- By Jacob Chapman, Matjaz Demsar, Suresh Madaswamy & Alzbeta (Betty) Helienek
- January 17, 2023
- ISA
- Feature
Summary
The ISA Smart Manufacturing and IIoT Division highlights important industrial control system and IIoT cybersecurity developments in 2022.
Another year has passed, and members of the Smart Manufacturing and IIoT (SMIIoT) division of ISA—International Society of Automation are helping the industrial automation community take stock of where we’ve come, where we’re going and what we might have missed. 2022 was marked by significant change in:
- The way we live: Analysts estimate a whopping 14.4 billion active IoT connections today.
- The way we work: Approximately 16% of companies worldwide are have a fully remote workforce.
- The way we talk: The New York Times chose “goblin mode” as the 2022 word of the year.
The SMIIoT Cyber Security Technical Committee looked back at 2022 and—although it was hard to focus on industrial control system (ICS) cybersecurity while Kanye West was taking over headlines—we came up with nine big stories you may have missed.
1. Threat landscape shifts in 2022, amid Russia-Ukraine War
2020 and 2021 saw an increase in ransomware attacks and supply chain compromises (remember Solar Winds?). In 2022, a marked increase in wiper malware (think: permanent destruction of a computer) and information theft was seen. Related to the war, hacktivists attacked a Belarusian Railway to slow the movement of troops into Ukraine, and an attack on a Viasat communications satellite, primarily a military target, caused collateral damage in the form of a widespread outage of 5,800 wind turbines throughout Europe. If that weren’t enough, a hacking toolset named Incontroller was released, developed by a Nation-State threat actor, to aid in the attacking of ICS systems. This is all on top of the ‘ol run-of-the-mill ransomware attacks on industrial operators and critical infrastructure organizations, such as Toyota and Nordex.
The takeaway
Cybersecurity attacks are increasing in variety, not just quantity. Ransomware for monetary gain continues to lead the pack, but IP theft, espionage against governments through technology vendors, and wartime hacktivism and destruction are on the rise. Most profoundly, software toolsets are available for would-be attackers to develop their own attacks on ICS equipment, an foreboding sign that the red-hat ecosystem is scaling up.
The incidents also highlight the risk of interconnectivity between systems and organizations. An intrusion into a software vendor’s systems can be used to gain access to government systems, and an attack on communication infrastructure can mean power outages across a continent. Due to digitalization, real-time information sharing and decision-making through IoT and OT systems are possible, but cybersecurity designs to secure it require Zero Trust strategies which simply aren’t in place today.
2. 2021 supply chain attacks drove 2022 supply chain security
The Log4j vulnerability (disclosed end of 2021) meant a very busy start of 2022. Companies rushed to patch the vulnerability and the cybersecurity community reflected on how to be better prepared for next time. The consensus: software bills of materials (SBOMs) represent a major blind spot for organizations. We usually don’t know what underlying software packages are inside the firmware files we install onto devices, so when an underlying software dependency has a vulnerability, it’s impossible to know which devices are affected.
National cybersecurity centers are warning in 2022 to pay specific attention to who are you buying digital technology from and mange those relationships actively. And as we learned from the SolarWinds attack, your supply chain also includes your cybersecurity tools.
The takeaway
The increased level of Digital Transformation and the widespread use of COTS software means a vulnerability somewhere in the software stack now affects a wide swath of implementations and sectors. This is exactly what IT and OT convergence looks like from a vulnerability management perspective. IT’s also forcing an end to the “not my problem” mindset, where we need to take on responsibility for cybersecurity from a cross market and industry wide perspective.
3. European Parliament adopts the NIS 2 Directive
Signed into EU members national law within 21 months, it replaces he NIS-Regulation, which was introduced 2016 alongside GDPR. From the horse’s mouth: “The Council and the European Parliament agreed on measures for a high common level of cybersecurity across the Union, to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole.” NIS2 sets the baseline for cybersecurity risk management measures and reporting obligations across energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and distribution, and digital infrastructures, and across three digital services (online marketplaces, online search engines and cloud computing services).
To be efficient, it sets minimum rules for a regulatory framework and lays down mechanisms - like the establishment of the European Cyber Crises Liaison Organisation Network, a.k.a. EU-CyCLONe - to coordinate relevant authorities in each member state. Plus, remedies and sanctions for enforcement are included.
