A third of organisations don’t know if they were hacked in the last year

We used to have more distance from cybercrime and things going generally wrong with technology. In the real world, issues were just dealt with by ‘the tech people’ and in the fictional world, we enjoyed – albeit with some anxiety – what seemed to be fantastic and impossible depictions of dystopian tech futures played out on the cinema screen.

2001: A Space Odyssey showed a group of astronauts tangled up in a battle between man and machine in a mystifying journey through space and time. The Terminator franchise brings generations of good, bad, sometimes both killing machines through space and time to save or destroy the world, depending on their motives. Recently, Silk Road tells the story of the anonymous dark web market launched in early 2011 and eventually shut down by the FBI.

The list goes on, but what we’re now seeing is the very real impact of cybercriminal activity on our day-to-day lives. As our dependency on things that are connected grows, so too does the impact of cyber-attacks and the incentive for cybercriminals to cause harm.

What is the state of global cybersecurity?

The overall rise in activity is one thing, but where it’s being directed is another. Examples are in the news every day where attackers are increasingly concentrating their efforts on our most critical industries across the world. It’s good news then, that recent research sponsored by Nozomi Networks shows cyber defences in these industries are improving.

Increased vigilance and budgets

The SANS 2022 OT/ICS Cybersecurity Report – which focuses on the operational technology (OT) and industrial control systems (ICS) environments needed to operate critical infrastructure – shows that 87.5% of respondents have conducted a security audit of their OT/control systems or networks in the past year. This is up from 75.9% last year.

Further, 66% say their control system security budget increased over the past two years, up from 47% last year. 56% are now detecting compromises within the first 24 hours of an incident, and the majority move from ‘detection’ to containment within just six-to-24 hours.

Some countries are also re-evaluating what industries should be deemed most critical to society. Australia’s Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, based on amendments to the Security of Critical Infrastructure Act 2018 (SOCI), enshrined industries such as retail, data centres, and telecoms as critical infrastructure needing protection from evolving threats including nation-state based cyber security.

All in all, we’re seeing a much more sharpened focus from government, industry, and people across varying engineering roles on cyber security and how it needs to be applied and adhered to in different environments. While the trajectory is positive, we can’t rest on our laurels. The threats are still evolving and regularly slip past organisations without alarm.

Critical industries are placing a focus on skills development, with 83% of respondents holding professional control system certifications – a significant jump from 54% – and almost 80% having roles that emphasise ICS operations, up from 50%. While there is still room to grow in every component, the trend is pointing the right way. Firms are seeing the need to bolster cyber security posture and practices in the environments of the most important industries.

Engineering workstation an infection vector

The same Nozomi SANS report also showed 35% of respondents did not know whether their firm had been compromised in the past year. The figure is down from 48% the previous year, but there’s still plenty of malicious activity happening beyond the gaze of ICS and OT pros.

While the number of respondents who said they had experienced a breach in the last 12 months dropped to 10.5% (down from 15% in 2021) 35% of those said the engineering workstation was an initial infection vector, a two-fold increase from the year before.

That means ‘the bad guys’ see engineering stations as a weak spot and they’re concentrating their efforts there. This must be a focus as we improve security in industrial environments. It’s clear adversaries targeting critical infrastructure ICS/OT environments have deeper knowledge of engineering components, industrial protocols, and engineering operations.

Nozomi Networks’ Labs team has observed this in their powerful attacks, targeted ransomware, and a new scalable ICS-tailored attack framework that could be leveraged to inflict disruptive – possibly destructive – safety impacts, human injury, and even death.

It’s important that defence efforts are becoming stronger and that this trend continues. Together, critical infrastructure asset owners and vendors are stepping up to meet new challenges and serious impactful threats the community is facing. Asset owners have made great strides and several changes with a genuine focus on ICS operational improvements.

How can businesses improve their cybersecurity posture?

While vendors are improving their approach for specific ICS needs, they know it’s not the same as IT because ICS/OT has different missions and asset types, and they know tech for one must be adapted to suit the other. The ICS security workforce is also becoming more valued. Workers coming into or already in place in ICS security are seeking and obtaining the control system security certifications they need to defend against evolving threats.

Engineering and cyber skills shortages mean it may be difficult to find the right people, so facilities need to be flexible in their training efforts. The shift in who has responsibility for implementing ICS security controls, and those who are called on for ICS incident response cases, shows a trust level with engineering and ICS trained staff over IT-only skilled experts.

The improvements in training which leverage threat intelligence and align with standard frameworks for assessments are encouraging and can lead to better threat hunting.

The key message here is: ‘the progress is good, but it must continue’, and I’m positive about the outlook. We are seeing the pinnacle of threats and their impact on industry and people, but also seeing defences catch up and become stronger to prevent and protect us from the next generation of industrial cyber-attacks. The movie’s not over yet.


Andrea Carcano is Co-Founder and CPO of OT and IoT security Nozomi Networks.