occur in the past 12 months? Buckets include fewer than 10, 11-20, 21-50, 51-70, and 101-500; values shown: 36.6%, 24.4%, 19.5%, 7.3%, 4.9%, 4.9%, and 2.4%.]

Table 2. Number of Events vs. Percent Disruptive (rows: percent of events that were disruptive; columns: row total, then occurrence totals in 12 months by event-count bucket, ascending)

Percent disruptive | Total  | Events, by bucket
0%                 | 2.3%   | 2.3%  0.0%  0.0%  0.0%  0.0%  0.0%  0.0%  0.0%
10%                | 22.7%  | 18.2% 0.0%  4.5%  0.0%  0.0%  0.0%  0.0%  0.0%
20%                | 25.0%  | 6.8%  9.1%  4.5%  0.0%  4.5%  0.0%  0.0%  0.0%
30%                | 22.7%  | 4.5%  6.8%  4.5%  2.3%  2.3%  0.0%  2.3%  0.0%
40%                | 13.6%  | 2.3%  2.3%  6.8%  2.3%  0.0%  0.0%  0.0%  0.0%
50%                | 9.1%   | 2.3%  0.0%  2.3%  0.0%  0.0%  2.3%  2.3%  0.0%
60%                | 2.3%   | 0.0%  0.0%  0.0%  0.0%  2.3%  0.0%  0.0%  0.0%
70%                | 2.3%   | 0.0%  0.0%  0.0%  2.3%  0.0%  0.0%  0.0%  0.0%
80%                | 0.0%   | 0.0%  0.0%  0.0%  0.0%  0.0%  0.0%  0.0%  0.0%
90%                | 0.0%   | 0.0%  0.0%  0.0%  0.0%  0.0%  0.0%  0.0%  0.0%
100%               | 0.0%   | 0.0%  0.0%  0.0%  0.0%  0.0%  0.0%  0.0%  0.0%
Total              | 100.0% | 36.4% 18.2% 22.7% 6.8%  9.1%  2.3%  4.5%  0.0%

When asked which control system components were considered at greatest risk for compromise, the top component (the engineering workstation or instrumentation laptop) remains the same as last year,
at nearly 54%. See Figure 6. This year, however, servers running commercial operating systems dropped to the third spot, while operator assets such as a human machine interface (HMI) or operator workstation took over the second spot at 43%, a notable jump from 32% the prior year. This could be attributed to the increased reporting from ICS threat intelligence showing how ICS adversaries now more than ever are “living off the land” in the control environments. It is surprising that the plant historian is ranked second to last at 4%, given threat intelligence has illustrated data historians could be targeted for sensitive data exfiltration, are among the top five critical assets to protect,[8] and are used by adversaries as pivot points from an IT compromise into the ICS networks.

ICS attack groups have been observed “living off the land”; that is, abusing systems, features, and industry protocols native to industrial environments, turning control systems against themselves. Some examples of living off the land are an attacker gaining access to an HMI with legitimate operator access but then using the HMI commands against the process to, for example, open circuit breakers in the field in an electric substation or change the chemical mixture in a water treatment facility. No malware is used to cause the impact; rather, the adversaries are using built-in and legitimate engineering software, features, and/or ICS protocols to cause impacts. Living off the land can be seen as far back as HAVEX[9] in 2014, more recently with the tailored CRASHOVERRIDE[10] ICS-specific framework targeting electric power, and the 2022 discovery of the Incontroller/PIPEDREAM[11] scalable ICS attack framework.

[Figure 6. Components at Greatest Risk for Compromise. Question: Which control system components do you consider at greatest risk for compromise? Select your top three in each category in no particular order. Components listed: engineering assets (engineering workstations, instrumentation laptops, calibration and test equipment) running commercial OS (Windows, Unix, Linux); operator assets (HMI, workstations) running commercial OS (Windows, Unix, Linux); server assets running commercial OS (Windows, Unix, Linux); connections to the field network (SCADA); connections to other internal systems (office networks); remote access (VPN); non-routable remote access (modems, VSAT, microwave); physical access systems; control system applications; control system communication protocols; field devices (sensors and actuators); embedded controllers or components (e.g., PLCs, IEDs); plant historian; cloud-hosted OT assets; mobile devices (laptops, tablets, smartphones); network devices (firewalls, switches, routers, gateways); OT wireless communication devices and protocols (Zigbee, WirelessHART, RF); other. Highest values shown: 53.7% (engineering assets), 42.8% (operator assets), 40.3% (server assets); the remaining values shown range from 0.0% to 24.4%.]

[8] “Top 5 ICS Assets and How to Protect Them,” www.sans.org/webcasts/top-5-ics-assets-and-how-to-protect-them
[9] “ICS Alert (ICS-ALERT-14-176-02A), ICS Focused Malware (Update A),” https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-14-176-02A
[10] “CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations,”
[11] “Alert (AA22-103A), APT Cyber Tools Targeting ICS/SCADA Devices,” www.cisa.gov/uscert/ncas/alerts/aa22-103a

When changing the question to ask which ICS components are considered to have the greatest impact to the business if compromised or exploited, we see some alignment with the prior question. However, we must not forget to protect programmable logic controllers (PLCs), IEDs, and other embedded components (20%) from impacts through the manipulation of controller logic, unauthorized engineering configuration changes, or an unauthorized industrial control system network-based device (15%). See Figure 7. Engineering systems, although not equipped for traditional anti-malware agents, can be protected through network-based ICS-aware detection systems and industrial-based network architecture practices. Additionally, as part of on-going engineering maintenance tasks for field devices, log capture or log forwarding and regular controller configuration verification are achievable ways to start protecting these critical assets.

ICS Vulnerability Management and Patching

Once safety risks and operational impacts from a cyberattack are seen, it's too late. So, looking for threats and vulnerabilities proactively is the most effective approach to defense and operational resilience. Most respondents (60%) use passive monitoring, with a network sniffer being the primary method (and arguably the safest approach) for vulnerability detection in hardware and software. See Figure 8. The second most common method is continual active vulnerability scanning. It is still important to note that active vulnerability scanning can be risky for legacy or other devices unable to properly interpret aggressive or unexpected network scan traffic. However, vendors have caught on to using safer methods, like active querying using native ICS protocols, to obtain asset and vulnerability data. Ranking third is comparing configuration and control logic programs against known-good logic versions.

[Figure 7. Components with the Greatest Impact If Compromised. Question: Which control system components do you consider would have the greatest impact if compromised and exploited? Select your top three in each category in no particular order. Same component list as Figure 6. Highest values shown: 51.2%, 39.8%, and 36.3%; the remaining values shown range from 0.0% to 25.4%.]

[Figure 8. Processes for Detecting Vulnerabilities. Question: What processes are you using to detect software or hardware vulnerabilities within your control system networks? Select all that apply. Passive monitoring using a network sniffer (deep packet inspection) 59.9%; continually using an active vulnerability scanner 49.7%; comparison of configuration and control logic programs against known-good 41.6%; actively working with vendors to identify and mitigate vulnerabilities during FAT and SAT 40.6%; monitoring for notifications as they are publicly available (vendors, CERTs, etc.) 34.5%; periodic scanning during system downtime and waiting for our ICS vendors to tell us or send a patch, 36.5% and 34.5%; other 2.5%.]
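Regular controller configuration verification and log forwarding (suggested above as maintenance tasks for field devices) and the comparison of configuration and control logic against known-good versions (ranked third in Figure 8) come down to one routine: fingerprint the exports taken after a validated change, keep those fingerprints as the baseline, and report every deviation in a form the site's log collector can ingest. The block below is an added example, not code from the report or from SANS; the controller names, file names and export contents are constructed, and it assumes the engineering tool has already written each controller's program and configuration to files, so it covers only comparison and reporting, not retrieval from the controllers.

```python
"""Controller configuration verification against a known-good baseline.

Added example (not code from the SANS report). It assumes an engineering tool
has already exported each controller's program/configuration to files; the
controller and file names are placeholders and the contents are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed exports captured right after a validated engineering change.
BASELINE_EXPORTS = {
    "PLC-01/main_routine.l5x": b"<RLLContent>XIC Start XIO Stop OTE Pump1</RLLContent>",
    "PLC-01/config.json": b'{"ip": "10.10.5.21", "mode": "run", "keyswitch": "locked"}',
    "IED-07/settings.cid": b"<IED name='IED-07'><Protection ocPickup='1200A'/></IED>",
}

# Constructed exports pulled on a later maintenance cycle: one unchanged, one
# changed (remote mode, keyswitch unlocked), one controller missing, one new file.
CURRENT_EXPORTS = {
    "PLC-01/main_routine.l5x": b"<RLLContent>XIC Start XIO Stop OTE Pump1</RLLContent>",
    "PLC-01/config.json": b'{"ip": "10.10.5.21", "mode": "remote", "keyswitch": "unlocked"}',
    "PLC-01/unknown_routine.l5x": b"<RLLContent>OTU Interlock</RLLContent>",
}


def fingerprint(data: bytes) -> str:
    """SHA-256 of the raw export; byte-for-byte identity is the 'known-good' test."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(exports: dict[str, bytes]) -> dict[str, str]:
    """Record the fingerprint of every validated export; store it with the change record."""
    return {name: fingerprint(data) for name, data in sorted(exports.items())}


def verify(baseline: dict[str, str], current: dict[str, bytes]) -> dict[str, list[str]]:
    """Classify every artifact as unchanged, modified, missing, or unexpected."""
    result: dict[str, list[str]] = {"unchanged": [], "modified": [], "missing": [], "unexpected": []}
    for name, good_hash in baseline.items():
        if name not in current:
            result["missing"].append(name)       # controller unreachable or export skipped
        elif fingerprint(current[name]) == good_hash:
            result["unchanged"].append(name)
        else:
            result["modified"].append(name)      # logic or configuration drift
    result["unexpected"] = sorted(set(current) - set(baseline))   # artifact not in baseline
    return result


def drift_events(result: dict[str, list[str]], site: str = "plant-A") -> list[str]:
    """Render findings as JSON lines for forwarding to a central log collector.

    Each deviation becomes its own event so a monitoring rule can alert on a
    single modified artifact; unchanged artifacts are only counted in the summary.
    """
    ts = datetime.now(timezone.utc).isoformat()
    events = []
    for kind in ("modified", "missing", "unexpected"):
        for name in result[kind]:
            events.append(json.dumps({"ts": ts, "site": site, "event": "config_drift",
                                      "kind": kind, "artifact": name}))
    events.append(json.dumps({"ts": ts, "site": site, "event": "config_verify_summary",
                              "unchanged": len(result["unchanged"]), "deviations": len(events)}))
    return events


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EXPORTS)
    for line in drift_events(verify(baseline, CURRENT_EXPORTS)):
        print(line)
```

Run on the constructed data, the verification reports `PLC-01/config.json` as modified, `IED-07/settings.cid` as missing and `PLC-01/unknown_routine.l5x` as unexpected, with one unchanged artifact in the summary. A missing export is reported rather than silently skipped because an unreachable controller is itself a finding during a maintenance check, and the baseline is rebuilt only from exports taken after a validated change, so the comparison is against known-good logic rather than against whatever was last seen.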
Organizations used to spend more time monitoring for vulnerability notifications disclosed by vendors, computer emergency readiness teams (CERTs), and the like as a method of vulnerability discovery. This approach was ranked number one (61%) in 2021; however, in 2022 this method tied for second to last (35%). Also important to note is that the number of respondents choosing to apply all outstanding patches and updates during routine downtime doubled in the past 12 months. This could be because organizations are electing to try to reduce the risk of patches causing unintended impacts during production. See Figure 9.

To reduce many vulnerabilities in the first place, however, there is good return on investment in managing them during the factory acceptance testing (FAT) and site acceptance testing (SAT) phases before full production deployments. Some respondents have benefited from this, because its use has increased slightly in 2022 to 41%, up from 40% in 2021 (see Figure 8). Managing ICS vulnerabilities in FAT and SAT, however, does not replace the requirement for vulnerability management in ICS in a regular, on-going cadence.

Patching is not just about reducing security vulnerabilities. Many vendors release non-security patches to fix bugs, furthering the stability of equipment, or to add new operational features. Once security vulnerabilities are detected, facilities have several options for handling them. Many facilities (30%) are handling patches by pretesting and deploying vendor-validated patches on a defined schedule. This is a reasonable goal that lagging facilities can set on their ICS security roadmap as a next step. Only 4% of facilities are taking no action on patching; in contrast, a great goal would be to align with the 15% of respondents that are applying all outstanding patches and updates on a continuous basis.

The Oldsmar[12] event draws attention to the importance of understanding risk surfaces, vulnerability management, and secure remote access that requires multifactor authentication (MFA) for external-facing and internet-connected devices. Common open source intelligence (OSINT) exercises tailored for ICS systems can be used to uncover vulnerable or weakly secured systems directly connected to the internet and prioritize them for protection and vulnerability remediation.[13] Vulnerability management could be prioritized by patching devices directly connected to the internet first, followed by edge network firewalls and switches, remote access solutions, data historians, ICS internal core network infrastructure, critical engineering assets such as the HMIs, engineering workstations, and so on.

[Figure 9. Handling of Patches and Updates. Question: How are patches and updates handled on your critical control system assets? Select the most applicable method. Options: pre-test and apply vendor-validated patches on a defined schedule (30.2%); apply all outstanding patches and updates during routine downtime; apply all outstanding patches and updates on a continuous basis; apply vendor-validated patches on a continuous basis; layer additional controls instead of patching; take no action (don't patch or layer controls around them); unknown; other. Remaining values shown: 20.1%, 15.1%, 14.6%, 10.6%, 4.5%, 4.0%, and 1.0%.]

[12] “Alert (AA21-042A), Compromise of U.S. Water Treatment Facility,” www.cisa.gov/uscert/ncas/alerts/aa21-042a
[13] “SANS ICS Site Visit Plan,” www.sans.org/blog/sans-ics-site-visit-plan
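The patching order above (internet-connected devices first, then edge firewalls and switches, remote access, data historians, core ICS network infrastructure, then HMIs and engineering workstations) is something an asset inventory can drive directly instead of being applied by hand. The block below is an added example, not code from the report or from SANS: it takes a small constructed inventory with hypothetical host names and role labels, maps each asset to the tiers the report lists, and orders the patch queue by tier, then by whether an advisory is outstanding, then by process criticality. It goes a little beyond the text in two ways that are this example's assumptions, not the report's: a confirmed internet exposure overrides the role-based tier, and embedded controllers and unmapped roles are placed after the tiers the report names, since the report's list ends with "and so on".

```python
"""Patch-queue prioritization from an asset inventory.

Added example (not code from the SANS report). The inventory format, role names
and hosts are hypothetical; a site would replace ROLE_TO_TIER with its own
network-placement data.
"""
from dataclasses import dataclass

# Exposure tiers in the order the report suggests patching, most exposed first.
# The report's list ends with "and so on"; the last two tiers are this example's assumption.
TIER_ORDER = [
    "internet-connected",
    "edge-firewall-or-switch",
    "remote-access",
    "data-historian",
    "ics-core-network",
    "critical-engineering-asset",   # HMIs, engineering workstations
    "embedded-controller",          # PLCs, IEDs (assumed placement)
    "unclassified",                 # roles the inventory could not map (assumed placement)
]
TIER_RANK = {tier: rank for rank, tier in enumerate(TIER_ORDER)}

# Hypothetical mapping from inventory role labels to tiers.
ROLE_TO_TIER = {
    "edge-firewall": "edge-firewall-or-switch",
    "edge-switch": "edge-firewall-or-switch",
    "vpn-concentrator": "remote-access",
    "historian": "data-historian",
    "core-switch": "ics-core-network",
    "hmi": "critical-engineering-asset",
    "engineering-workstation": "critical-engineering-asset",
    "plc": "embedded-controller",
}


@dataclass
class Asset:
    name: str
    role: str
    internet_exposed: bool = False   # confirmed by an external OSINT/exposure check
    advisory_open: bool = False      # vendor/CERT advisory with no patch deployed yet
    process_criticality: int = 1     # 1 (low) .. 5 (safety-relevant), assigned by the site

    @property
    def tier(self) -> str:
        # Confirmed internet exposure overrides the role: the report puts
        # internet-connected devices first regardless of their function.
        if self.internet_exposed:
            return "internet-connected"
        return ROLE_TO_TIER.get(self.role, "unclassified")


def priority_key(asset: Asset) -> tuple:
    """Sort key: exposure tier, then open advisory first, then higher criticality, then name."""
    return (TIER_RANK[asset.tier], 0 if asset.advisory_open else 1,
            -asset.process_criticality, asset.name)


def build_patch_queue(inventory: list[Asset]) -> list[str]:
    """Asset names in the order they should enter the pre-test/deploy pipeline."""
    return [asset.name for asset in sorted(inventory, key=priority_key)]


def queue_by_tier(inventory: list[Asset]) -> dict[str, list[str]]:
    """Same ordering, grouped by tier, for planning maintenance windows."""
    grouped: dict[str, list[str]] = {}
    for asset in sorted(inventory, key=priority_key):
        grouped.setdefault(asset.tier, []).append(asset.name)
    return grouped


# Constructed sample inventory with placeholder host names.
SAMPLE_INVENTORY = [
    Asset("EWS-01", "engineering-workstation", advisory_open=True, process_criticality=5),
    Asset("HIST-01", "historian", advisory_open=True, process_criticality=3),
    Asset("FW-EDGE-01", "edge-firewall", process_criticality=4),
    Asset("VPN-01", "vpn-concentrator", advisory_open=True, process_criticality=4),
    Asset("HMI-03", "hmi", internet_exposed=True, process_criticality=5),
    Asset("PLC-07", "plc", advisory_open=True, process_criticality=5),
    Asset("SW-CORE-01", "core-switch", process_criticality=4),
    Asset("HMI-01", "hmi", advisory_open=True, process_criticality=5),
]

if __name__ == "__main__":
    for tier, names in queue_by_tier(SAMPLE_INVENTORY).items():
        print(f"{tier}: {', '.join(names)}")
```

On the sample inventory the internet-exposed HMI comes out first even though its role would otherwise place it with the other HMIs, and the two engineering assets with open advisories are ordered ahead of anything in their tier without one. The queue is an input to the pre-test and scheduled-deployment process the survey describes, not a replacement for it: each entry still goes through vendor validation and a maintenance window.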
ICS vulnerability mitigation can be prioritized by having an asset inventory combined with ICS threat intelligence to understand the ICS risk surface, and by knowing the placement of assets in the control networks (how those assets could be accessed for possible exploitation) and protecting critical assets first.

When asked who performed the most recent ICS security assessment, the most common were OT security consultants, at 27%. This was up slightly from last year's 25% and just ahead of internal IT team(s), followed by internal OT team(s). A separation may be emerging in which internal IT teams are less likely to be called on for ICS security assessments; however, it is too early to say whether it is a lasting trend at this time. Critical infrastructure owners and operators may wish to consider Critical Infrastructure Vulnerability Assessments offered by CISA.[14]

Implementing ICS Security Controls

Responsibility for implementing ICS security controls has shifted this year, with the majority of organizations claiming the responsibility belongs to the owner or operator of the ICS (38%) or the engineering manager (36%). See Figure 10. In 2021, this responsibility was most often assigned to the IT manager role, which fell to third in 2022. This shift in responsible parties appears to align with those working day to day more directly focused on engineering operations and safety. Although there are some security practices and principles applicable to both environments, organizations are realizing the enterprise IT and ICS/OT environments are not the same. They not only have different types of systems, but also have technologies that are not directly cross-compatible; the missions and risk surfaces differ, and even initial attack vectors, impacts, and approaches to incident response are different.

[14] CISA, “Critical Infrastructure Vulnerability Assessments,” www.cisa.gov/critical-infrastructure-vulnerability-assessments

[Figure 10. Position Responsible for Security Control Implementation. Question: Who in your organization is responsible for implementation of security controls around control systems? Select all that apply. Owner or operator of the control system 37.7%; engineering manager 36.2%; IT manager 30.2%; remaining options (plant system manager; corporate-level position (CIO/CISO); vendor or supplier who built the solution; external security provider (MSSP); internal auditors; other) with values shown of 21.1%, 19.1%, 15.6%, 13.6%, 7.5%, and 2.0%.]

ICS Incident Response: Identified Gaps and Impacts

We asked who would be contacted when there are signs of an infection or
 infiltration of the control system cyber assets or network. The leading resource remains a cybersecurity solution provider, reaching 57% in 2022, up from 48% in 2021. This is followed by a tie between control system vendor and engineering consultant at 35%, showing a continued upward trend for engineering consultant across 2019 (13%), 2021 (19%), and 2022 (35%). See Table 3.

A reliance on external cybersecurity solution providers for ICS does not mean a fully outsourced ICS cyber defense team; rather, it can mean augmenting internal resources with external incident response retainers to close resource gaps while the ICS security team is spinning up or starting to mature. In 2021, 40% of survey participants indicated they leveraged IT consultancy to support their ICS incident response efforts; in 2022 we see a positive and significant drop to 13%. This downward trend is a benefit because ICS-aware resources are being called in for ICS incident response instead of the suboptimal response efforts observed from IT-only experts. Internal resources fall to fourth position at 32%, compared with second position in 2021 at 44%. Overall, this shift indicates an increased reliance on external, yet ICS-specific, resources, and a sharp decline in reliance on IT consultancy for ICS incident response efforts. Facilities appear to be requiring resources specifically trained and experienced in ICS incident response to work in ICS environments.

Table 3. Who Is Contacted

                                                                  2022     2021     2019
Cybersecurity solution provider                                  56.5%    48.1%    35.6%
Control system vendor                                            34.8%    32.7%    45.6%
Engineering consultant                                           34.8%    19.2%    13.4%
Internal resources                                               32.6%    44.2%    59.0%
Non-regulatory government organizations (e.g., CISA, FBI,
  National Guard, state or local law enforcement)                23.9%    32.7%    40.6%
System integrator                                                19.6%    11.5%    15.1%
Security consultant                                              17.4%    32.7%    37.2%
IT consultant                                                    13.0%    40.4%    18.4%
Main automation contractor                                        8.7%    11.5%     8.4%
Other                                                             0.0%     3.8%     2.1%

Incident impacts in IT and ICS are different. Incidents in ICS environments range from the loss of visibility or control of a physical process to the manipulation of the physical process by unauthorized users, which can ultimately lead to serious personnel safety risks, injury, or death. The Department of Homeland Security makes an accurate statement: “Standard cyber incident remediation actions deployed in IT business systems may result in ineffective and even disastrous results when applied
 to ICS cyber incidents, if prior thought and planning specific to operational ICS is not done.”[15] When selecting and verifying incident response partners for ICS, it is vital to understand the team's ICS-specific skillsets and prior experience (anonymized case history), specifically in response to incidents in control system environments.

15 “Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability,” www.cisa.gov/uscert/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf

Initial Attack Vectors

When sharing data on the initial attack vectors involved in control system incidents, survey participants cite a compromise in IT allowing threats into the ICS/OT control networks as the highest-ranking threat vector. Interestingly, only 4% chose wireless compromise.
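The IT-to-OT vector just cited is the one respondents report most, and a later passage points to the ICS410 SCADA Reference Model for placing assets behind an ICS DMZ. As an added example, not code from the SANS report or from any vendor, here is a Python check that applies a small Purdue-style zone model to constructed boundary-firewall flow records and flags accepted connections that reach past the DMZ into site operations or control zones, or that use a port the model does not expect between two adjacent zones. The zone subnets, allowed ports, and log lines are all assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone model (an assumption for this example, not the report's data):
# each Purdue-style zone is a subnet plus a level; a lower level is closer to the process.
ZONES = {
    "enterprise":  (ipaddress.ip_network("10.0.0.0/16"), 4.0),   # Level 4/5 enterprise IT
    "ics_dmz":     (ipaddress.ip_network("10.1.0.0/24"), 3.5),   # ICS DMZ
    "site_ops":    (ipaddress.ip_network("10.2.0.0/24"), 3.0),   # historian, patch/AV server
    "supervisory": (ipaddress.ip_network("10.3.0.0/24"), 2.0),   # HMI, engineering workstations
    "control":     (ipaddress.ip_network("10.4.0.0/24"), 1.0),   # PLC, RTU, protection relays
}

# Downward flows the architecture expects, keyed (source zone, destination zone) -> TCP ports.
# Any other flow initiated from a higher level toward a lower one is a boundary violation.
ALLOWED_DOWNWARD = {
    ("enterprise", "ics_dmz"):   {443},          # IT reads the replicated historian in the DMZ
    ("ics_dmz", "site_ops"):     {5432},         # DMZ replica pulls from the site historian
    ("site_ops", "supervisory"): {4840},         # historian collects via OPC UA from supervisory
    ("supervisory", "control"):  {502, 20000},   # HMI/EWS speak Modbus/TCP and DNP3 to field devices
}

@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str

def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone name, or None if it is outside the model."""
    addr = ipaddress.ip_address(ip)
    for name, (net, _level) in ZONES.items():
        if addr in net:
            return name
    return None

def parse_flow(line: str) -> dict:
    # Constructed flow-log format: "<timestamp> <src> <dst> <dport> <ACCEPT|DENY>"
    ts, src, dst, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}

def check_flow(flow: dict) -> Optional[Finding]:
    """Return a Finding if an accepted flow crosses zones in a way the model forbids."""
    if flow["action"] != "ACCEPT":
        return None  # the boundary device already blocked it
    sz, dz = zone_of(flow["src"]), zone_of(flow["dst"])
    if sz is None or dz is None:
        return Finding(flow["ts"], flow["src"], flow["dst"], flow["dport"],
                       "address outside the zone model")
    if ZONES[sz][1] <= ZONES[dz][1]:
        return None  # same zone, or initiated from the process side upward: not this check's scope
    allowed = ALLOWED_DOWNWARD.get((sz, dz))
    if allowed is None:
        return Finding(flow["ts"], flow["src"], flow["dst"], flow["dport"],
                       f"{sz} -> {dz} bypasses the expected boundary")
    if flow["dport"] not in allowed:
        return Finding(flow["ts"], flow["src"], flow["dst"], flow["dport"],
                       f"port {flow['dport']} not expected on {sz} -> {dz}")
    return None

def audit(log_text: str) -> list:
    """Run check_flow over every non-empty line and keep the findings, in log order."""
    return [f for f in (check_flow(parse_flow(l)) for l in log_text.splitlines() if l.strip()) if f]

# Constructed sample flows (not real traffic): two show an enterprise host reaching past the DMZ.
SAMPLE_FLOWS = """\
2022-10-03T09:00:01Z 10.0.5.20 10.1.0.10 443 ACCEPT
2022-10-03T09:00:02Z 10.1.0.10 10.2.0.5 5432 ACCEPT
2022-10-03T09:00:03Z 10.0.5.20 10.2.0.5 5432 ACCEPT
2022-10-03T09:00:04Z 10.0.7.44 10.4.0.12 502 ACCEPT
2022-10-03T09:00:05Z 10.3.0.8 10.4.0.12 502 ACCEPT
2022-10-03T09:00:06Z 10.2.0.5 10.3.0.8 3389 ACCEPT
2022-10-03T09:00:07Z 10.0.9.9 10.4.0.13 20000 DENY
2022-10-03T09:00:08Z 10.4.0.12 10.3.0.8 502 ACCEPT
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Flows initiated from the process side upward are left to a separate check; the point here is the downward pivot from the enterprise network. In practice the zone map and port allowlist would be generated from the facility's asset inventory, and the findings fed to a network detection system kept in detection-only mode.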
See Figure 11. This highlights data historians and other trusted, targeted devices with connectivity to both IT and ICS/OT as likely targets. For example, data historians targeted for possible process data exfiltration could also be leveraged as a pivot point from an IT compromise into the control network(s). Risk of threats through removable media (USBs, external hard drives, etc.) is a close second. It is worth noting that 83% of respondents have a formal policy in place to manage transient device risks such as removable media devices, and 76% have a threat detection technology in place to manage transient assets. Seventy percent are using commercial threat detection tools, 49% are using homemade solutions, and 23% have deployed ad-hoc threat detection to manage this risk.

Engineering workstations have control system software that is used to program or change logic controllers and other field device settings or configurations. This critical asset could also be a mobile laptop, essentially a transient device, used for engineering device maintenance that could travel throughout facility sites or elsewhere outside the protection of a segmented plant network.

[Figure 11. Initial Attack Vectors: bar chart of responses to “What were the initial attack vectors involved in your OT/control systems incidents? Select all that apply.” Response options: Compromise in IT allowed threat(s) into OT/ICS network(s); Replication through removable media; Data historian compromise; Exploit of public-facing application; Internet-accessible device; External remote services; Engineering workstation compromise; Spearphishing attachment; Unknown (sources were unidentified); Drive-by compromise; Supply chain compromise; Wireless compromise; Other. Percentages shown (pairing with options not recoverable from the extracted text): 40.8%, 36.7%, 34.7%, 32.7%, 32.7%, 26.5%, 24.5%, 20.4%, 18.4%, 16.3%, 6.1%, 4.1%, 0.0%.]

The IT business network remains a common initial intrusion point for adversaries as a possible Stage 1 attack, helping adversaries prepare for a potential pivot into the ICS environment for an ICS Cyber Kill Chain[16] Stage 2 attack with direct impact on engineering operations. Those wishing to fortify network architecture to segment and protect the ICS network(s) from
 external networks, such as IT networks and the internet, can leverage guidance from the ICS410 SCADA Reference Model[17] on network architecture and ICS asset placement. The MITRE ATT&CK for ICS framework has recently been updated to include methods to mitigate risk in this area, tracked as Transient Cyber Asset (T0864)[18] and Replication Through Removable Media (T0847).[19]

16 “The Industrial Control System Cyber Kill Chain,” www.sans.org/white-papers/36297
17 “ICS410 SCADA Reference Model,” www.sans.org/posters/control-systems-are-a-target
18 “Transient Cyber Asset,” https://attack.mitre.org/techniques/T0864
19 “Replication Through Removable Media,” https://attack.mitre.org/techniques/T0847

Top Vectors, Top Threat Concerns

When inquiring about the top threat vectors of concern to respondents, given the influx of ransomware seen globally, it is no surprise that
ransomware, extortion, or other financially motivated crimes rank as number one (40%). See Figure 12. Even ransomware impacting IT business networks may have an impact on ICS operations. This depends on the location of ICS support services and on the network architecture, such as an ICS dependency on the enterprise resource planning (ERP) system and manufacturing execution system (MES) located on IT networks, and similar takeaways from the Colonial Pipeline[20] ransomware event. Detection and neutralization of ransomware is more complicated when the ransomware is tailored to industrial control systems, as seen with the Ekans/Snake[21] ransomware. Organizations can consider ICS-specific endpoint detection and response (EDR) technologies on traditional operating systems in Purdue Level 3 and the ICS DMZ as a control against ransomware that may propagate from IT into ICS/OT networks. Organizations must still test and verify their backup and recovery strategies on a regular cadence. This needs to include not only traditional operating systems in the ICS network, but also engineering systems, specifically the recovery of controller configuration and logic code, protection control relays, remote terminal units, and process configurations, to ensure engineering process recovery meets the facility's mean time to repair (MTTR) objectives.

[Figure 12. Top Threat Vectors: bar chart of responses to “Select the top three threat vectors with which you are most concerned.” First response option: Non-state cyberattack (non-ransomware criminal, terrorism, hacktivism). Percentages extracted from the chart (pairing with options not recoverable from the extracted text): 30.4%, 15.2%, 5.1%, 15.2%, 4.2%, 13.9%, 2.5%, 13.1%, 12.7%.]
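The recovery requirement above, restoring controller logic, relay settings, RTU and process configurations within the facility's MTTR, is one that can be checked on a cadence rather than assumed. As an added example, not from the SANS report or from any product, the following Python routine verifies a constructed backup manifest for engineering assets: each backup file is re-hashed and compared with the SHA-256 the backup job recorded, backups older than a chosen recovery window are marked stale, and inventory assets with no backup at all are reported. The file names, contents, hashes, asset list, and 7-day window are assumptions made for this example.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed backup store: file name -> bytes. A real store would be files on a
# recovery server; the bytes are embedded here so the example runs offline.
BACKUP_STORE = {
    "plc-01_logic.acd": b"PLC-01 ladder logic, revision 12\n",
    "rtu-07_config.xml": b"<rtu id='07'><points>64</points></rtu>\n",
    "relay-03_settings.rdb": b"RELAY-03 protection settings, revision 4\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed manifest as a (hypothetical) backup job would write it: one record per asset.
# rtu-07's recorded hash deliberately does not match its file, hmi-02's file is absent
# from the store, and relay-03's backup is older than the recovery window.
MANIFEST = [
    {"asset": "plc-01", "kind": "PLC logic", "file": "plc-01_logic.acd",
     "sha256": sha256_hex(BACKUP_STORE["plc-01_logic.acd"]), "taken": "2022-10-01T02:00:00+00:00"},
    {"asset": "rtu-07", "kind": "RTU configuration", "file": "rtu-07_config.xml",
     "sha256": "0" * 64, "taken": "2022-10-02T02:00:00+00:00"},
    {"asset": "relay-03", "kind": "protection relay settings", "file": "relay-03_settings.rdb",
     "sha256": sha256_hex(BACKUP_STORE["relay-03_settings.rdb"]), "taken": "2022-08-15T02:00:00+00:00"},
    {"asset": "hmi-02", "kind": "HMI project", "file": "hmi-02_project.zip",
     "sha256": sha256_hex(b"not present in the store"), "taken": "2022-10-03T02:00:00+00:00"},
]

# Engineering assets the site expects to be able to restore (taken from its asset inventory).
EXPECTED_ASSETS = ["plc-01", "rtu-07", "relay-03", "hmi-02", "sis-01"]
NOW = datetime(2022, 10, 5, tzinfo=timezone.utc)   # fixed so the example is reproducible
MAX_AGE = timedelta(days=7)                          # the site's chosen recovery-point window

def verify_entry(entry: dict, store: dict, now: datetime, max_age: timedelta) -> str:
    """Classify one manifest record as missing, hash-mismatch, stale, or ok."""
    data = store.get(entry["file"])
    if data is None:
        return "missing"
    if sha256_hex(data) != entry["sha256"]:
        return "hash-mismatch"
    if now - datetime.fromisoformat(entry["taken"]) > max_age:
        return "stale"
    return "ok"

def verify_manifest(manifest: list, store: dict, expected_assets: list,
                    now: datetime, max_age: timedelta) -> dict:
    """Status per expected asset; an asset with no manifest record at all is 'no-backup'."""
    results = {asset: "no-backup" for asset in expected_assets}
    for entry in manifest:
        results[entry["asset"]] = verify_entry(entry, store, now, max_age)
    return results

def not_recoverable(results: dict) -> list:
    """Assets whose restore would fail or miss the recovery objective, sorted for reporting."""
    return sorted(asset for asset, status in results.items() if status != "ok")

if __name__ == "__main__":
    results = verify_manifest(MANIFEST, BACKUP_STORE, EXPECTED_ASSETS, NOW, MAX_AGE)
    for asset, status in results.items():
        print(f"{asset:<10} {status}")
    print("needs attention:", ", ".join(not_recoverable(results)))
```

A hash match only proves the file is the one the backup job stored; whether that file actually restores to the controller is the part only a periodic restore test on a spare or lab device can answer, which is the cadence the report calls for.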
[Figure 12, continued. Remaining response options: Industrial espionage; Transient cyber asset; Internal threat (accidental); Wireless compromise; Third-party connectivity (vendors, integrators, contractors, etc.); User account compromise on OT/ICS network; Malware families spreading indiscriminately; User account compromise on IT network; Integration of IT into control system networks; Phishing scams; Devices and “things” (that cannot protect themselves) added to network; Internal threat (intentional); Nation-state cyberattack; Risk from partnerships (hardware/software supply chain or joint ventures); Supply chain compromise; Ransomware, extortion, or other financially motivated crimes. Further percentages extracted from the chart: 19.0%, 5.1%, 20.7%, 38.8%, 39.7%, 32.1%, 20.7%, 11.8%.]

ICS facilities fell victim to the Ekans ICS-tailored ransomware, including Honda[22] and multinational energy company Enel Group,[23] where the adversary group demanded $14 million in ransom for the decryption key and to prevent the attackers from releasing terabytes of stolen data.

20 “Ransoming Critical Infrastructure: Emergency Webcast Transcript,” www.sans.org/blog/ransoming-critical-infrastructure-emergency-webcast-transcript
21 “Ekans/Snake: NJCCIC Threat Profile,” www.cyber.nj.gov/threat-center/threat-profiles/ransomware-variants/ekans-snake
22 “Honda Shuts Down Factories After Cyberattack,”
23 “European Power Giant Enel Hit by Ransomware Gang Netwalker,” https:/

ROI on ICS Asset Inventory

A formal ICS asset inventory of engineering devices is a prerequisite for the maturity of an ICS security program in any sector, and facilities are realizing the benefits. We cannot protect what we do not know we have. Slightly more than 70% of respondents shared that they have a formal process to inventory ICS/OT assets, a 13% jump from 2021. There is still value to be gained, however,
for the 23% of facilities that do not yet have a formal process and the 6% of organizations that are unsure or unaware of an existing formal process in this area. Facilities can expand an existing engineering asset inventory, or build one, using any one of or a combination of the four main methodologies for ICS asset identification. One approach is to prioritize physical inspection combined with passive traffic analysis. Details on the basic attributes to capture and an example approach are available online,[24] starting with commonly targeted devices: data historians, human machine interfaces, programmable logic controllers (PLCs), engineering workstations, core network devices, and active safety instrumented systems (SIS).

ICS Threat Intelligence

The ICS threat intelligence market has come a long way in 12 months. More facilities are using vendor-provided threat intelligence for more immediate and actionable defense steps. Unlike most respondents in 2021, respondents in 2022 are no longer relying only on publicly available threat intel. Rather, they now primarily benefit from vendor-provided ICS-specific threat intelligence, and secondarily look to ICS manufacturers or integrators. This shows less reliance on peer information sharing partnerships (e.g., information sharing and analysis centers, ISACs) and on IT threat intel. This is a sign of increased maturity and awareness of the value of ICS-vendor-specific threat intelligence, as well as budget allocation for improved proactive defense in this area. See Figure 13.

24 “SANS ICS Site Visit Plan,” www.sans.org/blog/sans-ics-site-visit-plan

[Figure 13. ICS-Specific Threat Intelligence: bar chart of responses to “Are you leveraging ICS-specific threat intelligence in your OT defensive posture? Select all that apply.” Response options: ICS threat intel (vendor-provided); ICS manufacturer or integrator provided; Publicly available threat intel; Peer information sharing partnerships (such as ISACs); IT threat intel; Operational technology incidents; Internally developed. Percentages shown (pairing with options not recoverable from the extracted text): 52.4%, 51.1%, 48.9%, 47.6%, 27.6%, 26.2%, 18.7%.]

It's commonplace and
valuable to leverage indicators of compromise (IoCs) for technical reactive defense, such as scoping for attacker artifacts in an environment to determine whether and where a compromise exists during an incident. Those looking to mature ICS security programs can focus more on threat intelligence tactics, techniques, and procedures (TTPs); that is, implementing proactive security changes based on observed adversary tradecraft. This lends itself to longer-lasting proactive defense measures because it makes it harder for the adversary to thrive in the environment.

Facilities leveraging the MITRE ATT&CK framework for ICS can understand and track their detection, mitigation, and security event log data source coverage against sector-specific attacker techniques and tactics observed in previous attacks. The framework can be used to find gaps, tune deployed technologies, and evaluate new vendor solutions and their alignment to the framework in these areas. In fact, to facilitate this, many technology vendors are building MITRE ATT&CK for ICS dashboards directly into their products. We are seeing an increasing number of organizations do exactly this: 2022 results show that 78% of respondent organizations have completed a MITRE assessment. Although the rate of completed assessments has increased in the last 12 months, the results reveal that work is still needed to act on identified gaps. For example, an area to improve is initial access, to help prevent adversaries from gaining a foothold in the network in the first
place. Only 20% of organizations have 51–75% coverage for this tactic, and only 4% have full coverage for it. See Figure 14. ICS managers will do well to support their tactical teams in leveraging MITRE ATT&CK for ICS to track metrics and show maturity across the detection, mitigation, and security event log data source coverage of their deployed technologies. As ICS cybersecurity programs mature with the use of MITRE ATT&CK for ICS and close identified gaps, more advanced defense through ICS threat hunts[25] will provide much more ROI.

Publicly available threat intelligence can come at low or no cost and is a great place to start consuming threat intelligence. Commercial ICS/OT intel services excel in providing improved relevance and timeliness for proactive defense steps against emerging threats, and can be more sector-specific in some cases.

[Figure 14. MITRE ATT&CK Area Coverage: responses to “If you have completed an assessment of your MITRE ATT&CK ICS technique coverage in your ICS, what coverage do you have in each of these areas?” Coverage bands: 0%, 1–25%, 26–50%, 51–75%, 76–99%, 100%. Tactics assessed, each with the six percentages extracted for it (band order not recoverable from the extracted text): Initial Access 20.5%, 30.3%, 3.8%, 2.3%, 31.8%, 8.3%; Discovery 24.8%, 31.8%, 1.6%, 10.1%, 17.8%, 14.0%; Inhibit Response Function 21.9%, 29.7%, 6.3%, 4.7%, 17.2%, 20.3%; Persistence 21.4%, 27.5%, 3.1%, 5.3%, 23.7%, 19.1%; Collection 24.8%, 21.7%, 6.2%, 7.8%, 26.4%, 13.2%; Execution 20.2%, 27.9%, 2.3%, 3.1%, 32.6%, 14.0%; Lateral Movement 17.8%, 30.2%, 1.6%, 6.2%, 24.8%, 19.4%; Impact 25.8%, 22.7%, 4.5%, 4.7%, 26.6%, 15.6%; Evasion 14.7%, 22.5%, 2.3%, 12.4%, 31.0%, 17.1%; Command and Control 17.8%, 31.8%, 7.8%, 3.9%, 27.1%, 11.6%.]

25 “ICS Threat Hunting: They're Shootin' at the Lights! Part 1,” www.sans.org/blog/ics-threat-hunting-they-are-shootin-at-the-lights-part-1

Tomorrow's Defense, Implemented Today

Dedicated resources for people and tools will drive the ICS security program to meet our modern challenges. Only asset owners who continue to invest in control system security can hope to mature, detect, protect, and defend it. Positively, year over year, more organizations are obtaining an ICS security budget, with 2022 seeing only 8% of facilities without one. Most organizations now have budgets allocated
between $100,000 and $499,999 USD (27%) or between $500,000 and $999,999 USD (25%). This is positive, yet not a massive allocation, so decisions will need to be made wisely. See Table 4.

Looking to the next 18 months, respondents are allocating those budgets toward several initiatives; planning for increased visibility into cyber assets and their configurations (42%) and the implementation of network-based anomaly and intrusion detection tools (34%) showed the highest focus. Closely behind, there's a focus on network-based intrusion prevention tools on control system networks (26%), followed by increased consulting services. See Figure 15. Intrusion prevention systems could wrongly block critical control system software or network commands and disrupt operations. For this reason, facilities are strongly encouraged to prioritize intrusion detection systems. This is especially important when first deploying network-based detection and response technologies, which can safely remain in detection-only mode.

Both ICS endpoint and network visibility are critical for any ICS defense program, in all ICS sectors. We think this is recognized in the community and expect to see continued investment here in the short term, with long-term benefits. ICS network visibility is especially important in the case of adversaries “living off the land,” because endpoint security agents may not detect the abuse of legitimate control system functions or network protocols. Additionally, attacks destined for endpoints must traverse the network first. Network devices and network detection systems are more difficult to compromise than endpoint applications and could have more capabilities for active incident response. Generally, the network is first to see most attacks and prepositioning attack setups.

Table 4. ICS Security Budget

                                         2022     2021    % Change
We don't have one.                       7.7%    23.7%     -16.0%
Less than $100,000 USD                  10.2%    19.1%      -8.9%
$100,000 to $499,999 USD                27.0%    24.2%       2.8%
$500,000 to $999,999 USD                25.0%    10.8%      14.2%
$1 million to $2.49 million USD         15.3%    10.8%       4.5%
$2.5 million to $9.99 million USD        7.7%     5.2%       2.5%
Greater than $10 million USD             7.1%     6.2%       0.9%

[Figure 15. Top Initiatives for Increasing Security: bar chart of responses to “Select your top three initiatives for increasing the security of control systems and control systems networks your organization has budgeted during the next 18 months.” Response options: Increased visibility into control system cyber assets and configurations; Implement anomaly and intrusion detection tools on control system networks; Implement intrusion prevention tools on control system networks; Increased consulting services to secure control systems and control system networks; Perform security assessment or audit of control systems and control system networks; Implement an OT SOC; Implement MITRE ATT&CK ICS lexicon for ICS security; Invest in general cybersecurity awareness programs for employees including IT, OT, and hybrid IT/OT personnel; Combine IT/OT SOCs; Implement greater controls for mobile devices and wireless communications; Bridging IT and OT initiatives; Invest in sensor/actuator/level 0 security; Invest in OT/ICS specific tabletop incident response exercises; Invest in cybersecurity education and training for IT, OT, and hybrid IT/OT personnel; Introduce automation to reduce human errors for setting up and maintaining security; Increased physical security to better control physical access to control systems and control system networks; Implement OT threat hunting capability; Streamline and improve security for third-party access; Other. Percentages shown (pairing with options not recoverable from the extracted text): 41.7%, 33.8%, 26.3%, 25.8%, 25.4%, 25.4%, 21.3%, 17.5%, 16.3%, 13.3%, 11.7%, 9.2%, 7.5%, 6.7%, 5.0%, 4.6%, 3.8%, 2.9%, 2.1%.]

Conclusion

Adversaries targeting ICS/OT in critical infrastructure have illustrated knowledge of engineering components, industrial protocols, and engineering operations. This is reflected in their impactful attacks, targeted ransomware, and a new scalable ICS-tailored attack framework[26] that could be leveraged to inflict disruptive, possibly destructive, safety impacts, human injury, and/or death. Defense efforts are gradually becoming stronger. Together, asset owners and vendors are stepping up to meet the new challenges and serious, impactful threats the community is facing. The adversaries have clearly upped their game, and it only makes sense that we must up our defenses and staff skillsets to meet the evolving threat. Asset owners have made great strides and several changes with significant focus on ICS operational improvements. Vendors are improving their approach for specific
 ICS needs; they know it is not the same as IT, because ICS/OT has different missions and asset types, and they know technologies for one must be adapted to suit the other. The ICS security workforce is becoming more skilled and valued. Workers coming into or already in ICS security are further seeking and obtaining control system security training and certifications. It may be difficult to find and attract people in this space, so facilities may need to be flexible to ensure they get the right people with the right skills, and to train and retain them. The shift in who has responsibility for implementing ICS security controls, and in who is called on for ICS incident response cases, shows a level of trust in engineering and ICS-trained staff over IT-only skilled experts. The clear improvements in training staff, leveraging sector-specific threat intelligence, and aligning with standard frameworks for assessments like MITRE ATT&CK for ICS are encouraging and can lead to more threat hunting. There is, however, a growing concern that organizations may be treating safety as less important. This may or may not be caused by a lack of awareness, or by the business not fully embracing the differences between IT's and ICS/OT's missions, risk surfaces, technologies for defense, and finally impacts.

26 “Alert (AA22-103A), APT Cyber Tools Targeting ICS/SCADA Devices,” www.cisa.gov/uscert/ncas/alerts/aa22-103a

Clear defense improvements are seen in investments
 such as asset inventorying, network detection systems, and arming staff with specific ICS security knowledge. Further progress in key areas is still needed. Those responsible for ICS/OT security at facilities would do well to consider these top takeaways to kick-start or mature their ICS cybersecurity program:

Obtain, train, and retain a skilled ICS security workforce. Without obtaining and retaining skilled resources, we cannot expect to be able to act on existing security plans, let alone keep ahead of evolving threats against our critical infrastructure.

Further educate the organization to embrace ICS/OT and IT differences. Understand and embrace the differences between IT and ICS/OT by prioritizing the safety of human life and the reliability of operations as the mission. ICS/OT cybersecurity will support safety and reliability, not the other way around. Leverage what makes sense from IT security while realizing it is never a “copy and paste” from IT security into a control system environment. Adapt processes and methodologies, ensuring security solutions are tailored and specific to suit the unique objectives and mission of ICS.

Enable ICS active defense. Establish a solid foundation first. Align the ICS network architecture with the Purdue model and prepare for the active defense position on the Sliding Scale of Cyber Security.[27]

Augment the network with endpoint solutions. Both endpoint security solutions tailored for traditional operating systems and ICS-aware network solutions are important. Consider augmenting one with the other, as long as it fits the ICS requirements and is ICS-capable.

Use ICS asset discovery, inventory, and management. This is a prerequisite for effective cybersecurity that enables the active cyber defense cycle (ACDC) and streamlines threat and risk analysis by quickly understanding a facility's risk surface on engineering and OT systems. The four main methodologies of creating an ICS asset discovery and inventory can be combined for increased accuracy.

We must remain focused and diligent; circle back to ensure strong ICS-specific controls and processes are established; and prepare for the long haul. Remember, ICS defense is totally doable, and ICS/OT security and risk management is a marathon, not a sprint.

27 “The Sliding Scale of Cyber Security,” www.sans.org/white-papers/36240

Sponsors

SANS would like to thank this paper's sponsors:
181、and prepare for the long haul.Remember,ICS defense is totally doable,and ICS/OT security and risk management is a marathon,not a sprint.27 “The Sliding Scale of Cyber Security,”www.sans.org/white-papers/3624020The State of ICS/OT Cybersecurity in 2022 and BeyondSponsors SANS would like to thank this papers sponsors: