
A Snapshot of Industrial Cybersecurity’s Business Concerns in 2023

2023 has been an eventful year for the industrial cybersecurity landscape, to say the least. From the launch of new platforms such as ‘ETHOS’ to the efforts of organizations to bridge the diversity gap, it’s been exciting to see the direction our industry’s headed in. But of course, you can’t have sunshine without a little rain, and a series of concerns continue to create challenges for us all. In this blog, we’ll cover 6 of the most pressing business concerns industrial cybersecurity is facing in 2023 and offer insight as to what their solutions may be. Keep reading to find out more!

1. The need for collaboration within organizations

Information and operational technology are becoming more intertwined within industrial enterprises globally. Consequently, they’re transforming into distributed, large-scale cyber-physical systems that are increasingly complex to manage. Likewise, the ever-changing threat landscape and heightened risks have made it crucial for firms to prioritize industrial cybersecurity as part of their operations. To be successful in mitigating the risks, a multidisciplinary approach is needed, which requires companies to come together with all their stakeholders and ensure everyone is in alignment. While this may be initially challenging to accomplish, it’s essential in protecting the industrial environment. 

2. The absence of role and responsibility definitions

There’s currently a lack of solid definitions for roles and responsibilities among personnel, and in the event of an incident, this has the potential to be disastrous. Having solid definitions in place and communicating them to operational staff can make a measurable difference in reducing the impact of an incident. A tool such as the RACI (Responsible, Accountable, Consulted, and Informed) model can often provide clarity and structure in defining the responsibilities of the various stakeholders.

3. The lack of governance and compliance

In 2023, industrial cybersecurity governance remains low. In its absence, organizations often select and align with industry- or government-agency-led frameworks, such as those from NIST, IEC, and MITRE. Industrial enterprises and organizations are increasingly taking on the responsibility for aligning the adopted framework with their security policies, conducting risk assessments, planning for security, and preparing for incident response.

4. The demand for reporting and information sharing

Cross-organizational and cross-border partnerships and information sharing have become essential for protecting critical infrastructure and advancing cybersecurity. However, trust and complexity issues currently hinder information sharing within public-private partnerships, posing an increased threat to national and economic security. While we’ve seen relevant government and industry programs launched in 2023, such as ETHOS, many more developments are needed to further facilitate reporting and information sharing, which strengthens an organization’s defense against attacks.

5. The criticality of incident response plans

With nation-state actors becoming more audacious in their cyber-attacks, organizations must ensure they have comprehensive incident response plans, and most already do. However, threat groups are increasingly difficult to track, and previously reliable attributes such as Tactics, Techniques, and Procedures (TTPs) and motives are no longer valid indicators. As a result, implementing a well-defined incident response plan is now, more than ever, vital for accurately locating issues and efficiently recovering the system. Industrial incident response must therefore include proactive elements, such as planning, incident prevention, and post-incident analysis and forensics, alongside reactive elements, which focus on detecting and managing an incident.

6. The limited coverage of insurance policies

In March 2023, insurance company Lloyd’s of London announced that ‘catastrophic’ state-backed attacks will no longer be covered in its cyber insurance policies. Consequently, the wider industry is now reconsidering the role of risk transfer in mitigation strategies. Lloyd’s decision and various litigation cases have exposed the fragility of the cybersecurity insurance sector. Given the ambiguous language and various exclusions in cybersecurity insurance policies, industrial enterprises are likely to reallocate budgets to improve their risk management solutions rather than relying on their insurance.