The High-Stakes Disconnect For ICS/OT Security


Why does ICS/OT need specific controls and its own cybersecurity budget today? Because treating ICS/OT security with an IT security playbook isn’t just ineffective—it’s high risk.

In the rapidly evolving domain of cybersecurity, the challenges and needs of Industrial Control Systems (ICS) and Operational Technology (OT) security stand distinctly apart from those of traditional IT security. ICS/OT engineering systems, which power critical infrastructure such as electric power grids, oil and gas processing, heavy manufacturing, food and beverage processes, and water management facilities, require tailored cybersecurity strategies and controls. This is due to the increase in attacks targeting ICS/OT, their unique operational missions, a risk surface that differs from that of traditional IT networks, and the significant safety consequences of cyber incidents that reach into the physical world.

Critical infrastructure must be protected against today’s threats if it is to continue supporting national safety and economic stability. ICS/OT-specific controls and a dedicated cybersecurity strategy are an effective and responsible approach.

The Rising Cyber Threats to ICS/OT Environments

ICS technologies, crucial to modern infrastructure, are increasingly targeted by sophisticated cyber-attacks. These attacks, often aimed at causing irreversible physical damage to critical engineering assets, highlight the risks of interconnected and digitized systems. Incidents such as TRISIS, CRASHOVERRIDE, Pipedream, and Fuxnet demonstrate the evolution of cyber threats from nuisances to potentially catastrophic events, orchestrated by state-sponsored groups and cybercriminals. These actors pursue not just financial gain but also disruptive outcomes and acts of warfare, blending cyber and physical attacks. Human-operated ransomware and ransomware aimed specifically at ICS/OT are a further, growing concern.

When it comes to leveraging ICS/OT-specific controls to detect threats to critical infrastructure, data from the 2024 SANS ICS/OT Cybersecurity Survey revealed that only 31% of respondents have a Security Operations Center (SOC) with capabilities specific to ICS/OT, capabilities that are crucial for effective incident response and ongoing system monitoring.

As such, critical infrastructure, the engineering systems we rely on to make, move, and power our world, would do well to invest in ICS/OT-specific threat detection and visibility controls, funded by an ICS-specific budget, to protect the engineering systems that operate our modern way of life.

Evaluating ICS/OT Cybersecurity Spending and Risk

There may be a risky imbalance in security budget allocation in some ICS/OT organizations. It is understood, and rightfully so, that for the last few decades security funding was almost solely dedicated to IT systems and IT networks, because the attacks of the day used traditional vectors against traditional support systems. The threat landscape has changed with interconnectivity, however. IT networks and the Internet now introduce significantly higher risk to connected ICS/OT environments than those engineering environments faced a few decades ago.

In fact, data from the 2024 SANS State of ICS/OT Cybersecurity Report indicate that 46% of attacks on ICS/OT environments originate from a compromise in IT support networks that then lets the threat into ICS/OT, impacting networks and operations.

This is concerning given the complex nature of ICS threats and the severe multi-sector cascading impacts that may result from a coordinated engineering cyber-attack in a vital critical infrastructure sector, such as the electric sector. Furthermore, attacks on ICS/OT can have serious consequences to the environment, and to the safety of people.

Evaluating ICS/OT Cybersecurity Controls

Security controls deployed in ICS/OT carry their own risk when they are IT-centric. Despite their critical role, many ICS/OT systems remain under-protected in several areas, such as security controls dedicated to ICS/OT environments and incident response. For example, the 2023 SANS ICS/OT Cybersecurity Report revealed that only 52% of these facilities have a dedicated, regularly exercised, engineering-driven ICS/OT incident response plan.

Traditional IT security measures, when applied to ICS/OT environments, can provide a false sense of security and disrupt engineering operations and safety. It is therefore important to consider and prioritize the SANS Five ICS Cybersecurity Critical Controls: ICS incident response, defensible architecture, ICS network visibility and monitoring, secure remote access, and risk-based vulnerability management. This freely available whitepaper sets forth the five controls most relevant to an ICS/OT cybersecurity strategy, shows how they flex to an organization’s risk model, and provides guidance for implementing them.

It is also worth noting that even one of the Five ICS Cybersecurity Critical Controls, ICS Network Visibility Monitoring for example, delivers benefits well beyond security. Mature organizations cite this control as directly contributing to safety and engineering in the following areas:

  1. Safe, passive industrial traffic analysis to identify engineering assets to build an ICS/OT asset inventory
  2. Engineering troubleshooting capabilities
  3. Safe, passive industrial traffic analysis to identify engineering system vulnerabilities
  4. Industrial and engineering-driven specific incident response capabilities
  5. Meeting compliance requirements
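The first two benefits above rest on a single technique: reading the industrial protocol traffic that already flows on the network instead of probing the devices. The Python below is an added example, not code from the article or from SANS, showing what that looks like for Modbus/TCP. It parses a handful of constructed frames (the 10.1.3.x addresses, ports, unit IDs and register ranges are invented) and derives a per-device inventory: which clients talk to which PLC unit, which function codes and register ranges they use, and which requests the device rejected with an exception code, the usual first clue when a tag map points at registers the controller does not expose. It assumes each TCP segment carries exactly one Modbus ADU; real captures need TCP reassembly before the bytes reach this parser.

```python
"""Passive Modbus/TCP inventory from captured traffic (added example, not from the article).

Assumptions, all constructed for this example:
  * each TCP segment carries exactly one Modbus ADU (real captures need reassembly);
  * frames are tuples (src_ip, src_port, dst_ip, dst_port, payload);
  * the 10.1.3.x hosts, ports and unit IDs are invented.
"""
import struct
from collections import defaultdict

MODBUS_TCP_PORT = 502
READ_FCS = {1, 2, 3, 4}
WRITE_FCS = {5, 6, 15, 16}
FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
                  4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
                  15: "Write Multiple Coils", 16: "Write Multiple Registers"}
EXCEPTION_NAMES = {1: "Illegal Function", 2: "Illegal Data Address",
                   3: "Illegal Data Value", 4: "Server Device Failure"}


def parse_mbap(payload):
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    Returns None for anything that is not a well-formed ADU (too short, wrong
    protocol identifier, or a length field that disagrees with the payload).
    """
    if len(payload) < 8:
        return None
    tid, proto, length, unit_id, fc = struct.unpack(">HHHBB", payload[:8])
    # The MBAP length field counts unit ID + PDU, i.e. everything after byte 6.
    if proto != 0 or length != len(payload) - 6:
        return None
    pdu = payload[8:]
    exception = None
    if fc & 0x80:  # exception response: high bit set, one exception-code byte follows
        if not pdu:
            return None
        exception = pdu[0]
        fc &= 0x7F
    return {"tid": tid, "unit": unit_id, "fc": fc, "exception": exception, "pdu": pdu}


def address_range(fc, pdu):
    """Inclusive register/coil range touched by a request PDU, or None if not applicable."""
    if fc in READ_FCS or fc in (15, 16):
        if len(pdu) < 4:
            return None
        start, qty = struct.unpack(">HH", pdu[:4])
        return (start, start + qty - 1) if qty else None
    if fc in (5, 6):
        if len(pdu) < 2:
            return None
        addr = struct.unpack(">H", pdu[:2])[0]
        return (addr, addr)
    return None


def build_inventory(frames):
    """Fold observed frames into a per-(server, unit) inventory without sending a packet."""
    inv = defaultdict(lambda: {"clients": set(), "functions": set(),
                               "read_ranges": set(), "write_ranges": set(), "exceptions": []})
    for src, sport, dst, dport, payload in frames:
        adu = parse_mbap(payload)
        if adu is None:
            continue  # not Modbus or truncated: skip rather than guess
        if dport == MODBUS_TCP_PORT:  # request: client -> server
            dev = inv[(dst, adu["unit"])]
            dev["clients"].add(src)
            dev["functions"].add(adu["fc"])
            rng = address_range(adu["fc"], adu["pdu"])
            if rng is not None:
                dev["write_ranges" if adu["fc"] in WRITE_FCS else "read_ranges"].add(rng)
        elif sport == MODBUS_TCP_PORT and adu["exception"] is not None:
            # Rejected requests are the troubleshooting signal (bad tag maps show up here).
            inv[(src, adu["unit"])]["exceptions"].append((adu["fc"], adu["exception"]))
    return dict(inv)


def report(inv):
    """Render the inventory as text lines; writes are capitalised so they stand out."""
    lines = []
    for (server, unit), dev in sorted(inv.items()):
        lines.append(f"{server} unit {unit}")
        lines.append("  clients:   " + (", ".join(sorted(dev["clients"])) or "none seen"))
        lines.append("  functions: " + ", ".join(FUNCTION_NAMES.get(fc, f"FC{fc}")
                                                  for fc in sorted(dev["functions"])))
        lines += [f"  reads  {lo}-{hi}" for lo, hi in sorted(dev["read_ranges"])]
        lines += [f"  WRITES {lo}-{hi}" for lo, hi in sorted(dev["write_ranges"])]
        for fc, code in dev["exceptions"]:
            name = FUNCTION_NAMES.get(fc, f"FC{fc}")
            lines.append(f"  exception on {name}: {EXCEPTION_NAMES.get(code, code)}")
    return lines


# Constructed sample capture: an HMI polling a PLC, an engineering workstation
# writing to it, and a poll of a unit ID that rejects the request.
HMI, EWS, PLC = "10.1.3.10", "10.1.3.50", "10.1.3.20"
SAMPLE_FRAMES = [
    (HMI, 49152, PLC, 502, bytes.fromhex("0001 0000 0006 01 03 0000 000a")),  # read 10 regs @0
    (PLC, 502, HMI, 49152, bytes.fromhex("0001 0000 0017 01 03 14") + bytes(20)),
    (EWS, 50000, PLC, 502, bytes.fromhex("0002 0000 000b 01 10 0064 0002 04 0001 0002")),  # write 2 @100
    (PLC, 502, EWS, 50000, bytes.fromhex("0002 0000 0006 01 10 0064 0002")),
    (HMI, 49153, PLC, 502, bytes.fromhex("0003 0000 0006 02 04 0000 0005")),  # unit 2, input regs
    (PLC, 502, HMI, 49153, bytes.fromhex("0003 0000 0003 02 84 02")),  # exception: Illegal Data Address
    ("10.1.3.99", 40000, PLC, 502, bytes.fromhex("00000001")),  # too short to be an ADU, skipped
]

if __name__ == "__main__":
    print("\n".join(report(build_inventory(SAMPLE_FRAMES))))
```

Run against a real capture, the same inventory tells the engineer which host is writing to which registers (a question worth asking of any client other than the expected workstation) and which polls are failing, with no packet ever sent toward the controller.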

Strategic Realignment Opportunities

It is worth reevaluating ICS/OT risks, impacts, budgets, and controls to protect what makes an ICS organization a business: the engineering and operating technology systems. In many cases ICS/OT environments are not suited to traditional IT security controls; controls designed for IT endpoints, such as active vulnerability scanning or automatic patching and reboots, can cause more problems than they solve when applied to a running process.

By aligning security expenditures with the critical functions that drive the business in ICS organizations and critical infrastructure, namely the operational technologies at Purdue Levels 1 through 3.5 as a starting point, organizations and utilities can enhance security and operate more safely and efficiently in today’s ICS/OT cyber threat landscape.

  • Leadership and tactical analysts in ICS/OT critical infrastructure sector utilities can verify and/or implement the threat-driven, prioritized SANS Five ICS Cybersecurity Critical Controls.
  • Tactical analysts can attend my run of ICS515, a 6-day technical ICS/OT incident response and visibility course, this February at the SANS New Orleans event Powered by ICS Security.
  • Join industry peers, SANS expert instructors, and practitioners for hands-on workshops and ICS/OT security training at the 20th Annual ICS Security Summit in Orlando this coming June 15-17.

About the Author

Dean Parsons is a renowned ICS/OT security expert with over 20 years of experience in the field. As a prominent figure at SANS, Dean has devoted his career to advancing the defense posture of critical infrastructure in all sectors, worldwide.

Join Dean in class for ICS515 in New Orleans, Orlando, San Diego, or another convenient time in 2025 for tactical ICS/OT cybersecurity defense, and connect with him and other ICS/OT experts at this year’s 20th Anniversary SANS ICS Summit in June 2025 in Orlando.

This article is a contributed piece from one of our valued partners.
