
In 2024, ransomware groups collected US$22m from UnitedHealth after crippling Change Healthcare. Chinese state hackers infiltrated nine major US telecommunications companies through Salt Typhoon operations. The Oldsmar water treatment plant operator nearly poisoned a city's water supply with a mouse click.
These incidents share a common thread: attackers now target physical processes, not just data. Industrial control systems that ran in isolation for decades face threats that can halt assembly lines, manipulate chemical processes, and disrupt power grids. The traditional air gap has vanished. Manufacturing facilities report 70% of cyber incidents now involve IoT devices, while only 12% of organisations maintain adequate OT network monitoring.
This week Cyber Magazine highlights the top 10 OT security threats, in association with Abnormal Security.
10. Pervasive lack of network visibility and monitoring
Key Companies: Claroty, Nozomi Networks, Dragos, Tenable, Cisco
Budget Impact: 60% of companies rate their cybersecurity budget as inadequate or uncertain, creating structural underfunding for OT security visibility tools
Organisations cannot protect assets they cannot see. Over half of industrial companies lack complete Software Bills of Materials (SBOM), making vulnerability management impossible. Only 12% of organisations report extensive monitoring capabilities within their ICS/OT networks, while just 31% have Security Operations Centers with OT-specific expertise.
The problem begins with incomplete asset inventories. Shadow OT devices exist on networks without formal tracking, often deployed by engineering teams without security oversight. Without baseline understanding of normal network behavior, detecting sophisticated attacks becomes impossible. Organisations attempt vulnerability management, network segmentation and intrusion detection without foundational visibility into their own infrastructure.
9. Cloud integration and misconfiguration risks
Key Companies: Microsoft Azure, Google Cloud, Palo Alto Networks, CrowdStrike, Siemens
Compliance Requirements: The Purdue Model framework, designed for on-premise environments, proves insufficient for hybrid multi-cloud architectures
Cloud migration promises efficiency but introduces new exposure risks. According to Gartner, 99% of cloud security failures through 2025 will result from human error in configuration. A Fortune 500 manufacturer accidentally exposed multiple SCADA system endpoints to the internet via misconfigured third-party remote access solutions hosted in the cloud, creating direct paths for attackers to disrupt production.
The shared responsibility model creates accountability gaps between cloud providers, OT vendors, and asset owners. The cloud provider secures infrastructure, customers configure applications correctly, and OT vendors manage SCADA-as-a-Service applications. This diffusion of responsibility leads to dangerous misconfigurations where each party assumes another handles critical security functions.
8. Insecure remote access
Key Companies: Xage Security, Waterfall Security, Palo Alto Networks, Cisco, Fortinet
Technical Standard: Zero Trust Network Access (ZTNA) adoption addresses least-privilege access requirements while maintaining operational efficiency
Remote access enables vendor maintenance and expert troubleshooting but frequently provides the most insecure network pathways. The Change Healthcare breach, which crippled US healthcare services in 2024, originated from attackers exploiting a remote access portal lacking multi-factor authentication. While 75% of organisations report using MFA for OT network remote access, 25% remain exposed.
The operational usability versus security conflict creates dangerous workarounds. OT operators need rapid access to dozens of machines from single Human-Machine Interfaces. Standard IT security requiring complex MFA for every interaction becomes operationally unworkable, leading OT teams to create insecure bypasses using shared accounts with simple passwords.
7. Vulnerabilities in Industrial IoT and edge devices
Key Companies: Nozomi Networks, Claroty, Armis, Microsoft, Honeywell
Regulatory Development: The EU's Cyber Resilience Act will mandate baseline security standards for all connected products
Industrial Internet of Things devices expand attack surfaces exponentially. Over 70% of manufacturers report cyber incidents linked to IoT devices, which often ship with default passwords, run on unpatchable firmware, and lack basic security controls. The homogeneity of underlying hardware components means single vulnerabilities can be exploited across multiple vendor products.
Georgia Tech researchers demonstrated how web-based management interfaces on modern PLCs could be compromised through malicious advertisements on trusted engineering forums. Attackers could install malware on PLCs via web browser interfaces, gaining full process control without bypassing traditional network firewalls. The scale of IoT deployments makes manual security oversight logistically impossible.
6. IT/OT convergence as attack pathway
Key Companies: Cisco, Fortinet, Palo Alto Networks, Siemens, Verve Industrial
Architecture Framework: Industrial Demilitarised Zones (IDMZ) provide secure buffers between IT and OT networks with strict traffic controls
Digital transformation has dissolved the air gap between business networks and plant floors. The SANS Institute identifies lateral movement from compromised enterprise IT networks as the most common attack vector into industrial control systems. This convergence creates new pathways while exposing deep cultural divisions between IT and OT teams.
IT departments prioritise data confidentiality with tolerance for temporary disruptions during security updates. OT departments prioritise continuous availability where unplanned downtime costs millions and creates safety risks. This fundamental conflict in priorities leads to security gaps at the IT/OT boundary, where teams create insecure workarounds to bypass controls they perceive as disruptive.
5. Exploitation of legacy systems
Key Companies: Siemens, Honeywell, Tenable, Fortinet, CounterCraft
Mitigation Strategy: Compensating controls including network segmentation, virtual patching, and deception technology provide protection without touching vulnerable assets
Industrial control systems operate for decades, creating permanent pools of vulnerable targets. Many critical processes run on Windows XP systems with unpatchable operating systems and lack basic security controls. The operational requirement for continuous availability makes patching a major risk undertaking, leading to an “if it isn’t broken, don’t fix it” mentality.
The patching dilemma reflects fundamental IT/OT cultural differences. IT environments routinely apply weekly security patches with automated processes. OT environments require production shutdowns to patch programmable logic controllers or SCADA servers, making patches operationally and financially unacceptable. This creates expanding inventories of known, documented vulnerabilities that attackers actively exploit.
4. Insider threats and human error
Key Companies: Abnormal Security, Proofpoint, Mimecast, CrowdStrike, Darktrace
Strategic Shift: Technology deployment moves from attempting to perfect human behaviour to assuming human fallibility and building technological safety nets
Human factors remain critical vulnerabilities whether through malicious intent or accidental mistakes. Verizon's 2024 Data Breach Investigations Report found 68% of breaches involve non-malicious human elements. The 2021 Oldsmar water treatment plant incident demonstrated how operator error could have created public health crises when sodium hydroxide levels were accidentally changed to dangerous concentrations.
Social engineering and phishing remain primary methods for external attackers to gain initial network access. Attackers craft convincing emails to steal credentials, then pivot from IT environments into OT networks. The persistence of human error as an attack vector despite decades of security awareness training suggests education alone provides insufficient protection.
3. Supply chain compromise
Key Companies: Fortinet, Cisco, Palo Alto Networks, Nozomi Networks, Waterfall Security
Security Model: Zero Trust architecture adoption counters supply chain threats through micro-segmentation and continuous verification principles
Organisations face security risks from trusted vendor relationships. Supply chain attacks exploit inherent trust in software updates, hardware components and service providers. The December 2024 US Treasury breach resulted from attackers exploiting vulnerabilities in BeyondTrust remote support software rather than direct Treasury system compromise.
The SolarWinds attack demonstrated how 18,000 organisations could be compromised through single vendor infiltration. OT environments face particular exposure due to heavy dependence on specialised vendors for industrial control systems and SCADA platforms. The attack vectors include hijacked software updates, direct vendor system breaches, and exploitation of software dependencies in open-source components.
2. Nation-state espionage and disruption
Key Companies: Dragos, Mandiant (Google), Microsoft, CrowdStrike, Palo Alto Networks
Intelligence Assessment: US agencies warn that Chinese infrastructure access is prepositioned for activation during geopolitical crises
State-sponsored actors embed themselves in critical infrastructure networks for long-term persistence and future disruption capabilities. China’s Volt Typhoon and Salt Typhoon campaigns achieved undetected access to US communications, energy, transportation and water systems. The Salt Typhoon operation breached nine major US telecommunications companies, extracting phone records and location data.
These advanced persistent threats use “living off the land” techniques, leveraging legitimate system administration tools like PowerShell and Windows Management Instrumentation to blend malicious activity with normal administrative traffic. Russian groups like Sandworm targeted Ukrainian energy infrastructure, while Iranian Cyber Av3ngers successfully manipulated US water facility control systems.
The pervasive use of legitimate tools renders traditional signature-based security ineffective. Antivirus software and legacy intrusion detection systems cannot identify malicious use of trusted applications. This forces security paradigm shifts toward behavioral analytics, comprehensive visibility, and rapid threat hunting capabilities.
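As an added illustration of the shift described above (example code, not from Cyber Magazine or any vendor named in this article), the Python below contrasts a blocklist check with a per-host behavioural baseline over constructed Windows process-creation events; the host names, users and process names are invented, and the PowerShell/WMI tool names are the ones the text cites.

```python
"""Signature matching versus a behavioural baseline on constructed process events."""
from collections import defaultdict

# Constructed sample: process starts from a quiet week, used to learn what is normal.
BASELINE_EVENTS = [
    {"host": "IT-ADMIN01", "user": "itops", "process": "powershell.exe", "zone": "IT"},
    {"host": "IT-ADMIN01", "user": "itops", "process": "wmic.exe", "zone": "IT"},
    {"host": "ENG-WS01", "user": "eng", "process": "tia_portal.exe", "zone": "OT"},
    {"host": "HMI-02", "user": "operator", "process": "hmi_runtime.exe", "zone": "OT"},
]

# Constructed events from the window under investigation: no malware binaries at all,
# only built-in administration tools appearing where they were never seen before.
NEW_EVENTS = [
    {"host": "IT-ADMIN01", "user": "itops", "process": "powershell.exe", "zone": "IT"},
    {"host": "ENG-WS01", "user": "eng", "process": "powershell.exe", "zone": "OT"},
    {"host": "HMI-02", "user": "operator", "process": "wmic.exe", "zone": "OT"},
    {"host": "HMI-02", "user": "operator", "process": "hmi_runtime.exe", "zone": "OT"},
]

# Living-off-the-land tools named in the text (PowerShell, WMI) by their usual filenames.
LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe"}
KNOWN_BAD = {"evil.exe"}  # placeholder signature list; nothing above matches it


def signature_alerts(events):
    """Classic approach: fires only when a process name is on the blocklist."""
    return [e for e in events if e["process"] in KNOWN_BAD]


def learn_baseline(events):
    """Record which processes each (host, user) pair normally runs."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["host"], e["user"])].add(e["process"])
    return seen


def behavioural_alerts(events, baseline):
    """Fire on an admin tool this host/user has never run before; an OT-zone
    host has no routine reason to run it, so rate that higher."""
    alerts = []
    for e in events:
        normal = baseline.get((e["host"], e["user"]), set())
        if e["process"] in LOLBINS and e["process"] not in normal:
            severity = "high" if e["zone"] == "OT" else "medium"
            alerts.append((e["host"], e["process"], severity))
    return alerts
```

The same four events produce no signature alerts but two high-severity behavioural ones, which is the gap the paragraph describes.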
1. Ransomware with physical consequences
Key Companies: Dragos, Claroty, Nozomi Networks, Palo Alto Networks, Fortinet
Economic Impact: Waterfall Security reports 80% of cyberattacks with physical consequences are attributable to ransomware operations
Ransomware groups target operational disruption over data encryption, recognising that production downtime creates greater leverage than traditional extortion. Manufacturing sector attacks increased 87% year-over-year, with 75% causing operational disruption and 25% resulting in complete OT site shutdowns. Average ransom payments escalated from $199,000 in 2023 to $1.5 million in 2024.
Groups like RansomHub and LockBit 3.0 exploit manufacturing’s low tolerance for downtime and higher willingness to pay ransoms. The operational intolerance for disruption in utilities and manufacturing creates immense financial pressure, making ransom payment often a necessary business decision. UnitedHealth reportedly paid US$22m following the Change Healthcare attack.
This success creates a compounding threat cycle. Increased revenue from high-leverage attacks funds development of sophisticated malware, including AI-driven variants for convincing phishing and advanced endpoint detection evasion tools. Enhanced effectiveness attracts more skilled affiliates to Ransomware-as-a-Service platforms, accelerating threat evolution beyond linear growth patterns.