IT enterprise security is supported by a vast ecosystem of vendors and solutions. As OT networks increasingly become the focus of attackers, why not just extend those IT cybersecurity solutions to the OT side of the house?
If only it were that easy. Here are the critical differences you need to know to begin securing OT assets with the protection they deserve.
IT vs. OT networks and security—what's the difference?
IT and OT environments have equally critical—but different—functions and objectives. All organizations have IT networks and infrastructure. However, industrial companies also depend on OT networks to deliver their products or services. Both environments require strong cybersecurity protection. But the needs and therefore the approaches are not the same.
Traditionally, IT teams focus on the technologies and infrastructure that connect people and business functions. They manage enterprise information systems, applications, and data. These assets need to be responsive and highly flexible, which means systems and applications evolve rapidly. Change is a constant. IT networks are built around the OSI stack with a heavy focus on Layer 3 (IP routing) and above, which is why the vast majority of cybersecurity solutions are designed to protect assets and connections residing at OSI Layers 3-7. When a major data breach or cyber attack makes headlines, the attackers usually were targeting enterprise IT systems in search of a network foothold, data to steal, or a position from which to demand ransom payments.
OT, on the other hand, is focused on controlling physical processes and equipment. OT networks are also called cyber-physical systems because physical and software components are deeply integrated to run industrial operations at maximum efficiency and safety. They are structured according to the Purdue Model and/or the ISA/IEC 62443-3-3 standard, and much of their traffic runs at OSI Layers 1 and 2 rather than Layer 3 and above. (Note that the "Level 0" often mentioned in OT is a Purdue Model level for sensors and actuators, not an OSI layer; the OSI model has no Layer 0.) Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) technologies are used for real-time management, monitoring, and automation of industrial operations. Stability and predictability are key to avoiding or minimizing risk of downtime and production impact.
“OT is focused on controlling physical processes and equipment.”
When an OT network is built, it’s designed for equipment to run for 20 to 30 years. Change is costly. High capital costs and the risk of significant downtime are just two reasons for avoiding change. That’s why OT environments often include legacy systems that have not been updated or patched—and some that just can’t be adequately secured against today’s cyber threats. In the past, these networks were completely separate from the enterprise IT networks (air gapped) to minimize the risk of IT network problems affecting OT production networks.
Why is OT security suddenly so important?
First, attackers are directly targeting OT networks, not only for ransoms but also simply for disruption. Organizations are experiencing more cyber intrusions with increasingly severe impacts. According to the 2024 State of Operational Technology and Cybersecurity Report, 73% of OT professionals have experienced cybersecurity intrusions that affected OT systems this year—up from 49% in 2023. In 2024, more respondents reported increases in operational outages that affected physical safety (48%), productivity (55%), revenue (52%), and brand awareness (52%). In short, cyber attacks on OT networks continue to escalate with no end in sight.
What do attackers want? Money, primarily in the form of ransom payments. Attacks on critical industrial operations tend to be more profitable for bad actors. From 2019-2023, cyber attacks on OT infrastructure grew at a CAGR of 90%. In Q2 2024 alone, ransomware attacks on industrial targets doubled over Q1, going from 169 incidents to 312—and most paid the ransom.
Politically motivated cyber incidents also are increasing with the goal of disrupting services. In November 2023, Iranian hackers disrupted operations at multiple water utilities across the U.S. and defaced the controllers with an anti-Israel message. The Chinese state-sponsored Volt Typhoon campaign pre-positioned inside U.S. critical infrastructure networks, reportedly including some 50 power plants, and Russian-linked actors attacked critical infrastructure providers in Denmark. A third motivation for attack is industrial espionage, where the attackers are looking to steal intellectual property such as trade secrets, recipes, and formulas.
“Politically motivated cyber incidents are increasing.”
Second, OT systems tend to be easy targets. Legacy systems without much protection can be breached with less effort than IT enterprise infrastructure with layers of security. With the increasing convergence between OT and IT networks, successful attacks on OT systems can give attackers the access they need for establishing a foothold in the enterprise network.
Even if the OT infrastructure itself is not directly attacked, it can be shut down or manipulated from an attack on the IT network. A ransomware attack that encrypts data on IT servers and services can take dependent OT automation systems out of commission.
Attackers can also steal trade secrets. By copying the digital recipes held in control and engineering systems, they can identify and replicate how products are made.
Why are OT systems so vulnerable?
There are a number of reasons why OT environments are so vulnerable:
- Old technology: OT systems are designed to function with minimal attention for years or decades. Many systems were built before IT networking became essential and certainly before cyber threat actors became the ultra-sophisticated scourge they are today. Until recently, air-gapped systems weren’t considered high risk. As a result, according to Microsoft, 71% of systems have outdated or unsupported operating systems; 66% have no automatic updates; and 64% have unencrypted passwords.
- Lack of network segmentation: Most OT networks were designed with flat architectures for the sake of management simplicity. Because unpatched systems are easy to breach, a flat architecture then makes it simple for an attacker to move laterally and gain unfettered access to the entire OT network, as well as an opening into the IT network. In contrast, IT networks are increasingly segmented to slow lateral movement and limit the amount of damage a successful breach can do.
- Insufficient patching: Although a majority of vulnerabilities can be patched, it’s difficult to patch systems without taking them out of production. They either can’t be taken offline or there is a high risk of untested patches affecting system interdependencies or downstream production. Many organizations never patch OT systems, and even if they are patched once a year, there is a significant amount of time between when a patch is issued and when it might be applied where the system is vulnerable.
- Inherent ICS vulnerabilities: As industries become more aware of OT cyber threats, they begin to look for exploitable system vulnerabilities. Without good centralized visibility into OT systems, those vulnerabilities can be hard to find. The OT vendor and Opscura partner Claroty reports that the number of reported vulnerabilities in ICS environments is doubling every year. In addition, some infrastructure components lack sufficient bandwidth or onboard computing resources to support a security agent being added.
- They’re orphans: With an industry shortage of security professionals and escalating costs to retain them, many organizations lack a budget for dedicated OT/ICS security teams. Enterprise IT security teams tend to have their hands full already and lack training in OT networks and systems. CISOs have traditionally been focused on enterprise IT issues. Even in organizations that have IT and OT teams, they historically have not been aligned.
- Out of sight, out of mind: Many OT networks and assets operate in remote locations. Without dedicated security staff overseeing them, it's easy for them to effectively become orphans or "someone else's problem" from the enterprise IT perspective. And they might, in fact, be part of another organization's operations (think cousins instead of orphans), though linked to yours. Interoperability with supply-chain and other OT networks opens numerous security gaps. Security teams tend to forget about the Layer 2 traffic that switches forward across the network, APIs and the data they carry, machine-to-machine (M2M) interfaces, and app-to-app connections. All of these areas can be exploited by attackers to insert malicious data or exfiltrate it.
- Remote access connections: Increasingly, operational environments have remote access connections to third-party service providers, internet providers, or in-house managers. Many of these links are not secured or the security controls are weak. Open connections make them easy prey for bad actors.
- Poor or absent credential management: Most OT systems and devices lack strong authentication. Weak access control policies, use of manufacturers’ default passwords, and poor password management make it easy for cyber attackers to guess or brute force access.
“Many remote access connections for OT networks are not well secured or the security controls are weak.”
What should an OT organization do now?
The first step OT organizations should take is to identify their most critical OT exposures. Inventory the systems in the network, identify the "crown jewel" assets whose compromise or outage would stop production or endanger safety, and map the vulnerabilities that expose them. Once the highest-level problems are identified, remedy those key vulnerabilities, implement segmentation, and then deploy encryption and firewall protections.
However, there’s no one-size-fits-all prescription. Each organization needs flexibility in implementing zero trust protection, updating patching where possible, encrypting critical data in motion, and protecting assets that cannot be brought up to today’s cyber standards.
“Organizations need to protect their OT environment even though—and especially because—they still have known vulnerabilities.”
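The triage just described (inventory, rank crown-jewel assets by their weaknesses, then check that traffic respects zone boundaries) can be made concrete with a small script. The following is an added example written for this page, not Opscura's own software. It models a hypothetical plant as a Purdue-level asset inventory and an ISA/IEC 62443-style zone-and-conduit table, and uses constructed sample flows; every asset name, zone name, port and score weight is an assumption for illustration. It flags the two failure modes discussed above: unsupported or default-credential assets on critical process equipment, and flat-network traffic that reaches control-level devices without passing through an allowed conduit.

```python
"""Added example (not Opscura code): triage a constructed OT asset inventory and
observed flows against a Purdue / ISA-62443 zone-and-conduit model.
All assets, zones, ports and weights below are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str
    level: int           # Purdue level 0-5 (IDMZ, Purdue 3.5, modelled as 3)
    os_supported: bool   # vendor still ships security updates
    default_creds: bool  # manufacturer default password still in use
    crown_jewel: bool    # outage or manipulation stops production or harms safety


# Constructed sample inventory for a hypothetical single-line plant.
ASSETS: List[Asset] = [
    Asset("plc-line1",   "cell-A",     1, False, True,  True),
    Asset("hmi-line1",   "cell-A",     2, False, False, True),
    Asset("historian",   "site-ops",   3, True,  False, False),
    Asset("eng-ws",      "site-ops",   3, False, True,  False),
    Asset("vendor-jump", "dmz",        3, True,  True,  False),
    Asset("erp-app",     "enterprise", 4, True,  False, False),
]

# Allowed conduits: (src_zone, dst_zone) -> permitted destination ports.
# Intra-zone traffic is governed by the zone itself and needs no conduit.
CONDUITS: Dict[Tuple[str, str], Set[int]] = {
    ("site-ops", "cell-A"):   {502},    # Modbus/TCP from the engineering zone
    ("cell-A", "site-ops"):   {5450},   # hypothetical historian collector port
    ("dmz", "site-ops"):      {3389},   # vendor remote access lands in the IDMZ first
    ("enterprise", "dmz"):    {443},
}


def risk_score(a: Asset) -> int:
    """Additive score: crown-jewel status weighs most, then unsupported OS, then default creds."""
    return (4 if a.crown_jewel else 0) + (0 if a.os_supported else 2) + (2 if a.default_creds else 0)


def prioritise(assets: List[Asset]) -> List[Asset]:
    """Assets carrying at least one weakness, highest risk first (name breaks ties)."""
    weak = [a for a in assets if not a.os_supported or a.default_creds]
    return sorted(weak, key=lambda a: (-risk_score(a), a.name))


def check_flows(assets: List[Asset],
                flows: List[Tuple[str, str, int]]) -> List[Tuple[Tuple[str, str, int], str]]:
    """Return (flow, reason) for every observed flow that violates the zone model.

    A flow is (src_asset, dst_asset, dst_port). Cross-zone flows must match a
    conduit and a permitted port; any enterprise-level (4+) source reaching a
    control-level (<=2) asset is reported even if some conduit happens to exist,
    because that is the flat-network path from IT breach to process impact."""
    by_name = {a.name: a for a in assets}
    violations = []
    for src, dst, port in flows:
        s, d = by_name[src], by_name[dst]
        if s.zone != d.zone:
            allowed = CONDUITS.get((s.zone, d.zone))
            if allowed is None:
                violations.append(((src, dst, port), "no conduit between zones"))
            elif port not in allowed:
                violations.append(((src, dst, port), f"port {port} not permitted on conduit"))
        if s.level >= 4 and d.level <= 2:
            violations.append(((src, dst, port), "enterprise level reaches control level directly"))
    return violations


# Constructed sample flows, e.g. summarised from a span-port capture.
FLOWS: List[Tuple[str, str, int]] = [
    ("hmi-line1",   "plc-line1", 502),  # same zone: fine
    ("eng-ws",      "plc-line1", 502),  # permitted conduit and port: fine
    ("erp-app",     "plc-line1", 502),  # flat-network symptom: Level 4 straight to Level 1
    ("vendor-jump", "eng-ws",    22),   # conduit exists, but SSH is not a permitted port
]

if __name__ == "__main__":
    for a in prioritise(ASSETS):
        print(f"{risk_score(a):>2}  {a.name:<12} zone={a.zone} level={a.level}")
    for flow, reason in check_flows(ASSETS, FLOWS):
        print("VIOLATION", flow, reason)
```

Run as a script, the first section lists the PLC and HMI on line 1 ahead of the engineering workstation and vendor jump host, so remediation effort goes to the crown jewels first; the second section reports the ERP-to-PLC flow twice (no conduit, and an enterprise-to-control jump) and the vendor jump host's SSH session once. In practice the inventory would come from a passive discovery tool and the flows from a capture, but the zone-and-conduit check itself stays this simple.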
Critical infrastructure and industrial customers are choosing Opscura to solve their OT security challenges across anywhere from two to 500+ sites. For the first time, they can identify vulnerabilities and secure OT assets in just days, without production risk or disruption. The Opscura OT/ICS Security Protection Platform delivers:
- Leading-edge security for OT assets: Opscura provides immediate, automatic zero trust access to OT assets through network segmentation at OSI Layer 2 with complete transparency to OT and IT systems. Now organizations can authenticate access by zone with highly specific granularity. Patented data stream encryption technology secures OT network data traveling over the network with < 1ms latency. Opscura’s patented network device security system and methodology also enable network appliances to self heal. For the first time, organizations have a unified, consistent way to secure every base.
- Asset cloaking: Bad actors can’t attack what they can’t see. For systems that can’t be patched or updated, Opscura cloaks traffic from observation to thwart attacker discovery and reconnaissance. Organizations can still protect their environment even though there are still vulnerabilities.
- Rapid deployment without disruption: Deployment takes just hours—instead of weeks—without requiring IT networking experts. Protection is immediate and automatic with no downtime or impact on shop floors or processes.
- Cost savings: The Opscura OT/ICS Security Protection Platform eliminates the financial obstacles that traditionally have prevented OT networks from being secured. Organizations don’t have to redesign their networks, re-do their IP addressing, buy new firewalls or switches, or spend months or years consulting experts. The cost of downtime is the largest obstacle. For example, as part of the total cost of the project, one Opscura customer with 300 locations identified 3-5 days of downtime per location to completely re-work and secure their infrastructure. They estimated this cost, in lost production, at $1.25 billion. They clearly needed a Plan B.
- Compatibility with partners: Opscura works alongside other OT security and automation solutions, such as Claroty, Nozomi, Dragos, Tenable, and others. It connects with SIEMs and SOC tools to maximize the organization's existing investments and boost overall security.
What are you waiting for?
There’s no need to wait any longer. Contact us today to book a meeting.