As companies continue to integrate their operational technology (OT) and IT environments, they’re coming to grips with the fact that this move opens them up to new avenues for cyber threats.
The solution is multi-faceted, but one aspect is clear: combining OT and IT requires extending offensive security measures, such as penetration testing, to the OT environment.
This issue is coming to a head because OT environments represent the best of both worlds for bad actors: an attractive target built on vulnerable infrastructure.
From a security perspective, OT shares many similarities with Internet of Things (IoT) technology. Each relies on connected devices and systems, often blending physical and digital realms. Both involve critical infrastructure where downtime or breaches can have significant consequences, and they frequently use legacy systems or lightweight devices with limited security features, making them susceptible to cyber threats. So, the points made around security and mitigating controls for OT also apply to IoT devices.
OT Targets are Attractive – and Vulnerable
Integrating IT and OT networks and breaking the Purdue Model framework for industrial control systems (ICS) reduces the isolation of OT/ICS networks. This scenario has a great deal of risk attached to it precisely because there are few robust solutions for OT network intrusion detection and response (IDR).
OT networks can be fragile. Many often use legacy systems lacking modern security features, making them vulnerable to cyberattacks.
Updates are rare due to the risk of disrupting critical, real-time processes, and their design prioritizes reliability over cybersecurity. This combination of outdated technology and high operational sensitivity creates a delicate ecosystem prone to risks from both internal failures and external threats. For instance, active scanning could knock over a programmable logic controller (PLC) and potentially threaten the safety of those working around industrial equipment.
At the same time, OT targets are attractive because they operate in manufacturing, oil and gas, or food and drug administration sectors, which tend to be larger, well-funded organizations, making them prime targets for ransomware. These companies are vulnerable because, in many cases, the creators of these OT environments did not design them to connect to the Internet. So often, they have the kind of vulnerabilities that were long ago patched in their IT counterparts.
Yet, the drive toward digital transformation and increased efficiency has caused companies to increasingly integrate OT and IT systems. It’s a strategy that delivers real benefits, including the ability to gather real-time data from their operations (e.g., factory floor) and use it for data analytics, predictive maintenance, and other business intelligence purposes.
But it also comes with real threats. In a recent global survey of some 2,000 companies by Palo Alto Networks, three-quarters of respondents said they detected malicious cyber threats in their OT environment, and nearly a quarter (24%) said they shut down OT operations. For example, shutting down a manufacturing line is obviously costly and not something any company does without good reason. The question then is, what to do to prevent such an action?
Traditionally, one may be inclined to point the blame at the IT environment, where the majority of cyber threats originate. However, 28% of survey respondents reported seeing attacks originate in the OT environment.
Mitigating Cyberattacks on OT Infrastructure
This behavior is nothing new. In fact, for quite some time the Trustwave SpiderLabs research team has been tracking bad actors who target OT environments. But it’s an avenue that doesn’t get a lot of attention.
“The relative obscurity and isolation of OT systems is not an assurance anymore that these systems are safe from attack,” according to Trustwave’s 2023 Manufacturing Threat Landscape report. “Many OT systems lack robust security measures which can potentially lead to access to infrastructure and sensitive data.”
Mitigating phishing and business email compromise attacks, implementing complex password requirements, and enabling multi-factor authentication (MFA) are all effective methods when pivoting from IT to OT, but not necessarily effective in an OT context.
Instead, you should consider other methods to thwart attackers and prevent lasting damage in the OT environment, including network segmentation, patching, and effective deployment and configuration of passive monitoring and asset management.
Offensive Security for OT Environments
Various offensive security measures are common in the IT and OT sides of the house, including vulnerability scanning and penetration testing to identify and address vulnerabilities.
Vulnerability scans are helpful to identify common targets that need patching and a seasoned penetration testing professional understands the tricks and techniques used by bad actors to infiltrate OT systems and will be able to help you identify holes in your environment that intruders could exploit.
Together, vulnerability scans and pen tests represent the kind of offensive security measures companies have long used to protect the IT side of the house. Clearly, it’s time to apply them to your OT infrastructure as well.
To learn more about where you stand in terms of protecting your OT infrastructure, check out Trustwave’s OT Security Maturity Diagnostic. Our experts will help you gain insights into the current state of your OT infrastructure – including people, processes, and technology – and help align your cybersecurity program with best practices and established standards. Feel free to contact us to discuss your needs in detail.
