Operational technology (OT) security is crucial for safeguarding industrial control systems (ICS) and other critical infrastructure from cyberattacks. These systems manage and monitor physical processes, making them susceptible to disruptions that could have severe consequences.
OT systems face a range of security vulnerabilities, including malware infiltration, human error, lack of visibility, outdated software, and insecure remote access. Malware can enter systems through phishing emails, infected removable media, or unpatched software vulnerabilities. Human error, such as clicking on malicious links or opening infected attachments, can also give attackers access to OT systems. Lack of visibility, outdated software, and insecure remote access are further leading causes of OT security vulnerabilities.
Common vulnerabilities in OT security
In 2023, ransomware activity remained high, with threat actors claiming hundreds of new victims and attacks increasing by more than 95% compared to the year before. Paul Evans, Principal Sales Engineer of Northern Europe at Nozomi Networks says: “The most impactful ransomware event was orchestrated by the Cl0p ransomware gang, which continues to exploit the CVE-2023-34362 vulnerability in MOVEit Transfer software, with the first known exploits deployed at the end of May.
“According to recent research into OT network domains, Denial-of-Service (DoS) malware activity leads in frequency as one of the most prevalent attacks against OT systems. This is followed by the Remote Access Trojan (RAT) category, commonly used by attackers to establish control over compromised machines as it provides flexibility in the next stages of an attack.”
OT cyberattacks predominantly come in two forms: tailored attacks and opportunistic attacks. Tailored attacks are meticulously crafted for specific targets, aiming to establish long-term, undetected access for purposes of physical disruption or destruction. Opportunistic attacks, on the other hand, exploit common vulnerabilities and utilise established tactics, techniques, and procedures (TTPs) to gain access to OT systems.
“The number of threats and actors targeting OT has increased,” explains Evans. “Nation-state actors, cybercriminals who understand the economic value represented by each sector, and hacktivists seeking to publicly advance their objectives or broad agendas.”
The biggest challenges surrounding OT security
Internet connectivity has revolutionised the way organisations operate, enabling seamless communication, collaboration, and access to information. However, it has also introduced a new realm of vulnerabilities that pose significant cybersecurity threats.
Simon Hodgkinson, the former Chief Information Security Officer (CISO) at BP and current Strategic Adviser at Semperis, says: “Operational technology security is becoming increasingly important. Yet, one obstacle for security practitioners is to bridge the cultural chasm with OT engineers, where cyber security is often seen as just one risk among many that might well be sector-specific, such as safety, environmental and performance risks.
“IT cybersecurity professionals focus on IT security first. They want to protect information from theft, prevent unauthorised access to IT systems, and stop phishing attacks on their users. OT engineers, however, are less concerned with these things. Instead, their focus is on controllers and sensors that affect physical processes and systems. As such, they're preoccupied with operational uptime, physical security and safety.”
Jayne Goble, Director at KPMG UK, explains: “There are two major obstacles: visibility and outdated equipment. Because they are too old, certain equipment won't have the required patches available. Equipment replacements in the IT industry are frequent and simple. It is not the same in the OT world, as some equipment will only work on an old operating system, and in many cases, continuing to use it is the only option when it comes to crucial operations.
“The merging of OT and IT means that organisations must link together the two environments’ people, systems, and processes to generate an intelligent, more secure network with increased visibility to monitor and control both environments. However, I frequently witness a lack of cooperation between both teams, which also results in careless, disorganised security procedures.”
Detecting and responding to OT security incidents
Cybersecurity controls in OT environments pose unique challenges compared to those implemented in traditional enterprise IT infrastructure. According to Evans, there are a few key steps that organisations should take in order to help the incident response team detect a threat and move quickly and effectively in response to it.
“First, create a comprehensive inventory of all assets within the environment using a continuous monitoring tool,” he explains. “Second, deploy continuous monitoring for industrial networks to capture real-time data on traffic patterns and anomalies. Third, conduct regular vulnerability assessments to identify vulnerabilities in hardware, software, and configurations. Fourth, OT networks should be segmented from corporate networks, and remote access should be limited and/or compensated by additional security measures like multifactor authentication and zero trust strategies.”
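The inventory, monitoring and segmentation steps Evans lists, worked through as an added example that is not from the article or from Nozomi Networks: a small Python checker that holds a constructed asset inventory and segmentation policy and flags flow records showing an unknown OT device, corporate-to-OT traffic that bypasses the jump host, and remote access without MFA. All addresses, device names, the jump host and the `mfa` field on each flow are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed asset inventory (step 1): what the OT network is expected to contain.
INVENTORY = {"10.10.1.10": "plc-line1", "10.10.1.11": "hmi-line1",
             "10.10.1.50": "historian", "10.10.1.250": "jump-host"}
OT_NET = ip_network("10.10.1.0/24")     # constructed OT segment
CORP_NET = ip_network("10.20.0.0/16")   # constructed corporate segment
JUMP_HOST = "10.10.1.250"               # constructed: the only sanctioned remote-access entry point

@dataclass
class Flow:                              # one constructed flow record from the monitoring sensor
    src: str
    dst: str
    dport: int
    proto: str
    mfa: bool = False                    # constructed field: was the session MFA-authenticated?

def check_flow(flow):
    """Return the findings for one flow record; an empty list means nothing to report."""
    findings = []
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    # Steps 1 and 2: an OT-side address missing from the inventory is an unknown asset.
    for addr in (flow.src, flow.dst):
        if ip_address(addr) in OT_NET and addr not in INVENTORY:
            findings.append(f"unknown OT asset {addr}")
    # Step 4: corporate hosts must not reach OT directly, only through the jump host.
    if src in CORP_NET and dst in OT_NET and flow.dst != JUMP_HOST:
        findings.append(f"segmentation bypass {flow.src} -> {flow.dst}:{flow.dport}")
    # Step 4: remote-access sessions into OT must carry MFA.
    if flow.dst == JUMP_HOST and flow.proto in ("rdp", "ssh") and not flow.mfa:
        findings.append(f"remote access without MFA from {flow.src}")
    return findings

def monitor(flows):
    """Run the checks over a batch of flows; returns {index: findings} for flows that hit."""
    results = {}
    for i, fl in enumerate(flows):
        hits = check_flow(fl)
        if hits:
            results[i] = hits
    return results

# Constructed sample traffic: one expected flow, the three conditions above, then a clean login.
SAMPLE = [
    Flow("10.10.1.11", "10.10.1.10", 502, "modbus"),       # HMI polling PLC: expected
    Flow("10.10.1.77", "10.10.1.10", 502, "modbus"),       # source not in the inventory
    Flow("10.20.5.4", "10.10.1.10", 502, "modbus"),        # corporate host straight to the PLC
    Flow("10.20.5.4", JUMP_HOST, 3389, "rdp", mfa=False),  # remote access without MFA
    Flow("10.20.5.9", JUMP_HOST, 3389, "rdp", mfa=True),   # sanctioned remote access
]
```

Running `monitor(SAMPLE)` reports only the three problem flows; the expected HMI-to-PLC poll and the MFA-backed jump-host login produce no findings.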
Looking at the big picture, Goble believes that OT should take a leaf out of IT’s book and import best practices from IT security. In practice this means capturing the processes that are routine in the IT environment and applying them to OT.
“Wherever possible, merge and consolidate the asset management strategies and cyber solutions currently in use,” she says. “Reducing complexity makes the task easier to handle. Consider what your OT ‘crown jewels’ are. What do cybercriminals view as your most important OT assets, and how are they likely to attempt to access them? While keeping an eye on your long-term plan, don't forget about the present. Protect the resources that are most important to your organisation.”
Collaboration is key to improving OT security
Today, cybersecurity is no longer just a concern for individual companies; it is a shared responsibility that requires collaboration among enterprises. By working together, businesses can share threat intelligence, develop common standards and pool resources to create a more secure environment for everyone.
“Collaboration among enterprises has enormous potential to transform the cybersecurity landscape,” Evans explains. “Sharing information between organisations, particularly those within the same industry, about the types of attacks will lead to enterprises being able to enhance their security.”
Hodgkinson considers that one measure which will bridge the divide is a cross-disciplinary centre of excellence for OT security. “This will bring together OT engineering and cyber teams, to deliver an achievable, pragmatic program of security improvements to reduce cyber risk, whilst maintaining the operation.
“This centre can be internally focused at the beginning, but there is plenty of opportunity for extending it to external stakeholders, including regulators and peers in your sector. Sharing information and best practices in OT security is a powerful step in getting ahead of attackers, and industry-specific ventures such as Information Sharing and Analysis Centers (ISACs) are an excellent place to begin.”