Intensifying focus on advancing product security in OT and ICS environments amid escalating cyber threats


From a vendor’s perspective, rising cyber threats and attacks have put a sharp focus on the need for product security within OT and ICS environments. Vendors face the challenge of implementing adequate security assessments and integrating secure development practices to prevent threats, while regulatory and industry standards such as NERC CIP and IEC 62443 demand compliance backed by rigorous testing and certification processes.

Public-private partnerships and information sharing can further strengthen security through closer collaboration and transparency. Emerging trends the experts point to include zero-trust approaches, AI-driven threat detection, on-device PKI and better visibility into the software supply chain. Vendor-led security innovation will increasingly rest on proactive measures and real-time monitoring, with continuous improvement aimed at protecting critical infrastructure from ever-evolving cyber threats.

Uncovering product security challenges in OT and ICS environments

Industrial Cyber consulted cybersecurity experts to explore the importance of product security for vendors in OT and ICS environments, and to identify the common vulnerabilities and threats these products face.

Itay Glick, vice president of products at OPSWAT, told Industrial Cyber that product security is critical for vendors in OT and ICS environments due to several unique factors. First, OT equipment typically has long lifecycles and is upgraded less frequently, meaning vulnerabilities can persist for extended periods.

Itay Glick, vice president of products at OPSWAT

“Second, OT systems are often deployed in segregated networks, making updates and patches more complex and infrequent,” he added. “Third, OT environments often lack comprehensive controls such as network monitoring and asset visibility, increasing the risk of undetected vulnerabilities. Lastly, breaches in OT environments can have far-reaching consequences, potentially affecting millions of people and disrupting essential services and infrastructure.”

Jon Taylor, vice president of solution engineering at Fortress Information Security, told Industrial Cyber that “OT and ICS products keep the services we rely on in the modern age running. That makes them an appealing target for both cyber criminals and adversarial countries. These devices face two general threats – first, they are designed for long service life cycles, and second, they generally do not have the onboard computing power required for onboard cyber defense software.”

Jon Taylor, vice president of solution engineering at Fortress Information Security

He identified three common vulnerabilities that bad actors exploit most often. Firstly, because of long service life cycles, much of this equipment is very old and runs old software with known vulnerabilities. Secondly, in OT security ‘availability’ (in the CIA triad of confidentiality, integrity and availability) is king in operational systems. Software updates, which can change behavior or easily break ICS automation, are done less frequently and carry a much higher risk; Microsoft releases at least one patch a quarter that breaks another function, which is undesirable for the stability of water or electric facilities.

Thirdly, OT and ICS systems generally have much lower computational power onboard due to environmental constraints, operating systems that favor reliability of function over modern features, and overall cost. 

“This means that, even if the problems of update frequency and field access are solved, most of these devices don’t have the processing power to run modern cyber defense tools,” Taylor said.

Product security is a top concern for vendors in OT and ICS environments due to the critical nature of the infrastructure these devices support, Thomas Pace, co-founder and CEO of NetRise, told Industrial Cyber. “These environments control essential services like energy, water, and manufacturing, where security breaches can have severe consequences, including operational disruption, financial loss, and even threats to human safety.”

Thomas Pace, co-founder and CEO of NetRise

He added that common vulnerabilities in OT and ICS products include outdated firmware, insecure configurations, and a lack of regular updates. “These systems often face threats such as malware attacks, unauthorized access, and exploitation of known vulnerabilities. Attackers frequently target these systems to gain control over critical operations, causing significant disruptions or damaging infrastructure. Recently we have seen triple-digit increases in software supply chain attacks as attackers focus on much bigger payoffs from any single breach.”

Tony Turner, founder and CEO of Opswright

Tony Turner, founder and CEO of Opswright, said that “products are the building blocks for everything we design, implement, and operate in OT, directly supporting our very way of life. The potential for harm to public good is more credible within the OT product space than what we see in IT, which makes the disparity in security spending even more concerning.”

He told Industrial Cyber: “We largely have the same vulnerabilities as IT in the form of supply chain, software vulnerabilities, misconfigured networks and insecure remote access, but this is further exacerbated by the legacy technologies that were never designed for security, which requires overcompensation to mitigate, as well as the overreliance on vendors for support, which makes issues such as secure remote access even more important.”

“The fact is, that dependencies on IT infrastructure often create a weak chink in our protective measures since IT may not be deemed as critical,” Turner added. “We need to consider that any dependency for the OT environment; people, infrastructure, products, third parties, etc are equally as critical as the environments that depend on them.”

Exploring security assessments and role of secure software development

The executives discuss the methods vendors use to conduct security assessments and testing on their products before release, and they explore the role of secure software development in ensuring product security for OT and ICS environments.

Glick said that implementing the right mechanisms is crucial for ensuring product security. “Key methods include static code analysis, dynamic code analysis, fuzz testing, and penetration testing. These techniques help identify and address vulnerabilities throughout the development process,” he added.

Additionally, he noted that generating and maintaining a Software Bill of Materials (SBOM) is essential. “An SBOM provides a detailed inventory of all components used in the software, enabling vendors to track and manage third-party components and their vulnerabilities effectively. Ensuring that all third-party components come from reputable sources and are regularly updated further enhances security.”
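As an added illustration (not code from the original article, OPSWAT or Industrial Cyber) of how an SBOM lets a vendor track third-party components against vulnerability data, the Python below parses a constructed CycloneDX-style SBOM fragment and matches each component against a constructed advisory list. The SBOM contents, the advisory feed and its EXAMPLE-2024-* identifiers are assumptions made for the example and are not real CVEs; the version comparator is a plain tokenizer that handles OpenSSL-style letter suffixes, which is enough for firmware components like these but is not a substitute for an ecosystem-aware comparator.

```python
"""Offline SBOM-to-advisory matching (added example; constructed data).

Not OPSWAT's or Industrial Cyber's code. The SBOM fragment and the advisory
feed are constructed for illustration and the advisory IDs are placeholders,
not real CVE numbers. A real pipeline would pull the feed from OSV/NVD or
vendor PSIRT advisories and the SBOM from the build system.
"""
import json
import re

# Constructed CycloneDX 1.5-shaped SBOM, trimmed to the fields the matcher uses.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "busybox", "version": "1.31.0",
         "purl": "pkg:generic/busybox@1.31.0"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:generic/zlib@1.2.13"},
        {"type": "operating-system", "name": "linux-kernel", "version": "4.9.88",
         "purl": "pkg:generic/linux-kernel@4.9.88"},
    ],
})

# Constructed advisory feed in an OSV-like "introduced/fixed" shape (hypothetical IDs).
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "openssl", "severity": "HIGH",
     "affected": [{"introduced": "1.1.1", "fixed": "1.1.1l"}]},
    {"id": "EXAMPLE-2024-0002", "package": "busybox", "severity": "MEDIUM",
     "affected": [{"introduced": "0", "fixed": "1.32.0"}]},
    {"id": "EXAMPLE-2024-0003", "package": "zlib", "severity": "HIGH",
     "affected": [{"introduced": "0", "fixed": "1.2.12"}]},
]

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version):
    """Turn '1.1.1k' into [(0,1),(0,1),(0,1),(1,'k')] so list comparison orders
    numeric parts numerically and letter suffixes alphabetically (1.1.1k < 1.1.1l)."""
    return [(0, int(t)) if t.isdigit() else (1, t.lower()) for t in _TOKEN.findall(version)]


def is_affected(version, ranges):
    """True if version falls in any [introduced, fixed) range."""
    v = version_key(version)
    for r in ranges:
        lo = version_key(r.get("introduced", "0"))
        hi = r.get("fixed")
        if lo <= v and (hi is None or v < version_key(hi)):
            return True
    return False


def component_identity(component):
    """Prefer the purl (pkg:type/[namespace/]name@version); fall back to name/version."""
    m = re.match(r"pkg:[^/]+/(?:[^/]+/)*([^/@]+)@([^?#]+)", component.get("purl", ""))
    if m:
        return m.group(1), m.group(2)
    return component.get("name", ""), component.get("version", "")


def match_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) pair whose version is affected."""
    by_pkg = {}
    for adv in advisories:
        by_pkg.setdefault(adv["package"].lower(), []).append(adv)
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name, version = component_identity(comp)
        for adv in by_pkg.get(name.lower(), []):
            if is_affected(version, adv["affected"]):
                findings.append({"component": name, "version": version,
                                 "advisory": adv["id"], "severity": adv["severity"],
                                 "fixed_in": [r.get("fixed") for r in adv["affected"]]})
    return findings


def severity_counts(findings):
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['severity']:<7} {f['advisory']}  {f['component']} {f['version']}"
              f"  fixed in {f['fixed_in']}")
```

Run stand-alone it reports the openssl and busybox components and stays silent on zlib, whose 1.2.13 is past the fixed version; re-running the same matcher against a fresh feed on every build is what turns an SBOM from a one-off deliverable into the post-release vulnerability monitoring Taylor says the industry lacks.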

Glick also identified that adopting a secure-by-design methodology is critical. “This approach integrates security principles and practices from the beginning of the development process, ensuring that the default deployment of the solution is secure. Secure-by-Design includes secure coding practices, regular security reviews, and thorough testing to minimize vulnerabilities and enhance the overall security posture of the product,” he added.

“The industrial controls product industry overall does very poor testing prior to release, and a worse job of monitoring vulnerabilities post-release,” according to Taylor. “Secure software development is decades behind IT or standard software practices, mostly due to the product needs and financial disincentive in the vendor product development models. Many of these devices that are still in the field were not intended to be connected for information network connection (web, remote access). While some product companies do product cyber assessments prior to release, many do not.”

He added that the secure development life cycle (SDLC) practice has traditionally been very weak in ICS companies. “Again, their development cost model had not / does not support the extra bulk, and they did not consider post-release updates for anything other than product functionality/quality issues. In most cases, ICS companies use the SoC (system on a chip) manufacturer-provider software to run the OS and driver-level software as the system base. The ICS companies added their application on top of this base.”

“There are two issues with this: first – the software base is rarely (if ever) updated from the manufacturer and results in outdated vulnerable software in the release, and second – the BSP software generally has all hardware functionality enabled, as the point is to show SoC capability, which leads to a greater attack surface and software risk,” Taylor identified. “Since few ICS manufacturers have the OS experience to customize a kernel to their needs, they use the easy button and reuse the manufacturer OS (near) as is. Putting it simply – SDLC that is poorly executed and does not often adequately identify product risk.”
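Taylor’s point that a reused BSP kernel ships with every hardware feature switched on can be checked mechanically. The following is an added example (not Fortress Information Security’s tooling or anything from the article): it parses a constructed kernel .config fragment, compares the enabled options against an allowlist of what a hypothetical controller actually needs, flags subsystems that add attack surface, and emits a Kconfig fragment to merge over the BSP defaults. The .config contents, the PRODUCT_NEEDS allowlist, the SURFACE_RULES table and the hypothetical controller are all assumptions made for the example.

```python
"""Attack-surface audit of a BSP kernel .config (added example; constructed data).

Not Fortress Information Security's tooling. The .config fragment, the product
allowlist and the rule table are constructed for illustration; a real audit
would read the build's actual .config and an allowlist derived from the
hardware design.
"""
import re

# Constructed fragment of a vendor BSP .config: reference-board defaults with
# every peripheral stack enabled so the SoC's capabilities can be demonstrated.
BSP_CONFIG = """\
CONFIG_ARM=y
CONFIG_MODULES=y
CONFIG_NET=y
CONFIG_INET=y
CONFIG_SERIAL_8250=y
CONFIG_SERIAL_8250_CONSOLE=y
CONFIG_I2C=y
CONFIG_SPI=y
CONFIG_MMC=y
CONFIG_USB=y
CONFIG_USB_GADGET=y
CONFIG_USB_STORAGE=m
CONFIG_BT=y
CONFIG_BT_HCIUART=m
CONFIG_WLAN=y
CONFIG_DEBUG_FS=y
CONFIG_KGDB=y
CONFIG_DEVMEM=y
# CONFIG_STRICT_DEVMEM is not set
"""

# What the hypothetical controller actually uses: wired Ethernet, a console
# UART, I2C/SPI sensors and an SD card.
PRODUCT_NEEDS = {"CONFIG_ARM", "CONFIG_NET", "CONFIG_INET", "CONFIG_SERIAL_8250",
                 "CONFIG_SERIAL_8250_CONSOLE", "CONFIG_I2C", "CONFIG_SPI", "CONFIG_MMC"}

# Subsystems that add attack surface when enabled without a product need.
# A rule matches the option itself or any CONFIG_<prefix>_* child option.
SURFACE_RULES = {
    "CONFIG_USB": "USB host/gadget stack reachable from a physical port",
    "CONFIG_BT": "Bluetooth stack and its protocol parsers",
    "CONFIG_WLAN": "wireless LAN drivers and frame parsing",
    "CONFIG_DEBUG_FS": "debugfs exposes kernel internals at runtime",
    "CONFIG_KGDB": "in-kernel debugger stub",
    "CONFIG_DEVMEM": "/dev/mem gives root raw physical memory access",
}

# Hardening knobs the reference defaults leave off.
REQUIRED_HARDENING = {"CONFIG_STRICT_DEVMEM": "limit /dev/mem to device-mapped ranges"}

_SET = re.compile(r"^(CONFIG_\w+)=(.+)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_config(text):
    """Map option name -> 'y' | 'm' | 'n' | literal value, from .config syntax."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def _rule_for(opt):
    for prefix, reason in SURFACE_RULES.items():
        if opt == prefix or opt.startswith(prefix + "_"):
            return reason
    return None


def audit_config(text, needs=PRODUCT_NEEDS):
    """Classify enabled options: 'disable' (known surface, not needed), 'review'
    (enabled but not in the allowlist), and hardening options found 'missing'."""
    opts = parse_config(text)
    report = {"disable": [], "review": [], "missing": []}
    for opt, val in opts.items():
        if val not in ("y", "m") or opt in needs:
            continue
        reason = _rule_for(opt)
        if reason:
            report["disable"].append((opt, reason))
        else:
            report["review"].append(opt)
    for opt, reason in REQUIRED_HARDENING.items():
        if opts.get(opt) != "y":
            report["missing"].append((opt, reason))
    return report


def hardened_fragment(report):
    """Kconfig lines to merge over the BSP defaults (e.g. with scripts/kconfig/merge_config.sh)."""
    lines = [f"# {opt} is not set" for opt, _ in report["disable"]]
    lines += [f"{opt}=y" for opt, _ in report["missing"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rep = audit_config(BSP_CONFIG)
    for opt, why in rep["disable"]:
        print(f"disable {opt}: {why}")
    print("review:", ", ".join(rep["review"]))
    print(hardened_fragment(rep))
```

The allowlist is the part that matters: it forces the product team to state which peripherals the design actually uses, which is exactly the decision a reference BSP skips. Options that are enabled but neither needed nor covered by a rule (here CONFIG_MODULES) land in the review bucket rather than being silently kept.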

Pace observed that vendors conduct security assessments and testing for OT and ICS products through a multi-faceted approach that includes static code analysis, dynamic analysis, and penetration testing. “These assessments identify vulnerabilities within the software, helping vendors address weaknesses.”

“Secure software development involves integrating security practices throughout the software development lifecycle (SDLC), from initial design to deployment,” Pace added. “Techniques such as threat modeling, secure coding practices, and regular security reviews are employed to minimize risks. Additionally, vendors use SBOM to maintain a detailed inventory of all software components and dependencies, enabling better vulnerability management and compliance.”

Turner recognized that modern software release processes are far more automated than what we have seen in decades past. “So too are the security assessment processes. Traditionally activities such as threat modeling and penetration testing have led to some of the most important outcomes, providing opportunities to redesign and harden. That said, the most likely avenues for assessment on a continuous basis can be found in static code analysis and software bill of materials, secrets detection, automated platforms such as ASPM and CSPM tools and continuous monitoring of threat and vulnerability indicators,” he added. 
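Of the continuous checks Turner lists, secrets detection is the easiest to show end to end. The scanner below is an added example (not Opswright’s code or anything from the article) that runs over a constructed source file: it combines fixed patterns (private-key blocks, AWS access key IDs, credential assignments) with a Shannon-entropy heuristic for long hex or base64-charset string literals. The sample file and its values are constructed; the AWS key is Amazon’s published documentation placeholder, and the entropy thresholds follow the widely used truffleHog-style defaults rather than any value from the article.

```python
"""Pre-commit style secrets scan over source text (added example; constructed data).

Not Opswright's or any named vendor's scanner. SAMPLE_SOURCE is constructed;
the AWS key is the documentation placeholder Amazon publishes
(AKIAIOSFODNN7EXAMPLE) and every other value is made up.
"""
import math
import re
import string
from collections import Counter

SAMPLE_SOURCE = '''# settings.py (constructed sample; every value below is fake)
DB_HOST = "historian.ot.local"
DB_PASSWORD = "Summer2024!"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SIGNING_MATERIAL = "3f9a7c2e1b8d4f6a9c0e2b5d7f1a3c8e"
TIMEOUT = 30
BANNER = "Plant controller firmware v2.1"
KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIIB(truncated)
-----END RSA PRIVATE KEY-----"""
'''

_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
_AWS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# keyword-named assignment of a quoted literal: PASSWORD = "...", api_key: '...'
_CREDENTIAL = re.compile(r"(?i)(password|passwd|secret|token|api_?key)\w*\s*[:=]\s*['\"]([^'\"]{4,})['\"]")
_LITERAL = re.compile(r"\"([^\"\n]*)\"|'([^'\n]*)'")
_HEX = set(string.hexdigits)
_B64 = set(string.ascii_letters + string.digits + "+/=_-")


def shannon_entropy(s):
    """Bits per character; 0 for empty or single-symbol strings."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(literal):
    """truffleHog-style heuristic: long literals drawn from a hex or base64
    alphabet whose entropy is well above what identifiers or prose reach."""
    if len(literal) < 20:
        return False
    chars = set(literal)
    if chars <= _HEX:
        return shannon_entropy(literal) > 3.0
    if chars <= _B64:
        return shannon_entropy(literal) > 4.5
    return False


def redact(value):
    """Keep a 4-character prefix so a finding can be located without re-leaking it."""
    return value[:4] + "*" * max(0, len(value) - 4)


def scan_source(text):
    """One finding per offending line; specific rules win over the entropy heuristic."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if _PRIVATE_KEY.search(line):
            findings.append({"line": lineno, "rule": "private-key-block", "value": "<pem>"})
            continue
        m = _AWS_KEY.search(line)
        if m:
            findings.append({"line": lineno, "rule": "aws-access-key-id", "value": redact(m.group(0))})
            continue
        m = _CREDENTIAL.search(line)
        if m:
            findings.append({"line": lineno, "rule": "hardcoded-credential", "value": redact(m.group(2))})
            continue
        for lit in _LITERAL.finditer(line):
            value = lit.group(1) or lit.group(2) or ""
            if looks_like_secret(value):
                findings.append({"line": lineno, "rule": "high-entropy-literal", "value": redact(value)})
                break
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']:>3}  {f['rule']:<22} {f['value']}")
```

The ordering is deliberate: an AWS key or a password assignment is reported under its specific rule even though it would also trip the entropy check, and the BANNER string is left alone because prose contains spaces and never reaches the base64 alphabet test. In a vendor pipeline the same function would run as a pre-commit hook and again on the firmware image’s extracted filesystem, since Taylor’s observation about BSP reuse applies to credentials baked into vendor images as much as to kernel features.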

“But assessments need something to assess, and starting with rigorous design and secure software development methodologies can streamline testing and reduce their significance,” Turner added. “By eliminating the possibility of software defects through the use of secure by design engineering patterns such as memory safe languages and secure frameworks that eliminate entire classes of vulnerability when used correctly.” 

Turner further highlighted that approaches, such as Cyber Informed Engineering, ensure that product suppliers can start from a more solid starting point by applying the concepts of design thinking aligned with the need for consequence reduction in the most critical applications. “There are a variety of frameworks here, most notably the Secure Software Development Framework (SSDF) NIST SP 800-218 which is now a component of US federal contracting, yet still applicable as a set of modern secure development practices. When used in conjunction with IEC 62443, this establishes a mature baseline for secure product development,” he added.

Compliance with regulatory standards for OT and ICS product security 

The executives explore the regulatory standards and frameworks that vendors must adhere to for OT and ICS product security. Additionally, they discuss how vendors keep abreast of and comply with evolving cybersecurity regulations across various regions.

Glick said that vendors in the OT and ICS sector must adhere to key regulatory standards depending on their industry, such as NERC CIP and NRC for example, and IEC 62443-4-2. “NERC CIP 003-7 focuses on the security of removable media and transient cyber assets, while NRC mandates kiosks for scanning portable media and devices.” 

He added that to stay updated and compliant with evolving cybersecurity regulations, vendors should monitor regulatory updates, participate in industry forums and groups, conduct internal audits, and provide ongoing training for employees. These strategies ensure they can quickly adapt to new requirements and maintain security standards.

Taylor identified that there are no such standards that apply across all industries; ISA99/IEC 62443 has guidelines for ICS device security, but it is not a regulatory standard. “Automotive ISO 21434 is the most advanced and has mandated SDLC which has been adopted by the EU but is not a worldwide regulatory standard. Some industries have requirements for their specific industry that influence security in ICS devices, but it’s generally functional requirements, not development standards. Ex: NERC CIP and NIST 800-82, SunSpec, IEEE 2030.5,” he added.

Pace pointed out that vendors must adhere to various regulatory standards and frameworks to ensure OT and ICS product security. “Key requirements include maintaining detailed SBOMs and comprehensive software inventories. Some of the critical regulatory standards and frameworks are NIST SP 800-53 and NIST SP 800-82, IEC 62443, ISO/IEC 27001, Executive Order 14028 (U.S.), CISA’s Cybersecurity Performance Goals (CPGs), the EU Cybersecurity Act, and GDPR (General Data Protection Regulation),” he added.

“To stay updated and compliant, vendors must continuously monitor regulatory changes through dedicated compliance teams, industry associations, and cybersecurity frameworks,” according to Pace. “They participate in standards development organizations and leverage automated compliance tools to ensure their products meet the latest security requirements.”

“We are currently seeing a product security renaissance when you consider CISA Secure by Design and the SbD pledge, SSDF and EO 14028, and the EU Cyber Resilience Act (CRA) that are all driving product security requirements,” according to Turner. “Much of this is due to consumer level protection, not necessarily focused on industrial applications, but as they say, ‘a rising tide raises all ships.’ Still, most current regulations are industry-specific, and even looking at initiatives like the CRA you may note that automotive is not in scope because it already comes under rigorous security requirements. These initiatives appear to be filling in the gaps,” he added.

Pointing out that it is interesting though to see that even in some of these regulatory initiatives, there is very little focus on ICS-specific security drivers, Turner added that there are zero secure development requirements for products destined for grid operations, and in fact, one could implement extremely insecure products if they can meet the compliance obligations of CIP. “This means that for the foreseeable future, security will likely be an afterthought, though the rapid adoption of Cyber Informed Engineering within electric power may help to at least address the need for secure integration and design, even if the products are still insecure.”

He further said that “the more meaningful measures will be produced through secure acquisition processes such as what is proposed in EO 14028 for federal procurement requiring self-attestation of secure development processes or through product certification testing schemes such as ISASecure. Until mandatory regulatory requirements force secure development for ICS, this will likely be a market-driven initiative.”

Impact of public-private partnerships, information sharing on OT and ICS product security

The executives analyze the role of public-private partnerships in enhancing the security of OT and ICS products. They also discuss why information sharing among vendors and industry stakeholders is crucial for improving product security.

“Sharing knowledge between the public and private sectors is crucial because governments typically have broader visibility into cyber threats than individual organizations,” Glick said. “Many countries establish specific CERTs (Computer Emergency Response Teams) or SOCs (Security Operations Centers) for different industry sectors to provide precise guidelines, share cases and incidents, and promote standardized security approaches. These efforts enhance the overall cybersecurity maturity of the industry.”

Most importantly, Glick added that these initiatives foster a community of experts who can advise and guide other members, facilitating collective learning and the ability to overcome challenges together. “This collaboration ensures that best practices are disseminated, emerging threats are quickly addressed, and all stakeholders benefit from shared expertise and resources.”

Taylor said that public-private partnerships are essential for improving security in ICS. “Because of the nature of ICS businesses, cyber is generally not the vendor’s focus or strength, and they don’t have deep cyber or software teams who are all able and willing to focus on security only. The public partnerships enable them to get insight and actionable information from public sources without having a full-time expert.”

He added “The same applies to industry sharing. The ICS security community is too small to hoard information. We must share our knowledge and practical experience to help protect our critical infrastructure. If sharing your defensive knowledge puts your company at risk, you’ve already lost because someone else already knows.”

Pace identified that public-private partnerships enhance the security of OT and ICS products by enabling collaboration and efficient information exchange between government entities and private sector companies. “These partnerships leverage the strengths of both sectors to develop comprehensive security strategies, improve threat intelligence and sharing, and implement best practices across the industry.”

He pointed out that the key benefits include enhanced threat intelligence, as sharing threat data and attack patterns between public and private entities allows quicker identification and mitigation of security threats; improved best practices, as collaborative efforts help establish industry-wide security standards and guidelines and ensure stakeholders adhere to the highest security protocols; and resource sharing, as public-private partnerships enable resource pooling and provide access to advanced security tools and technologies that might be cost-prohibitive for individual companies, especially smaller organizations.

“Information sharing among vendors and industry stakeholders helps improve product security through reducing blind spots, accelerating response times, and strengthening the ecosystem,” Pace added.

“The reality is that there is a security value chain driven by more than just buyer and seller, or even government stakeholders,” Turner said. “The biggest gap in the conversation is that of the integrator, a critical role that ISA has long recognized as a key contributor to IACS. But, the regulations and government initiatives have largely ignored the subject of actual design thinking in favor of simpler compliance-based approaches. Even now, the Secure by Design effort reads more like a set of compliance objectives.”

He added that the value of multiple stakeholders coming to the table together cannot be overstated, but so too must the business drivers for each of these parties. “Security is not always in the best interest of all parties, and when asset owners are not demanding it in their procurement, it seems unwise for integrators and product vendors to expend resources to invest in security when there is no return and may result in higher costs and fewer customers.”

“So too is the need for information sharing. For instance, vendors may know the product better than anyone else downstream, but they do not typically operate the infrastructure their products are installed in,” according to Turner. “There is a need for bilateral information sharing such that PSIRT teams monitor threat and vulnerability indicators and intake this intelligence into a triage, remediate, and communication process, but these inputs need to come from actual customers as well as the internet and security community at large.”

Emerging trends and future of vendor-led security innovations in OT and ICS environments

The executives discuss emerging trends in OT and ICS product security that vendors should be aware of, and they explore the future of vendor-led security innovations in these environments.

Glick said that one of the most significant emerging trends in OT and ICS product security is the adoption of a zero-trust approach, which originally emerged from the IT world but is now being rapidly integrated into OT environments. “This approach emphasizes verifying the security of devices entering the network, devices already on the network, remote access devices, and files entering the network.” 

Additionally, he added that new Secure-by-Design elements are being incorporated into OT security products to enhance overall security. These include implementing multi-factor authentication (MFA) for accessing secure devices, comprehensive auditing capabilities, the utilization of encrypted communications and storage, and strict adherence to standards such as NERC CIP and IEC 62443.

“The future of vendor-led security innovations in OT and ICS environments looks promising, with a continued focus on integrating advanced security practices and technologies to protect critical infrastructure,” according to Glick. “Vendors are expected to develop more sophisticated security solutions that are deeply embedded into the lifecycle of their products, ensuring resiliency against cyber threats.”

Taylor expects that the industry will continue to grow in connectivity – ignoring cyber is a catastrophic risk, not just to ICS vendors, but to national defense and security. “AI will not necessarily make adversaries smarter, but it will increase the speed and volume of attacks they launch and techniques they apply, making it even harder to keep ahead of security. Geopolitical risks are higher for ICS systems than ever, and the damage capability is incalculable.” 

He added “We’ve made progress on issues like on-device public key infrastructure (PKI), but it is still costly and difficult to implement in the field. PKI will be critical to protecting OT devices going forward. I believe the next two years in OT/ICS will be as challenging as the early 2000s rush to connect devices, but with much tougher adversaries to deal with.”

Pace detailed that some of the key trends in OT and ICS product security include the integration of IT and OT security, as the industry moves closer to a unified security strategy that protects both operational and informational assets, and increasing software visibility and monitoring: for years the focus in OT/ICS has been on asset discovery, primarily of hardware, but there is now movement toward software discovery and visibility. Comprehensive visibility across the software stack supports stronger and more timely supply chain detection and response to vulnerabilities.

He also pointed to zero trust architectures, which assume threats can exist both inside and outside the OT/ICS network and are being adopted in small steps throughout the OT/ICS world, and to the continued adoption of AI and machine learning, whose growing use for anomaly detection, predictive analytics and automated threat response could revolutionize security in OT/ICS environments. Regulatory compliance and frameworks will also continue to drive improvements in product security, as more stringent standards push vendors to maintain compliance and adopt best practices.

“The future of vendor-led security innovations in OT and ICS environments will likely be characterized by increased collaboration, advanced automation, and a relentless focus on securing the software supply chain,” according to Pace.

Turner recognized that one of the most prevalent trends today is that of AI-enabled capabilities, both as a problem-solving as well as a marketing tool. “But this too creates new sets of risks, not only from the need for additional external connectivity and potential leakage of sensitive information but also increases in compute power, potentially lower confidence results, and more. AI promises many benefits, but the rate of adoption appears to be outstripping the ability of stakeholders to design and implement governance strategies for the adoption of these technologies,” he added.

“But this also presents other opportunities around the sharing and correlation of data. While ICS has been traditionally more siloed, the need for data sharing and new capabilities for data historians and data aggregation and correlation creates rich opportunities for the defender,” according to Turner. “Even without AI, the data fabric of OT is expanding dramatically which creates rich opportunities, as well as a treasure trove of information for our adversaries. As with anything else, tools can be used for good or evil, and this is no different,” he concluded.
