Common ICS Cybersecurity Myths: Lessons Learned

Misconceptions about ICS/OT cybersecurity are stubborn. This “mythbusting” blog series dispels five common myths related to ICS cybersecurity. Catch up on previous entries if you’re interested:

Now, let’s look back at this series with a few parting thoughts on the state of ICS cybersecurity today.

Lessons Learned from Recent Attacks and Industry Surveys

Major Trends in ICS Cybersecurity

  • ICS cyberattacks involving cyber criminals, hacktivists, and nation states are on the rise
  • Most organizations recognize risks to their ICS and are taking numerous initiatives to address these risks
  • The ICS cyber workforce/skills gap is widening
  • Governments are declaring cyber as a national security threat, and enacting more laws and regulations (NERC CIP, NIS Directive, CFATS, Nuclear, etc.)

According to a report from the World Energy Council, most technology executives feel they are losing ground to attackers and lack the facts to make effective decisions. The report also mentions that most companies have difficulty quantifying the impact of risks and mitigation plans.

Image source: World Energy Council

Many organizations feel that they are not prepared for cyber exploits and security breaches. A study conducted by Siemens and Ponemon Institute found that only 35 percent of respondents rate their organization’s cyber readiness in the OT environment as high, and 61 percent of respondents say their organization’s industrial control systems protection and security are not adequate.

Cyberattacks on ICS often go undetected due to lack of visibility, monitoring, and forensics capabilities. In the case of the cyberattack on the Ukrainian utilities in 2015, attackers gained initial access in July 2015 and remained in their network undetected until they caused a power outage on 23 December 2015.

Phishing attacks via email are one of the top attack vectors for initial point of entry. Other attack vectors into ICS include USB/removable media, remote access, and supplier networks. USB and social engineering vectors were used for STUXNET, and surprisingly, these are still two of the top 10 risks to ICS networks.

Cyber risks, especially across the supply chain, are challenging to address. According to a recent survey of the energy sector, 69 percent of respondents believe their organization is at risk because of uncertainty about the cybersecurity practices of third parties in the supply chain, and 61 percent say their organization has difficulty in mitigating cyber risks across the oil and gas value chain.

The biggest vulnerability to organizations is outdated and aging ICS. This is also the most difficult and time-consuming to address, and could adversely impact ICS due to compatibility issues, so mitigation requires careful planning and adequate testing.

Most organizations have realized that 100% effective security is not practically possible, and that they need to build incident response capabilities. Many organizations are taking the first step toward that goal by building visibility and baselining ICS networks.

Final Thoughts

Goodbye Air-Gapped Networks: Embracing Digitalization and Taking Back Control of ICS by Being Cyber Resilient

Hopefully, the facts and data presented in this blog series will help in cracking a false sense of security created by age-old beliefs and myths, and expose the ground reality of ICS cybersecurity.

ICS cybersecurity issues cannot be solved by adding new technologies and processes alone. It will require a huge change in culture that challenges the old beliefs and myths, and bridges the gaps between business objectives and ICS cybersecurity needs. Boards need to provide leadership by facilitating strong governance, risk management, and collaboration among all functions within their organizations-including OT, IT, ERM, and EHS.

The very first step required is understanding of the threat landscape and gaining visibility into assets. The MITRE ATT&CK framework for ICS can be leveraged for understanding threats. New systems should be designed with built-in security. Last but not least, a documented and tested incident response plan should be in place to handle emergency situations in the event of a cyberattack.

Suggested Reading for ICS Cybersecurity

Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive weekly emails with links to the latest thought leadership, tips, research, and other insights from automation cybersecurity leaders.

Originally published at



International Society of Automation (ISA)

The International Society of Automation ( is a non-profit professional association founded in 1945 to create a better world through automation.