
Beyond the Factory: Why Operational Technology Risk is Everywhere

When a report revealed 56 new vulnerabilities in 10 operational technology (OT) vendors’ products last year, experts hailed it as a wake-up call for the industry. The study highlighted an endemic problem with OT equipment: a lack of basic security-by-design best practices. The fact that three-quarters of the products found to contain vulnerabilities had valid security certifications should cause further nervousness among IT/OT managers.

The bottom line is that the issues highlighted in the report run so deep they’re unlikely to be resolved industry-wide anytime soon. That puts the onus on enterprise security programmes to ensure OT risk is managed with the same attention to detail as IT.

The What And Why Of OT

Whereas IT systems manage information and applications, OT covers the hardware and software used to monitor and control the physical world. It could be anything from an ATM to an industrial control system (ICS), a factory robot to a programmable logic controller (PLC). The technology can be found most obviously on the factory floor. But it spans a huge range of industries beyond manufacturing, including healthcare, oil & gas, utilities, and transportation.

Historically, OT systems were not internet-connected, and devices tended to be purpose-built, running specialised software. That meant security was treated as an afterthought. However, most equipment has connectivity today, meaning remote attackers can probe it for vulnerabilities. At the same time, it often runs Windows or other commercial software. That makes it an attractive target.

Because OT controls physical processes, security breaches could enable attackers to sabotage or disrupt critical operations. Vulnerable endpoints may even be used as a stepping stone into IT networks for sensitive data theft. One 2022 report claims 83% of organisations suffered an OT breach in the previous 36 months. According to figures cited by McKinsey, the cost per incident of severe attacks can be as much as $140m. It’s not just financial risk organisations must consider. OT is also regulated by the NIS 2 Directive and its UK equivalent.

What Are The Risks?

The specialised nature of OT means that systems are exposed to certain cyber risks that may not apply to IT environments. They include:

  • Use of legacy, insecure communications protocols
  • Vendors that don’t pay enough heed to vulnerability management
  • Hardware lifecycles of 10+ years, meaning admins are forced to run outdated OSes/software
  • Patching challenges, as equipment often can’t be taken offline to test updates (even if they are available)
  • Equipment that’s too old to run modern security solutions
  • Security certifications which don’t recognise severe defects, giving admins a false sense of security
  • Security-by-design issues that aren’t reported/assigned CVEs, meaning they fly under the radar
  • Siloed IT/OT teams, which can create gaps in visibility, protection and detection
  • Insecure passwords and misconfigurations (although this is also common in IT environments)

From a technical perspective, the Forescout report cited earlier highlights several categories of vulnerability in many OT products:

  • Insecure engineering protocols
  • Weak cryptography or broken authentication schemes
  • Insecure firmware updates
  • Remote code execution (RCE) via native functionality

How To Mitigate Risk From OT Systems

As with IT security, defence in depth is the best way to mitigate OT cyber risk. According to Carlos Buenano, Principal Solutions Architect for Operational Technology (OT) at Armis, it starts with visibility of OT assets, followed by prompt patching.

“Since it is very common for OT environments to have vulnerable assets, organisations need to create a comprehensive asset inventory of their network and have additional intelligence on what those assets are and what they are actually doing,” he tells ISMS.online. “Contextual data enables teams to define what risk each device poses to the OT environment and assess their business impact so that they can prioritise remediation of critical and/or weaponised vulnerabilities to reduce the attack surface quickly.”

Here’s a quick checklist for organisations:

Asset discovery/management: You can’t protect what you can’t see. So, understand the full extent of OT in the enterprise.

Prompt patching and continuous scanning: Once discovered, OT assets should be continuously scanned for vulnerabilities. A risk-based patching programme will ensure CVEs are prioritised effectively. Consider building a non-critical testing environment for patches. And if certain assets can’t be patched, consider alternatives such as virtual patching, network segmentation, SIEM and integrity monitoring.

Identity and access management: Deploy role-based access controls, follow the principle of least privilege and support multi-factor authentication (MFA).

Segmentation: Separate corporate from OT networks, and segment OT networks, to contain the spread of malware.

Threat prevention: Deploy controls such as intrusion detection (IDS), AV software and file integrity-checking tools to prevent and detect malware.

Encryption and backup: Protect OT data at rest and in transit and have backups to mitigate the impact of ransomware.
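To make the asset-inventory and risk-based patching items concrete, here is an added example (not from the report or from any vendor quoted here) that ranks findings using the contextual data described above and falls back to compensating controls when an asset can't be patched. The inventory, the placeholder vulnerability identifiers and the scoring weights are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample inventory; asset names, scores and flags are illustrative only.
@dataclass
class Finding:
    asset: str
    vuln_id: str      # placeholder identifier, not a real CVE
    cvss: float       # base severity, 0.0-10.0
    weaponised: bool  # exploit known to be in active use
    impact: int       # business impact of the asset, 1 (low) to 5 (production critical)
    patchable: bool   # can the asset be taken offline and updated?

FINDINGS = [
    Finding("plc-line1", "VULN-A", 7.5, True, 5, False),
    Finding("hmi-packaging", "VULN-B", 9.8, False, 3, True),
    Finding("historian-01", "VULN-C", 5.3, False, 2, True),
    Finding("eng-workstation", "VULN-D", 8.1, True, 4, True),
]

def risk_score(f: Finding) -> float:
    """Assumed weighting: severity scaled by business impact, doubled if weaponised."""
    score = f.cvss * f.impact
    return score * 2 if f.weaponised else score

def action(f: Finding) -> str:
    """Patch where possible; otherwise use the alternatives the checklist names."""
    if f.patchable:
        return "patch (after validation in test environment)"
    return "virtual patching + network segmentation + integrity monitoring"

def remediation_queue(findings):
    """Return (asset, vuln_id, score, action) tuples, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.asset, f.vuln_id, round(risk_score(f), 1), action(f)) for f in ranked]

def severity_only_queue(findings):
    """For comparison: ranking by CVSS alone, ignoring context."""
    return [f.asset for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

if __name__ == "__main__":
    for row in remediation_queue(FINDINGS):
        print("{:<16} {:<7} {:>5}  {}".format(*row))
```

Ranking by severity alone would put the HMI first; adding business impact and weaponisation moves the unpatchable PLC to the top and routes it to compensating controls instead of a patch.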

Breaking Down IT-OT Silos

As OT and IT systems converge in many organisations, threats once confined to IT, such as remote compromise, become more commonplace for industrial systems. Therefore, preventing, detecting and responding to such threats will require more interaction between IT and OT teams. OT teams can learn much from the experience IT has built up over the years regarding security controls, and both have a vested interest in business continuity.

“By working together, IT and OT teams can identify and mitigate cybersecurity risks that affect both IT and OT environments, thus protecting the organisation from cyber-attack,” Trend Micro UK & Ireland technical director, Bharat Mistry, tells ISMS.online. “Additionally, collaboration between the teams will improve the efficiency of security operations teams and ultimately help to reduce costs.”

From a compliance perspective, this may require the organisation to go beyond the limits of ISO 27001 and seek out complementary certifications in the OT space.

“We see frameworks like ISO 27001 used in enterprise IT and bespoke or tailored frameworks like IEC 62443 for OT,” Mistry explains. “On paper, there is some overlap between these, but in reality, these frameworks are start points and are often customised to suit the organisation’s environment.”

Ultimately, it’s in everyone’s best interests to work together, says Armis’s Buenano.

“From an organisational perspective, having a risk-based approach to vulnerability management must go hand in hand with OT and IT departments working together to help coordinate mitigation efforts,” he concludes. “Cross-departmental projects will help streamline process and resource management and achieve greater compliance and data security.”
