Incident Response, Anomaly Detection Rank High on Planned ICS Security Spending

In the "SANS 2024 State of ICS/OT Cybersecurity" report, 530 professionals working in critical infrastructure sectors were asked which technologies they have in their operational technology (OT) environments and which ones they were planning to add in the next year-and-a-half. The two lists highlight which technologies are widely deployed and what areas security teams are going to focus on next. 

The top technologies currently in use are access controls (81%); backup and recovery tools (74.4%); endpoint detection and response (EDR) tools, such as traditional antivirus (73%); segmentation between control systems and higher risk networks (66%); and secure remote access with multifactor authentication (65%). These categories have seen "massive jumps in implementation," SANS said in the report. Just 53% of respondents reported using EDR in 2019, which comes out to a 20% increase in 2024.

"We often describe ICS/OT as the 'M&M' model: hard shell, gooey center. This is why we focus a lot on IT–OT boundaries (i.e., the hard shell)," the report said. "However, security professionals need to also focus on toughening up that gooey center."

Securing that "gooey center" may be one of the reasons for a shift suggesting more nontechnology spending, such as for training, simulations, and incident response. Indeed, the five most-planned activities for the next 18 months are implementing industrial control system (ICS) specific cybersecurity metrics or dashboards (37%), deploying ICS network security monitoring and anomaly detection (33%), rolling out control system enhancements and upgrades (32%), conducting ICS-specific cybersecurity training (31%), and running ICS-specific incident response tabletops or simulations (30%). 

With the exception of cybersecurity metrics and dashboards, these planned technologies are already in use by nearly half of the respondents. The fact that another 30%-plus are making plans to use them suggests that the industry is on the brink of another jump in implementation in these areas.

It's worth noting that the three least deployed technologies for ICS defense had a "surprisingly" larger number of respondents planning to invest in them over the next year-and-a-half. Roughly a quarter of respondents have deployed the following technologies and solutions at this time: software bill of materials, or SBOM(25%), industrial cloud security (26%), and security orchestration, automation, and response, or SOAR (28%). A higher-than-average number of respondents have plans to start using SBOM (28%), industrial control security (23%), and SOAR (30%). 

The planned rates indicate these technologies may become more common across ICS security programs soon, SANS said.