Opinion: Guardians of the industrial realm: Cybersecurity challenges in operational technology in 2024
By Julien Legrand, CISSP, GICSP, ISA/IEC 62443 Cybersecurity expert
Mar. 28, 2024 6:13PM GMT+9
Today, numerous organizations are rapidly merging operational technology (OT) and information technology (IT) networks. This integration is aimed at leveraging the data collected by physical machinery and devices within the Industrial Internet of Things (IIoT). By harnessing this information, organizations can pinpoint issues more effectively and boost their overall efficiency.
In addition, the dismantling of silos between IT and OT departments lessens the need for physical space and hardware. This convergence of IT and OT also leads to faster deployment times, cost reductions, and improved operational efficiency.
However, this merging of OT and IT networks significantly increases the need for cybersecurity. The constantly evolving and increasingly sophisticated cyber threats can now penetrate previously isolated OT environments. This vulnerability prevents many companies from fully benefiting from the integration of OT and IT networks. Below is an overview of the current threat landscape in 2024 and the potential risks organizations should be prepared for.
Top cybersecurity challenges facing OT organizations
The ransomware crisis
The Fortinet 2023 State of Operational Technology and Cybersecurity Report [1] disclosed that 75% of OT organizations have reported experiencing multiple security breaches. Among these, malware (56%) and phishing (49%) were the most commonly reported incidents. Additionally, nearly one-third of those surveyed admitted to being victims of a ransomware attack.
Additionally, TXOne Networks, in The Crisis of Convergence: OT/ICS Cybersecurity 2023 report [2], conducted a survey involving 405 prominent OT and IT cybersecurity leaders. ICS, or industrial control systems, is a term widely used along with OT due to their similarity of subjects. The findings highlighted ransomware as a significant threat within OT/ICS environments, with 47% of the organizations reporting incidents of cyberattacks involving ransomware in 2023.
Furthermore, the Dragos’ 2023 OT Cybersecurity Year in Review Report [3] observed that ransomware continued to be the predominant threat in the industrial sector, experiencing a 50% increase in activity. Significantly, the manufacturing sector was the primary target for ransomware attacks, accounting for 71% of all documented incidents. The report also highlighted the geographical impact, with North America being the most affected region, suffering 44% of the attacks, and Europe following closely with 32%.
Lack of sufficient security controls
Data compiled by the cybersecurity firm Dragos [4] identifies the most significant challenge for industrial organizations as the lack of sufficient security controls, which account for 28% of their service engagements. This shortfall is often due to problems such as poor network segmentation and misconfigured firewalls. Notably, improper network segmentation stands out as a critical concern, with nearly 70% of OT-related incidents able to be traced back to vulnerabilities within the IT environment.
Another significant issue is the absence of separate IT and OT user management, which affects 17% of organizations that have interconnected IT and OT systems. This lack of differentiation facilitates tactics such as lateral movement and privilege escalation. Additionally, Dragos pointed out the risk of external threats, particularly the exploitation of external services and public-facing systems.
A continuously expanding attack surface
TXOne [5] highlighted that the convergence of IT and OT significantly alters the landscape of the entire organizational ecosystem, necessitating a robust defense mechanism to secure the enlarged attack surface. The heightened interconnectivity between IoT/OT networks and critical infrastructure, coupled with inadequate security measures for device security and OT networks, exacerbates these risks.
Legacy systems introducing cybersecurity complexities
Legacy systems within OT networks add significant complexity to the securing of industrial systems. A staggering 97% of companies worldwide [6] have reported IT security incidents impacting their OT environments. Furthermore, 59% are vulnerable to OT cyber threats, and 46% have already encountered breaches in OT security. Additionally, 59% of organizations face persistent challenges due to the complexity of cybersecurity.
Cybersecurity solutions sprawl
Fortinet [7] observes that the widespread adoption of a variety of cybersecurity point products, leading to solution sprawl, poses a considerable challenge in applying and enforcing uniform policies across IT/OT environments. The diversity of tools in the cybersecurity toolkit often results in disjointed communication and a lack of cohesion among security components. This fragmented strategy impedes the establishment of standardized policies and raises the risk of missing potential vulnerabilities. To counteract this complexity, organizations are encouraged to adopt integrated platforms and solutions that streamline security measures.
Best practices for securing operational technology
Implementing an OT and vendor security platform
Develop a comprehensive vendor and OT cybersecurity platform strategy, as outlined in the Fortinet report, aimed at reducing complexity and accelerating outcomes. Begin to build this platform gradually by partnering with vendors who prioritize the design of their products for integration and automation.
Adopt resilient governance strategies
A robust cybersecurity approach includes detailed governance strategies that enable the effective identification, protection, detection, response, and recovery from OT security incidents. Although 77% of organizations have achieved maturity level 3 [8] in OT/ICS cybersecurity, it’s crucial to pursue improvements beyond mere compliance.
