The state of OT security: a rapidly evolving landscape
Operational technology powers some of the most critical equipment on the planet. Yet the cybersecurity that protects this technology is, for the most part, only about a decade old.
Operational technology (OT) refers to the technology used to monitor and control industrial processes. While known for its use in manufacturing and industrial settings, OT is also utilized in healthcare, critical infrastructure, construction, building management and more. The technology is also frequently looped in with IoT and industrial control systems (ICS), which is considered a subcategory of the OT industry.
Honeywell vice president and general manager of cybersecurity Jeff Zindel told TechTarget Editorial that a decade ago, there was “very little awareness” of OT as a unique, critical branch of cybersecurity. There was a prevailing belief that industrial spaces didn’t need cybersecurity because they were air gapped.
That’s not to say industrial security protections never existed before 2012. But a formal subcategory of security dedicated to OT is a recent phenomenon. To illustrate, many major players in the space, such as Armis, Claroty, Dragos and Nozomi Networks, were founded in the last 10 years (2015, 2015, 2016 and 2013 respectively).
Despite its youth, OT security awareness is rapidly growing. The increased connectedness of industrial technology to IT environments as well as highly public cyberattacks, like the Colonial Pipeline ransomware attack and the Oldsmar, Fla. water treatment plant breach, have led to significantly increased attention being paid to the space.
In 2022, ICS/OT security is defined by major consequences and a landscape that is slowly but surely maturing.
Because OT security powers critical infrastructure in industries like electricity, oil, water and more, there are persistent concerns about the potential for cyber attacks that carry real world, kinetic consequences — including injury or loss of life.
The most severe hypothetical versions of these attacks are unlikely for several reasons, namely industrial fail safes, the risk of geopolitical escalation, and the immense value OT settings have for both cyberespionage and ransomware.
Cyberattacks on OT and critical infrastructure can still be quite damaging even if they fall short of a worst-case scenario. Russia began launching destructive critical infrastructure attacks against Ukraine after the former’s invasion of the latter earlier this year. It isn’t the first time; Russia conducted similar attacks against Ukraine in 2015.
In a less extreme example, ransomware attacks — one of the most common against OT — can be particularly disruptive for organizations utilizing industrial technologies because attackers could hold a production line hostage in addition to sensitive data.
According to a July 2022 report from Barracuda Networks about industrial security, 94% of organizations reported experiencing a security incident in the previous 12 months. Among these organizations, over 60% said their most significant security incident resulted in downtime of two days or longer.
According to a similar report released by Trend Micro in June, “nine out of 10 organizations have had their production or energy supply impacted by cyberattacks in the last 12 months.” In a 2021 report from Claroty about the state of ICS/OT security, 80% of respondent organizations had experienced a cyberattack, with 47% reporting an impact on their ICS/OT environments.
It is perhaps because of these damaging attacks that decisionmakers and boardrooms are taking notice of OT security.
Honeywell CTO and Vice President of R&D Jason Urso said he has seen a dramatic transformation over the past 20 years in how industrially focused organizations approach cybersecurity
“With proprietary systems, people didn’t really think about cybersecurity a whole lot — even though they probably should have,” Urso said. “And as the industry has moved to more open system technology, with most control systems running on Windows PCs and Cisco switches, there is far more connectivity now. The opportunity for cyber issues is much greater than it has been in the past. And I think the attention on the industrial industry is much higher.”
A maturing landscape
Security professionals who spoke with TechTarget Editorial generally agreed that OT security is improving overall. But they also generally agreed that an industry-wide lag exists in organizations utilizing operational technology compared to organizations that operate purely in IT.
In addition to the OT security industry being far younger than IT cybersecurity, the machinery and equipment found in OT settings is built to last decades, not years. This — combined with the critical, nonstop processes this equipment often supports — means securing an environment or even patching vulnerabilities can prove extremely complicated.
Joe Marshall, a security researcher for Cisco Talos’ intelligence group, said OT security was improving overall. But the extent of this improvement depended on the industry. Electricity, he said, has seen major improvements, while oil and gas typically has a weaker security vocabulary and a wider range of security postures. Manufacturing was hit or miss. The most mature organizations, he said, “have got strong security fundamentals like segmentation and baseline monitoring.”
