Plaintext: Building Trust in ICS/OT and IoT World
Source: ThisisEngineering RAEng (@thisisengineering) via Unsplash


Welcome to Dark Reading in Plaintext, brought to your inbox this week by Dragos. In this issue of Plaintext, we highlight some intriguing findings from a recent ICS/OT report from SANS Institute. We also take a look at the soon-to-come Cyber Trust Mark, the IoT security labeling program. If you enjoy Plaintext, please share with friends and colleagues!

The ICS/OT Investment Picture: Industry research shows cybersecurity incidents against OT/ICS are increasing in volume and frequency. CISA released six ICS advisories on Sept. 26, listing vulnerabilities in products from a range of vendors, including Suprema, Hitachi, Mitsubishi Electric, and Advantech. That is why it is worrisome that the 2023 ICS/OT Cybersecurity Survey by SANS Institute shows a decline in ICS/OT security budgets. More than 21% of respondents in the SANS survey say they don’t have a dedicated ICS/OT cybersecurity budget, compared to just 7% that said so in 2022. Of those that do still have a budget, the amount allocated is shrinking: just over 24% have a budget between $100,000 and $499,999 (compared to 27% in 2022) and 14% have between $500,000 and $999,999 (compared to 25% in 2022). Despite the budgetary constraints, over 60% of respondents say they plan to invest over the next 18 months in products to help increase visibility into control system assets and configurations, while 30% plan on investing in anomaly and intrusion detection tools. Another interesting finding: there is an IT/OT staff convergence, as more and more security professionals report being responsible for both ICS and IT security.

“Although some facilities may be in a low budget cycle for 2023, it’s imperative that they continue focusing on their ICS cybersecurity roadmap,” SANS said in the report. “This means spending on what will provide the highest return to reduce the highest known risks. Security awareness, leveraging ICS tools from trusted sources for assessments (such as from MITRE), a risk-based approach to vulnerability management, and alignment with the five ICS cybersecurity critical controls, are solid places to shift the strategy for 2023.”

There is also an IT/OT staff convergence – with 38% of respondents indicating they are responsible for both ICS and IT security, compared to just 20% in 2022 (Source: 2023 ICS/OT Cybersecurity Survey, SANS Institute).

Earlier this month, MITRE and the US Cybersecurity and Infrastructure Security Agency released Caldera for OT, an open source operational technology attack emulation tool. The tool will allow cybersecurity professionals to run automated adversary emulation exercises and test existing security controls and defenses. The initial release, available as an extension to the Caldera platform, includes support for BACnet, Modbus, and DNP3 protocols.


Dark Reading in Plaintext is brought to you by Dragos

These CEOs Tackle Manufacturing Cyber Threats & Challenges

Join Rockwell Automation & Dragos CEOs on the Oct. 6 webinar for manufacturing threat landscape insights and supply chain risks. Reshape the way you approach cybersecurity in manufacturing. Register now →


“Energy Star” Labels for IoT On the Way: The U.S. Cyber Trust Mark, announced over the summer, will inform consumers which of the internet-connected devices they are buying include strong cybersecurity protections against attacks. Just as consumers look for the “Energy Star” designation when buying household appliances, the hope is to influence consumers to look for a shield logo when buying Internet of Things devices such as fitness trackers, routers, and baby monitors. A BlackBerry survey found that 69% of millennials would pay more for a device labelled as secure through a star system, as would 75% of Gen Z buyers. (The figure was markedly lower for older buyers.) The criteria for getting the security designation include requiring unique and strong default passwords, protecting both stored and transmitted data, offering regular security updates, and shipping with incident detection capabilities. NIST is still defining the standards for consumer-grade routers, with the aim of covering routers when the mark launches in 2024. The program is currently voluntary – and there are concerns that its effectiveness will be limited if it is not a mandatory program. “If real change and secure devices is the end goal, then make it mandatory,” Thomas Pace, co-founder of NetRise, said in a statement. “We don't need more compliance frameworks that sit on a shelf and are totally ignored.” Tammy Parker, principal analyst at GlobalData, raised the same concern, noting that many manufacturers will opt out, especially those from outside the U.S.

“Manufacturers, retailers, broadband service providers, and others in the smart device value chain need to continue educating consumers on how to protect themselves even after the Cyber Trust Mark program is implemented,” Parker said in an analyst note. “Opting in for automatic software updates, never reusing passwords on multiple devices or websites, protecting personally identifiable information, and remaining skeptical regarding all digital communications are simple practices that can go a long way toward protecting consumers from cyber criminals.”

What We Are Reading

What We Heard On-Air

Tune in to our on-demand webinar “Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy” to hear how threat intelligence should be a part of your organization’s security strategy.

“Challenge the assumptions around the scope of what threat intelligence can do for your organization.” Jake Williams, cybersecurity expert

From Our Library

Check out some of the latest reports from our Dark Reading Library.

On That Note

Dark Reading is exploring how your security team is confronting concerns with generative AI through a brief 10-minute survey. How does your cybersecurity team plan to combat challenges like security breaches and fraud, the lack of transparency, inaccuracy, and non-compliance with copyright laws associated with generative AI? All responses are anonymous and the data we collect will be reported in aggregate in an upcoming in-depth report. Please take the survey!


Dark Reading in Plaintext is brought to you by Dragos

Industrial Cybersecurity for OT Environments

Dragos has a global mission: to safeguard civilization from those trying to disrupt the industrial infrastructure we depend on every day.
