Operational technology threats aren’t just for industrial CISOs anymore, as enterprises from nearly every vertical increasingly connect OT devices to their IT networks.

To better leverage the power of data and digital services, enterprises are increasingly converging operational technology (OT) and IT networks in pursuit of efficiencies and business value. But connecting previously isolated OT systems to IT networks exposes them to a wider range of cyber threats, including denial-of-service disruptions and ransomware attacks. The exposure runs both ways: OT systems, often outdated and originally designed to operate in air-gapped environments, can introduce new vulnerabilities into the corporate networks they are joined to.

As such, the growing integration of OT into IT networks is making the security of operational technology systems a rising concern for mainstream CISOs — not just those who work in petrochemicals, utilities, or other traditionally industrial domains. That’s because a growing variety of locations, from data centers to office buildings, are becoming more reliant on OT systems for everything from HVAC (heating, ventilation, and air conditioning) controls to building access, among other uses.

Arne Helgesen, a cybersecurity expert at industrial facilities SaaS provider Sharecat, tells CSO that OT security threats have become a mainstream concern. “Legacy OT systems were designed before cybersecurity existed and now they’re exposed to modern IT threats,” according to Helgesen.
“It’s not just about keeping the petrochemical plants or power stations safe anymore — any business using OT, like HVAC or access control systems, is at risk.” Helgesen continues: “Once you connect these systems to IT networks, you open up the door to attackers who can exploit weak OT devices to move laterally across environments, potentially causing serious damage.”

Rising threat

In May, Microsoft warned of attacks focusing on internet-exposed, poorly secured OT devices — a theme that the company expanded on in its recently published Digital Defense Report. “Threat actors are now exploiting OT devices to do everything from accessing critical and operational networks, to enabling lateral movement, establishing a foothold in a supply chain, or disrupting the target’s OT operations,” warns Microsoft, whose data centers — like those of many enterprises — rely heavily on OT equipment, such as sensors and actuators, to manage power and cooling systems.

According to a recent study by Palo Alto Networks, 76% of organizations reported cyberattacks against their OT environments in the past twelve months. Nearly three in four (72%) of the attacks on OT systems started in IT environments. Malware, ransomware, and insider attacks were the three most feared attack types, according to Palo Alto’s report. Ransomware syndicates such as DarkSide (blamed for the notorious Colonial Pipeline attack in 2021), BlackCat, and Ryuk have successfully crossed the IT-OT boundary to target OT environments.

A separate report on operational technology and cybersecurity from security vendor Fortinet also records an increased frequency of attacks. It found that nearly 30% of organizations reported six or more intrusions in the previous year, up from just 11% in 2023.

Patching headaches

National security agencies recently urged the IT community to prioritize OT security, a far from straightforward task.
Many OT systems run on legacy platforms that lack modern security features, such as encryption and authentication, and are not regularly updated or patched, making them more vulnerable once connected to IT networks.

Michael Skelton, VP of operations at bug bounty platform Bugcrowd, a YouTuber and former hacker, tells CSO: “[OT systems] often lack key security features like modern authentication and detailed access control, leaving them exposed to attacks that exploit these gaps. Additionally, these systems typically prioritize safety and availability over security, making it difficult to apply traditional IT defenses.”

OT environments are often mission-critical and set up without any allowance for downtime. This makes patching OT systems challenging, since rebooting a controller after a periodic update isn’t an option. Patching ICS/OT systems can be highly complex and requires detailed planning and assessment, including distinguishing between offline/emergency and live systems as well as testing and validating patches before they reach production.

Older, unsupported systems may have known vulnerabilities that can be exploited but for which no patch will ever be available. This is a significant problem because industrial control systems typically have a lifetime of up to 20 years, ample time for vendors to discontinue product lines or go out of business. For legacy systems that cannot be patched, compensating controls such as stricter access control, additional monitoring, or network segmentation should be implemented. Network segmentation, including micro-segmentation that restricts a device to a short allow-list of peers and protocols, effectively isolates an aging or otherwise vulnerable system while allowing it to remain functional.

Culture clashes

Lack of cross-domain expertise and culture clashes between OT and IT support teams can also be a problem.
Bharat Mistry, field CTO at Trend Micro, tells CSO: “IT security teams often lack understanding of the unique protocols and requirements of OT systems, while OT personnel may not be well-equipped to deal with sophisticated IT security threats, leading to security gaps.”

A recent SANS Institute survey showed that almost 50% of the attack vectors on OT assets are ultimately attributable to IT network breaches. IoT devices in OT networks can also introduce additional vulnerabilities.

OT risk mitigation

CISOs should focus on implementing isolation strategies such as network segmentation; tailored patch management that accounts for any dependencies these systems rely on; and comprehensive visibility across both OT and IT infrastructures to detect and mitigate cross-domain risks.

“Automated asset discovery tools can map out devices, communication flows, and vulnerabilities across both IT and OT environments, giving CISOs the insights needed to understand their risk exposure,” says Akhil Mittal, senior security consulting manager at Black Duck.

Industry standards and frameworks also offer CISOs best-practice guidelines for OT security. For example, the Purdue Enterprise Reference Architecture (PERA) model arranges an industrial network into hierarchical levels, from field devices and controllers at the bottom up to enterprise systems at the top, and places an industrial demilitarized zone between the enterprise and industrial segments so that no traffic crosses that boundary directly. Infrastructure should also move toward Zero Trust models, where each connection needs to be authenticated and authorized.

“Asset and device inventory play a critical role in supporting Zero Trust and proper segmentation in ICS/OT,” according to Antonio Maini, a detection researcher at threat intel firm ReliaQuest. “This requires mapping all forms of network connectivity between devices, users, applications, and data stores.
It should identify local LAN, WAN, and remote access, as well as identify the protocols being used.” Maini adds: “Workflows and interdependencies should also be documented.”

In addition to security standards for key communication protocols, the international standard IEC 62351 provides guidance on designing security into systems and operations before building them, rather than applying security measures after the systems have been implemented. “For the countless legacy systems still in use, the standard provides practical advice on managing transitions to security-based designs, including countermeasures in all system retrofits and upgrades,” says Gilles Thonet, deputy secretary-general of the IEC (International Electrotechnical Commission).
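The two practical threads above, segmentation as a compensating control for an unpatchable legacy device and an asset inventory that records zones, flows, and protocols, can be tied together in a check that runs over collected flow records. The following Python script is an added example written for this article; it is not code from CSO, from any vendor quoted here, or from a real asset-discovery product. Every address, zone boundary, host role, and flow line in it is constructed for illustration: it models a Purdue-style zone map with an industrial DMZ at level 3.5, a short allow-list for one hypothetical legacy PLC, and a table of well-known industrial protocol ports, then flags flows that cross the enterprise/industrial boundary without traversing the DMZ, that carry an OT protocol from above the site-operations level, that reach the legacy PLC from an unlisted peer, or that involve an address missing from the inventory.

```python
"""Audit flow records against a Purdue zone model (added example, not from the article).

Each flow line is whitespace-separated: <timestamp> <src_ip>:<src_port> <dst_ip>:<dst_port> <proto>
All addresses, zones, hosts and flows below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed Purdue zone map. Level 3.5 is the industrial DMZ that enterprise
# (4/5) traffic must traverse to reach site operations (3) or control/field (0-2).
ZONES = [
    ("enterprise", 4.0, ip_network("10.0.0.0/16")),
    ("idmz", 3.5, ip_network("10.1.0.0/24")),
    ("site-ops", 3.0, ip_network("10.2.0.0/24")),
    ("control", 2.0, ip_network("192.168.10.0/24")),
    ("field", 1.0, ip_network("192.168.20.0/24")),
]

# Default TCP ports of common industrial protocols, used only to label flows.
OT_PORTS = {502: "modbus-tcp", 20000: "dnp3", 44818: "ethernet-ip", 102: "s7comm"}

# Micro-segmentation allow-list for one hypothetical unpatchable legacy PLC:
# it may only be reached from its HMI and the engineering workstation.
LEGACY_ALLOWLIST = {
    "192.168.10.5": {"192.168.10.20", "192.168.10.30"},
}


def zone_of(ip):
    """Map an address to its (zone name, Purdue level); level is None if unmapped."""
    addr = ip_address(ip)
    for name, level, net in ZONES:
        if addr in net:
            return name, level
    return "unknown", None


def parse_flow(line):
    ts, src, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port), "proto": proto}


def evaluate(flow):
    """Return the policy findings for one flow; an empty list means it is allowed."""
    src_zone, src_lvl = zone_of(flow["src"])
    dst_zone, dst_lvl = zone_of(flow["dst"])
    if src_lvl is None or dst_lvl is None:
        # An address absent from the inventory is itself a finding:
        # you cannot segment what you have not mapped.
        return ["unknown-asset"]
    findings = []
    # Rule 1: enterprise (>= 4) and anything at or below site ops (<= 3) must not
    # talk directly; the only permitted path is through the iDMZ (3.5).
    if (src_lvl >= 4 and dst_lvl <= 3) or (dst_lvl >= 4 and src_lvl <= 3):
        findings.append(f"bypasses-idmz:{src_zone}->{dst_zone}")
    # Rule 2: industrial protocols carry no authentication, so they must not be
    # initiated from above the site-operations level.
    proto_name = OT_PORTS.get(flow["dport"])
    if proto_name and src_lvl > 3:
        findings.append(f"ot-protocol-from-{src_zone}:{proto_name}")
    # Rule 3: allow-list for the legacy PLC (compensating control for a device
    # that cannot be patched).
    allowed = LEGACY_ALLOWLIST.get(flow["dst"])
    if allowed is not None and flow["src"] not in allowed:
        findings.append(f"legacy-asset-unexpected-peer:{flow['src']}")
    return findings


def audit(lines):
    """Return [(line, findings)] for every flow line that violates policy."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        findings = evaluate(parse_flow(line))
        if findings:
            results.append((line, findings))
    return results


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = """
# ts                  src                  dst                   proto
2024-11-05T08:00:01Z  192.168.10.20:50012  192.168.10.5:502      tcp
2024-11-05T08:00:02Z  10.2.0.15:40000      10.1.0.10:443         tcp
2024-11-05T08:00:03Z  10.1.0.10:40001      10.0.3.7:443          tcp
2024-11-05T08:00:04Z  10.0.3.7:51000       192.168.10.5:502      tcp
2024-11-05T08:00:05Z  192.168.10.40:50013  192.168.10.5:502      tcp
2024-11-05T08:00:06Z  10.0.3.7:51001       10.2.0.15:3389        tcp
2024-11-05T08:00:07Z  203.0.113.9:4444     192.168.20.3:20000    tcp
""".splitlines()

if __name__ == "__main__":
    for line, findings in audit(SAMPLE_FLOWS):
        print(line, "->", ", ".join(findings))
```

Of the seven constructed flows, the first three (HMI to PLC, site ops to DMZ, DMZ to enterprise) pass, while the enterprise workstation that reaches the PLC over Modbus trips all three rules at once, which is exactly the pattern the article describes: an IT-side foothold reaching an unauthenticated OT protocol without any DMZ in the path. The zone table and allow-list are the part a real deployment would feed from its asset discovery tooling rather than hard-code.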