Why Focus on Operational Technology (OT) Security
A key feature of OT is its emphasis on reliability and integrity rather than on confidentiality, which is the priority in IT. As a result, most OT communication protocols are unencrypted and offer at best basic authentication (Modbus/TCP, for example, has neither), and they are built on traditional, proven designs that leave little room for adding security afterwards. The same applies to the operating systems and software of production units and their control systems: reliability comes first, and the systems remain dangerously accessible to anyone with malicious intent.
Over time, previously isolated OT systems have become more and more connected to the outside world. At first, these connections were mostly limited to links with the organization's business systems for monitoring and controlling production efficiency. Then came the demand for cost savings through remote diagnostics and vendor service access. More recently, IIoT (Industrial IoT) components, industrial cloud solutions, remote access, and monitoring from anywhere have emerged. The isolation of OT is a thing of the past, and defining the exact perimeter of an OT network is no longer possible.
In contrast to this disappearing isolation, the replacement and security-update cycles of production systems are nowhere near what you are used to in IT. It is common that when a 10-year-old control system is replaced, you get a solution identical to the one from 10 years ago, including an operating system that is by now archaic and full of known security vulnerabilities. The OT application itself may be a newer version, but availability remains the priority, not security, so the system is far from secure.
Another serious problem is the dramatic change in attack vectors. Until 2021, the main potential attacker was another state, acting not directly but through state-sponsored hacking groups. This has recently changed significantly: ransomware has proven just as capable, if not more so, of wreaking havoc in OT environments. Today, cybersecurity companies track more than 12 hacking groups dedicated specifically to attacking OT systems, including the development of automated tools to penetrate and take control of OT. For more details, a good source of information is the regular Dragos OT Cybersecurity report.
Relatively recently (in OT terms), legislation and insurance companies have recognized the increased threat to OT. The reasons are understandable. In IT, it is usually only about money: if systems go down, the company's business processes stop and money is lost. OT, put simply, controls physical processes, not just database entries and email exchanges. By altering production process parameters, disabling safety functions, or cutting off control systems, an attacker can create situations that endanger lives, health, or the environment. This is not fearmongering; it is a harsh reality. That is why the NIS2 directive imposes clear requirements for the “protection of industrial control and similar technical assets.” And it is not only the entities obligated under NIS2 and their assets that face this challenge: insurance companies, for example, now include sections on industrial automation and its security in their corporate insurance questionnaires.
Everyone talks about NIS2. We do not use it as our main argument; still, looking at NIS2 specifically from an OT perspective, the regulation primarily requires the following.
Conduct risk and impact assessments and implement tools and security measures in the OT/ICT area to:
- Limit physical access
- Restrict permissions
- Segment networks
- Limit remote access and management
- Protect against threats and vulnerabilities
- Backup and restore assets
Imagine you are tasked with insuring your company against these risks. Could you give clear answers to the following part of the questionnaire?