Bridging the Gap Between OT and IT Security

17 October 2023

By NCC Group

Most cyber security professionals know that ransomware is hardly anything new. But whereas IT security has become more robust and is garnering greater focus and investment, cybercriminals have set their sights on a new target: Operational Technology, or OT.

By taking aim at the systems and infrastructure that keep manufacturers, energy, transportation, and public services up and running, threat actors can quickly wreak havoc and inflict significant economic, social and reputational damage.

In fact, perhaps partly because IT security has improved, attacks on OT are on the rise. Of the more than 250 ransomware attacks detected in Q2 2023 alone, nearly half impacted industrial organizations and infrastructure, and in North America there was nearly a 27% increase over the previous quarter.

Unsurprisingly, manufacturing bore the brunt of the assault with some 70% of attacks reported, predominantly aimed at equipment and electronics manufacturers. As companies like Colonial Pipeline and others have learned the hard way, the impacts can be severe. Beyond production interruptions, OT attacks can impact public safety, destabilize critical utility and transportation infrastructure, and potentially cause significant environmental hazards.

Ironically, despite all the emphasis on IT security to maintain data privacy, the reality is a hacked credit card or stolen PII has never caused physical harm. But a ransomware attack on a power plant, water treatment facility, pipeline operation, or even a dairy production facility could spell disaster and put lives at risk.

Considering the critical nature of OT infrastructure, it might be surprising to learn that there’s such a high risk. But when you consider the state of most OT installations, it’s hardly shocking.

What makes OT so vulnerable?

Organizational culture.

The biggest issue in most organizations isn’t the machines. It’s the humans in charge of them.

Among both original equipment manufacturers (OEMs) and the organizations that rely on them, we observe OT security being overlooked time and time again, along with a breakdown in communication between IT and OT professionals. Cybercriminals are acutely aware of these cultural barriers and see OT as an easy access point. Once they are in, they can often quickly reach the entire IT stack.


Legacy technology.

Most industrial infrastructures are running outdated software. We have often encountered 1990s versions of Windows running critical systems without a single patch since installation. Many OT OEMs are slow to patch, so the technology quickly goes stale and vulnerabilities linger for years. On top of that, taking systems offline for upgrades has a direct impact on productivity, and there is always the risk that something could go wrong. So the prevailing wisdom has been, “if it isn’t broke, don’t fix it.”


Network segmentation issues.

Because every industrial environment is unique, each OT installation is a prototype. Connections between systems become bespoke, and that issue, combined with a mix of old and new technology, plus the OEMs’ desire for third-party access for data gathering and preventative maintenance, creates a giant vulnerability landscape across disparate systems. In some cases, there might be a firewall that blocks traffic from OT into IT but not from IT into OT, so an attack on IT can shut down production.


Lack of user awareness.

If the CISO is overlooking or cannot manage OT cyber security risks, the front-line users certainly aren’t. Few engineers and equipment operators are trained in cyber security protocols, and most aren’t aware of phishing techniques or the social engineering that cybercriminals rely on for access.

We often see systems with no password, “admin” as the password, or passwords taped to the user interface on sticky notes, and most users think nothing at all of plugging a USB device into a machine. They have zero awareness of the security risks that make most IT professionals cringe.

4 ways to stop OT hackers

If any of this sounds familiar, it may be time to take a serious look at your OT security and scope out a plan to improve. The good news is, there are some baseline strategies that can get you started off on the right foot.


1) Build an IT/OT working group.

Start by bringing these teams together around the same table and working together to identify vulnerabilities and build solutions. For CISOs, simply making this a priority and facilitating this collaboration can go a long way toward improving OT security posture.


2) Upgrade hardware and network design.

Whenever possible, patch workstations and interfaces as soon as new patches are issued. Create secure access protocols at every user station and require access controls at every network access point (so that a single log-in doesn’t provide access to the entire network). Add firewalls that work both ways, to protect both IT and OT, and install port blockers on every machine.
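The one-way firewall described under network segmentation above, and the two-way design this step calls for, can be made concrete with a small policy evaluator. The following is an added example, not code from the NCC Group post: it models the IT/OT boundary as zones, evaluates a weak policy (only OT-to-IT is blocked) beside a hardened one (default-deny in both directions, with every permitted flow terminating in a DMZ), and audits which sample flows would let a compromised IT host reach the plant floor directly. Zone names, address ranges, hosts, ports and the sample flows are all constructed for illustration.

```python
"""Added example, not code from the NCC Group post: a zone-based firewall
policy evaluator showing why a one-way IT/OT firewall is not enough.
Zone names, address ranges, hosts, ports and sample flows are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

ZONES = {
    "IT":  ip_network("10.0.0.0/16"),      # corporate network (constructed)
    "DMZ": ip_network("10.1.0.0/24"),      # IT/OT DMZ: historian, jump host
    "OT":  ip_network("192.168.10.0/24"),  # plant floor: PLCs, HMIs
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "deny"

@dataclass
class Policy:
    name: str
    default: str             # action taken when no rule matches
    rules: List[Rule] = field(default_factory=list)

def zone_of(ip: str) -> str:
    """Map an address to the zone whose range contains it."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not in any known zone")

def evaluate(policy: Policy, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """First matching rule wins; otherwise the policy default applies."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in policy.rules:
        if r.src_zone == src and r.dst_zone == dst and r.dst_port in (None, dst_port):
            return r.action
    return policy.default

# The weak design from the article: OT cannot reach IT, but nothing stops IT
# (and therefore anything that has compromised IT) from reaching the plant floor.
WEAK_POLICY = Policy("one-way", default="allow", rules=[
    Rule("OT", "IT", None, "deny"),
])

# Default-deny in both directions; only the flows the plant needs are allowed,
# and each of them terminates in the DMZ rather than crossing IT<->OT directly.
HARDENED_POLICY = Policy("two-way", default="deny", rules=[
    Rule("OT",  "DMZ", 5432, "allow"),   # PLC/HMI data into the historian (constructed port)
    Rule("IT",  "DMZ", 443,  "allow"),   # corporate users read historian dashboards
    Rule("DMZ", "OT",  3389, "allow"),   # engineering access only via the jump host
])

# Constructed sample of traffic an auditor might replay against a policy.
SAMPLE_FLOWS = [
    ("10.0.5.20",     "192.168.10.50", 502,  "IT workstation -> PLC Modbus/TCP"),
    ("10.0.5.20",     "192.168.10.60", 3389, "IT workstation -> HMI RDP"),
    ("192.168.10.50", "10.0.5.20",     445,  "PLC -> IT file share"),
    ("192.168.10.50", "10.1.0.10",     5432, "PLC -> historian"),
    ("10.1.0.10",     "192.168.10.60", 3389, "jump host -> HMI RDP"),
    ("10.0.5.20",     "10.1.0.10",     443,  "IT workstation -> historian web"),
]

def direct_it_to_ot_flows(policy: Policy) -> List[str]:
    """Labels of sample flows that go straight from IT into OT and are allowed.
    A correctly segmented boundary returns an empty list."""
    findings = []
    for src, dst, port, label in SAMPLE_FLOWS:
        if (zone_of(src) == "IT" and zone_of(dst) == "OT"
                and evaluate(policy, src, dst, port) == "allow"):
            findings.append(label)
    return findings

if __name__ == "__main__":
    for pol in (WEAK_POLICY, HARDENED_POLICY):
        print(f"{pol.name}: direct IT->OT flows allowed = {direct_it_to_ot_flows(pol)}")
```

Run against the weak policy, the audit lists both direct IT-to-OT flows as allowed; against the hardened policy it lists none, while the historian and jump-host paths the plant actually depends on still work. The same replay approach can be pointed at an exported rule set from a real firewall to check that "both ways" really is enforced.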


3) Conduct supplier assurance.

Work with your OT equipment vendors to ensure proper protocols are in place for their technology. Remember that with the Industrial Internet of Things (IIoT), everything is connected, so a vendor’s vulnerability becomes your vulnerability.

In one recent case, it wasn’t a manufacturer that was attacked directly; it was one of their systems vendors, which gave the attackers instant access to all of the OEM’s equipment at every customer site. So you might not be the target, but you can easily be collateral damage.


4) Train your people.

Simple cyber security training can ensure that employees are aware of the risks, understand how phishing and social engineering work, and see how something seemingly innocent, like plugging in a USB device, can put the entire operation at risk. It does not have to be complex; tailor the training to their roles and activities.

NCC Group's OT & CIRT Retainers are making downtime unthinkable

Securing OT is an essential part of managing overall risk for the organization. Unfortunately, it often demands more resources than most organizations have. That is where having a Cyber Incident Response Team (CIRT) partner on board can help.

Over the last 20 years, NCC Group has developed deep expertise in OT security and has the capability to bring IT and OT to the table and generate the collaboration you will need to address these complex issues.

We have built relationships with OEMs, and we know their technology, which gives us an advantage in navigating the challenges of disparate, legacy systems and bespoke integrations. Plus, we are vendor agnostic, which means we can work with multiple OEMs with discretion, navigating their proprietary software to devise security solutions without revealing vulnerabilities or intellectual property.

Of course, good security starts with prevention. Conducting a Validated Architecture Design Review (VADR) or Ransomware Readiness Assessment can be a great place to start by establishing a baseline and increasing awareness of your current OT security posture.

In one instance, a petroleum producer conducted this exercise and found a vulnerability in their telemetry that would have shut down an entire oil field and taken 6 months to bring it back online. Finding it and remediating it ahead of time thwarted an unthinkable amount of downtime.

In the modern environment, no organization can afford to keep its head in the sand when it comes to OT security. The time is now to modernize OT infrastructure to safeguard against not only productivity disruptions but financial and reputational damage.

Take action now to strengthen your OT readiness and resilience. 

Download the Industrial Incident Response Retainer eGuide for valuable strategies. Sign up to learn more about NCC Group’s IT/OT & Safety perspectives in our new 3-part webinar series.

NCC Group

NCC Group exists to make the world safer and more secure.

As global experts in cyber security and risk mitigation, NCC Group is trusted by over 14,000 customers worldwide to protect their most critical assets from the ever-changing threat landscape.