Organizational cybersecurity maturity is assessed using the NIST Cybersecurity Framework 2.0, which comprises six core functions: Governance, Identification, Protection, Detection, Response, and Recovery. Each function is evaluated based on specific tasks associated with it. The scores from these assessments are averaged to determine the organization’s overall maturity level, which ranges from 0 to 5.
- Level 1 (Baseline): Limited implementation with a focus on governance and identification (scores of 2 and above required).
- Level 2 (Managed): Progresses to protective measures, needing scores of 3 and above for governance and identification and 2 and above for protection.
- Level 3 (Responsive): Requires robust practices across all functions, with scores of 3 and above for governance, identification, and protection and 2 and above for detection, response, and recovery functions.
- Level 4 (Adaptive): This level indicates sophisticated defence strategies, requiring scores of 4 and above for governance, identification, and protection and 3 and above for detection, response, and recovery functions.
- Level 5 (Optimized): Represents the pinnacle of cybersecurity, with all functions achieving scores of 4 and above.
The statistic that 68% of organizations are consistently increasing their OT/ICS budgets highlights the critical need for these entities to strengthen their OT security posture.
Embracing a zero-trust security architecture
Adopting a zero-trust access framework is crucial for strengthening cybersecurity defences. This strategy starts with two fundamental steps: a comprehensive asset inventory and the implementation of segmentation. Thoroughly cataloguing and categorizing assets allows organizations to fully grasp their digital ecosystem, enabling better control and protection. Additionally, segmentation is key in ensuring that access rights are accurately assigned, which helps prevent cyber adversaries from moving laterally within the network.
Address issues in patching vulnerabilities
Dragos has pointed out the complexities involved in mitigating all vulnerabilities within OT environments, highlighting that comprehensive patching does not guarantee enhanced security. This challenge is compounded by the risks associated with unsuccessful patches, leading to operational downtime, coupled with the innate vulnerabilities present in many OT devices, which often cannot be remedied simply through patching. Therefore, the focus should shift towards improving the overall hygiene of industrial processes, rather than solely on the act of patching.
Conclusion
In 2023, critical infrastructure and manufacturing sectors worldwide faced unprecedented cybersecurity challenges within their OT/ICS environments. The threat of ransomware, empowered by Ransomware-as-a-Service (RaaS) models, poses significant risks, which include demands for extortion, operational disruptions, reputational damage, and potential physical consequences. Further complicating these challenges are the lack of security measures in OT/ICS environments, vulnerabilities within the supply chain, and the presence of complex, outdated systems.
Facing the constantly evolving landscape of cyber threats requires organizations to strengthen their OT/ICS cybersecurity strategies, moving beyond simple compliance to achieve higher levels of cybersecurity maturity. This entails enhancing governance structures, improving the skills and capabilities of teams and technologies, incorporating advanced threat detection and response mechanisms into their cybersecurity frameworks, and focusing on the management of supply chain risks.
The Purdue Model of ICS highlights a critical challenge in cybersecurity. While threats at the IT-centric tiers (Levels 4 and 5) might be more straightforward to identify and mitigate, those targeting the deeper, more operationally focused layers of OT/ICS (below Level 3) tend to be not only more complex but also potentially more damaging. Malicious activities at these levels can lead to severe consequences, including operational downtime, data breaches, as well as safety incidents. To address these challenges effectively, organizations need to implement real-time tools designed for monitoring, analyzing, and assessing cybersecurity risks within such OT environments.
In an era of rapid digital transformation, it is crucial for businesses and government entities to work together to address the evolving challenges. Such collaboration aims to ensure that operations remain available, reliable, and secure.
Reference:
[1] https://www.fortinet.com/content/dam/fortinet/assets/reports/report-state-ot-cybersecurity.pdf
[2] https://www.txone.com/security-reports/ot-ics-cybersecurity-2023/
[3] https://www.dragos.com/ot-cybersecurity-year-in-review/
[4] https://www.dragos.com/ot-cybersecurity-year-in-review/
[5] https://www.txone.com/security-reports/ot-ics-cybersecurity-2023/
[6] https://www.txone.com/security-reports/ot-ics-cybersecurity-2023/
[7] https://www.fortinet.com/content/dam/fortinet/assets/reports/report-state-ot-cybersecurity.pdf
[8] https://www.txone.com/security-reports/ot-ics-cybersecurity-2023/
[9] https://www.dragos.com/ot-cybersecurity-year-in-review/
legrandjulien@proton.me Follow the author
READ MORE: Opinion: OT security landscape in 2023
About the author
Covering the Asia region, Julien Legrand is the Head of Cyber Solutions at Thales and a highly experienced industrial cybersecurity professional passionate about staying at the forefront of technology and cybersecurity. With over twelve years of experience in the field, he has a proven track record of designing, implementing, and continuously improving security controls across various industries, including but not limited to aviation, energy, manufacturing, and transportation, and has a deep understanding of these industries’ cybersecurity challenges. In addition, Julien is a regular speaker at external conferences and a technology writer for international newspapers. He holds a double bachelor’s degree (BEng) in industrial systems and automation, a master's degree (MSc) in computer science and cybersecurity and a Master of Business Administration (MBA).