Innovation in ICS/OT Cybersecurity
Salem Al-Elwi
Manager of ICS Cybersecurity | SMU MSc EE, Imperial College MBA, Stanford University SDRM, Texas A&M HRM
As an industry, we cannot keep doing the same things and expect different outcomes. The previous approach of addressing OT/ICS cybersecurity threats by adopting existing IT-based cybersecurity technologies will continue to show its deficiencies. Cybersecurity innovation will be the backbone of this generation's digital transformation journey.
Contrary to common industry assumptions, the first wave of IT/OT integration began in the early 2000s, when the ICS industry transitioned from Unix-like and embedded digital controls to Windows operating systems. The adoption of Ethernet and IP-based networking to encapsulate traditional ICS protocols paved the way for the proliferation of IT communication technologies within the ICS environment. The rapid adoption was driven by multiple factors, one being cost: CAPEX and OPEX for Unix-like control systems were high, and affordable Windows platforms seemed financially practical. Another factor was time: the duration from design through manufacturing, installation and commissioning of Unix-like control systems was much longer than that of adopting and customizing Windows-based systems. The ease of exchanging and integrating operational information with business IT information, as a business enabler, encouraged the interconnection of OT and IT networks. Integrating OT with ERP systems improved organizational efforts to align resource allocation closely with production.

This interconnection presented significant challenges that were unknown at the time, and the fault lines soon began appearing. For example, the lifecycle mismatch became obvious when the industry was confronted with a Windows OS support lifespan of about 5 years against a control system lifespan of 15 and up to 25 years. This, I would say, bad marriage resulted in OS upgrades, patch deployments, cybersecurity risks, incompatibilities and other operational issues. The ICS industry is still struggling with the cybersecurity risks that resulted from the first wave of IT/OT integration in the 2000s. Asset owners are required to respond to ever-increasing OT threats and national regulations, which presents significant challenges to maintaining operational efficiency.
We cannot make this mistake again as we continue to evolve our ICS environments.
Two major challenges resulted from the first wave of IT/OT integration. The first major challenge that I see is the inability of existing cybersecurity technologies designed for IT systems to address the unique ICS/OT cybersecurity requirements. IT cybersecurity risk responses typically recommend technical security controls that prioritize confidentiality and integrity ahead of availability. OT environments, on the contrary, must prioritize safety, reliability and availability from the outset: a control that protects data but causes a process upset or a forced restart is not an acceptable trade. It is true that ICS systems were designed with no security in mind, but it is equally true that cybersecurity solutions are designed with "no OT" in mind. I have frequently seen IT cybersecurity technologies deployed in OT environments with limited success, failing to meet the risk reduction or mitigation requirements and expectations. To address this problem, cybersecurity product manufacturers need to focus research and development on ICS cybersecurity so that products are purpose-built for ICS environments. Asset owners need to encourage startup companies focused on ICS cybersecurity through technology partnerships and support for angel investment.
The second major challenge that resulted from the first integration wave is that IT cybersecurity professionals lack ICS-specific knowledge of the environments they are tasked to secure. A traditional IT cybersecurity professional develops by first building competencies and professional experience as an operating system or network administrator or as an application developer, and subsequently transitioning into a cybersecurity role through training and development. The majority of ICS/OT cybersecurity professionals, on the other hand, are IT cybersecurity professionals thrust directly into the ICS/OT industry, applying the best practices and mindset of their IT experience and creating challenges in the process. To address this, we need to develop professionals with blended knowledge of ICS/OT and cybersecurity. Such a blended team should be trained in both ICS/OT and cybersecurity and dedicated to that purpose, with the proper focus and support. This team will then have the right competencies to identify the true root causes of problems and to recommend innovative solutions and services.
The second wave of IT/OT integration has begun, driven by cost optimization, digital transformation and the green energy transition. IIoT solutions are being deployed in ICS/OT environments, and they will bring a much greater challenge for ICS/OT cybersecurity. Digital transformation introduces immediate conflicts with existing national regulations and corporate standards. As stated previously, the industry has not yet solved the issues caused by the first wave of integration. This time we must be better prepared. Following the traditional approach of applying IT cybersecurity solutions will not solve the problem; on the contrary, it will create significant inherent constraints on digital transformation efforts. The industry needs a paradigm shift in its mindset: ICS/OT-centric cybersecurity solutions must be developed through innovation.
The fourth industrial revolution (Industry 4.0, or IR 4.0) is increasing the deployment of smart technologies such as smart cities and smart grids. For example, smart meters are deployed as part of the smart grid. These distributed and intelligent technologies require interconnection at an unprecedented level, introducing risks never before encountered in the ICS environment.
Consumer demand for renewable energy sources, such as solar and hydrogen, has grown rapidly. The green energy transition is opening a new market for OT and broadening the cybersecurity threat landscape. Green energy and renewables are decentralized by nature and rely on a variety of remote ICS/OT devices. These burgeoning technologies carry significantly more inherent cyber risk than traditional energy technologies. Our "green future" depends on the security and cyber resilience of these renewable technologies. For example, the wind turbines used to produce wind energy require ICS to control their movement (yaw, blade pitch and braking). Wind farms are typically decentralized by design and incorporate smart technologies to regulate their ICS for performance and efficiency, which are critical requirements to break even. If a malicious threat actor gains access to the turbine control systems, it could cause a major disruption to energy production and potentially endanger safety.
In both of my previous points, on IR 4.0 and on the green energy transition, traditional approaches to cybersecurity will not mitigate the risks associated with the adoption of ICS systems and IIoT devices in these environments, not to mention the complexity of deploying solutions that are not tailored for ICS. We do not want to repeat the same mistakes and inherit the challenges we still face as a result of the first wave of IT/OT integration. ICS cybersecurity controls will require innovation to address these challenges. For example, identity and access management for these widely distributed IIoT devices will require innovative solutions, for instance utilizing blockchain technology to control access to them.
In conclusion, I personally believe that the industry is barely scratching the surface of the ICS cybersecurity market; the market has not been fully explored, and these are still early days. What is currently happening is that cybersecurity professionals are replicating the solutions used in IT environments, assuming and hoping they will integrate with ICS systems and achieve the desired cyber risk response. Take antivirus as an example: many control system vendors tell asset owners to exclude critical application and operating system directories and files from scanning entirely, and not to run full scans on the system under consideration on a daily basis, so as not to interrupt the operation of ICS/OT systems. Every such exclusion is an unscanned location where malicious code can sit, so the effectiveness of antivirus as a cybersecurity control is reduced by the constraints the vendors place on it. Asset owners are looking for alternatives that are compatible with their environments and the constraints placed upon them. Another example of the deficient focus on ICS is current GRC (governance, risk and compliance) platforms, which do not account for ICS cybersecurity requirements such as the integration of cybersecurity and safety risk processes, or the inclusion of essential international ICS cybersecurity standards such as the IEC 62443 foundational requirements. A few startup companies have taken this opportunity and developed cybersecurity solutions suitable for ICS environments. In my opinion, the appetite to invest in ICS cybersecurity solutions is immense and will continue to grow.
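As an added example (not the author's code and not from any antivirus or control system vendor), the following Python script audits an antivirus exclusion list of the kind described above. The vendor-required exclusions, the configured exclusions, the vendor name AcmeHMI and the risk rules are all constructed for illustration. It flags the exclusions that hollow out the control (a whole volume, an extension everywhere, a user-writable directory) and separately reports which vendor-required exclusions are missing, which is the operational side of the same trade-off.

```python
"""Audit antivirus exclusions on an ICS host.

Added example, not code from the original article or from any AV or ICS
vendor. Paths, vendor name (AcmeHMI) and policy rules are constructed.
"""
import fnmatch
from dataclasses import dataclass

# Constructed sample: exclusions a hypothetical HMI vendor demands so its
# runtime and historian are not interrupted by on-access scanning.
VENDOR_REQUIRED = [
    r"C:\Program Files\AcmeHMI\Runtime\*",
    r"C:\ProgramData\AcmeHMI\Historian\*.dat",
]

# Constructed sample: what an administrator actually configured on the host.
# The last three are the kind of "just make the warnings stop" entries that
# accumulate over years and quietly disable the control.
CONFIGURED = [
    r"C:\Program Files\AcmeHMI\Runtime\*",
    r"C:\ProgramData\AcmeHMI\Historian\*.dat",
    r"C:\*",
    r"*.exe",
    r"C:\Users\operator\AppData\Local\Temp\*",
]

# Locations writable by an interactive user (assumption: a typical Windows
# layout). An exclusion here hands an attacker a scan-free drop directory.
USER_WRITABLE = ("c:\\users\\*", "c:\\temp\\*", "c:\\windows\\temp\\*")


@dataclass
class Finding:
    pattern: str
    severity: str   # critical, high, medium, info or operational
    reason: str


def _is_whole_volume(p: str) -> bool:
    """True for '*', 'C:', 'C:\\' or 'C:\\*' style patterns (lower-cased input)."""
    if p in ("*", "**"):
        return True
    return len(p) >= 2 and p[1] == ":" and p[2:].strip("\\*") == ""


def classify(pattern: str, required: list[str]) -> Finding:
    """Rate one configured exclusion against the audit rules, most severe first."""
    p = pattern.strip().lower()
    if p in {r.lower() for r in required}:
        return Finding(pattern, "info",
                       "vendor-required exclusion; confirm the path is not user-writable")
    if _is_whole_volume(p):
        return Finding(pattern, "critical",
                       "excludes an entire volume; antivirus is effectively disabled")
    if p.startswith("*.") and "\\" not in p:
        return Finding(pattern, "high",
                       "extension-wide exclusion applies in every directory on the host")
    if any(fnmatch.fnmatch(p, w) for w in USER_WRITABLE):
        return Finding(pattern, "high",
                       "exclusion inside a user-writable location; unscanned drop point for malware")
    return Finding(pattern, "medium",
                   "exclusion not on the vendor's list; document the justification or remove it")


def audit(configured: list[str], required: list[str]) -> list[Finding]:
    """One finding per configured exclusion, then one per missing vendor-required entry."""
    findings = [classify(p, required) for p in configured]
    present = {p.strip().lower() for p in configured}
    for r in required:
        if r.lower() not in present:
            findings.append(Finding(r, "operational",
                                    "vendor-required exclusion missing; scanning may interfere with the process"))
    return findings


if __name__ == "__main__":
    for f in audit(CONFIGURED, VENDOR_REQUIRED):
        print(f"{f.severity:<12} {f.pattern:<48} {f.reason}")
```

The vendor's own entries are checked first and rated only as information, so the report separates what the vendor imposed from what accumulated afterwards; on the constructed sample the three trailing entries come back as one critical and two high findings, and dropping a required entry produces an operational finding rather than a security one, which is the distinction an asset owner needs when arguing with the vendor about scope.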
OT Cybersecurity Technical Sales Consultant at Schneider Electric | ISA/IEC 62443 CFS/CRAS/CDS | CEH | NSE 1-3
2 years ago: Love this!!
Chief Strategy Officer (CSO) at Cyberknight
2 years ago: Very well put Salem, and thanks for inviting me to this forum. Indeed, I do believe there are still many areas of improvement in the ICS/OT space. Not to forget the zero trust architecture, which needs to be implemented in order to cope with the new digital transformation initiatives... I have recently seen plenty of new startups that have started tackling relevant areas in the ICS/OT/IIoT space, such as hardening of those assets, credential rotation, configuration management, zero trust remote access, and anomaly detection systems specialized for monitoring native ICS protocols and their peers running over TCP/IP... On the GRC and skilled resources front, there is still a huge gap which needs to be filled.
OT Cybersecurity | Digital Transformation | Innovation | Speaker
2 years ago: Well said Abu Saud. I did research during my master's studies and found that most famous ICS cyber attacks were caused by commercial off-the-shelf (COTS) OS vulnerabilities. Add obsolete and unpatchable OS to the mix and we will have a really high risk. I believe this is the best time for cybersecurity governing bodies and OT cyber coalitions to work on an OT-specific version of COTS OS that will address such challenges.
Cybersecurity Leader || Building and Leading Security Operations Centers || Business Continuity Certified ISO 22301 ||Speaker || ISA Sr. Member
2 years ago: Great article Salem.
Vice President at Halcyon Middle East, Turkey & Africa
2 years ago: Very insightful article indeed. Thank you for sharing.