SANS Institute has released the findings of its highly anticipated SANS 2024 State of ICS/OT Cybersecurity survey, revealing significant strides in securing industrial control systems (ICS) and operational technology (OT) environments. Notably, the report sounds a clear warning that while some organizations are raising the bar, many are still leaving critical systems exposed, with significant gaps between the “haves” and the “have-nots” in ICS/OT security.
The survey, presented by SANS certified instructor and survey author Jason D. Christopher, revealed that organizations using both ICS/OT cybersecurity standards and threat intelligence to guide their program are lightyears ahead of their peers in terms of maturity and capabilities. Such organizations are quicker to detect cyber events, are more likely to have mapped all external connections to the industrial environment, and typically have ICS/OT-specific security operation centers (SOCs). In comparison, organizations without such guiding principles tend to lack central governance for industrial cyber risk management and lack basic capabilities, like a dedicated incident response plan.
For the first time since its inception, the 2024 State of ICS/OT Cybersecurity also examines historical trends over the past five years, with some hopeful signs of improved security for industrial facilities. For example, in 2019 a majority of respondents that suffered an ICS/OT cybersecurity incident took, on average, 2-7 days to detect a compromise. Five years later, over half of respondents reported that the same capability took less than 24 hours, a marked improvement for critical infrastructure asset owners and operators. Similarly, deployments of basic security protections like endpoint protection and multifactor authentication for remote access have increased drastically since 2019.
“There’s a growing recognition of the importance of ICS/OT security, and the good news is that the industry is maturing,” said Jason Christopher. “We’re seeing more time, resources, and strategy being allocated to protect these systems. However, the gaps we’re identifying, particularly around ICS/OT-specific security operations and visibility into industrial environments, highlight that we still have a lot of work to do.”
Key Findings of the 2024 Survey Include:
- Improved Detection Capabilities: In 2019, OT-specific monitoring was used by only 33% of respondents; that figure jumped significantly to 52% in 2024, highlighting the importance of visibility into these critical networks.
- Significant Gaps in Preparation and Workforce: Only a small percentage (34%) of respondents prepare for cyber incidents using range environments with ICS/OT-specific tools. Combined with the majority (51%) of respondents protecting these systems without a relevant certification, there’s cause for concern about how prepared security teams are to recover from an industrial cyber incident.
- Growing Adoption of Cloud Solutions: Despite concerns, cloud-based ICS/OT solutions saw a 15% increase in adoption, especially in non-regulated environments.
- Limited AI Adoption: AI remains largely experimental, with few organizations applying it to ICS/OT due to a lack of use cases and safety/reliability concerns.
“The gap between security leaders and the rest of the industry is growing,” Christopher continued. “We see some organizations doing incredible work, leveraging both industry standards and ICS-specific threat intelligence to improve security posture. Still, many others are just beginning to grasp the complexity of securing these critical environments and this disparity poses a major risk as interconnectedness increases.”
These findings and more will be explored in depth during the SANS 2024 ICS/OT Cybersecurity Survey Webcast on October 9, 2024, at 10:30 AM EDT. The webcast will feature survey author Jason Christopher, along with industry experts, offering actionable recommendations and analysis on strengthening ICS/OT security strategies. Registrants will also receive a complimentary copy of the survey whitepaper.