Technology
Products
Resources
Company
English
Technology
Products
Blog
Resources
Company

SANS ICS Security Summit 2021 recap: Industry on the move

David Masson, Director of Enterprise Security | Friday March 26, 2021

Shining a light into the murky world of industrial cyber security — where major incidents can be kept hush, and information is often not made publicly available — the SANS Institute held its 16th annual ICS Security Summit in March. With virtual events across APAC, EMEA, and the US, the round-the-clock summit stressed the importance of having good visibility and a strong understanding of industrial networks for anomaly detection and incident response. Speakers at the event also emphasized how automation can be used in industrial security to address budget restraints and skill shortages.

The summit also detailed the direction of developments in both industrial technologies and the surrounding threat landscape, including the adoption of cloud technologies for Industrial Control Systems, the broadening scope of threat actors, and the inherent limitations of patching and vulnerability management.

In addition to framing the key points of the summit, this blog will hone in on the program’s most salient points: namely, how building an in-depth understanding of ‘self’ for an ICS ecosystem can help fend off the rising tide of threat actors, and at the same time allow organizations to embrace new technologies in the face of their associated risks. Ultimately, by ‘knowing thyself,’ organizations will be able to simultaneously fight external threats, and also gain visibility into new areas of vulnerability that arise inside an organization as it evolves its industrial environment.

SANS Summit 2021: An overview

The following table provides a high-level overview of the major topics discussed throughout the SANS summit:

‘Know thyself’: Learning ‘self’ to identify emerging threats

A wide variety of threat actors are making their debut in the global ICS threat landscape. First, new state-sponsored advanced persistant threat groups (APTs) are targeting industrial ecosystems every year. 2020 also saw the addition of organized crime groups targeting ICS with new ransomware strains such as EKANS.

Accordingly, cyber-attacks on industrial systems are no longer the sole domain of nation states. With ransomware-as-a-service becoming increasingly available on the Dark Web, the barrier of entry for attacking critical infrastructure and manufacturing is demonstrably lowering. In light of this, experts at the SANS conference recommend gaining a detailed understanding of your network and making use of the defender’s home advantage with defence-in-depth.

With attacks growing in scale and sophistication, there is a growing recognition that defenses that sit at the border of organizations and attempt to keep threats out are no longer enough. Organizations must move to a model that assumes a breach, and adopt technologies that can identify cyber-threats once they are inside. This can only be achieved with a real-time, granular understanding of ‘normal’ behavior for every device and controller.

By learning, from scratch, the normal ‘pattern of life’ for all devices, users, and peer groups across industrial networks, Darktrace’s Industrial Immune System builds a sense of self for everything seen in an ICS ecosystem, as well as the digital environment as a whole. In this way, Darktrace allows organizations to ‘know thyself’ to a unparalleled degree, building a dynamic understanding of normal rather than relying on static baselines.

New solutions bring new risks

Throughout the summit, speakers discussed how they have used digital solutions such as cloud and virtualization to solve problems and cut costs. In particular, the renewable energy sector is a big adopter of cloud solutions, or “ICS as a Service” (ICSaaS). A wind farm in California, for example, might be remotely controlled by engineers on the east coast, or a vendor might maintain and run equipment for a hydroelectric plant in Latin America from their European headquarters.

As customers move to adopt these kinds of digital solutions — and with these decisions typically being made at board-level, rather than by the engineers — it seems more a question of when, not if, we see wider adoption of these technologies in the ICS community.

As OT converges with IT in the cloud, so do their associated risks. These new risks create headwinds to change, but some sectors are still adopting these new solutions and making big savings. Unified visibility across IT, OT, and the cloud have thus become a necessity for organizations seeking to accelerate digital transformation while also managing the risks of digitization and of their increasingly dynamic workforces.

A changing landscape

In the face of a new era of cyber-threats, the focus for OT specialists should not be on reactive measures, but embracing new self-learning technologies that develop an evolving understanding of ‘normal’ across industrial systems, the corporate network, cloud environments, and beyond.

By adapting to changes in the digital infrastructure, AI-powered defenses can detect and respond to zero-day threats, while alleviating the burden of security teams by automating much of the manual processes required in post-incident investigation. And by unifying insights across a range of different technologies, organizations can benefit from an enterprise-wide approach to security rather than relying on siloed defenses that lack the context for accurate decision-making.

In this age of advanced cyber-criminal rings and state-sponsored attacks, critical infrastructure and other industrial environments are now the focal point for cyber espionage and intrusions seeking to disrupt operations. The SANS ICS Security Summit reminds us of the need for defenders to face this new landscape with new and adaptive technologies that can disrupt the early signs of a threat, whether known or unknown.

Thanks to Darktrace analyst Oakley Cox for his insights.

Learn more about how Darktrace defends complex industrial environments

David Masson

David Masson is Darktrace’s Director of Enterprise Security, and has over two decades of experience working in fast moving security and intelligence environments in the UK, Canada and worldwide. With skills developed in the civilian, military and diplomatic worlds, he has been influential in the efficient and effective resolution of various unique national security issues. David is an operational solutions expert and has a solid reputation across the UK and Canada for delivery tailored to customer needs. At Darktrace, David advises strategic customers across North America and is also a regular contributor to major international and national media outlets in Canada where he is based. He holds a master’s degree from Edinburgh University.