
Why OT environments are vulnerable – and what to do about it


COMMENTARY: Operational technology (OT) environments, integral to critical infrastructure sectors such as energy, manufacturing, and water treatment, are increasingly susceptible to cyber threats.

Historically isolated through air-gapped systems and proprietary protocols, OT networks now face similar risks to information technology (IT) environments because of modernization and integration with broader infrastructures. Recent cyberattacks demonstrate how adversaries exploit OT vulnerabilities to disrupt industries and endanger public safety.

The evolving OT threat landscape

OT systems were traditionally designed with a focus on operational continuity, often neglecting cybersecurity considerations. The integration of Industrial Internet of Things (IIoT) devices and IT systems has expanded the attack surface, exposing OT environments to a growing number of vulnerabilities. Critical weaknesses in these environments, often caused by legacy equipment, poor segmentation, and insufficient monitoring, are being exploited with increasing frequency.

Attacks in 2024 on water and wastewater systems

In early 2024, U.S. water and wastewater systems became the target of cyberattacks focused on internet-exposed OT devices. One notable incident, attributed to pro-Russian hacktivists, involved the exploitation of outdated OT equipment to manipulate process controls, resulting in significant operational disruptions.


The attack vector relied on remotely accessible systems that lacked essential security measures, such as multi-factor authentication or secure configurations. Additionally, these systems were not properly segmented from broader networks, which let adversaries move laterally once they gained access. The impact of the attack was felt in the water treatment processes, underscoring the critical vulnerability of infrastructure to cyber threats.

Security weaknesses included:

  • Lack of network segmentation: Poor isolation between IT and OT systems let attackers pivot within environments.
  • Legacy systems: Many devices were outdated and lacked support for critical security patches.
  • Insufficient monitoring: Minimal visibility into network activity allowed the breach to persist unnoticed for an extended period.

This attack exemplifies the dangers posed by leaving internet-facing OT devices unprotected, especially in critical infrastructure sectors that often operate with constrained resources and outdated technologies.

Manufacturing sector ransomware surge in 2024

The manufacturing industry has emerged as a primary target for ransomware operators, with a significant increase in attacks causing physical consequences in 2024. In several cases, attackers deployed ransomware to encrypt critical systems, effectively halting production and, in some instances, damaging equipment.

The attack vector involved exploiting unpatched systems and weak access controls to infiltrate networks, spreading ransomware across both IT and OT components. Remote Desktop Protocol (RDP) endpoints with default credentials were often the entry points. The impact of these disruptions was severe, causing financial losses and equipment damage, which highlighted the significant financial and operational risks associated with inadequate OT security.

Security weaknesses included:

  • Inadequate patch management: Failure to address known vulnerabilities left systems exposed.
  • Weak access controls: Poor password hygiene and a lack of multi-factor authentication facilitated unauthorized access.
  • Limited incident response preparedness: Companies often lacked comprehensive response plans, delaying recovery efforts and exacerbating downtime costs.

The manufacturing sector’s reliance on legacy systems and lack of consistent security policies make it particularly susceptible to financially motivated threat groups that can disrupt operations with relatively low effort.

Factors contributing to OT vulnerabilities

Several systemic issues make OT environments particularly appealing to cyber adversaries:

  • Legacy systems: OT environments rely on outdated equipment, some of which was designed decades ago, with minimal or no security features. Teams often can’t upgrade these devices because of operational constraints, leaving them vulnerable to well-documented exploits.
  • Convergence of IT and OT networks: The increasing integration of IT systems with OT devices, driven by efficiency and data-sharing needs, has expanded the attack surface. Without proper segmentation, a compromise in IT can serve as a stepping stone to critical OT systems.
  • Insufficient cybersecurity training: Many OT environments are operated by engineers with little cybersecurity training, leading to risky practices such as shared passwords, default configurations, and inadequate monitoring.
  • Vendor dependencies: Third-party vendors are often required for system maintenance, yet they may lack strict security protocols, introducing vulnerabilities into the supply chain.

Why traditional patching alone doesn’t work

Unlike IT environments, where regular patching remains a cornerstone of cybersecurity, traditional patching often doesn’t work for OT systems. The downtime required to apply patches can disrupt critical operations, such as energy production or manufacturing processes, leading to significant financial losses or safety concerns. Additionally, legacy systems frequently cannot be patched at all, because vendors no longer provide updates or because the updates would disrupt system functionality.

Instead, organizations often turn to configuration changes and compensating controls to secure their OT environments. These may include:

  • Disabling unnecessary services or ports to minimize exposure.
  • Implementing strict network segmentation to limit access.
  • Hardening devices by enforcing access control measures and removing default credentials.
  • Deploying intrusion detection systems (IDS) or monitoring tools to detect anomalies in OT traffic.

Five ways to mitigate attacks on OT

The frequency and sophistication of attacks targeting OT environments highlight the need for comprehensive defensive strategies that account for both technical and operational constraints. Organizations must focus on:

  • Network segmentation: Robust isolation of OT networks from IT systems can limit an attacker’s ability to move laterally.
  • Enhanced patch management: When feasible, apply patches strategically during planned maintenance windows, augmented by configuration hardening to address gaps.
  • Threat intelligence integration: Leverage frameworks like MITRE ATT&CK for ICS to identify and mitigate tactics, techniques, and procedures (TTPs) used by adversaries. For example, T0883 (Execution via Exploited Vulnerability) frequently gets used to gain initial access.
  • Zero-trust architectures: Implement strict identity and access management practices, including multi-factor authentication and least-privilege policies.
  • Incident response plans: Develop tailored response and recovery protocols that consider the operational impact of OT outages.
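The compensating controls above (segmentation, device hardening, monitoring of OT traffic) and the segmentation and least-privilege items in this list can be turned into concrete detection logic. The following is an added example, not code from the column or from Critical Start: it parses constructed OT flow log lines and checks them against an assumed policy (an OT subnet, an IT subnet, a short allowlist of engineering workstations permitted to issue Modbus writes). Every subnet, host address and log line here is made up for illustration; the Modbus write function codes and the Modbus/TCP and EtherNet/IP ports are the standard ones.

```python
"""Allowlist-based anomaly detection over OT network flow records.

Added example (not from the column or from Critical Start). It flags three
things a defender of a segmented OT network wants to see:
  - external_source:   a controller port reached from outside both internal subnets
  - it_to_ot_crossing: an IT host reaching a controller port (segmentation gap)
  - unauthorized_write: a Modbus write from a host that is not an engineering workstation
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed policy: these subnets and hosts are assumptions, not from the page.
OT_SUBNET = ipaddress.ip_network("10.20.0.0/16")
IT_SUBNET = ipaddress.ip_network("10.10.0.0/16")
ENGINEERING_HOSTS = {"10.20.1.10", "10.20.1.11"}   # only hosts allowed to write to PLCs
PLC_PORTS = {502, 44818}                            # Modbus/TCP and EtherNet/IP
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}         # standard Modbus write function codes

# Constructed log format: "<timestamp> <src> -> <dst>:<dport> [fc=<modbus function code>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)(?: fc=(?P<fc>\d+))?$"
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    function_code: Optional[int] = None  # Modbus function code, if the sensor parsed one


def parse_line(line: str) -> Flow:
    """Parse one flow log line in the constructed format above."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    fc = m.group("fc")
    return Flow(m.group("src"), m.group("dst"), int(m.group("dport")), int(fc) if fc else None)


def classify(flow: Flow) -> List[str]:
    """Return the policy violations for one flow; an empty list means the flow is normal."""
    findings: List[str] = []
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # Only traffic to a controller port inside the OT subnet is policy-relevant here.
    if dst not in OT_SUBNET or flow.dport not in PLC_PORTS:
        return findings
    if src not in OT_SUBNET and src not in IT_SUBNET:
        findings.append("external_source")        # internet-exposed controller
    elif src in IT_SUBNET:
        findings.append("it_to_ot_crossing")      # IT/OT segmentation not enforced
    if flow.function_code in MODBUS_WRITE_CODES and flow.src not in ENGINEERING_HOSTS:
        findings.append("unauthorized_write")     # write from a non-engineering host
    return findings


def detect(lines: List[str]) -> Dict[str, List[str]]:
    """Map each anomalous log line to its findings; normal lines are omitted."""
    alerts: Dict[str, List[str]] = {}
    for line in lines:
        findings = classify(parse_line(line))
        if findings:
            alerts[line] = findings
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.20.1.10 -> 10.20.5.3:502 fc=16",  # engineering write: normal
    "2024-05-01T10:00:05Z 10.20.7.20 -> 10.20.5.3:502 fc=3",   # historian read: normal
    "2024-05-01T10:01:00Z 10.10.4.44 -> 10.20.5.3:502 fc=3",   # IT host reading a PLC
    "2024-05-01T10:02:00Z 10.20.7.20 -> 10.20.5.3:502 fc=6",   # historian issuing a write
    "2024-05-01T10:03:00Z 203.0.113.5 -> 10.20.5.3:502 fc=5",  # external host writing a coil
    "2024-05-01T10:04:00Z 10.10.4.44 -> 10.10.9.9:443",        # IT-to-IT HTTPS: normal
]

if __name__ == "__main__":
    for line, findings in detect(SAMPLE_LOG).items():
        print(f"{', '.join(findings):40s} {line}")
```

The policy is deliberately an allowlist: OT traffic is regular enough that anything not explicitly permitted (a new source subnet, a write from a host that never writes) is worth an alert, which is the opposite of the signature-driven posture most IT IDS deployments start from. In a real deployment the subnets, engineering hosts and log format would come from the site's asset inventory and the monitoring sensor actually in use.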

Cyber defense for OT environments cannot succeed in isolation. Governments, private industries, and the cybersecurity community must collaborate to create robust defenses for critical infrastructure. Programs like the Cybersecurity and Infrastructure Security Agency (CISA)’s ICS-CERT offer a blueprint for threat intelligence sharing, vulnerability disclosure, and training resources tailored to OT environments.

OT environments have become high-value targets for cyber adversaries, and the vulnerabilities within these systems are no longer theoretical. As attacks grow more frequent and impactful, defenders must prioritize securing OT environments by addressing their unique challenges and operational constraints.

Through strategic investments in cybersecurity, cross-sector collaboration, and the adoption of proactive measures, organizations can build resilience against adversaries seeking to exploit the lifelines of modern society. Don’t think of protecting OT as just a technological challenge: it’s national defense.

Callie Guenther, senior manager, cyber threat research, Critical Start

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Callie Guenther

Callie Guenther, senior manager of threat research at Critical Start, has been tasked with both directorial and engineering responsibilities, guiding diverse functions, including data engineering, cyber threat intelligence, threat research, malware analysis, and reverse engineering, as well as detection development programs. Prior to Critical Start, Callie worked as a cyber security intelligence analyst and served as an information systems technician with the U.S. Navy, giving her a well-rounded understanding of the cyber threat landscape and the administration of secure networks.

LinkedIn: https://www.linkedin.com/in/callieguenther/

X: https://twitter.com/callieguenther_