The takeaway
Not only does it lay the groundwork for wide-scale improvements, it has teeth (think: audits and fines for those that don’t comply). On the international stage it sets a precedent, and a vision for the public. The directive also “greases the wheels” by consolidating onto a single risk management framework and standardizing security requirements across sectors as much as possible. This will make many aspects easier – from training talent to building internal security programs, benchmarking and beyond.
4. U.S. asset owners required to report cyber incidents within 72 Hours
Signed into law in March 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires the Cybersecurity and Infrastructure Security Agency (CISA) to implement reporting regulations. Certain asset owners will have 72 hours to report an incident and/or 24 hours of a ransomware payment, and that information will be shared with other agencies. The goal of the reporting is to enhance response coordination and support warning efforts for other potential victims.
The takeaway
For the U.S. government and the broader public, we will have the first accurate dataset of malicious cyber activity on critical infrastructure organizations in the U.S., which may have a ripple effect on insurance premiums, defensive strategies, security spending, and more. Cybersecurity professionals have long stated that known attacks are just the “tip of the iceberg”, and we’re about to get our first glimpse under the water.
5. IT/OT convergence trend remains prominent despite its age
World events in 2022—like the war in Ukraine and the chip shortage—had slowed IoT proliferation in 2021, but it came back with a vengeance throughout 2022. That proliferation is snowballing into a mix of vertically connected Industrial IoT systems and distributed data platforms (think edge and cloud computing). Industrial software is being containerized and run at the network edge, and sophisticated IT/OT software integrations are recognizable signals of that change.
The takeaway
IT/OT Convergence has been a headline for years, but now it’s “getting real”. Not only is it changing the technical landscape in (somewhat) expected ways, it’s also straining existing talent shortages, driving IT software quality approaches into the industrial space, and driving corporate strategy. In security, this is manifesting as OT security tools taking on an IT appearance, integrated with IT tools, but with industrial-specific capabilities under the hood. It’s fair to expect OT security tools to continue adopting IT security approaches in the years to come.
6. M&As drive cyber consolidation towards mega corporations
Cybersecurity—especially industrial cybersecurity—is a relatively new industry. For any new industry, it is common for a large number of small providers to enter the space, which consolidate into a smaller number of larger providers over time. And that’s exactly what we’re seeing in the cybersecurity and ICS cybersecurity spaces. Google acquired Mandiant, Tenable acquired Bit Discovery, IBM acquired Randori, and CrowdStrike acquired Reposify. Significantly, each of these acquisition pairs involves at least one of the companies with a strategic focus on growing its business with industrial and IoT customers.
The takeaway
Mergers and acquisitions are a way for providers to enter the industrial market (which has a high barrier of entry). It also means increasing overlap in offerings (think: increasing competition between providers) and the presentation of solutions that solve a larger share of the customer’s problems. We can expect to see increased bundling of IT/OT security tools, the transplantation of OT-centric intellectual property into IT platforms (e.g., AI and ML technologies to support OT systems), and big-name players launching programs to sell into OT. This trend goes hand-in-hand with continuing IT/OT convergence.
7. The spotlight is on zero trust
Zero Trust is a security philosophy, and the antithesis of perimeter security. Put simply, Zero Trust preaches implementing security at every layer of the technical architecture, rather than having a high level of security “to get in”, and little security “on the inside.” Most home networks are a simple example of perimeter security (that Verizon router/firewall and your WiFi password are the only things protecting you from would-be attackers), and a data center is a good example of Zero Trust (every device must authenticate with any other device, networks are segmented into smaller zones, and even physical access is highly restricted).
Despite being first coined in 1994 and popularized by a Forrester analyst more than a decade ago, the concept is more popular than ever before. Google Trends shows popularity for the term has been growing steadily and December 2022 marks an all-time-high. Recently, U.S. Government agencies and The White House have been using the term to describe their cybersecurity strategy moving forward.
The takeaway
Broad acceptance of Zero Trust as a fundamental security philosophy can be thought of as a KPI of overall cybersecurity understanding and maturity worldwide. It signifies a shift in how we think, talk, (and purchase) in cybersecurity, especially for the layman. But the scale of non-technical individuals searching for “how to do Zero Trust” has also formed a breeding ground for providers marketing technology as “a Zero Trust solution.” Beware: no single tool can provide Zero Trust—no more than a single tool can make you secure.
