Written by Kirill Naboyshchikov, Business Development Manager, Kaspersky Industrial CyberSecurity
Cybersecurity for industrial control systems (ICS) is experiencing strong growth. According to various estimates, by 2025-26, the sector will be worth between $22.5 billion and $22.8 billion, with an estimated CAGR of 5.81% to 7.2%. Thanks to researchers, investigations of increasing attacks on industrial facilities, and growing interest from corporate and government sectors, the industry has already amassed a solid store of knowledge and protection offerings.
Now is the time to look at how cybersecurity for ICS will develop further and what challenges it will face in the future. Organizations can use this knowledge to shape or adjust their security strategies today.
Layered cake of operational technology protection
But first, we need to look at the current state of play. Industrial infrastructure protection is a complex task, as it means using a variety of tools at each level – from field devices and operations management to the boundaries between ICS and corporate IT. These include technologies for the various industrial controllers, for networks, for computer protection, and for overall security management across an enterprise or even a holding company.
The primary cybersecurity task for any industrial organization and facility, such as a factory or substation, is to detect and eliminate threats on endpoints and in the network in a timely manner, in order to safeguard the perimeter. The sooner a malicious object or activity is found, the less negative impact the attack will have.
If the industrial site has complex automation and control systems, it is important to protect them from accidental failures or deliberate attacks. Examples of such systems include substation or power plant automation, discrete or continuous process automation, distributed or centralized control systems, and field, supervisory or telecontrol systems. Protecting them means using dedicated tools to track minor anomalies in performance indicators, for example the pressure reading inside a tank at an oil refinery or power plant, so that action can be taken before a breakdown occurs.
Organizing timely updates and vulnerability fixes for industrial firmware is crucial to reducing the risk of a cyberattack. The fewer vulnerabilities in the equipment, the fewer potential entry points attackers have for compromising the network. Unfortunately, it is not always possible to detect and patch them simply by checking for an update on the vendor’s website. There should be a process for obtaining vulnerability information from a reliable source, one that provides the most complete information about the affected device and its configuration. This helps in making an informed decision on whether to patch or to apply an alternative mitigation measure if a patch is not available or not justified.
Last but not least, organizations need dedicated threat detection and response capabilities against advanced threats. Ideally, the ICS security system must collect and analyze all security events across the entire network so that an internal security operations center or an external expert service can identify signs of targeted attacks. This will help the company stop them in time and investigate their causes. It should also work against APTs, preventing them from lurking undetected inside the network, as was the case with the Lazarus attack on the defense industry using a custom backdoor, which Kaspersky researchers highlighted in 2020. That backdoor moved laterally through infected networks, gathering sensitive information.
And this is where the difficulties begin
As OT systems become more complex, with their variety of devices, remote connections and geographically distributed facilities, the same happens to their protection. Different tools, including but not limited to those listed above, serve different needs, some require integration, and each has its own control panel. As a result, managing protection for the entire system becomes the most challenging task for enterprises. Our global survey confirmed that two thirds of industrial organizations consider the lack of visibility into the infrastructure and the lack of consistent security management to be the harshest obstacles in countering advanced threats (67% and 68% respectively).
Configuring each tool separately and managing everything manually can be hard work, ineffective and may ultimately reduce the level of protection. Different solutions do not share threat intelligence, and there is no visibility within the entire OT system.
Bringing security to a common denominator
Addressing this issue means having all parts of security converged at a single point – an ecosystem that should offer customers access to all possible solutions and services and adapt to the tasks of small, medium, and large enterprises. It should offer a single platform for managing all security tasks, including those from third-party services. Thus, all teams involved in OT security issues will be able to access the necessary data and processes.
An important feature of the platform should be monitoring and processing security events from different sources, be it an anti-malware agent on endpoints, EDR, threat intelligence, SIEM, or any other tool, and correlating them with events in the IT network. Combining data from different sources, analyzing it, and searching for correlations with the help of a SOAR-like system (Security Orchestration, Automation, and Response) will make it possible to detect complex targeted attacks more effectively.
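As an added illustration of the cross-source correlation described above (example code written for this page, not part of any Kaspersky product), the block below normalizes constructed event lines from an IT SIEM, an endpoint anti-malware agent and an OT process monitor, then raises an incident whenever an OT indicator anomaly at a site is preceded, within a time window, by IT-side detections at the same site. The feed format, source names, site and asset names are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample feed (assumed format, not a real product's):
# timestamp|source|domain|site|asset|kind|detail
SAMPLE_FEED = """\
2024-03-05T08:02:00|it_siem|IT|site-A|mail-gw|suspicious_attachment|message to ews-01 flagged
2024-03-05T08:10:00|endpoint_av|IT|site-A|ews-01|malware_detected|object quarantined
2024-03-05T08:25:00|ot_monitor|OT|site-A|tank-7-pressure|indicator_anomaly|pressure deviates from baseline
2024-03-05T11:00:00|ot_monitor|OT|site-B|turbine-2|indicator_anomaly|vibration drift
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    domain: str  # "IT" or "OT"
    site: str
    asset: str
    kind: str
    detail: str


def parse_feed(text: str) -> list[Event]:
    """Normalize the heterogeneous tool output into one event type, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, domain, site, asset, kind, detail = line.split("|", 6)
        events.append(Event(datetime.fromisoformat(ts), source, domain, site, asset, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def correlate(events: list[Event], window_minutes: int = 30) -> list[dict]:
    """One incident per OT anomaly that has IT-domain detections at the same site
    within the preceding window; severity grows with the number of independent tools agreeing."""
    window = timedelta(minutes=window_minutes)
    incidents = []
    for ot in (e for e in events if e.domain == "OT"):
        precursors = [e for e in events
                      if e.domain == "IT" and e.site == ot.site and ot.ts - window <= e.ts <= ot.ts]
        if not precursors:
            continue  # isolated OT anomaly: left to process engineers, no cyber incident raised
        sources = {e.source for e in precursors} | {ot.source}
        incidents.append({
            "site": ot.site,
            "ot_event": f"{ot.asset}:{ot.kind}",
            "precursors": [f"{e.source}:{e.asset}:{e.kind}" for e in precursors],
            "distinct_sources": len(sources),
            "severity": "high" if len(sources) >= 3 else "medium",
        })
    return incidents


if __name__ == "__main__":
    for incident in correlate(parse_feed(SAMPLE_FEED)):
        print(incident)
```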
Corporate IT cybersecurity already has a solution to a similar task. To keep business data and continuity safe, enterprises want to improve the speed and effectiveness of threat detection and investigation. The XDR approach – Extended Detection and Response – which combines threat detection, investigation and response across all infrastructure elements, is already gaining momentum in corporate IT security. The same method can be adapted to the needs of OT security.
Such an ecosystem initiative will bring OT security up to a more mature level. According to Kaspersky’s vision, this will be the next step of the OT security evolution. This means that organizations will be able to protect their assets in a more systematic way, better understand what is happening in their networks, and build a secure foundation for subsequent digitalization. The platform will make it possible to create or strengthen centers for monitoring and ensure industrial safety within large enterprises. It can be used at the level of regions or even countries and unions, to empower state and international CERT organizations, as well as managed service providers.