Unseen Vulnerabilities: The Critical Need for OT Security
- Author: Patrick Voight - Senior Information Security Consultant
Operational Technology (OT) security is often overlooked. Yet, OT security is crucial to any organization’s overall cybersecurity posture.
Many organizations employing OT assume they are protected—and why not? Only in Mission Impossible movies are HVAC systems hacked, right? However, these hidden vulnerabilities exist and can lead to catastrophic consequences when exploited.
And that exploitation is increasing. Over 500 OT sites worldwide were compromised in 2023, and in some cases the resulting damages ran to $10-$100 million.
With nearly 70% of industrial firms experiencing an OT cyberattack last year, businesses can’t afford to overlook OT security any longer.
What Is OT Security?
Operational Technology is the hardware and software that detects or causes changes by directly monitoring and controlling physical devices, processes, and events.
OT systems, including those in manufacturing, utilities, and critical infrastructure, are integral to industrial operations. OT is different from traditional information technology (IT) because it focuses on physical processes and equipment, while IT focuses on the storage and transmission of data.
Operational technology has high availability requirements—and there’s a common opinion that it is better for a system to run continuously than to be entirely secure (we have thoughts on this...stay tuned).
OT security centers on protecting these systems from cyber threats. This involves locking down the integrity, availability, and confidentiality of OT environments to prevent disruptions.
OT security professionals need a deep understanding of OT-specific protocols and must be able to work with the many legacy systems typically found in OT environments.
Is OT Security Really THAT Important?
Yes.
Initially, OT systems were air-gapped, specialized, and isolated, making them less attractive attack targets. However, as these systems started integrating with IT systems—aka the Internet of Things (IoT) and the Industrial Internet of Things (IIoT)—the approach shifted towards greater network connectivity. Data now needs to flow freely between OT systems and cloud applications.
Because of this increased connectivity, recent years have seen a significant increase in OT attacks.
Consider, for instance, the infamous Target breach, which was caused by a compromised HVAC vendor (and you thought only Ethan Hunt would try that), and the 2021 ransomware attack on the world’s largest meat company, which rendered numerous facilities inoperable and caused global beef and pork prices to rise significantly.
These incidents illustrate how attackers exploit vulnerabilities in OT systems—in Target’s case, the system of a third-party vendor—leading to substantial financial and operational damage.
OT Security Challenges
For years, OT systems enjoyed relative “security thanks to obscurity.” Hackers focused on more widely used IT systems, leaving most operational technology untouched. But with commercial IT components becoming more prevalent in OT and the continued connectivity between OT and IT, that obscurity has disappeared.
Similarly, hackers no longer need specialized knowledge of these OT systems. With AI assistance, malicious code can be generated almost instantly before it is deployed, making it much simpler to exploit these OT environments.
Because the lifecycles of OT systems are typically much longer (15-30 years or more) than IT (3-5 years), updates and patches are infrequent and often ignored as businesses prioritize 24x7x365 availability. These statistics from Microsoft Defender paint the picture well:
- 25% of OT devices on customer networks use unsupported operating systems.
- 46% of OT devices with CVEs (Common Vulnerabilities and Exposures) cannot be patched because firmware is no longer supported.
- 32% of OT devices with CVEs could be patched, but customers have not done so.
Other challenges to securing OT environments include:
- Complexity: OT systems are often geographically dispersed and mix legacy and modern devices with specialized components.
- Limited Visibility: Since so many OT assets have been in use for years or even decades, IT security tools cannot fully manage them. Additionally, many organizations don’t have a complete, updated inventory of all OT systems, making it nearly impossible to assess risks or misconfigurations.
- Lack of Collaboration: If you’re like most organizations, the CISO and IT teams are responsible for cybersecurity but often have little expertise in operational and process control technologies. Frequently, OT teams are tempted to isolate their networks with a “keep out” mentality, opening the door (ironic, isn’t it?) for attackers to quickly move laterally without being noticed once they’ve gained entry into OT systems.
Gaining complete visibility and understanding into operational technology can be difficult and confusing. It is helpful to work with a partner who has experience and insight into many different types of OT and has worked within many industries securing OT systems. Often, a technology partner will work directly with OT system manufacturers to take the necessary steps to secure your production environment.
Best Practices to Secure Operational Technology
Even if you have never considered the importance of securing your OT systems before, by now, you should have a feel for why it is so crucial. We’ve come up with some best practices that will help you mitigate risks and enhance the security in your OT environment:
- Network Mapping and Connectivity Analysis: Understand and map all your OT assets and connections to identify potential vulnerabilities and appropriately secure components.
- Risk-Based Assessment: Implement a risk-based defense-in-depth approach to assessing your OT systems and strengthening your cybersecurity governance.
- Controlling Identity and Access Management (IAM): Implement strong IAM practices with multi-factor authentication and limited privileges to control access to OT systems.
- Regular Software Updates and Patch Management: Keep OT systems up to date by establishing a patch management process that ensures regular updates and compatibility testing. Yes, this is not easy, especially for systems that need to operate continuously, but it is absolutely necessary.
- Consider Reducing the Attack Surface: As convenient as having everything connected is, eliminating unnecessary internet connections reduces the opportunities for bad actors to attack. Closing unneeded ports, eliminating remote access when possible, and restricting access behind a firewall or VPN are all options to be considered.
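As an added illustration of the inventory, risk-based assessment, and attack-surface points above (example code written for this article, not an HBS tool or product), the script below scores a constructed OT asset inventory against the criteria the article lists: unsupported operating systems, CVEs with or without a vendor fix, direct internet reachability, and remote access without MFA. Field names, asset names, and the CVE identifiers are placeholders.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed OT inventory record; the field names are assumptions, not a real product schema.
@dataclass
class OtAsset:
    name: str
    os_supported: bool        # vendor still supports the operating system
    cves: List[str]           # known CVEs (placeholder ids, not real advisories)
    firmware_patchable: bool  # vendor still ships firmware fixes for this device
    patched: bool             # the available fix has been applied
    internet_reachable: bool  # reachable directly from outside the OT network
    remote_access: bool       # remote maintenance access is enabled
    mfa: bool                 # remote access requires multi-factor authentication

SEVERITY = {"critical": 3, "high": 2}

def assess(asset: OtAsset) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs using the criteria discussed in the article."""
    findings = []
    if not asset.os_supported:
        findings.append(("high", "unsupported operating system"))
    if asset.cves and not asset.firmware_patchable:
        findings.append(("critical", "CVEs with no vendor fix; needs compensating controls"))
    elif asset.cves and not asset.patched:
        findings.append(("high", "fix available but not applied"))
    if asset.internet_reachable:
        findings.append(("critical", "directly internet reachable; remove or put behind firewall/VPN"))
    if asset.remote_access and not asset.mfa:
        findings.append(("high", "remote access without MFA"))
    return findings

def risk_score(asset: OtAsset) -> int:
    """Sum severity weights so assets can be ranked for patching and segmentation effort."""
    return sum(SEVERITY[sev] for sev, _ in assess(asset))

def prioritize(inventory: List[OtAsset]) -> List[Tuple[str, int]]:
    """Highest-risk assets first; ties broken by name for a stable report."""
    scored = [(a.name, risk_score(a)) for a in inventory]
    return sorted(scored, key=lambda item: (-item[1], item[0]))

# Constructed sample inventory (names and CVE ids are placeholders).
INVENTORY = [
    OtAsset("plc-line1", False, ["CVE-XXXX-0001"], False, False, True, False, False),
    OtAsset("hmi-line1", True, ["CVE-XXXX-0002"], True, False, False, True, False),
    OtAsset("historian", True, [], True, True, False, True, True),
]

if __name__ == "__main__":
    for name, score in prioritize(INVENTORY):
        print(f"{name}: risk {score} -> {[f for _, f in assess(next(a for a in INVENTORY if a.name == name))]}")
```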
Increasing Operational Technology Security
It’s challenging to have a complete handle on IT and OT security. Whether you’re a CISO, IT manager, or even someone in charge of the OT industrial equipment in your organization, you can’t be expected to know all the ins and outs of how IT and OT work separately and together.
HBS offers a holistic understanding of all things technology, not just IT. Our expertise spans the broader tech puzzle, including OT systems. We’ve worked closely with OT manufacturers to understand their machines and how to secure them best. We take pride in offering comprehensive security solutions tailored to your specific goals and needs.
Our experience and expertise allow us to secure your OT systems effectively. Don’t leave your OT security to chance—partner with HBS to safeguard your operations.
Contact HBS now to learn how we can help you secure your operational technology and protect your business from cyber threats.