Paul Griswold, Honeywell’s chief product officer of connected cybersecurity, similarly said the posture for OT-centric organizations can vary greatly. By his estimate, 15% of organizations are “very advanced” in their security journey. These organizations have implemented the latest OT technologies, have good security programs in place and see close collaboration between the CISO and OT sides of their organization.
The other 85%, he said, are in other stages of their journey.
“I think everyone is at least aware of the problem that OT cybersecurity needs to be more modernized,” Griswold said. “In some cases, you may have a bunch of municipalities that are not super well-funded. They’re not big corporations that have a CISO, security staff and things like that. There may be a bit of an awareness issue there as well, just because they don’t have the staff to fully analyze it. But on the other end of the spectrum, sometimes things slow down because of mistrust between the CISO and the people running the OT systems.”
Nozomi Networks CEO Edgard Capdevielle told TechTarget Editorial last month that another issue large organizations frequently run into is that security personnel don’t have the “budget muscle” to make consistent OT security improvements. This is often due to other forces and financial factors within that organization.
But on the whole, security postures are improving, and the OT security space is maturing. This is in part due to an increasing number of high profile cyberattacks raising awareness. But other awareness campaigns are taking root at the public and private sector level.
The research nonprofit MITRE Corporation now has a dedicated knowledge base for ICS attack techniques. There has also been a push in recent years from the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) to improve hardening at the organizational level.
In September, for example, CISA and the National Security Agency (NSA) published a joint security alert titled, “Control System Defense: Know the Opponent” dedicated primarily to how threat actors attack ICS/OT systems. It includes common intrusion tactics, how threat actors gain intelligence on target systems, and mitigations. CISA regularly publishes guidance and best practices, and they also host the Industrial Control Systems Joint Working Group (ICSJWG) to facilitate information sharing between the private and public sectors.
Capdevielle praised CISA’s role in OT security.
“CISA has been fantastic,” he said. “And I’m not somebody that naturally praises government entities. In addressing the OT security challenge, Nozomi was a founding member of the OT Cyber Coalition, a coalition of various industry participants that got together to make sure that if the government was going to start passing down guidelines that they were going to be guidelines that made sense. CISA not only embraced the coalition, but they created their own [Joint Cyber Defense Ckollaborative] and made most of the members of the coalition founding members.”
As OT security moves into the future, one emerging trend is a convergence between the IT and OT sides of an organization.
IT and OT convergence
Although IT and OT are seen as distinct spaces, the increased connectedness of OT-centric environments means increased overlap between the two sides’ security needs. For example, network segmentation, zero trust principles and critical patch prioritization are considered core best practices in both IT and OT, even if the implementation differs.
The overlap is beginning to result in intra-organizational discussions between OT, IT and security personnel. This has also, in some cases, resulted in previously distinct IT and OT security staff reorganizing under one all-encompassing group. Honeywell’s Zindel told TechTarget Editorial last month that there are numerous benefits to this convergence, including information sharing and increased network visibility.
Chris Dobrec, vice president of product and industry solutions at OT security vendor Armis, said these discussions are a newer phenomenon.
“OT, IT and security folks are starting to sit at the same table at the same time,” he said. “It used to be that they were isolated teams that didn’t really work together well. But now they’re coming together and working well, and the Venn diagram overlap is getting better and better. So when you have folks sitting at the same table thinking about operational and security issues, that helps move the ball forward.”
Even with room for improvement and some continued growing pains in the burgeoning OT security space, Marshall says there’s reason to be hopeful.
“There’s a lot more work to be done,” he said. “But just based on what I’ve seen in a short amount of time, it gives me a lot of hope. There are a lot of smart people working to keep the lights on and the water drinkable. I know a lot of them. They’re fantastic. They’re fighting the good fight, and I think we’re making good progress.”
Alexander Culafi is a writer, journalist and podcaster based in Boston.