16-September-2024

Increasing threats in industrial environments require a more integrated approach to OT security

OT security is increasingly on the agenda of companies and governments, and rightly so. The advancing digitization in the sector is expanding the attack surface, creating potential risks for businesses and society. Additionally, regulatory pressure from the new Cybersecurity Act and NIS2 legislation has driven the need for more attention to OT security. While this is a positive development, a broader perspective on security is needed to make OT measures truly effective; otherwise, efforts may be in vain.

For a long time, OT security received relatively little attention. Factories and other industrial environments, such as utilities for grid management, water, energy supply, and nuclear installations, only had limited digital applications. However, this has drastically changed over the past decade with the rise of "smart industry." Implementing OT security successfully requires a specific approach, as the dynamics in OT security differ significantly from IT security. For instance, operational technology often has to last for decades, meaning the security of such devices quickly becomes outdated in today's fast-changing landscape.

Another major difference in OT is that availability is paramount. Systems must operate 24/7. A pump or sensor's operating system, for example, must run for 30 years without downtime. Security updates can't always be applied, not only because downtime isn’t an option but also due to the risk of serious disruptions during updates. Moreover, updates are not a cure-all in OT environments. As seen during the Pwn2Own hacking competition for OT systems, it’s often relatively easy to find new vulnerabilities, even in state-of-the-art equipment. Legacy systems were never designed with attackers in mind, but surprisingly, neither were newer OT systems.

Operational technology

In IT environments, the focus is on safeguarding data and its integrity. Updates are common and typically installed overnight to avoid disrupting users, with backup systems often in place to take over in case of downtime. In industrial environments, by contrast, there is little room for experimentation or security testing, even though digital twins, which simulate production scenarios, are becoming more common in the industry.

When examining how organizations approach OT security, the strategy is often the same. A “moat and castle wall” approach is adopted, keeping everyone out of the OT network. At the same time, remote access is needed for monitoring production and for maintenance, often handled by third-party specialists. This creates additional risks, as these external organizations are attractive targets for attackers. Managing the various points of entry becomes increasingly difficult, making it harder to secure them effectively and raising the risk of intrusion.

The OT network is often not publicly accessible but is connected to the company’s IT domain. This is the core challenge of effective OT security, highlighting the need for integrated protection. By implementing rigorous detection within the IT domain, you can prevent attackers from even reaching the OT network, and vice versa. The Colonial Pipeline ransomware attack a few years ago painfully demonstrated the interdependence of IT and OT. The pipeline was shut down not because the OT system was directly compromised, but because the hacked billing system prevented the company from operating effectively. Targeting a part of the IT system can be enough to disrupt OT operations.

In addition to detection within the IT network, all access points to the OT network must be mapped and monitored. This requires closer cooperation between IT and OT disciplines. Rather than addressing security in silos, a more integrated strategy where OT and IT work together is essential.
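One concrete form of "mapping and monitoring all access points" is to keep the approved IT-to-OT access paths as an inventory and check every accepted flow into the OT zone against it. The following is an added example, not code from the original article; the IT/OT address ranges, the approved paths (a jump host, a vendor VPN pool restricted to a night-time maintenance window, a historian replication link) and the log line format are all constructed for illustration.

```python
"""
Added example: check accepted connections into an OT zone against an
inventory of approved IT->OT access paths.

Assumptions (all constructed for this example):
  - OT zone is 192.168.100.0/24; everything else is treated as IT or external.
  - Log lines look like:
      "2024-09-16T02:15:00 ACCEPT src=10.20.0.7 dst=192.168.100.12 dport=22"
  - Three approved access paths exist (see APPROVED_PATHS).
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple

OT_ZONE = ipaddress.ip_network("192.168.100.0/24")


@dataclass(frozen=True)
class AccessPath:
    """One mapped entry point into the OT network."""
    name: str
    sources: ipaddress.IPv4Network          # who may use this path
    dest_port: int                          # service exposed on the OT side
    window: Optional[Tuple[time, time]]     # permitted time window, None = any time


# Hypothetical inventory of approved IT->OT access paths.
APPROVED_PATHS = [
    AccessPath("engineering-jump-host", ipaddress.ip_network("10.10.5.20/32"), 3389, None),
    AccessPath("vendor-vpn-maintenance", ipaddress.ip_network("10.20.0.0/24"), 22,
               (time(22, 0), time(6, 0))),   # overnight maintenance window only
    AccessPath("historian-replication", ipaddress.ip_network("10.30.1.5/32"), 1433, None),
]


def in_window(ts: datetime, window: Optional[Tuple[time, time]]) -> bool:
    """True if the timestamp falls inside the path's permitted window (handles overnight windows)."""
    if window is None:
        return True
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end  # window crosses midnight


def parse_line(line: str) -> dict:
    """Parse one constructed firewall log line into typed fields."""
    ts_str, action, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "action": action,
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
    }


def classify(event: dict) -> Optional[str]:
    """Return an alert reason for an accepted flow into OT that is not an approved path, else None."""
    if event["action"] != "ACCEPT" or event["dst"] not in OT_ZONE:
        return None                      # denied, or not heading into the OT zone
    if event["src"] in OT_ZONE:
        return None                      # intra-OT traffic is out of scope here
    for path in APPROVED_PATHS:
        if event["src"] in path.sources and event["dport"] == path.dest_port:
            if in_window(event["ts"], path.window):
                return None              # approved path, used when permitted
            return f"{path.name} used outside maintenance window"
    return "unmapped access path into OT zone"


def find_alerts(lines):
    """Run every log line through the inventory check and collect alerts."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        reason = classify(ev)
        if reason:
            alerts.append((ev["ts"].isoformat(), str(ev["src"]), str(ev["dst"]), ev["dport"], reason))
    return alerts


# Constructed sample log: two benign approved flows, one approved path used at the
# wrong time, one unmapped IT host reaching an OT workstation, one deny, one intra-OT flow.
SAMPLE_LOG = [
    "2024-09-16T02:15:00 ACCEPT src=10.20.0.7 dst=192.168.100.12 dport=22",
    "2024-09-16T10:42:00 ACCEPT src=10.20.0.7 dst=192.168.100.12 dport=22",
    "2024-09-16T11:03:00 ACCEPT src=10.10.5.20 dst=192.168.100.10 dport=3389",
    "2024-09-16T11:05:00 ACCEPT src=10.44.8.91 dst=192.168.100.10 dport=3389",
    "2024-09-16T11:06:00 DENY src=10.44.8.91 dst=192.168.100.10 dport=502",
    "2024-09-16T11:07:00 ACCEPT src=192.168.100.10 dst=192.168.100.50 dport=502",
    "2024-09-16T11:08:00 ACCEPT src=10.30.1.5 dst=192.168.100.30 dport=1433",
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

The point of the inventory is that it is owned jointly: the OT team knows which paths exist (who maintains what, and when), while the IT team operates the firewall or log pipeline that produces the flows being checked. Any alert of the "unmapped access path" kind is either a missing inventory entry or an access that should not exist, and both are worth a conversation between the two teams.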

While this might seem straightforward, a recent Cisco study shows that 41% of companies in EMEA still have OT and IT teams operating independently. These teams also tend to have different backgrounds, with OT teams often evolving from technical services with more mechanical engineering expertise. Nearly 40% of organizations, however, believe that better collaboration between OT and IT could improve security. Integration is inevitable, and OT and IT security will increasingly be seen as a unified whole. Only then can governments and companies effectively respond to growing threats that could disrupt vital processes.
