Operational technology (OT) is a broad term for all forms of computer technology that physically interact with the industrial world. From industrial control systems (ICSes), critical infrastructure and building lighting systems to robots, scientific instruments, medical devices and automated transportation systems, OT is present in every sector and nearly every organization.
OT cybersecurity is often more difficult than traditional IT cybersecurity because the threat landscape is larger. OT systems face all the same threats IT systems do, such as malware, ransomware, malicious insiders, human error and DDoS attacks, and on top of those, OT environments face several challenges that IT environments rarely do.
5 OT threats and security challenges
Consider the following OT threats and the security challenges they pose:
- Safety. Many OT systems can cause changes in the physical world that could adversely affect human safety. This makes safeguarding OT systems even more important than safeguarding IT systems, and it also inverts the usual IT priority order: safety and availability come before confidentiality, so a security control that could interfere with a safety function or an emergency stop is itself a risk.
- Uptime. Many OT systems need to be operational at all times. Because of their critical roles in ICS settings and critical infrastructure, OT systems might need to run continuously, with outages limited to occasional maintenance windows planned months in advance. This seriously delays security control changes, patching and other maintenance activities that are fairly routine for IT systems.
- Lifespans. OT systems are often used for decades, so they’re more likely to become unsupported than IT systems. That means patches and other updates to correct vulnerabilities and add security features won’t be available for older, legacy OT systems, potentially leaving them open to cyberattacks.
- Exposure. Some OT systems lack physical security controls and are deployed in remote, unattended locations where they are susceptible to tampering and unauthorized use. This increases their likelihood of compromise compared to IT systems housed within data centers and other secure facilities.
- Regulations. For OT in highly regulated sectors — for example, certain healthcare devices — the organizations using the systems might not be permitted to patch or update them, or to add third-party security tools to them, without the vendor first validating the change. In these cases, the system vendor could be fully responsible for testing any changes and receiving regulatory approval before implementing them in customers’ systems.
How to defend against OT threats
To protect against OT threats and address the cyber challenges inherent in OT, security leaders should consider the following best practices:
Use existing tools. See if existing IT security technologies, such as firewalls and SIEM, already understand the OT networking and application protocols in use.
This is less likely to be the case for legacy OT systems, but newer OT systems often use common OT and IT protocols. Verify the claim rather than taking it from a datasheet: a firewall that merely permits a protocol’s TCP port is not inspecting the protocol, and a SIEM that ingests the traffic without decoding it cannot distinguish a routine read from a command that changes a setpoint. If possible, use existing security technology instead of acquiring additional tools, as this is often the most efficient and cost-effective option.
Weigh modern cybersecurity controls. Adopt modern cybersecurity controls to protect OT systems if the following are true:
- Controls are compatible with the systems.
- Controls will not negatively affect human safety or system uptime.
For example, zero-trust architectures and MFA could certainly strengthen an OT system’s security posture. But in some situations, they could also make it harder for authorized personnel to interact with the systems in emergencies. Security leaders need to weigh the benefits and risks on a case-by-case basis.
Strategically mitigate risk. Use long-term risk mitigation and security measures to protect otherwise-vulnerable OT systems from cyberthreats. Many legacy OT systems were not designed for the internet-connected world, for example, so they lack necessary security features such as authentication on their control protocols. On the other hand, newer OT systems often use commodity components, such as standard operating systems, IP networking and web interfaces, with much larger attack surfaces than legacy OT systems had.
In either case, OT systems might need additional layers of protection. Techniques such as network segmentation can isolate OT systems from others, and firewalls at the segment boundaries can restrict traffic to the specific hosts, ports and protocol operations that each connection between segments legitimately needs, so that only authorized network traffic enters and exits OT network segments.
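The following is an added example, not code from the article or from any product it mentions, and it illustrates both points above: checking whether a tool actually understands an OT protocol (here, decoding the Modbus/TCP header and function code, with Modbus chosen as an assumed protocol since the article names none) and enforcing a segmentation policy in which each source zone is allowed only the operations it needs. The zone addresses, conduit rules and sample flows are constructed for the example; the "dmz" zone stands in for a historian that may poll controllers but must never write to them.

```python
"""Zone-and-conduit policy check over Modbus/TCP traffic (added example).

Assumptions (not from the article): the zone layout, conduit rules and sample
flows below are constructed. Modbus/TCP framing follows the public spec: a
7-byte MBAP header (transaction id, protocol id, length, unit id) then a PDU
whose first byte is the function code.
"""
import ipaddress
import struct
from dataclasses import dataclass

MODBUS_PORT = 502
MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id (big-endian)
# Function codes that alter coils or registers, i.e. can change physical state.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

# Hypothetical zone layout; all addresses are constructed for this example.
ZONES = {
    ipaddress.ip_network("10.10.1.0/24"): "plc",          # controllers
    ipaddress.ip_network("10.10.2.0/24"): "engineering",  # engineering workstations
    ipaddress.ip_network("10.10.9.0/24"): "dmz",          # OT DMZ: historian, jump host
    ipaddress.ip_network("192.168.0.0/16"): "corporate",  # IT network
}

# Conduits into the PLC zone: which source zones may speak Modbus, and whether
# they may use write functions. Anything not listed is denied by default.
CONDUITS = {
    "engineering": {"write": True},
    "dmz": {"write": False},  # historian polls data but must never write
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for net, name in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def parse_modbus(payload: bytes):
    """Return (unit_id, function_code) for a well-formed Modbus/TCP request, else None."""
    if len(payload) < MBAP.size + 1:
        return None
    _txn, proto, length, unit = MBAP.unpack_from(payload)
    # Protocol id is always 0; the length field counts unit id plus PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[MBAP.size]


def evaluate(flow: Flow) -> str:
    """Decide whether a flow into the PLC zone is permitted by the conduit policy."""
    if zone_of(flow.dst) != "plc":
        return "allow"  # only traffic into the controller zone is policed here
    src_zone = zone_of(flow.src)
    if src_zone not in CONDUITS:
        return f"deny: no conduit from zone '{src_zone}'"
    if flow.dport != MODBUS_PORT:
        return f"deny: port {flow.dport} not allowed into plc zone"
    parsed = parse_modbus(flow.payload)
    if parsed is None:
        return "deny: malformed Modbus/TCP frame"
    _unit, fc = parsed
    if fc in WRITE_FUNCTIONS and not CONDUITS[src_zone]["write"]:
        return f"deny: write function 0x{fc:02x} from read-only zone '{src_zone}'"
    return "allow"


def build_request(function_code: int, pdu_data: bytes, unit: int = 1, txn: int = 1) -> bytes:
    """Assemble a Modbus/TCP frame; used only to construct the sample traffic."""
    pdu = bytes([function_code]) + pdu_data
    return MBAP.pack(txn, 0, len(pdu) + 1, unit) + pdu


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    # engineering workstation writes a single register (FC 6): permitted
    Flow("10.10.2.15", "10.10.1.7", 502, build_request(6, struct.pack(">HH", 0x0010, 1500))),
    # historian reads holding registers (FC 3): permitted
    Flow("10.10.9.4", "10.10.1.7", 502, build_request(3, struct.pack(">HH", 0, 10))),
    # historian tries to force a coil (FC 5): denied, read-only conduit
    Flow("10.10.9.4", "10.10.1.7", 502, build_request(5, struct.pack(">HH", 0x0001, 0xFF00))),
    # corporate laptop straight to a PLC: denied, no conduit
    Flow("192.168.5.20", "10.10.1.7", 502, build_request(3, struct.pack(">HH", 0, 1))),
    # engineering host on an unexpected port (telnet): denied
    Flow("10.10.2.15", "10.10.1.7", 23, b"\r\n"),
    # truncated frame whose length field claims 64 bytes: denied as malformed
    Flow("10.10.2.15", "10.10.1.7", 502, b"\x00\x01\x00\x00\x00\x40\x01\x10"),
]


def audit(flows=SAMPLE_FLOWS):
    return [(f.src, f.dst, f.dport, evaluate(f)) for f in flows]


if __name__ == "__main__":
    for src, dst, dport, verdict in audit():
        print(f"{src:>13} -> {dst}:{dport:<4} {verdict}")
```

The design point is that the decision depends on the function code, not just on the port: a port-only rule would let the historian's coil write through, while the protocol-aware check denies it. A firewall or SIEM that cannot make this distinction for the protocols in use is the gap the "use existing tools" check is meant to find.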
Prioritize OT cybersecurity awareness. Regularly train cybersecurity professionals and OT system users and administrators on OT threats and challenges and how to address them. This should help the organization manage security risks, reduce the number of incidents and promote faster and more efficient incident response efforts when they do occur.
Karen Scarfone is the principal consultant at Scarfone Cybersecurity in Clifton, Va. She provides cybersecurity publication consulting to organizations and was formerly a senior computer scientist for NIST.