8. Cyber insurance booms while liability is debated in courts
Insurers continue to wrestle with how to price insurance premiums and where liability lands in various scenarios. The Council of Insurance Agents & Brokers (CIAB) reported a 28% increase in premiums from Q4 2021 to Q1 2022 alone (albeit, prices levelled-off in the latter half of the year). Meanwhile, litigation is exposing debate between insurers and claimants, with one notable case leaving the claimant (International Control Services Inc.) on the hook for the ransomware costs because they did not have multi-factor authentication implemented. And in spite of both, the cybersecurity insurance market is forecasted to boom for several more years, with a CAGR as high as 25.7% in some geographies.
The takeaway
A stabilizing insurance market means more providers are entering the mix (greater competition), assessments and pricing processes are becoming more sophisticated, and communication between governments, organizations and the insurance industry is improving. Further, the stabilization at such a high price point means insurers have greater influence on their buyer’s practices, as evidenced by the International Control Services Inc. case.
9. Forward-focus on improved information sharing
CISA Director Jen Easterly announced last year at S4x22 conference the founding of the Joint Cyber Defence Collaborative, focused on information sharing via public-private partnerships. 2022 has seen the JCDC build momentum via shared, funded services and information sharing programs. 2023 is widely anticipated to see more significant momentum and implementations of threat sharing implementations with a more global, creative and proactive lens.
The takeaway
Cybersecurity is a team sport, and information sharing is a good thing for everyone. But it also represents whitespace for vendors and service providers to fill with new technologies for anonymous data sharing and, services for information consumption and curation, and a cause for strategic partnerships. We can expect the trend towards information sharing to affect everything from the software features to regulatory requirements as well as public discourse.
Join the SMIIoT Division if you want to learn, contribute, and network around one or more of its topics, and help division members and ISA create a better world through automation. Visit the division website or contact the authors to find out more.
About The Author
Jacob Chapman, Solutions Architect, BD and Alliances, Nozomi Networks
Jacob maintains involvement and leadership positions in international societies and standard bodies - including the Cybersecurity Committee Chair of ISA’s Smart Manufacturing & IIoT Division. The committee advises the public on recent trends and new technologies for OT cybersecurity through technical articles and events. Further, Jacob is a Registered U.S. Expert to TC65 of the IEC, member of Manufacturing Enterprise Solutions Association's Cybersecurity Workgroup, and a member of the ISA99 standards development committee.
Jacob Chapman has a background in automation engineering, project management, account management, industrial networking, and ICS cybersecurity within the food and beverage, pharmaceutical, and energy generation sectors, among others. Jacob is currently a Solutions Architect with a general focus on commercial BD and Alliances at Nozomi Networks, the leader in OT & IoT security and visibility.
Matjaz Demsar, Industrial Security Services Consultant, Siemens
Matjaz has a career focus on cybersecurity for industrial control system environments. An ISA Member since 2019, Matjaz maintains involvement in ISA99 for the development of ISA/IEC-62443 international cybersecurity standards, the Smart Manufacturing & IIoT Division of ISA, and ICS4ICS. Matjaz is a certified ISA/IEC-62443 risk and design specialist as well as a member of Siemens TRSC.
Suresh Madaswamy, Senior Cybersecurity Architect, Schneider Electric
Suresh has more than a decade of proven experience in cybersecurity applied to Industrial automation software, system, and cloud platform. Having recognized achievements working with a background in both research and development.
An ISA Member since 2021, Suresh has maintained involvement in ISA99 for the development of ISA/IEC-62443 4-2 standards, the Smart Manufacturing & IIoT Division of ISA. Suresh is an ISC2 member since 2019, currently certified in CISSP, and CSSLP.
Alzbeta (Betty) Helienek, Cyber Security Lead ITS, WSP
Betty is a highly experienced, certified and chartered technical and business leader with over 25 years’ experience delivering cybersecurity and large-scale infrastructure projects in road, rail, oil and energy sectors.
As cybersecurity capability lead for WSP, Betty is responsible for providing strategic advice on cybersecurity to senior decision-makers across WSP clients, mainly in the National Critical Infrastructure sectors. She is also providing technical and operational expertise to support projects across several sectors and representing WSP and supporting development of cyber best-practice at industry forums and as a public speaker she is leading the development of cybersecurity and specifically OT cybersecurity expertise.
Did you enjoy this great article?
Check out our free e-newsletters to read more great articles..
Subscribe