Operational Technology (OT) security covers a full slate of technologies and procedures used to protect the assets, data and people operating physical processes and devices. Most often applied to industrial and manufacturing concerns, it involves the hardware and software that is used to control those physical processes, monitor their operations and detect changes—ranging from an equipment failure to cyberattacks—that could impact operations.

Changes in industrial operations and the cyber threat landscape in recent years have greatly elevated the importance of OT security. Operational technology has steadily been converged with IT operations—being connected to other enterprise systems and the internet—which has exposed vulnerabilities in OT systems while raising the profile of industrial systems as a high-value target for threat actors.

How Operational Technology (OT) Security Has Become a Critical Issue

The National Institute of Standards and Technology defines OT as programmable systems or devices that interact with or manage the physical environment, and which either detect or cause a change in devices, processes and events. Examples of OT include industrial control systems (ICS), building management platforms, fire control systems and physical access control mechanisms. In industrial and manufacturing settings, ICS typically includes a variety of Supervisory Control and Data Acquisition (SCADA), programmable logic controllers (PLCs), distributed control systems (DCS), remote terminal units and more.

With the convergence of OT and IT systems, the cybersecurity of OT has become a critical issue. A Forescout report from July 2022 detailed some of the glaring weaknesses in OT security, identifying 56 vulnerabilities in 26 devices from 10 OT vendors. Those vulnerabilities allow for credential compromise (38% of the devices), firmware manipulation (21%) and remote code execution (14%), among other exploits.

The report concluded that OT devices and protocols are “insecure by design,” despite the fact that 74% of the products tested have some form of security certification—and tended to be sold as secure by design. Also compounding risk management in OT is the lack of a Common Vulnerabilities and Exposures (CVE) list like those maintained for IT systems by the National Institute of Standards and Technology and the CVE Program.

Operational Technology (OT) Security for Industrial Companies

There is a tremendous need for rigorous OT security in industrial and critical infrastructure systems, and that need will increase exponentially in the coming years as the number and severity of attacks on our critical infrastructure systems increase. For example, industrial companies have become frequent targets of ransomware, supply-chain and other attacks. IBM’s 2022 X-Force Threat Intelligence Index reported that manufacturing was the most-targeted industry in 2021, as threat actors sought to “imprison businesses” and “fracture the backbone of global supply chains” through ransomware and other exploits. Unpatched software was the most commonly exploited vulnerability, contributing to 44% of ransomware attacks. And nearly half (47%) of attacks overall involved vulnerabilities that victim organizations either had not or could not patch.

Attacks on critical infrastructure, ranging from fuel pipelines to hospitals, put lives at risk in addition to causing economic and social damage and potentially threatening national security.

OT security addresses the weaknesses in OT systems, including older systems that have gone unpatched or, in some cases, are so old that they are no longer supported and thus can’t be patched. Many systems, for instance, still run Windows XP. Other vulnerabilities include weak control over credentials (a favorite target of attackers), a lack of network segmentation and protocol isolation, and insecure connections with IT systems, which are often used as an entry point.

Operational Technology (OT) Security Starts with Visibility

OT security can no longer be viewed as separate from the rest of the enterprise. The convergence of IT and OT systems has expanded the size and complexity of the attack surface. Vulnerabilities in IT systems (which have weaknesses of their own) pose a potential threat to critical OT operations and vice versa.

To improve their security postures, organizations first need clear visibility into their systems across all environments, including IT, OT and a quickly growing number of Industrial Internet of Things (IIoT) devices. Visibility also must be granular: not just discovering every device and piece of software on the network, but understanding how each one connects to other components of the enterprise.
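As an added illustration of what granular visibility means in practice (this is example code written for this page, not XONA's or any vendor's tooling), the script below takes a constructed asset inventory and a handful of constructed flow records, builds a per-asset connection map, flags assets running end-of-life operating systems that cannot be patched, and reports flows that cross zones in ways a simple Purdue-style segmentation policy does not allow. The zone model, the end-of-life OS list and every device and address are assumptions made for the example.

```python
"""Asset visibility for an OT network: inventory, connection map and
segmentation checks. Added example, not vendor code; all assets, addresses,
zones and flow records below are constructed sample data."""
from collections import defaultdict

# Constructed inventory, shaped like the output of a passive discovery tool.
ASSETS = [
    {"ip": "10.10.1.5",  "name": "PLC-LINE1", "type": "PLC",         "zone": "OT",  "os": "VxWorks 6.9"},
    {"ip": "10.10.1.20", "name": "HMI-LINE1", "type": "HMI",         "zone": "OT",  "os": "Windows XP"},
    {"ip": "10.10.2.7",  "name": "HIST-01",   "type": "Historian",   "zone": "DMZ", "os": "Windows Server 2019"},
    {"ip": "10.20.5.33", "name": "ENG-WS-04", "type": "Workstation", "zone": "IT",  "os": "Windows 10"},
    {"ip": "10.20.5.80", "name": "CORP-MAIL", "type": "Server",      "zone": "IT",  "os": "Ubuntu 22.04"},
]

# Operating systems that no longer receive vendor patches (assumed list for the example).
END_OF_LIFE_OS = {"Windows XP", "Windows 7", "Windows Server 2003"}

# Constructed flow records: (src_ip, dst_ip, dst_port, protocol).
FLOWS = [
    ("10.10.1.20", "10.10.1.5",  502,  "modbus"),  # HMI -> PLC inside the OT zone
    ("10.10.2.7",  "10.10.1.5",  502,  "modbus"),  # DMZ historian polls the PLC
    ("10.20.5.33", "10.10.1.5",  502,  "modbus"),  # IT workstation speaks Modbus straight to the PLC
    ("10.20.5.33", "10.10.1.20", 3389, "rdp"),     # IT workstation RDP into the XP HMI
    ("10.20.5.80", "10.20.5.33", 25,   "smtp"),    # ordinary IT-internal traffic
]

# Assumed segmentation policy: OT talks to OT, the DMZ brokers between IT and OT,
# and IT never reaches OT directly.
ALLOWED_ZONE_PAIRS = {
    ("OT", "OT"), ("OT", "DMZ"), ("DMZ", "OT"),
    ("IT", "DMZ"), ("DMZ", "IT"), ("IT", "IT"),
}


def index_by_ip(assets):
    """Map IP address -> asset record for quick lookup."""
    return {a["ip"]: a for a in assets}


def unpatchable_assets(assets):
    """Names of assets on an end-of-life OS; these need compensating controls, not patches."""
    return [a["name"] for a in assets if a["os"] in END_OF_LIFE_OS]


def connection_map(assets, flows):
    """For each source asset, the sorted list of (peer, protocol, port) it talks to."""
    by_ip = index_by_ip(assets)
    conns = defaultdict(set)
    for src, dst, port, proto in flows:
        src_name = by_ip.get(src, {"name": src})["name"]
        dst_name = by_ip.get(dst, {"name": dst})["name"]
        conns[src_name].add((dst_name, proto, port))
    return {name: sorted(peers) for name, peers in conns.items()}


def segmentation_violations(assets, flows):
    """Human-readable findings for flows that cross zones outside ALLOWED_ZONE_PAIRS."""
    by_ip = index_by_ip(assets)
    findings = []
    for src, dst, port, proto in flows:
        s, d = by_ip.get(src), by_ip.get(dst)
        if s is None or d is None:
            # An endpoint we have never inventoried is itself a visibility gap.
            findings.append(f"unknown asset in flow {src}->{dst}:{port}")
            continue
        if (s["zone"], d["zone"]) not in ALLOWED_ZONE_PAIRS:
            findings.append(
                f"{s['name']} ({s['zone']}) -> {d['name']} ({d['zone']}) {proto}/{port}"
            )
    return findings


if __name__ == "__main__":
    print("Unpatchable:", unpatchable_assets(ASSETS))
    for name, peers in connection_map(ASSETS, FLOWS).items():
        print(name, "->", peers)
    for finding in segmentation_violations(ASSETS, FLOWS):
        print("VIOLATION:", finding)
```

Run as-is it reports the Windows XP HMI as unpatchable and the two direct IT-to-OT flows as segmentation violations; the DMZ historian's Modbus polling passes because the assumed policy lets the DMZ broker between zones. In a real deployment the inventory and flows would come from a discovery or network-monitoring platform rather than from literals.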

Secure remote access control also is critical, best achieved by adopting a Zero Trust security strategy, including multi-factor authentication, least-privilege principles and continuous monitoring.

A substantial piece of OT security is gaining control over critical assets and protecting these assets from the specific threats created by distributed workers and remote work environments. A platform that provides complete visibility and secure access to critical assets would include, for example, a policy engine that enforces specific policies across users, asset connections, and group-based management, which sets privileges to groups such as human-machine interface (HMI) technicians or those working with SCADA systems.
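To make the Zero Trust and policy-engine ideas of the last two paragraphs concrete, here is an added example of a group-based access decision for OT remote sessions. It is illustration code written for this page, not XONA's ROAM or CSG implementation. It encodes least privilege as per-group (asset type, action) grants, requires MFA on every session and a recent MFA step-up before any state-changing action, and writes each decision to an audit log for continuous monitoring. The group names, privilege table, 15-minute step-up window and session records are all assumptions.

```python
"""Group-based access policy check for OT remote access. Added example, not
vendor code; groups, privileges, time window and sessions are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Least privilege: each group is granted only the (asset_type, action) pairs its role needs.
GROUP_PRIVILEGES = {
    "hmi_technicians": {("HMI", "view"), ("HMI", "operate")},
    "scada_engineers": {("HMI", "view"), ("SCADA", "view"), ("SCADA", "configure"), ("PLC", "view")},
    "auditors":        {("HMI", "view"), ("SCADA", "view"), ("PLC", "view")},
}

# Actions that change process state need a fresh MFA step-up (assumed 15-minute window).
STATE_CHANGING = {"operate", "configure", "program"}
MFA_MAX_AGE = timedelta(minutes=15)


@dataclass
class Session:
    user: str
    groups: List[str]
    mfa_verified_at: Optional[datetime]  # None means MFA was never completed
    started_at: datetime


@dataclass
class Request:
    session: Session
    asset_name: str
    asset_type: str
    action: str
    now: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG: List[dict] = []  # every decision, granted or denied, lands here for monitoring


def _record(req: Request, allowed: bool, reason: str) -> Decision:
    AUDIT_LOG.append({
        "time": req.now.isoformat(),
        "user": req.session.user,
        "asset": req.asset_name,
        "action": req.action,
        "allowed": allowed,
        "reason": reason,
    })
    return Decision(allowed, reason)


def evaluate(req: Request) -> Decision:
    """Decide one access request; every path is logged."""
    s = req.session
    # 1. No MFA-backed identity, no access, regardless of group membership.
    if s.mfa_verified_at is None:
        return _record(req, False, "session has no MFA")
    # 2. Least privilege: some group the user belongs to must grant this exact action.
    needed = (req.asset_type, req.action)
    if not any(needed in GROUP_PRIVILEGES.get(g, set()) for g in s.groups):
        return _record(req, False, f"no group grants {req.action} on {req.asset_type}")
    # 3. Step-up: state-changing actions require MFA within MFA_MAX_AGE.
    if req.action in STATE_CHANGING and req.now - s.mfa_verified_at > MFA_MAX_AGE:
        return _record(req, False, "MFA too old for a state-changing action")
    return _record(req, True, "granted")


def run_demo() -> dict:
    """Constructed sessions exercising each branch; returns {label: allowed}."""
    t0 = datetime(2024, 1, 1, 9, 0)
    tech = Session("alice", ["hmi_technicians"], t0, t0)
    eng = Session("bob", ["scada_engineers"], t0, t0)
    nomfa = Session("eve", ["auditors"], None, t0)
    cases = {
        "tech_operate_hmi_fresh":    Request(tech, "HMI-LINE1", "HMI", "operate", t0 + timedelta(minutes=5)),
        "tech_program_plc":          Request(tech, "PLC-LINE1", "PLC", "program", t0),
        "eng_configure_scada_stale": Request(eng, "SCADA-01", "SCADA", "configure", t0 + timedelta(minutes=30)),
        "eng_view_scada_stale":      Request(eng, "SCADA-01", "SCADA", "view", t0 + timedelta(minutes=30)),
        "auditor_view_without_mfa":  Request(nomfa, "HMI-LINE1", "HMI", "view", t0),
    }
    return {label: evaluate(r).allowed for label, r in cases.items()}


if __name__ == "__main__":
    for label, allowed in run_demo().items():
        print(f"{label}: {'ALLOW' if allowed else 'DENY'}")
    print(f"{len(AUDIT_LOG)} decisions logged")
```

The design point is that read-only actions stay usable on an older but authenticated session, while anything that can change process state forces a fresh MFA check, and the audit log receives denials as well as grants so that monitoring can spot a user repeatedly probing for privileges their group does not have.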

Taking Operational Technology (OT) Security to the Enterprise

In today’s industrial and manufacturing environments, OT security requires a comprehensive, enterprise-wide strategy. Like companies in any other sector, industrial organizations suffer from an IT skills shortage and operate cloud-based infrastructure that has grown beyond the ability of in-house staff to control completely. XONA recommends that organizations consider a platform-based approach that can provide a holistic, cost-effective security strategy.

XONA’s Critical System Gateway (CSG), for example, protects critical assets via hardened components, protocol isolation and encrypted display, and XONA’s Remote Operations Access Manager (ROAM) provides full enterprise visibility into CSGs. A comprehensive platform can support a Zero Trust architecture for a dispersed, remote workforce, with MFA and other access controls, and it can provide the scalability for companies to grow securely or adjust to new conditions.

This type of enterprise approach to security also can help companies achieve regulatory compliance, which is vital to organizations in industries ranging from energy to healthcare.
