Industrial Cyber, in association with TakePoint Research, has recently published its annual buyer guide, compiled by TakePoint’s Directing Analyst, Jonathon Gordon. The report provides a detailed snapshot of the different players in the industry, along with an overview of industry trends and predictions for future developments. Here are a few takeaways from the buyer’s guide:
Focus on Risk Management
The goal of cyber risk management is to minimize risk (i.e. minimize the potential impact of materialized threats) by determining which risks must be mitigated and which risks the management is willing to live with. This requires the development of a “transparent strategic methodology to determine and communicate the risk appetite, analyze and prioritize cyber risks and vulnerabilities, and establish a well-defined mechanism for mitigating the risks to be addressed.”
Adopting a risk-based approach also enables optimizing the cyber-security operation, so that the organization gets “more bang for the buck” in terms of OT security. It’s no surprise then that the move to risk management is rapidly being embraced by C-level and BOD decision makers, who are as conscious of the potentially catastrophic impact of a cyberattack on their company as they are of cost.
The rising importance of supply chain security
Supply chain attacks take advantage of network access rights granted to vendors to provision their components installed in customers’ industrial networks. In such an attack, a malicious payload is attached to the data sent to the component, for the purpose of propagating within the OT network.
According to Industrial Cyber’s report, supply chain security is turning out to be an imperative and indispensable element in understanding and mitigating the security risks across supply networks belonging to operational technology (OT) environments and critical infrastructure sectors.
Every connected device within the environment introduces unique vulnerabilities, and the weakest link is the best measure of the security of the entire supply chain. Because an enterprise today has vast exposure to the risk of every supplier in its supply chain, it must evolve its strategy around managing these risks.
The vendor landscape is changing rapidly
Yesterday’s key sellers in OT cyber-security, namely network visibility and asset inventory, have been supplanted by specialized solutions for different verticals (e.g. water treatment, medical, etc.). According to Industrial Cyber’s report, “we are entering a phase of prolific expansion in terms of cyber awareness in the boardroom and in the rise of new technologies and startups to provide the needed solutions.”
For example, cyber-risk management solutions (like Radiflow’s CIARA platform) have gained much traction in the past year, with the promise of delivering a custom-tailored, high-ROI network hardening plan. Industry players that could offer such lucrative, targeted solutions to existing problems became highly sought-after candidates for investments, mergers and acquisitions (this was also the case with Radiflow, which was acquired by the Sabanci Group). Investment in the industry is also very high, estimated in the hundreds of millions of USD in 2022, reflecting the increasing demand for OT cybersecurity techniques and solutions.
Continued reliance on Public-Private partnerships for protecting national-critical infrastructure
Privately-managed and owned nationally-critical infrastructure networks (namely, in the U.S.) will continue to rely on government-funded threat intelligence research. This research provides situational awareness, appropriate operational and tactical risk management actions, and strategic planning and investment to build capabilities that strengthen critical infrastructure security and resilience. Examples include:
- MITRE and the U.S. Department of Energy (DOE), which announced a new special interest group (SIG) to help enhance cyber defenses for ICS and OT.
- CISA’s ICS-CERT team expanded the scope of the Idaho National Laboratory’s Control Environment Laboratory Resource (CELR) research zone to deliver an interactive test site for ICS and OT environments. The move allows government and private industry partners to experience the possible effects of kinetic cyber-physical attacks.
- CISA expanded its Joint Cyber Defense Collaborative (JCDC) initiative to include the ICS industry consisting of security vendors, integrators, and distributors.
- The U.S. DOE announced funding of US$12 million to support six university-led projects that are set to enhance cybersecurity within the American energy system.
The OT cybersecurity “Skills Gap” is expected to widen
The demand for skilled industrial security experts has been high for many years, unmatched by the current or near-future availability of experts, putting industrial organizations at risk. Presently, the skills shortage is handled by a combination of in-house staff and outsourced contractors (e.g. OT-MSSPs), and that trend is not likely to change anytime soon.
As the skills gap isn’t expected to be filled in the coming years (even if there were an influx of candidates, it takes many years to train a cyber-security expert), the report indicates two stopgap trends:
- Reliance on outsourced security services, such as cloud-based managed security services providers (MSSPs). This includes MSSPs currently operating in the IT space that are expected to expand their offerings into industrial network monitoring and industrial risk management.
- Another consequence of the skills gap, mentioned in Industrial Cyber’s report, is that vendors are expected to expand their professional services, as customers will increasingly look to the vendors to advise and guide them through deployment, installation, and integration, provided either directly to the customer or through a partner.
Over the past few years OT security has developed into a discipline in its own right, rather than operating alongside “traditional” (IT) cybersecurity, due to the rise in cyber-threats aimed directly at industrial organizations. The post-pandemic cybersecurity market is more vibrant and mature, with greater emphasis on risk management and optimization for maximizing the business value of OT cybersecurity.