Why do ICS/OTs need special controls and their own cybersecurity budget today? Because treating ICS/OT security with an IT security playbook isn’t just ineffective—it’s high risk.
In the rapidly evolving field of cybersecurity, the specific security challenges and needs of industrial control systems (ICS) and operational technology (OT) are distinctly different from traditional IT security. Engineering ICS/OT systems that power critical infrastructure such as power grids, oil and gas processing, heavy manufacturing, food and beverage processing, and water management facilities require customized cybersecurity strategies and controls. This is due to the increasing number of attacks on ICS/OT, their unique operational missions, a different risk surface than traditional IT networks, and the significant security implications of cyber incidents affecting the physical world.
Critical infrastructure must be protected against today’s threats if it is to continue supporting national security and economic stability. Dedicated ICS/OT controls and a dedicated cyber security strategy are an effective and responsible approach.
Growing cyber threats to the ICS/OT environment
ICS technologies, critical to today’s infrastructure, are increasingly being targeted by sophisticated cyberattacks. These attacks, often aimed at causing irreversible physical damage to critical engineering assets, highlight the risks of interconnected and digitized systems. Recent incidents such as TRISIS, CRASHOVERRIDE, Pipedream and Fuxnet demonstrate the evolution of cyber threats from simple nuisances to potentially catastrophic events orchestrated by state-sponsored groups and cybercriminals. These actors aim not only for financial gain, but also for destructive effects, including in armed conflict, combining cyber and physical attacks. Additionally, human-operated ransomware and ICS/OT-targeted ransomware have been on the rise recently.
When it comes to using dedicated ICS/OT controls to detect threats to our critical infrastructure, the latest data from the SANS ICS/OT Cyber Security Study 2024 showed that only 31% of respondents have a SOC (Security Operations Center) that includes ICS/OT-specific capabilities, which are critical for effective incident response and continuous system monitoring.
Therefore, critical infrastructure, the engineering systems we rely on to build, move and power our world, would be well served by dedicated ICS/OT threat detection, visibility and management tools, backed by a dedicated ICS budget, to protect the engineering systems that sustain our modern way of life.
ICS/OT Cyber Security Cost and Risk Assessment
In some ICS/OT organizations, there may be a risk imbalance in the allocation of the security budget. It is clear, and rightfully so, that security funding has been almost exclusively focused on IT technologies and IT networks over the past few decades, because the traditional attack vectors targeted those traditional support systems. However, the threat landscape has changed with interconnectedness. IT networks and the Internet now pose far greater risks to connected ICS/OT environments than ICS/OT and engineering environments faced decades ago.
In fact, the data from the SANS State of ICS/OT Cyber Security 2024 Report shows that 46% of attacks on ICS/OT environments result from breaches in IT support networks that allow threats to penetrate ICS/OT, affecting networks and operations.
This is a cause for concern given the complex nature of ICS threats and the serious multi-sector cascading effects that could result from a coordinated engineered cyber attack in a vital infrastructure sector such as the electricity sector. In addition, attacks on ICS/OT can have serious consequences for the environment and human safety.
Assessment of ICS/OT Cyber Security Controls
It can be risky to deploy security controls in ICS/OT if they are IT oriented. Despite their critical role, many ICS/OT systems remain under-secured in several areas, such as security controls for the ICS/OT environment and incident response. For example, the SANS ICS/OT Cyber Security Report 2023 found that only 52% of these facilities have a dedicated ICS/OT incident response plan that is regularly exercised and managed by engineers.
Traditional IT security measures, when applied to an ICS/OT environment, can create a false sense of security and disrupt engineering operations and security. Therefore, it is important to consider and prioritize the SANS white paper The Five Critical Elements of ICS Cyber Security Management. This freely available paper outlines the five most important controls for an ICS/OT cybersecurity strategy, shows how they adapt to an organization’s risk model, and provides guidance on how to implement them.
It’s also important to note that using just one of the five critical ICS cybersecurity controls – ICS network visibility monitoring, as an example – provides benefits far beyond security alone. Mature organizations report the main benefits of this control in the following areas, as a direct contribution to both security and engineering:
- Safe, passive analysis of industrial network traffic to build an inventory of ICS/OT assets
- Engineering troubleshooting capabilities
- Safe, passive analysis of industrial network traffic to detect vulnerabilities in engineering systems
- Industrial- and engineering-specific incident response capabilities
- Meeting compliance requirements
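As an added illustration of the first and third benefits above (this is example code, not from SANS or the author), the script below builds a passive asset inventory from constructed flow records and reports traffic that crosses Purdue levels it should not, the IT-to-OT path the post describes. The zone map, protocol port table and flow records are all assumed sample values, and the adjacent-levels-only rule is a deliberate simplification.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed Purdue zone map (constructed; a real site would also model a Level 3.5 DMZ).
ZONES = {
    ip_network("10.10.1.0/24"): 1,   # Level 1: controllers (PLCs)
    ip_network("10.10.2.0/24"): 2,   # Level 2: HMIs / supervisory
    ip_network("10.10.3.0/24"): 3,   # Level 3: site operations
    ip_network("10.20.0.0/16"): 4,   # Level 4: enterprise IT
}
# Well-known ICS protocol ports, used only to tag what a device appears to serve.
ICS_PORTS = {502: "modbus", 20000: "dnp3", 44818: "enip", 102: "s7comm"}

# Constructed flow records as a passive sensor would summarise them: (src, dst, dst_port).
FLOWS = [
    ("10.10.2.5", "10.10.1.10", 502),
    ("10.10.2.5", "10.10.1.11", 502),
    ("10.10.3.7", "10.10.2.5", 3389),
    ("10.20.4.8", "10.10.1.10", 502),   # enterprise host talking straight to a PLC
]

def purdue_level(ip):
    """Map an address to its Purdue level, or None if it lies outside every zone."""
    addr = ip_address(ip)
    for net, level in ZONES.items():
        if addr in net:
            return level
    return None

def build_inventory(flows):
    """Passive inventory: every address seen, its level, ICS protocols it serves, its peers."""
    inv = defaultdict(lambda: {"level": None, "protocols": set(), "talks_to": set()})
    for src, dst, port in flows:
        for ip in (src, dst):
            inv[ip]["level"] = purdue_level(ip)
        proto = ICS_PORTS.get(port)
        if proto:
            inv[dst]["protocols"].add(proto)   # destination is the server side of an ICS protocol
        inv[src]["talks_to"].add(dst)
    return dict(inv)

def zone_violations(flows, max_hop=1):
    """Report flows that skip Purdue levels or touch an unzoned address (simplified rule, assumed)."""
    bad = []
    for src, dst, port in flows:
        s, d = purdue_level(src), purdue_level(dst)
        if s is None or d is None or abs(s - d) > max_hop:
            bad.append((src, dst, port))
    return bad
```

Against the sample flows, the inventory tags both PLCs as Modbus servers and the only violation reported is the Level 4 host reaching a Level 1 controller directly.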
Strategic opportunities for restructuring
ICS/OT risks, exposures, budgets and controls should be reviewed to protect what makes an ICS organization a business: its engineering and operational technology systems. ICS/OT environments are in many cases not suited to traditional IT security controls, which there create more problems than benefits.
By aligning security spending with the critical functions that drive the business in ICS and critical infrastructure organizations, namely the operational technology at Purdue Levels 1 through 3.5 for starters, organizations and utilities can improve security and operate more securely and efficiently in today’s ICS/OT cyber threat landscape.
- Management and tactical analysts in critical infrastructure sector ICS/OT utilities can review and/or implement the threat-based priorities in SANS The Five Critical Elements of ICS Cyber Security Management.
- Tactical analysts can attend my course, ICS515, a 6-day technical ICS/OT incident response and visibility course, this February at the SANS New Orleans event Powered by ICS Security.
- Join industry peers, SANS expert instructors and practitioners for hands-on ICS/OT security workshops and training at the 20th Annual ICS Security Summit in Orlando, June 15-17.
About the author
Dean Parsons is a renowned ICS/OT security expert with over 20 years of experience in the field. As a prominent figure in SANS, Dean has dedicated his career to advancing the defense posture of critical infrastructure in all sectors around the world.
Join Dean in class for ICS515 in New Orleans, Orlando, San Diego or another convenient time in 2025 for ICS/OT Tactical Cyber Security Defense, and connect with him and other ICS/OT experts at this year’s 20th Anniversary SANS ICS Summit in June 2025 in Orlando.