by Vaibhav Gupta, Principal & Practice Head – Private Equity & Principal Investor, Zinnov; Prankur Sharma, Engagement Manager, Zinnov; Abhi Jain, Consultant, Zinnov
Over the past several years, different components of Industrial Control Systems (ICS) have empowered industrial automation. But in the last few years, industries have been migrating to Industry 4.0 and trying to become smarter and more connected. This transformation is being enabled by Industrial Internet of Things (IIoT) technologies, which are bringing new opportunities to launch next-generation products and services. As an organization adopts these technologies and becomes more connected, the gap between IT (Information Technology) and OT (Operational Technology) is diminishing, making way for the so-called IT-OT convergence.
COVID-19 has further accelerated this convergence as companies move to remote operations, ensure minimal physical contact, set up remote monitoring of devices, etc. Zinnov analysis reveals that there were ~13 Bn connected devices in 2015 – a number that has almost tripled in the last five years to touch ~35 Bn in 2020. This is further expected to grow at a CAGR of 25% to reach ~83 Bn by the end of 2024, and 60-70% of this will be in the Industrial/Manufacturing sector.
IT-OT convergence has influenced critical business applications and completely transformed the way operations are handled. And as digital transformation has made industries more sophisticated, it has also posed several new threats and challenges. Cybersecurity is one of the challenges that organizations now face, because the integration of OT with IT has made Industrial Control Systems more vulnerable.
What is Industrial Cybersecurity/Operational Technology Security?
Industrial Cybersecurity is defined as a pool of technologies, software, and services to protect the several components of the industrial infrastructure, including Field Controllers, Remote Terminal Units (RTUs), Programmable Logic Controllers (PLCs), Safety Instrumented Systems, Data Historians, Supervisory Control and Data Acquisition (SCADA) servers, Human-Machine Interfaces (HMIs), Engineering Workstations, Network Connections, and people, from external threats and disruptions without hindering the operational continuity and the consistency of industrial processes.
This space is evolving, and the complexity of threats and the potential damage from an attack are much larger than they were a few years ago. Though there are different cybersecurity models, databases, and frameworks from several players and government organizations, many industrial players are still in the nascent stages of understanding the nature of attacks and identifying a robust and comprehensive strategy to counter them. In this report, we shed light on the latest framework for ICS, released by MITRE (a non-profit organization in the US, supporting R&D for different government agencies), in partnership with Mandiant (a US-based cybersecurity firm), known as MITRE’s ATT&CK Framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The database is being leveraged by most of the Industrial Cybersecurity players, including leaders such as Kaspersky, Nozomi Networks, Rapid7, ThreatQ, etc.
MITRE’s ATT&CK Framework to the Rescue
The recent ATT&CK framework for ICS by MITRE highlights the different attack techniques that cyber attackers leverage across the entire attack lifecycle, from gaining access to the system to eventually impacting the ICS. The framework lists 81 unique attack techniques that have been used in the past, and though most of them can be mitigated, there are a few techniques for which the mitigation methods are limited and not completely effective.
Some of these techniques are:
1. Graphical User Interface (GUI): In this technique, adversaries try to gain access to a system via its GUI to strengthen their execution capabilities. The GUI allows users to move between and click on interface objects, with a mouse and keyboard as the main input devices. One example is the 2015 attack on the Ukrainian power grid, where the GUI of the HMI was used to open breakers in the SCADA environment.
2. Network Connection Enumeration: Miscreants use this to discover information about device communication patterns through tools such as netstat and ipconfig. Industroyer, a malware used to impact ICS, contains a module that enumerates all connected network adapters to determine their TCP/IP subnet masks.
3. Screen Capture: To gain information about the ICS process, layout, control, and related schematics, adversaries take screenshots of workstations, HMIs, or other control devices. Several threat groups, such as Dragonfly, APT33, and ALLANITE, have been identified collecting and distributing screenshots of different ICS devices.
Similarly, there are a few other techniques, such as I/O Module Discovery, Monitor Process State, and Manipulate I/O Image, for which threat mitigation is limited or not effective.
The Steadily Expanding Cybersecurity Market
As per IBM X-Force data, OT targeting increased 2000% YoY with more attacks on ICS and OT infrastructure, of which almost 30% of the attacks are on SCADA systems. Even a small piece of malware detected, or a data breach within the system, can halt operations, sometimes causing losses to the tune of millions of dollars for organizations. Recently, a cyberattack on Honda’s internal servers in Tokyo forced the automaker to shut down its production worldwide. There are hundreds of such examples of security breaches that cause severe damage to processes. Additionally, with the cost of recovery increasing, organizations incur massive losses. Another case in point is Norsk Hydro, which suffered USD 40 Mn in losses after switching to manual operations while its systems were restored.
To counter these attacks, ecosystem players have been constantly innovating and developing solutions. Zinnov analysis reveals that the global industrial cybersecurity market is expected to reach ~USD 18 Bn by 2025, growing at a CAGR of ~28%. What is interesting to note is that services account for 55% of the overall market, while the remaining 45% is software. Services have a higher share compared to other industries due to the complexity and interdependency of the industrial infrastructure, which necessitates continuous assessment and monitoring to ensure that the security systems are up to date and to prevent potential threats.
Peeling back the different layers of security, we found that ~45% of the cybersecurity spend is directed towards securing networks, followed by device security, which accounts for ~35% of the total spend, and the remaining ~20% is spent on cloud and applications.
Ecosystem players are catering to numerous use cases that are important in the cybersecurity portfolio, and some of the major vendors include Claroty, Dragos, Radiflow, Armis, Waterfall Security, Belden, Palo Alto, Bayshore Networks, etc. Not just these cybersecurity-specific vendors, but industrial automation players like Rockwell Automation, Schneider Electric, Siemens, ABB, Bosch, Honeywell, etc., and even tech giants like Microsoft have a big cybersecurity portfolio across both software and services.
Mitigating Cyber Attacks
A cyberattack or threat is not something that cannot be prevented; at the same time, not every attack that gets initiated eventually ends up impacting the whole system. There are several methods through which these attacks can be stopped at different stages of the attack lifecycle. We have analyzed all the mitigation methods across each attack technique to identify the major and most important mitigation methods that companies leverage to fight these attacks.
As illustrated above, several methods/use cases have a high occurrence across techniques and are hence a must for an organization to have in its cybersecurity portfolio. A few strategies that stand out include –
Audit: Assessing and evaluating the current state of industrial infrastructure, performing periodic integrity checks of devices, and validating them with their original state to identify potential risks and vulnerabilities.
Access Management: Software and technologies used to enforce authorization policies and decisions to prevent access to unauthorized users.
Software Process & Device Authentication: Authentication of devices and software, especially those that connect remotely to other systems.
Communication Authenticity: Restricting communications from untrusted networks and utilizing tools and methods that authenticate the message integrity and its sender.
Human User Authentication: Authentication before allowing users access to data or accepting commands to the device.
Network Segmentation: Designing network sections to isolate critical systems, functions, or resources, and using physical and logical segmentation to prevent access to sensitive systems and information.
Network Allowlists: These can be implemented through either host-based firewall rules or system host files to specify which connections (e.g., by IP address, MAC address, port, protocol) can be made from a device.
Filter Network Traffic: Using network appliances and software at endpoints to filter ingress or egress traffic and perform protocol-based filtering.
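As an added illustration of the Network Allowlists and Filter Network Traffic items above (this is example code written for this article, not code from Zinnov, MITRE, or any vendor named here), the following Python evaluates observed connection records against a per-device allowlist keyed on source network, destination network, port, and protocol, and returns the connections a defender should review. The plant addresses, ports, and connection records are all constructed and hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One allowlist entry: a source network may reach a destination network on port/proto."""
    src: str    # source network in CIDR notation
    dst: str    # destination network in CIDR notation
    port: int   # destination port
    proto: str  # "tcp" or "udp"


# Constructed allowlist for a hypothetical plant cell:
#  - HMIs in 10.10.1.0/24 may poll PLCs in 10.10.2.0/24 over Modbus/TCP (502)
#  - only the historian at 10.10.3.10 may collect from PLCs over OPC UA (4840)
# Anything not matched by a rule is denied (default-deny posture).
ALLOWLIST = [
    Rule("10.10.1.0/24", "10.10.2.0/24", 502, "tcp"),
    Rule("10.10.3.10/32", "10.10.2.0/24", 4840, "tcp"),
]


def is_allowed(src: str, dst: str, port: int, proto: str, rules=ALLOWLIST) -> bool:
    """Return True if at least one rule permits the connection, else False."""
    s, d = ip_address(src), ip_address(dst)
    return any(
        s in ip_network(r.src, strict=False)
        and d in ip_network(r.dst, strict=False)
        and port == r.port
        and proto.lower() == r.proto
        for r in rules
    )


def audit_connections(records, rules=ALLOWLIST):
    """Return the subset of observed connection records that violate the allowlist."""
    return [
        rec for rec in records
        if not is_allowed(rec["src"], rec["dst"], rec["port"], rec["proto"], rules)
    ]


# Constructed sample of observed connections (e.g. exported from a SPAN port or NetFlow).
SAMPLE = [
    {"src": "10.10.1.5", "dst": "10.10.2.20", "port": 502, "proto": "tcp"},    # HMI -> PLC: allowed
    {"src": "10.10.3.10", "dst": "10.10.2.20", "port": 4840, "proto": "tcp"},  # historian OPC UA: allowed
    {"src": "10.10.1.5", "dst": "10.10.2.20", "port": 44818, "proto": "tcp"},  # HMI on unexpected port: review
    {"src": "10.10.1.5", "dst": "203.0.113.7", "port": 443, "proto": "tcp"},   # HMI reaching outside: review
]

if __name__ == "__main__":
    for rec in audit_connections(SAMPLE):
        print("REVIEW:", rec)
```

The same rule table can seed a host firewall or network appliance policy, while the audit function serves as a periodic integrity check that live traffic still matches the documented allowlist.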
Services in Industrial Cybersecurity – A Critical Component
Services have the higher share in the Industrial Cybersecurity market and are expected to reach ~USD 10 Bn by 2025. This is because of long and complex operational processes, heavy configuration and deployment requirements, the absence of centralized systems, lack of domain knowledge and understanding, continuous maintenance requirements, etc. We have analyzed the services offerings of different ecosystem players and the consumption model favored by enterprises, and classified these services into three broad buckets.
- Advisory Services: These account for ~10% of the overall services market and include consulting services offered to define an organization’s business case for investing in cybersecurity.
- Implementation Services: Accounting for ~30% market share, these services typically include the assessment of industrial infrastructure to identify security requirements and then fulfilling those by helping customers with the implementation of security transformation plans.
- Managed Services: Holding ~60% market share, these consist of broader services offerings that run continuously rather than as a one-time engagement. They include training, maintenance, and monitoring services, and a security operations center that analyzes network and server activity and provides continuous support to the organization.
Given that services are an important aspect of the Industrial Cybersecurity market, Industrial Automation players focusing on this space have strengthened their portfolios through several strategic initiatives: establishing partnerships with Service Providers, Governments, and cybersecurity players; acquiring companies; initiating co-innovation programs; setting up dedicated Centers of Excellence (COEs); and launching marketplaces. A few cases in point: Siemens extended its partnership with Atos to deliver cybersecurity solutions. Emerson opened an industrial cybersecurity hub in India to help manufacturers adopt digital transformation. Rockwell Automation acquired Oylo, an industrial cybersecurity services provider based in Spain.
Cybersecurity has been a peripheral focus for technology and business leaders for a long time now, especially in the IT environment. However, it’s time that this peripheral focus becomes a business priority, because the stakes go beyond data breaches, fraud, etc., especially when it comes to Industrial Cybersecurity. An incident can not only cause organizations to incur monetary and information losses, but can also lead to loss of life, adversely affect the environment, and even end in long-term disaster. Therefore, though IT-OT convergence, Industry 4.0, and Industrial IoT may sound attractive because of their inherent advantages, organizations must ensure a proper playbook to deploy cybersecurity and secure their industrial infrastructure.
Wondering how to assess your current industrial cybersecurity maturity state and how to outline a robust roadmap? Speak to our consultants by dropping us a note at firstname.lastname@example.org for more information.