Planned ICS Security Spending: Incident Response, Anomaly Detection

In the SANS State of ICS/OT Cybersecurity 2024 report, 530 professionals working in critical infrastructure sectors were asked which technologies they have in their OT environments and what they were planning to add in the next year and a half. The two lists highlight which technologies are widely deployed and what areas security teams are going to focus on next. 

As for technologies currently in use, access controls (81%); backup and recovery tools (74.4%); endpoint detection and response tools such as traditional antivirus (73%); implementing segmentation between control systems and higher risk networks (66%); and securing remote access by deploying multi-factor authentication (65%) were the top five. These categories have seen “massive jumps in implementation,” SANS said in the report. Just 53% of respondents reported using EDR in 2019, which comes out to a 20% increase in 2024.

“We often describe ICS/OT as the ‘M&M’ model: hard shell, gooey center. This is why we focus a lot on IT–OT boundaries (i.e., the hard shell),” the report said. “However, security professionals need to also focus on toughening up that gooey center.”

Securing that “gooey center” may be one of the reasons for a shift suggesting more non-technology spending, such as in training, simulations, and incident response. When asked what new technologies or solutions are planned for the next 18 months, the five most-planned activities were: implementing ICS-specific cybersecurity metrics or dashboards (37%); deploying ICS network security monitoring and anomaly detection (33%); rolling out control system enhancements and upgrades (32%); conducting ICS-specific cybersecurity training (31%); and running ICS-specific incident response tabletops or simulations (30%). 

With the exception of cybersecurity metrics and dashboards, these planned technologies are already in use by nearly half of the respondents. The fact that over 30% more are making plans to use them suggest the industry is on the brink of another jump in implementation in these areas.

It’s worth noting that the three least deployed technologies for ICS defense had a “”urprisingly” larger number of respondents planning to invest in them over the next year and a half. Roughly a quarter of respondents have deployed the following technologies and solutions at this time: software bill of materials (25%); industrial cloud security (26%); and security orchestration, automation, and response (28%). A higher than average number of respondents have plans to start using SBOM (28%), industrial control security (23%), and SOAR (30%). 

The planned rates indicate these technologies may become more common across ICS security programs toon, SANS said.