Operational technology (OT) systems are the hardware and software used to monitor and control physical industrial processes. OT is applied in manufacturing and critical infrastructure to automate and optimize operations for many vital industries.
However, ITIL has opened the door to greater connectivity for these previously separate, highly isolated OT networks, and with it to potentially severe cyber security risk. With digital transformation happening at a rapid pace, securing OT is no longer a luxury for any government or enterprise in the world.
This article will provide an overview of the most prevalent OT vulnerabilities, major reported incidents, unique OT security challenges, and best practices to reduce exposure.
The Growing Threat Landscape
Cybercriminals and state-sponsored actors alike now routinely target OT. Some seek financial gain; others conduct espionage or deliberately disrupt critical services. In the last couple of years, adversaries have grown more innovative, with OT-specific malware increasing in scale and sophistication.
As reported by Dragos in its 2022 ICS/OT Cybersecurity Year in Review, there has been a huge global increase in cyber threats and business disruption of critical infrastructure, correlated with rising global tension. Experts say, however, that this is probably only the tip of the iceberg, with most attacks going unreported.
The potential impact of a successful OT cyber attack also makes OT an attractive target for malicious actors. At a minimum, such attacks can cause production downtime, equipment damage and data loss. In the worst case, they could endanger lives or cause a catastrophic industrial accident.
Legacy Vulnerabilities
The increased targeting of OT partly stems from fundamental security issues rooted in legacy systems and architectures. Many OT environments rely on decades-old technology, which predates concerns over cyber risks.
Common problems include:
- Outdated software/hardware. OT environments often run legacy Windows systems like XP that vendors no longer support, unpatched programmable logic controllers (PLCs), human-machine interfaces (HMIs) and more. These contain well-known flaws that attackers can trivially exploit.
- Insecure by design. OT was never built to be secure. Basic protections such as authentication, encryption or activity logging are absent from components such as PLCs, which are left open at a base level.
- Resource constraints. Upgrading OT would require taking systems offline. Modern security tools also have stricter requirements than older ones, but many systems cannot support them because they have very limited computing resources, must remain compatible with legacy equipment, or are subject to regulation.
- Lack of monitoring. Compared to IT, OT generally has very little visibility into assets, network traffic, user activity and other behavior. Threats roam unchecked until they are finally detected.
Attack Vectors
While OT presents a large attack surface, adversaries generally target a handful of common vulnerabilities to gain initial access before escalating privileges. Tactics include:
Supply Chain Attacks
Threat actors increasingly compromise third-party suppliers, integrators and vendors to penetrate end-user OT networks. Notable examples include trojanized SolarWinds software used in the 2020 SUNBURST campaign and a 2022 attack on Triconex safety controllers via third-party support tools.
Supply chain attacks allow adversaries to bypass many endpoint and network defenses. Preventing them requires broad visibility into all vendor relationships, plus robust hardware/software integrity checks.
Phishing/Social Engineering
Despite lower staffing, OT personnel often hold elevated privileges for accessing critical systems. Targeted phishing emails or phone calls tricking engineers into disclosing credentials remain an easy route for attackers to infiltrate networks.
Strong user awareness training and multi-factor authentication help guard against unauthorized access via social engineering. Monitoring tools can also detect unusual account usage patterns.
Remote Access Hacking
The COVID-19 pandemic saw greatly expanded remote access to OT networks to accommodate disrupted operations. However, insecure methods like RDP or unprotected VPNs also offer ideal attack vectors for initial entry and lateral movement.
Organizations should inventory all OT access channels and ensure they adopt modern security controls like MFA, activity logging and zero-trust network segmentation.
Field Device Manipulation
Rogue firmware updates or the connection of unauthorized devices allow adversaries with physical proximity to compromise field instruments such as sensors. Stuxnet famously infected PLCs at Iranian nuclear centrifuges via infected USB drives.
Such devices can be hard to secure because the underlying field electronics were not designed to be secure. It is possible, however, with measures like firmware whitelisting, tamper-evident seals and disabling unused interfaces. Strict change management processes are also important.
Unique OT Security Challenges
Securing OT against modern threats is complicated by other intrinsic constraints, including:
24/7 Availability Requirements
OT systems have near-zero tolerance for downtime. But the standard IT security practice of patching often requires restarting equipment. This creates difficult trade-offs between maximum cyber protection and operational continuity.
Organizations tend to bridge this gap with carefully planned, incremental improvements combined with backup, redundancy and failover capabilities. In addition, quick detection of and response to threats reduce overall business disruption.
Safety Risks
Incorrect security measures could endanger personnel, trigger dangerous industrial failures or violate safe operating parameters – like disabling alerts before an unsafe pressure buildup.
Organizations need engineers and cybersecurity experts to closely collaborate in applying security controls built for OT’s specialized safety needs, not a one-size-fits-all IT approach.
Weak Identity and Access Management
Many legacy OT components have no native access controls or procedures. Shared credentials, unlabeled equipment and undocumented privilege requirements further obscure who can access what.
Establishing asset management, network zoning, robust access policies and even simple physical access barriers are major yet vital improvements.
Difficult Asset Management
Limited inventory visibility also means organizations often don’t know the full scale of vulnerabilities across disconnected legacy systems, remote sites and third-party networks.
Prioritizing OT asset discovery and management is foundational for managing cyber risk. Air-gapping systems also limits attack paths.
Weak Threat Monitoring
Legacy OT platforms provide little native visibility, while IT security tools like antivirus/endpoint detection can’t run on them. Their proprietary protocols also disguise malicious patterns.
Specialized ICS/SCADA monitoring solutions, plus intrusion detection systems (IDS) attuned to OT protocols, help overcome these blind spots.
Recent Significant Attacks
Understanding recent major OT cyber incidents further underscores the growing risks across sectors:
Triconex Attack (2022)
Hackers compromised third-party support tools from industrial giant Schneider Electric to deliver malware designed to disable Triconex safety instrument systems used in power plants and oil/gas facilities globally. While Schneider Electric issued patches, the nature of the supply chain meant vast exposure.
Colonial Pipeline (2021)
The attack is likely linked to the Russia-based ransomware gang DarkSide, which was able to infiltrate Colonial Pipeline’s IT and OT infrastructure through a single compromised password. The resulting disruption caused fuel shortages across the Eastern US.
SolarWinds Sunburst (2020)
Like dozens of hacks in recent years, this was a supply chain attack, but on a giant scale: major US elections, corporations and government agencies were hit by a devastating campaign that delivered malicious code through compromised updates to network management software from IT vendor SolarWinds.
TRITON (2017)
The TRITON malware, built by the Russian-linked group TEMP.Veles, was considered the first known destructive attack on safety instrument systems. In 2017, it caused an operational outage at a critical infrastructure facility in Saudi Arabia. TRITON could have triggered an explosion had it been activated under unsafe physical conditions.
Ukraine Power Grid Attack (2015)
After hijacking IT networks using BlackEnergy malware, state-sponsored Russian hackers cut power to more than 200,000 Ukrainians, manipulated OT systems to open circuit breakers at dozens of distribution substations and flooded customer call centers. The multi-phase attack displayed a new level of OT targeting.
Securing OT Environments
With threats rising, operators globally are prioritizing strategic OT security programs built on frameworks like NIST SP 800-82 for ICS security. Core initiatives should focus on:
- Comprehensive Asset Inventory. Managing risk starts with a complete inventory of all OT assets, networks and data flows. Systems should also be classified by criticality according to their potential impact.
- Vulnerability Assessments. Regularly conduct penetration testing, red team exercises and vulnerability scans tailored to OT, then prioritize patching by criticality. Continuous automated scanning is ideal.
- Network Segmentation. Divide OT infrastructure into separate security zones with granular access controls and monitoring. This shrinks attack surfaces and limits lateral movement.
- Improved Authentication and Authorization. Replace shared credentials with role-based access control policies tied to individual accounts with strong passwords and multi-factor authentication.
- Enhanced OT Visibility. Collect and correlate security event data across OT and IT environments. Look for unusual access attempts, malware signatures, protocol anomalies and other threats.
- Incident Response Planning. Develop detailed response plans specifying cross-functional teams, communication protocols, and decision authorities, plus technical and legal response procedures to ensure rapid yet controlled threat containment and recovery.
- Employee Training. Educate all personnel – especially engineers/operators – on policies, cyber risks, social engineering red flags and reporting procedures. Stress the special nature of OT.
- Vendor Risk Management. Closely vet suppliers, integrators and partners. Contractually mandate they meet OT cybersecurity standards or support independent audits.
- Insurance Protection. Specialized cyber insurance helps hedge residual risks and fund expert incident response. However, insurers will require organizations to demonstrate solid OT security foundations beforehand.
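As an added example (not from the original article) of the protocol-aware monitoring called for under Weak Threat Monitoring and Enhanced OT Visibility above: a minimal Modbus/TCP request parser combined with an allowlist of which master may issue write function codes to which unit, run over sample traffic. The IP addresses, allowlist and frames are constructed for illustration.

```python
import struct

# Modbus/TCP function codes that change process state (writes), as opposed to
# read-only polling; these are the ones an OT-aware IDS should gate.
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Constructed allowlist (hypothetical): which master IP may write to which
# unit ids. In practice this is derived from the OT asset inventory.
WRITE_ALLOWLIST = {"10.1.1.10": {1, 2}}  # the engineering HMI

def parse_modbus_tcp(payload):
    """Parse the MBAP header and return (unit_id, function_code), or None
    when the bytes are not a well-formed Modbus/TCP request."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0 and the length field must cover unit id + PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]

def check_request(src, unit, function):
    """Return an alert string if a write violates the policy, else None."""
    if function not in WRITE_CODES:
        return None
    if unit in WRITE_ALLOWLIST.get(src, set()):
        return None
    return (f"ALERT {src} -> unit {unit}: unauthorised "
            f"{WRITE_CODES[function]} (fc {function})")

def scan(frames):
    """Run (src, payload) pairs through the parser and the policy check."""
    alerts = []
    for src, payload in frames:
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            alerts.append(f"ALERT {src}: malformed or truncated Modbus/TCP frame")
            continue
        alert = check_request(src, *parsed)
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample traffic as (source IP, raw TCP payload) pairs.
SAMPLE_FRAMES = [
    ("10.1.1.10", bytes.fromhex("000100000006010300000002")),  # HMI reads 2 registers: benign
    ("10.1.1.10", bytes.fromhex("00020000000601060010ff00")),  # HMI writes register: allowed
    ("10.1.9.55", bytes.fromhex("0003000000060105000aff00")),  # unknown host writes coil: alert
    ("10.1.9.55", bytes.fromhex("0004000000")),                 # truncated frame: alert
]
```

Calling `scan(SAMPLE_FRAMES)` yields two alerts: the coil write from the unknown host and the truncated frame; the HMI's read and its permitted write pass silently.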
The OT Cybersecurity Talent Shortage
Robust OT cybersecurity is already difficult to implement given resource constraints and legacy technology. Unfortunately, the widening cybersecurity skills gap makes finding qualified talent even more difficult.
Now that cyber risk is a board-level concern, demand for OT security specialists vastly exceeds supply, even as new college programs begin to appear. Non-specialists generally lack the OT domain expertise needed to secure operational environments safely.
Organizations should therefore concentrate on growing their internal OT cyber talent and leverage third-party services such as ICS/SCADA-focused managed detection and response (MDR) providers. Building relationships with industry groups like ICS-CERT also improves access to threat intelligence and support if attacked.
The Future of OT Cybersecurity
With digital transformation accelerating, industrial organizations must prioritize cybersecurity as much as productivity and safety for the next generation of smart facilities. This includes fully integrating OT into enterprise security programs rather than treating it as a siloed, separate domain.
While securing legacy technology remains a constraint, newer architectures like the Industrial Internet of Things (IIoT) bring built-in security in the form of encryption, access controls and secure boot capabilities.
Transitioning to these updated OT platforms is a long-term but necessary risk management strategy. Operators should also use automation and technologies such as virtualization to implement security controls without impacting production.
No environment can be 100% secure. Nevertheless, by continuously investing in OT security, an organization’s attack surface and business risk can be drastically reduced. In a hyper-connected world, threats to industrial systems are borderless, and vigilant prevention and rapid response are the last line of defense.