The 2024 State of ICS/OT report shows our industry’s growth since 2019 and offers insight into how we may improve going into 2029.
Next year will mark the 20th anniversary of the SANS ICS Security Summit—our community’s largest asset owner/operator-driven educational event. In the two decades since its launch, our industry has grown considerably. In the pre-Stuxnet age, we were influenced by increased communications and data flowing across the IT-OT boundary (if such a boundary even existed).
Today, those communications and data flows have increased in both quantity and sophistication—and so have the threats.
Since 2017, the annual SANS State of ICS/OT Cybersecurity survey has provided the industry with a wealth of information to help calibrate and further refine our industrial cyber risk programs. By highlighting trends across critical infrastructure sectors, it lets asset owners and operators effectively benchmark aspects of their ICS/OT security capabilities. Since our first publication, the document has become a vital tool for CISOs, security leaders, and ICS/OT practitioners.
I am proud to have authored this year’s report, which continues the SANS tradition of providing actionable information for asset owners/operators of critical infrastructure—with a slight twist. New to the 2024 State of ICS/OT Cybersecurity report are observations on how the trends and data have changed over the past five years of previous reports. By expanding beyond the “snapshot in time” we traditionally provide, readers will be able to observe our industry’s growth since 2019—and infer how we may improve going into 2029.
This year’s report is organized around the SANS Five ICS Cybersecurity Critical Controls, originally published in October 2022 by Rob Lee and Tim Conway, with questions, data, and trend analysis offered to guide an organization on how to apply them. Don’t want to read about secure remote access? Skip it! Interested in non-ransomware cyber incidents that impacted ICS/OT networks? Jump to that section! With over 30 figures, tables, and graphs—and an underlying dataset of several thousand data points—you can nerd out on just about anything.
But if you’re short on time, here are the “hot takes” and soundbites to use at your next security meeting (organized within the Five Critical Controls):
Beyond the Five Critical Controls, this year’s report also dives deep into workforce management and governance, with some equally surprising hot takes:
Fully understanding the reaction this next statement may provoke, the data is also clear:
CISOs officially “own” ICS/OT cybersecurity.
For years, and still today, there has been a debate on the owner of ICS/OT cybersecurity programs and the associated risks. The argument against CISOs owning ICS/OT programs is that individual facilities may know their systems better and that the CISO has historically been an IT-centric position with little influence on the culture in OT and operations. In teaching ICS418 with co-author Dean Parsons, the historic SANS response to this debate would be “it depends,” as we’ve all seen successes and failures when ICS/OT reports to either CISOs, CTOs, or VPs of Engineering.
Well, the data does not lie, and we can provide some more definitive insights.
First, per the chart below, it is apparent that since 2019, CISOs are highly favored to be the “leader” for ICS/OT cybersecurity:
All the other categories, as not-so-subtly outlined above, are “noise” to the signal—CISOs are the primary owner time and again.
Meanwhile, this has an overwhelmingly positive influence on ICS/OT cybersecurity programs. The data routinely shows that a CISO-led ICS/OT cybersecurity program has a shared IT-OT budget, which tends to be larger than any individual industrial facility/site can manage on its own.
CISOs also bring order to the chaos. When a CISO is in charge of ICS/OT cybersecurity, 82% of their programs are mapped to standards, compared to 42% if no corporate-wide policies exist (a nearly two-fold difference).
Interestingly, this correlation has larger ramifications. Organizations that both map to security standards and use ICS/OT-specific threat intelligence to inform their program tend to be quicker at detecting (and responding to) cybersecurity incidents. These organizations are also 53% more likely to have documented all external connections to their industrial environments.
At the end of the day, the data is on the side of evolving the “Industrial CISO” into a role that truly owns and understands the implications of ICS/OT cybersecurity.
Does this mean every industrial CISO will be successful? Certainly not, and there will still be educational and cultural barriers to operating and sustaining these programs.
As in previous years, the 2024 State of ICS/OT Cybersecurity report analyzes the data behind ~40 technology categories used to manage industrial cyber risk. We included the full list in the appendix but dove deep on where the most growth will likely happen, to 1) help asset owners/operators with their 3-5 year budget plans, and 2) attempt to forecast trends based on the 2019-2024 growth.
Suffice it to say, the future looks cloudy. Technologically, that is: 26% of respondents are now utilizing cloud technologies for ICS/OT applications—marking a significant (+15%) increase from previous years.
Meanwhile, artificial intelligence (AI) is a hot topic for IT systems but still has a long way to go (rightfully so) until the technology will be leveraged in ICS/OT networks—though plans are already in the works across several organizations that participated in the survey.
After completing a look back from 2019-2024, the logical question should be “how do we prepare for the next five years?” Regardless of the starting point, where should organizations focus their time and effort?
Based on the data, the following three objectives have the highest correlations and indicators of a mature and robust ICS/OT cybersecurity program:
I encourage each of you to read the report in full—especially with the new historic trend information.
If you missed the webcast where we deep-dive into more specifics, be sure to check out the recording here.
Lastly, stay up-to-date and be sure to join us for the 20th anniversary of the SANS ICS Summit in June!
Jason D. Christopher has significantly influenced national cybersecurity policies through his leadership in developing the NERC Critical Infrastructure Protection standards and the U.S. Department of Energy's Cybersecurity Capability Maturity Model.