These agile controls and processes can help critical infrastructure organizations build an ICS security program tailored to their own risk profile.

Dean Parsons, SANS Certified Instructor and CEO & Principal Consultant, ICS Defense Force

March 9, 2023


It's no secret that the industrial control system (ICS) attack surface is rapidly expanding. From advancements in business digitalization, IT-OT convergence, and Internet of Things (IoT) adoption to the ripple effects of escalating geopolitical tensions, organizations in critical infrastructure sectors must be positioned to combat accelerating ICS attacks that, in addition to forcing prolonged operational downtime, can put people and communities at severe risk.

After all, there's a clear differentiator regarding the nature of ICS/OT threats. Unlike traditional attacks against enterprise IT networks that are primarily rooted in monetary gain or data theft, state-sponsored adversaries often target critical infrastructure systems with the malicious intent to disrupt operations, inflict physical damage, or even facilitate catastrophic incidents that lead to loss of life.

This isn't fable or fiction; it's reality. In early February, leaders of two US House subcommittees called on the US Energy Department to provide information regarding three nuclear research laboratories targeted by the Russian hacking group Cold River last summer. Or take the Russian state-sponsored Crashoverride incident of 2016, in which the attackers manipulated ICS equipment by abusing legitimate ICS protocols to disrupt the flow of electricity across Ukraine's power grid at the transmission substation level. As a result, part of Ukraine's capital, Kyiv, experienced a roughly one-hour outage overnight.

The incident served as a microcosm of an evolving era of cyber-risk, underscoring the importance of trained defenders with engineering backgrounds who can effectively monitor ICS networks and actively respond to attacks before they have an operational impact. After all, a weak ICS/OT security posture can pose risk to public health, environmental safety, and national security.

Given those stakes, critical infrastructure organizations have a responsibility to deploy a robust ICS/OT security framework that protects their operational assets from sophisticated attacks. This isn't a matter of meeting mandatory compliance minimums to avoid fines or regulatory penalties. It's about leaving no stone unturned to protect people from the real-world impact of cyberattacks: not only their own personnel, but those living and working in the communities in which they operate.

The Five Components of Effective ICS/OT Security

Balanced priorities are essential to effective ICS/OT security, as made clear by a recent SANS Institute whitepaper, "The Five ICS Cybersecurity Critical Controls." Prevention bias is a common theme across the cybersecurity community. In the best-known and most widely used security frameworks, between 60% and 95% of the controls are preventative in nature, and detection and response receive far less attention. As a result, many organizations invest as little as 5% of their resources toward detecting, responding, operating through an attack, and recovering from compromises. Because the volume and velocity of ICS-related attacks are rapidly increasing, even the most stringent prevention measures are bound to be bypassed. Organizations must be prepared for when that happens, and must integrate AI-enabled detection and response approaches that drive agile mitigation and recovery action.

Adopting an ICS/OT security framework that encompasses the following five critical controls is key to achieving that balance.

  1. ICS incident response: An operations-informed incident response plan is designed with focused system integrity and recovery capabilities to reduce the complexity of responding to attacks in operational settings. The plan is rehearsed through exercises that reinforce risk scenarios and use cases tailored to the organization's environment, prioritizing actions based on the potential for operational impact and on how to position the system to operate through an attack. These exercises also enhance operational resilience by facilitating root cause analysis of potential failure events. 

  2. Defensible architecture: An effective ICS-defensible architecture supports visibility, log collection, asset identification, segmentation, industrial demilitarized zones, and process-communication enforcement. It helps bridge the gap between technologies and humans, reducing risk through system design and implementation while driving efficient security team processes. 

  3. ICS network visibility monitoring: Due to the "systems of systems" nature of ICS attacks, it's vital to implement continuous network security monitoring of the ICS environment with protocol-aware tool sets and systems-of-systems interaction analysis. These capabilities can also inform operations teams of potential vulnerabilities to remediate, aiding in general resilience and recovery. 

  4. Remote access security: Following the societal adoption of cloud-based hybrid work structures, adversaries are increasingly exploiting remote access to infiltrate OT networks. In the past, the primary attack path to an OT network was through that organization's IT network, but now threat actors can also capitalize on the IT network vulnerabilities of their entire supply chain. In turn, maintaining secure remote access controls is nonnegotiable for modern industrial operations. 

  5. Risk-based vulnerability management: A risk-based vulnerability management program empowers organizations to define and prioritize the ICS vulnerabilities that generate the highest level of risk. Often, they are vulnerabilities that allow adversaries to gain access to the ICS or introduce new functionality that can be leveraged to cause operational issues such as the loss of view, control, or safety within an industrial environment. Adopting risk-based vulnerability management requires having controls and device operating conditions in place that drive risk-based decision making during prevention, response, mitigation, and recovery action.
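The second and third controls above come together in practice as a baseline of permitted process communications that a protocol-aware monitor enforces. Crashoverride-style attacks use legitimate ICS protocols, so a monitor that only checks IP addresses and ports cannot tell a historian polling values from a compromised host writing to a controller; it has to decode the protocol far enough to see which function is being requested. The following Python example, added here as an illustration and not taken from the SANS whitepaper or from the author's own tooling, decodes Modbus/TCP requests and checks each against a hypothetical allowlist that says which source may talk to which controller and with which function codes. The host addresses, the allowlist, and the sample frames are all constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Iterable

# Modbus function codes that change process state versus those that only read it.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

# Hypothetical process-communication baseline: the HMI may read and write to the
# PLC, the historian may only read. Addresses are made up for this example.
ALLOWED_CONVERSATIONS = {
    ("10.10.1.10", "10.10.2.20"): set(READ_FUNCTIONS) | set(WRITE_FUNCTIONS),  # HMI -> PLC
    ("10.10.1.30", "10.10.2.20"): set(READ_FUNCTIONS),                          # historian -> PLC
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the PDU that follows it.

    MBAP layout: transaction id (2), protocol id (2, always 0), length (2, counts
    the unit id plus the PDU), unit id (1). The PDU begins with the function code.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def describe(req: ModbusRequest) -> str:
    """Human-readable summary; single-point writes also get address and value decoded."""
    name = WRITE_FUNCTIONS.get(req.function) or READ_FUNCTIONS.get(req.function, "unknown")
    if req.function in (5, 6) and len(req.data) >= 4:
        addr, value = struct.unpack(">HH", req.data[:4])
        return f"fn {req.function} ({name}) addr=0x{addr:04x} value=0x{value:04x}"
    return f"fn {req.function} ({name})"


def evaluate(src: str, dst: str, frame: bytes) -> tuple[str, str]:
    """Return ('OK' or 'ALERT', reason) for one request checked against the baseline."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        # Malformed traffic on a control network is itself worth an analyst's attention.
        return "ALERT", f"{src}->{dst} malformed Modbus/TCP: {exc}"
    summary = describe(req)
    allowed = ALLOWED_CONVERSATIONS.get((src, dst))
    if allowed is None:
        return "ALERT", f"{src}->{dst} unit {req.unit_id}: conversation not in baseline; {summary}"
    if req.function not in allowed:
        return "ALERT", f"{src}->{dst} unit {req.unit_id}: function not permitted for this source; {summary}"
    return "OK", f"{src}->{dst} unit {req.unit_id}: {summary}"


def monitor(events: Iterable[tuple[str, str, bytes]]) -> list[tuple[str, str]]:
    """Evaluate a sequence of (src, dst, frame) observations."""
    return [evaluate(src, dst, frame) for src, dst, frame in events]


# Constructed sample traffic for this example; not captured from any real network.
SAMPLE_EVENTS = [
    # HMI reads 10 holding registers starting at 0: expected behaviour.
    ("10.10.1.10", "10.10.2.20", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # Historian issues Write Single Register: a read-only host attempting a write.
    ("10.10.1.30", "10.10.2.20", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x00"),
    # Unknown host issues Write Single Coil (ON): conversation outside the baseline.
    ("10.10.3.5", "10.10.2.20", b"\x00\x03\x00\x00\x00\x06\x01\x05\x00\x01\xff\x00"),
    # Truncated frame from the HMI: flagged rather than silently dropped.
    ("10.10.1.10", "10.10.2.20", b"\x00\x04\x00\x00\x00\x06\x01"),
]

if __name__ == "__main__":
    for verdict, reason in monitor(SAMPLE_EVENTS):
        print(verdict, reason)
```

Two design points are worth noting. The baseline is keyed on function code, not just on endpoints, because the historian is a legitimate talker to the PLC and an endpoint-only rule would pass its write. And the decoded address and value are carried into the alert so that operations staff can judge the process consequence of a write (which coil, which register, what value) instead of receiving a bare "policy violation"; that is the operations-informed context the incident response control depends on.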

Fostering a Safer Future

For facilities struggling to get a handle on their own ICS/OT security program, I recommend using the five critical controls as a starting point. These five pillars can serve as a road map for critical infrastructure organizations to build an ICS security program tailored to their own risk profile. And while the controls are invaluable to ICS/OT security, their potency still relies on an organizational culture of alignment where the severity of cyber-risk is understood and prioritized at every level — ranging from the board and executive leadership down to their security teams.

ICS/OT security must follow a team sport approach, combining the strength of agile controls and well-defined processes to keep pace with the accelerating nature of ICS attacks. With the right framework in place, critical infrastructure organizations can take proactive steps to drive their own defenses against malicious adversaries.

About the Author(s)

Dean Parsons

SANS Certified Instructor and CEO & Principal Consultant, ICS Defense Force

Dean Parsons is the CEO and Principal Consultant of ICS Defense Force and brings over 20 years of technical and management experience to the classroom. He has worked in both Information Technology and Industrial Control System (ICS) Cyber Defense in critical infrastructure sectors such as telecommunications, and electricity generation, transmission, distribution, and oil & gas refineries, storage, and distribution. His mission as an instructor is to empower each of his students, and he earnestly preaches that "Defense is Do-able!" Over the course of his career, Dean's accomplishments include establishing entire ICS security programs for critical infrastructure sectors, successfully containing and eradicating malware and ransomware infections in electricity generation and manufacturing control networks, performing malware analysis triage and ICS digital forensics, building converged IT/OT incident response and threat hunt teams, and conducting ICS assessments in electric substations, oil and gas refineries, manufacturing, and telecommunications networks.

