Guest post written by NexDefense Executives and Fellows. This is a companion to Voice America Interview with Mike Sayre, Co-founder, President and CEO of NexDefense. For leaders in a complex global environment, it is important for me to share best practices and solutions to address some of the key challenges we are facing. I believe NexDefense has created an interesting solution. I invite you to listen to Mike in his conversation as he shares his perspective on this important work and also his approach to leadership.
There has been no shortage of news, speculation and analysis of industrial control systems (ICS) cybersecurity in 2015. From projections that an attack on the United States power grid could cost the economy $1 trillion, to the director of the U.S. National Security Agency, Admiral Mike Rogers, proclaiming that a “digital Pearl Harbor” is all but inevitable, the prognostications for ICS security-related risks and threats have become significantly more frequent than good news reports.
The recognition of the burgeoning threat landscape to industry in 2015 has analysts bullish on ICS cybersecurity business growth. Security analysts see dark skies ahead; yet, market analysts see opportunities lining those clouds. Both groups agree there’s an ever-growing challenge of protecting the safe and reliable operation of ICS, and recognition that cyber risk is building demand for worthwhile solutions. In fact, the research firm MarketsandMarkets recently revised its financial projections for ICS cybersecurity, now forecasting the global industry to surpass $11 billion annually by 2019.
Forecasting the future is not a science. Nevertheless, given enough data and a fairly clear trajectory, predicting where things are headed becomes more feasible. With that in mind, here are the top five ICS security trends, challenges and opportunities we see as most likely for 2016:
Demand for ICS Security Jobs will Severely Exceed Supply
For an industry already contending with an aging workforce, a gap in cybersecurity resources has led some companies to adopt new technologies, rather than people, to streamline processes, often resulting in increased risk. The complications arising from the convergence of information technology (IT) and operational technology (OT) in industry will continue to intensify, as will demand for a new generation of specialized workers. Filling this talent void will prove challenging, as the majority of cybersecurity job seekers are not adequately trained for ICS careers and lack the hybrid skillset necessary to serve both the IT and OT spaces. Starting in 2016, government and industry alike will more consistently point to STEM programs as a gateway to building a new generation of ICS-competent cybersecurity workers to feed contemporary industry demands.
ICS Cybersecurity Insight Tools will Proliferate
Industry analysis continues to show that, on average, when a breach is discovered, the affected system had actually been compromised weeks or months earlier, often with few if any direct indications of compromise. The ability to efficiently monitor, visualize and analyze normal and anomalous ICS network traffic, and to detect potentially malicious activities, will continue to be sought by more owners and operators.
In 2016, a dizzying array of IT-specific cybersecurity tools will be presented to the OT world, and new ICS-specific tools created by OT experts will be expanded and introduced, too. A shortage of ICS security practitioners, coupled with the rising complexity of ICS networks, will result in new tools intended to help technicians and operators better understand, monitor and protect their systems. As a result, solutions that best address ICS-specific cybersecurity challenges, and deliver actionable intelligence, will move steps closer to becoming a permanent fixture in control systems of 2016 and beyond.
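The monitoring capability described above, learning what normal ICS traffic looks like and flagging what departs from it, as an added example that is not code from the original post or from NexDefense. It is a small Python baseline-and-deviation detector over Modbus/TCP flow records: during a learning window it records which hosts talk to which, on what port and with which function codes, then scores live records against that baseline. All flow records are constructed sample data, and the host roles (an HMI polling two PLCs, an engineering workstation that legitimately writes setpoints) are assumptions.

```python
"""Baseline-and-deviation monitoring of ICS network traffic.

Added example, not code from the original post or from NexDefense.
Every flow record below is constructed sample data; addresses and host
roles are assumptions made for the illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Modbus/TCP public function codes (from the Modbus specification). Writes
# change process state, so an unexpected write deserves more scrutiny.
MODBUS_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Read Device Identification",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    func: int  # Modbus function code carried in the request


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form 'ts src dst dport func'."""
    _ts, src, dst, dport, func = line.split()
    return Flow(src, dst, int(dport), int(func))


class IcsBaseline:
    """Whitelist-style model of what 'normal' looked like during learning."""

    def __init__(self) -> None:
        self.assets: set[str] = set()
        self.conversations: set[tuple[str, str, int]] = set()
        self.functions: dict[tuple[str, str], set[int]] = defaultdict(set)

    def learn(self, flow: Flow) -> None:
        self.assets.update((flow.src, flow.dst))
        self.conversations.add((flow.src, flow.dst, flow.dport))
        self.functions[(flow.src, flow.dst)].add(flow.func)

    def evaluate(self, flow: Flow) -> list[str]:
        """Return the names of every baseline deviation seen in this flow."""
        findings = []
        for host in (flow.src, flow.dst):
            if host not in self.assets:
                findings.append(f"new-asset:{host}")
        if (flow.src, flow.dst, flow.dport) not in self.conversations:
            findings.append("new-conversation")
        known = self.functions.get((flow.src, flow.dst), set())
        if flow.func not in known:
            name = MODBUS_FUNCTIONS.get(flow.func, "unknown")
            findings.append(f"new-function:{flow.func}({name})")
        if flow.func in WRITE_FUNCTIONS and not (known & WRITE_FUNCTIONS):
            findings.append("unexpected-write")
        if flow.func not in MODBUS_FUNCTIONS:
            findings.append("unlisted-function-code")
        return findings


# Constructed learning-window records (ts src dst dport func). Assumed roles:
# 10.0.0.10 is an HMI polling two PLCs (10.0.0.20, 10.0.0.21); 10.0.0.5 is an
# engineering workstation that legitimately writes setpoints to one PLC.
LEARNING_TRAFFIC = """
1451606400 10.0.0.10 10.0.0.20 502 3
1451606401 10.0.0.10 10.0.0.21 502 3
1451606402 10.0.0.10 10.0.0.21 502 4
1451606405 10.0.0.5 10.0.0.20 502 16
1451606410 10.0.0.10 10.0.0.20 502 3
""".strip().splitlines()

# Constructed live records to score against the baseline.
LIVE_TRAFFIC = """
1451692800 10.0.0.10 10.0.0.20 502 3
1451692801 10.0.0.10 10.0.0.20 502 6
1451692802 10.0.0.99 10.0.0.20 502 3
1451692803 10.0.0.5 10.0.0.20 502 16
1451692804 10.0.0.10 10.0.0.21 502 65
""".strip().splitlines()


def build_baseline(lines: list[str]) -> IcsBaseline:
    baseline = IcsBaseline()
    for line in lines:
        baseline.learn(parse_flow(line))
    return baseline


def score_traffic(baseline: IcsBaseline, lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (record, findings) for every live record; an empty list means normal."""
    return [(line, baseline.evaluate(parse_flow(line))) for line in lines]


if __name__ == "__main__":
    results = score_traffic(build_baseline(LEARNING_TRAFFIC), LIVE_TRAFFIC)
    for record, findings in results:
        print("ALERT" if findings else "OK   ", record, ", ".join(findings))
```

The value of this kind of model in a control network is that the traffic is highly regular: the same HMI polls the same PLCs with the same read codes on a fixed cycle, so a new talker, a new conversation, or a write from a host that has only ever read stands out immediately. The learning window must be taken from a period the operator trusts, and any finding is a prompt for an engineer to confirm whether a legitimate change occurred, not an automatic block.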
Supply Chain and System Integrators are Recognized as Vulnerable
Historically, the blame for weak ICS security was primarily directed at manufacturers, yet little attention has been given to other aspects of the supply chain. For example, machine builders and system integrators in many cases have a more active role in the security posture of an ICS. Add to this the proliferation of the Industrial Internet of Things (IIoT) and risks introduced through devices supplied by new vendors and inexperienced installers, and the burden placed on owners and operators only becomes heavier. Documented ICS malware such as Havex and BlackEnergy gained a foothold within control systems through the product and services channels. Combined, such attack vectors are quite likely a sign of a new normal, highlighting the growing risks from a complex and polluted supply chain.
2016 will likely see owners and operators push back on manufacturers and suppliers and refuse to accept full accountability for cybersecurity risks to their control systems. These new market forces will push vendors to be more accountable for the security of the products, services and solutions they deliver.
‘Bug Bounty’ Program Established by Major ICS Manufacturer
Google and other leading tech companies offer Bug Bounty programs, giving independent researchers sanctioned opportunities to discover and disclose security vulnerabilities in browsers, mobile and general web applications in exchange for compensation and public recognition. This approach allows Google to attract the attention of some of the industry’s top talent to find product weaknesses before the marketplace is affected. For Google and others like it, the program allows them to maintain a diversified security posture and proactively issue patches and updates before adversaries can exploit vulnerabilities.
While a Bug Bounty program has yet to emerge in the industrial control market, it would prove very high on opportunity and low on cost. Provided the researchers disclose vulnerabilities without publishing key details, the benefit of a Bug Bounty program to ICS is significant. It has never been more likely than now for a Bug Bounty program to be introduced by an ICS manufacturer, and there’s a real possibility 2016 could be the year it happens.
ICS Manufacturers Proactively Disclose Vulnerabilities in Products
Many ICS manufacturers have been conservative about the proactive disclosure of vulnerabilities in their products and systems. That changed in 2015, when OSIsoft announced that it addressed 56 vulnerabilities in its PI System software. The company essentially set a precedent for a new level of transparency from an automation product manufacturer. OSIsoft’s action to self-disclose goes a step further by openly sharing insight into their cybersecurity continuous improvement processes. While their self-disclosure may not be the very first for industry, the breadth and completeness of what they released may set a new standard of care. Industry adoption of this vulnerability disclosure strategy is worth keeping an eye on in 2016. Those who embrace it will likely see positive returns including a stronger brand and reputation and even new sales from customers who realize their aging systems have reached their end of life.
We can’t say with complete certainty that these predictions will prove true, but indications suggest that these trends are likely to gain momentum. More importantly, as 2016 approaches, the industry must recognize that cybersecurity remains a moving target that creates business growth opportunity with every challenge it brings. Without question, 2016 should see industry come together in a more cohesive way to innovate and better protect systems from threats affecting the safety and operational integrity of the systems on which society relies. We’re counting on it.
Check out the companion interview and past episodes of Innovating Leadership, Co-creating Our Future, via iTunes, TuneIn, Stitcher, Spotify, Amazon Music, Audible, iHeartRADIO, and NPR One. Stay up-to-date on new shows airing by following the Innovative Leadership Institute LinkedIn.