Friday, November 8, 2024

SANS Institute 2024 survey reveals progress and gaps in ICS/OT cybersecurity for critical infrastructure


The SANS Institute has released its SANS 2024 ICS/OT cybersecurity survey, highlighting notable advancements and persistent challenges in safeguarding critical infrastructure. The SANS Institute 2024 survey identified improved detection capabilities, significant gaps in preparation and workforce, growing adoption of cloud solutions, and limited AI (artificial intelligence) adoption.

The report underscored advancements in cybersecurity for ICS (industrial control systems) and OT (operational technology) while stressing the urgent need to enhance response capabilities. It warned that although some organizations have made progress, many still leave critical systems vulnerable, highlighting a significant gap in ICS/OT security between organizations that are well protected and those that are not.

Presented by SANS certified instructor and survey author Jason D. Christopher, the SANS Institute 2024 survey revealed that organizations using ICS/OT cybersecurity standards and threat intelligence to guide their program are light-years ahead of their peers in terms of maturity and capabilities. Such organizations are quicker to detect cyber events, are more likely to have mapped all external connections to the industrial environment, and typically have ICS/OT-specific security operations centers (SOCs).

In comparison, organizations without such guiding principles tend to lack central governance for industrial cyber risk management and lack basic capabilities, like a dedicated incident response plan.

“There’s a growing recognition of the importance of ICS/OT security, and the good news is that the industry is maturing,” Christopher detailed in a media statement. “We’re seeing more time, resources, and strategy being allocated to protect these systems. However, the gaps we’re identifying, particularly around ICS/OT-specific security operations and visibility into industrial environments, highlight that we still have a lot of work to do.”

The SANS Institute 2024 survey also examines historical trends over the past five years, with some hopeful signs of improved security for industrial facilities. For example, in 2019 a majority of respondents that suffered an ICS/OT cybersecurity incident took, on average, 2-7 days to detect a compromise. Five years later, over half of respondents reported that the same capability took less than 24 hours, a marked improvement for critical infrastructure asset owners and operators. Similarly, basic security protections like endpoint protection and multi-factor authentication for remote access have seen drastic increases in their deployments since 2019.

The SANS Institute 2024 survey also identified improved detection capabilities. In 2019, OT-specific monitoring was used by only 33 percent of respondents; that figure saw a significant jump to 52 percent in 2024, highlighting the importance of visibility for these critical networks. It also revealed significant gaps in preparation and workforce. Only a small percentage (34 percent) of respondents prepare for cyber incidents using various environments with ICS/OT-specific tools.

Combined with the majority (51 percent) of respondents protecting these systems without a relevant certification, the report notes cause for concern when examining how prepared security teams are to recover from an industrial cyber incident.

The SANS 2024 State of ICS/OT Cybersecurity survey also found growing adoption of cloud solutions. Despite concerns, cloud-based ICS/OT solutions saw an over 15 percent increase in adoption, especially in non-regulated environments. Lastly, it disclosed limited AI adoption, as AI remains largely experimental, with few organizations applying it to ICS/OT due to a lack of use cases and safety/reliability concerns.

“The gap between security leaders and the rest of the industry is growing,” Christopher continued. “We see some organizations doing incredible work, leveraging both industry standards and ICS-specific threat intelligence to improve security posture. Still, many others are just beginning to grasp the complexity of securing these critical environments and this disparity poses a major risk as interconnectedness increases.”

The SANS Institute 2024 survey comes at a time when the U.S. Department of Homeland Security (DHS) highlighted in its 2025 Homeland Threat Assessment (HTA) that domestic and foreign adversaries are almost certain to continue posing threats to the integrity of the nation’s critical infrastructure over the next year.

The SANS Institute is hosting the SANS 2024 ICS/OT Cybersecurity Survey Webcast on Oct. 9, 2024, at 10:30 AM EDT, where it will explore these findings and provide additional details. The webcast will feature survey author Jason Christopher, who will discuss trends with survey sponsors and industry leaders Vincent Stoffer, Richard M. Springer, Eric Knapp, Joe O’Donnell, and Randy Benn. These industry experts will provide actionable recommendations and analysis on enhancing ICS/OT security strategies. Registrants will also receive a complimentary copy of the survey whitepaper.
