There’s been a disturbing increase in cyber attacks targeting operations technology (OT) and a surge in OT vulnerabilities uncovered over the last year, causing grave concern across industrial organizations.
With a 50% spike in ransomware attacks since 2022 against industrial organizations alone, manufacturers have felt the pressure building. Although critical infrastructure like water, electric, transportation and energy remain very much in the crosshairs, 70% of ransomware attacks have targeted 638 manufacturing entities, putting their production lines at risk.
We’re operating in environments rife with geopolitical tension and the rise of new technologies (such as AI/ML) are lowering the barriers of entry for cyber criminals leading to a 28% increase in the number of attack groups. Moreover, the number of vulnerabilities in OT and industrial control systems (ICS) have continued to grow exponentially.
It’s a perfect storm, for which most organizations are woefully unprepared. Many still struggle with user access control, let alone detecting threats across their OT environment. Compounding the issue is the fact that many can’t even decide whose job OT security is: IT or Operations?
The divide between the two teams makes it challenging to achieve the collaboration necessary to effectively secure their systems. Facing overwhelming risks, including major penalties for noncompliance with cyber regulations and a fast-evolving landscape, too many organizations are paralyzed—they don’t even know where to start.
The SANS ICS 5 Critical Controls provide a framework for OT cybersecurity fundamentals. However, there's often a disconnect on the factory floor: Operations teams are unsure how to implement them and need IT assistance, but IT doesn’t fully understand the paradigms around productivity, safety, and efficiency.
It’s a delicate balance. These organizations desperately need solutions to protect their systems, without getting in each other's way. They need help bridging that gap to achieve strategic alignment, resilience, and safety without making things more complicated.
Here are 5 critical controls and best practices that can help organizations navigate IT/OT convergence for both cyber and operational resilience:
1. Asset management: Start with the basics
Because of the mounting pressure, too often organizations want to jump immediately to “what should I do?” But first, they need to take a step back and ask, “what do I have?”
Asset inventory is sorely lacking in most industrial environments, and it sounds cliché but it’s true: You can’t protect what you can’t identify. Before implementing any new technology, IT and OT should collaborate to create and maintain an accurate inventory of assets across their entire estate. Working together is essential here. The hands-on experience of OT practitioners is invaluable in identifying everything, and this partnership fosters trust and transparency from the outset, which will become key in maintaining security protocols.
2. Network segmentation: Take an engineering-based approach
The divide between IT and OT often manifests in a side-by-side comparison of their network closets. In many organizations, the IT closet looks like spaghetti and the OT side is meticulously organized and neatly labeled. This isn’t a judgment on IT, it’s a simple observation—the two operate in vastly different ways.
Convergence is as much a cultural exercise as it is a technical one: both sides must genuinely try to understand the needs, considerations and “how we got here” of the other side. IT advocates for “defense in depth,” while OT relies on the Purdue model. Both share similar principles with emphasis on hiding the “crown jewels” deep in the network. But OT needs simple, elegant solutions that recognize how everything implemented will ultimately impact performance, and that impact must be minimal in order to make it worthwhile.
Using proven engineering principles to design no-nonsense network segmentation protocols can protect critical OT systems without compromising operational efficiency.
3. Access control: Raise awareness and use practical solutions
In IT’s eyes, access control is simple: put passwords on everything. But with the Human Machine Interfaces (HMIs) on the factory floor, that’s completely impractical. Operators need to make constant changes and minute-to-minute adjustments on a computer buried in the middle of the factory. Requiring a password every time just makes no sense. Even if the machine itself may have vulnerabilities, is requiring constant logins that interrupt production the best solution?
IT must talk to operators and understand their processes to build trust and align their day-to-day tasks with sensible workflows. For example, access control may be as simple as raising awareness. If it’s a static environment, focus on physical access to the machine. Urge operators to speak up or alert someone if they see any suspicious activity, such as an employee in the area who’s not typically there or the use of a thumb drive where one normally wouldn’t be used.
4. Incident response: Use fact-based justification
In making the pitch for IT resilience, security teams often lean heavily on FUD—fear, uncertainty, and doubt—to convince business leaders to make investments. While those can be valid arguments, the OT crowd is going to need proof.
Start by presenting decision-makers with downtime cost calculations to show an accurate impact of losses per hour and per day in the event of production disruption. Business continuity data can illustrate the broader impact of an incident on the business to OT teams who are typically more focused on production quotas.
Develop mitigation and incident response plans based on historical data and real-world scenarios from OT environments in your company, your industry and peers. This provides insight to address known root causes and threats, rather than relying on speculation and hyperbole. It also ensures response plans are practical, effective, and reflect the engineering mindset to build trust and alignment.
5. Continuous monitoring: Create a culture of trust
Approaching OT security with the right “bedside manner” is key for IT personnel to effectively support security measures. Start by implementing simple solutions first to address the low-hanging fruit, adding more over the long term to maximize resilience and minimize disruptions. Focus on observations, not judgement.
Use tools that are fit-for-purpose, which may not be the conventional IT tools you’re used to, and can be too cumbersome, ineffective and create confusion in OT environments. Be transparent, willing to collaborate, and flexible; don’t use the hammer when you really need a screwdriver just because it's all you know.
Build enduring OT cyber resilience by combining forces with IT
Although these five controls provide a strong framework for security based on preventative strategies for known successful attacks, closing the gap between OT and IT can require cultural guidance as much as technical. When that’s the case, having a neutral third-party to coalesce a strategy that addresses the concerns of both sides can be a strong advantage.
NCC Group’s Facility Due Diligence can help bridge the gap with a strategic, technology-enabled approach to identifying assets, vulnerabilities, and threats that considers the operations point of view and prioritizes minimal impact on production.
Our transparent, collaborative approach provides recommendations, remediation advice and the justification behind those conclusions, so you understand the “why.” Unlike black box and transactional services, NCC Group empowers organizations to help themselves with the tools and knowledge to achieve and maintain long-term operational resilience.
Secure your operational resilience.
Learn more about our Facility Due Diligence (FDD) service and take the first step towards a prudent, practical OT security program. Sign up to hear more of NCC Group’s IT/OT & Safety perspectives in our new 3-part webinar series.