November 22, 2022 By Muraleeswaran Karunanithi 8 min read

Operational technology (OT) includes any hardware and software that directly monitors and controls industrial equipment and all its assets, processes and events to detect or initiate a change. Yet despite occupying a critical role in a large number of essential industries, OT systems are also uniquely vulnerable to attack.

From power grids to nuclear plants, attacks on OT systems have caused devastating work interruptions and physical damage in industries across the globe. In fact, cyberattacks with OT targets have substantially increased, and attackers most frequently target the manufacturing industry.

It’s clear that further steps are needed to improve the standard of OT security. Operators of critical infrastructure must recognize the pivotal role of OT, the risks presented by threat actors and, finally, how to create a secure OT framework. 

The scope of OT

A wide variety of crucial industrial sectors use OT, including mining, construction, oil and gas transmission, power and utilities, chemical plants, water treatment, industrial machinery and transportation. OT settings include industrial networks, industrial control systems (ICS) and the processes used to operate and maintain them.

The OT revolution occurred well before the information technology (IT) revolution. In fact, OT has existed since the beginning of the Industrial Revolution.

In what ways do OT and IT differ?

IT refers to the processing of digital data through computer systems that support corporate operations like marketing, sales, customer relationship management, communications and more. Your email server, web server, enterprise resource planning system, voice-over-IP phone, print server and helpdesk application are examples of typical IT systems.

Industries also need computer systems to monitor and control their industrial and technological processes, but OT is the technology that manages the operation of physical processes and machinery.

IT applications and procedures help control the flow of work in OT sectors such as power generation and transmission, water treatment and chemical manufacturing. In OT itself, however, the endpoints being controlled are frequently physical assets, such as motors, conveyors, valves and forklifts. These “things” exist in a variety of sizes, shapes, levels of sophistication, versions and vintages.

In short, OT covers the range of systems that deal with the physical transformation of goods and services. They are task-specific systems that are also industry-specific and regarded as mission-critical. 

In terms of security, OT vendors typically release security patches on an infrequent, often annual, cycle, and applying them usually has to wait for a planned outage of the process. Because of a lack of product knowledge and the complexity of the environment, many companies must rely entirely on OT vendors for security help.

Common components of OT

The digital equipment used in industrial processes is collectively referred to as ICS assets. This covers manufacturing, comparable industrial applications and critical infrastructure such as the power grid and water treatment systems.

Supervisory control and data acquisition (SCADA) and distributed control systems (DCS) are the main ICS elements that combine to form OT that interacts with the physical environment.

The following are all major ICS components:

  • SCADA systems gather data from sensors, frequently at dispersed locations, and transmit it to a centralized computer for management and control 
  • DCS is an automated control system composed of geographically distributed control units around the plant or control region
  • A programmable logic controller (PLC) is an industrial computer control system that continuously analyzes the status of input devices and decides how to regulate output devices based on a custom program
  • Remote terminal units (RTUs) are microprocessor-based devices that monitor and manage field equipment and connect to SCADA or plant control systems
  • Human-machine interface (HMI) is a function of a device or software application that enables people to engage and interact with machines
  • Process history database (PHD), often called a historian, is an application that gathers, stores and replays past and ongoing plant process data. Used together with other industrial software, it supports faster and better-informed operating decisions.

OT protocols

OT protocols were designed for closed systems, so many of them are proprietary and vendor-specific. Different protocols are used at different levels of the Purdue model. To simplify operations and improve interoperability with IT networks, OT devices and systems have increasingly adopted IT-standard network protocols such as TCP/IP, with industrial protocols such as Modbus/TCP carried on top. Modbus is a widely used communication protocol supported by PLCs from most vendors.

The following are a few OT protocols:

  • Modbus
  • MelsecNet
  • DALI
  • DSI
  • Dynet
  • Obix
  • ZigBee
  • xAP
  • DNP3
  • M-Bus
  • BACnet
  • EnOcean.
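
To make the Modbus/TCP point concrete, the following added example (written for this page; it is not code from the original article or from any vendor) builds and decodes Modbus/TCP application data units. The frame layout is the public Modbus/TCP specification: a 7-byte MBAP header (transaction id, protocol id, length, unit id) followed by the PDU (function code plus data). The register addresses and values are constructed for the example. What the decoder cannot find is the security-relevant part: there is no session, no sender identity and no integrity check anywhere in the frame, so any host that can reach TCP port 502 on a controller can issue a write that the device will act on.

```python
"""Build and decode Modbus/TCP ADUs (added example, not from the article).

Layout (Modbus/TCP spec): MBAP header = transaction id (2), protocol id (2,
always 0), length (2, counts unit id + PDU), unit id (1); then PDU =
function code (1) + data. Nothing in the frame authenticates the sender.
"""
import struct

MBAP_FORMAT = ">HHHB"
MBAP_SIZE = struct.calcsize(MBAP_FORMAT)  # 7 bytes

FUNCTION_NAMES = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}
# Function codes that change controller state; all others only read it.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}


def build_adu(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prefix a PDU with an MBAP header. Length = unit id byte + PDU bytes."""
    header = struct.pack(MBAP_FORMAT, transaction_id, 0, len(pdu) + 1, unit_id)
    return header + pdu


def build_write_single_register(transaction_id: int, unit_id: int,
                                address: int, value: int) -> bytes:
    """Function 0x06: write one 16-bit holding register. No credentials required."""
    return build_adu(transaction_id, unit_id, struct.pack(">BHH", 0x06, address, value))


def build_read_holding_registers(transaction_id: int, unit_id: int,
                                 address: int, count: int) -> bytes:
    """Function 0x03: read `count` holding registers starting at `address`."""
    return build_adu(transaction_id, unit_id, struct.pack(">BHH", 0x03, address, count))


def parse_adu(frame: bytes) -> dict:
    """Decode an ADU into its fields; raise ValueError on a malformed frame."""
    if len(frame) < MBAP_SIZE + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(MBAP_FORMAT, frame[:MBAP_SIZE])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - (MBAP_SIZE - 1):
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[MBAP_SIZE]
    data = frame[MBAP_SIZE + 1:]
    info = {
        "transaction_id": tid,
        "unit_id": unit,
        "function_code": fc,
        "function": FUNCTION_NAMES.get(fc, "Unknown/vendor-specific"),
        "is_write": fc in WRITE_FUNCTIONS,
        # Exception responses echo the request's function code with bit 7 set.
        "is_exception": bool(fc & 0x80),
    }
    # Requests for 0x03/0x04/0x06 all carry a 16-bit address and a 16-bit word.
    if fc in (0x03, 0x04, 0x06) and len(data) == 4:
        addr, word = struct.unpack(">HH", data)
        info["address"] = addr
        info["count" if fc in (0x03, 0x04) else "value"] = word
    return info


if __name__ == "__main__":
    # Constructed request: set holding register 40 on unit 1 to 3000.
    frame = build_write_single_register(1, 1, 40, 3000)
    print(frame.hex())
    print(parse_adu(frame))
```

Run it and compare the decoded dictionary with the frame bytes: every field is either addressing or payload. Passive monitoring tools key on exactly this distinction, treating any write function code as a state-changing command whose source must be justified.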

An increase in OT security challenges

For more than a decade there has been a rising tide of cyberattacks against businesses with OT environments and systems, especially as OT and IT have converged. Adoption of the industrial internet has also exposed OT systems to the disruptive threats that face every internet-connected device.

Although OT systems are intrinsic components of crucial manufacturing and production equipment, they have historically been left out of security programs.

Convergence between IT and OT expands the attack surface, and several weaknesses common in OT environments compound it:

  • Unsecure credentials. Operators have often used weak passwords for convenient access to networks and devices, which makes it simple for attackers to obtain operator access through brute-force password attacks.
  • Default/shared user accounts. Without a properly secured system, operators share a single ID and devices keep the same default credentials, so actions cannot be attributed to an individual and one leaked password unlocks every device.
  • Legacy equipment. Vendor restrictions and legacy equipment limit where endpoint security tools can be installed.
  • Security knowledge. New networking technologies in industrial settings call for modern skills, and the OT security knowledge gap must be filled.
  • Limited skills. Threats keep evolving and attacker tactics keep improving. A shortage of OT cybersecurity skills and understanding is behind many successful exploits.
  • Outdated operating systems. An operating system that no longer receives security updates is exposed to known, exploitable vulnerabilities. To avoid compromise, every piece of equipment must be inventoried and patched in accordance with the manufacturer’s guidelines, or isolated where patching is not possible.
  • Vulnerable protocols. Legacy industrial protocols such as Modbus carry no authentication or encryption, so any host that can reach a controller on the network can read or write its values. Many manufacturers are now developing secure alternatives that add authentication and encryption.
  • Security posture. Industrial computing has traditionally received little attention from the security community. The OT industry lags far behind IT in security standards and procedures, as well as in collaboration with outside security researchers.

Significant OT cyberattacks

The digitization of vital OT systems has introduced numerous concerns. In addition, the connection of ICSs to the internet has brought even more risks and threats. 

The following cyberattacks all had a significant impact on OT systems: 

Ukrainian power grid attack, 2015

In December 2015, threat actors attacked the Ukrainian power grid. The resulting power outages affected about 230,000 customers and lasted for up to six hours. The attack on the distribution companies’ SCADA and IT systems disconnected some thirty substations for around three hours. The adversary had been present in the victims’ infrastructure for more than six months beforehand.

The activities that took place in the months prior to the attack started with a spear-phishing campaign directed at system administrators and IT personnel who worked for different electrical distribution firms across Ukraine. 

BlackEnergy originally made headlines in 2014 for its wide use in intrusions at energy companies, where its purpose was to gather information about networks and infrastructure for future cyberattacks.

In this case, a BlackEnergy malware variant launched when victims opened a macro-enabled Excel attachment from a malicious email. Threat actors remotely controlled the malware for several months to gather information, move between hosts, find security weaknesses, reach the OT network and carry out further reconnaissance.

During the attack, the malicious actors took control of the SCADA systems through hijacked remote-access sessions and began remotely opening breakers at the substations. They then used the KillDisk wiper to destroy files on workstations and servers, disabled the uninterruptible power supplies, modems and remote terminal units, and overwrote the firmware of the serial-to-Ethernet converters so the substations could no longer be controlled remotely, forcing the utilities to restore service by hand.

Stuxnet worm, 2010

One of the most sophisticated pieces of malware ever created was Stuxnet. Its purpose was to physically damage the gas centrifuges at Iran’s uranium enrichment facility in Natanz.

Stuxnet was reported to have significantly harmed Iran’s nuclear program by targeting SCADA systems and Siemens PLCs, the devices that automate electromechanical operations such as those used to manage machinery and industrial processes.

The Natanz facility network, which was not connected to the internet, was thought to have been infected through an infected USB device. Stuxnet included several zero-day exploits, stolen code-signing certificates and hard-coded default credentials to help it spread across the network and avoid detection.

After confirming that it had found the intended hardware and operating conditions, the malware injected malicious function blocks into the targeted PLC. These blocks periodically changed the speed of the frequency-converter drives that spin the centrifuges, pushing them outside their normal operating range, while the PLC reported normal readings back to operators. The centrifuges were gradually worn out or destroyed before anyone noticed.

Triton malware, 2017

The malware called Triton (also known as Trisis) was the first to specifically target safety instrumented systems (SIS), the systems whose job is to prevent major physical damage and life-threatening accidents at critical infrastructure facilities. A Saudi Arabian petrochemical plant was the target, and the malware interfered with its Schneider Electric Triconex safety controllers.

Once installed on an engineering workstation, Triton could reprogram the plant’s safety controllers remotely. Had the attackers first disabled or tampered with the safety systems and then used other means to make plant equipment malfunction, the results could have been disastrous. As it happened, the intrusion came to light when a fault triggered by the malware caused the safety system to shut the process down.

Norsk Hydro (LockerGoga) ransomware, 2019

The ransomware known as LockerGoga, which caused Norwegian aluminum manufacturer Norsk Hydro a major business interruption in March 2019, is an example of how quickly ransomware attacks are evolving.

Early versions of LockerGoga encrypted files and other data on infected systems and then presented victims with a message demanding a ransom in exchange for the decryption keys. Newer versions added the ability to change local account passwords and forcibly log victims off, preventing them from regaining access to the system.

The attack forced the manufacturer to switch to manual processes at several locations. Production systems in Norsk Hydro’s Extruded Solutions business area were hit hardest, resulting in temporary plant closures and operational slowdowns. Norsk Hydro responded immediately, but the damage was severe: the ransomware affected all of the company’s more than 35,000 employees across its global operations.

Common attack vectors

OT security solutions involve the procedures and technologies used to monitor and regulate physical objects, processes and events, and to protect people, assets and information. OT cybersecurity should be part of a broad risk management strategy that also covers traditional physical security and disaster recovery.

To effectively protect their networks from unauthorized access, organizations need to be aware of the most common attack vectors. An attack vector is a method or path that an attacker uses to reach the target of the attack.

Below are the common types of cyberattack vectors:

  • Removable media. A USB flash drive or similar device used to move data into the plant can carry malware onto systems that have no other outside connection.
  • Compromised equipment. Equipment can be tampered with in the supply chain; device firmware may be replaced in transit or during installation or replacement.
  • Unauthorized connections. Computers, laptops and mobile devices connected to the OT network without authorization are unmanaged endpoints that can introduce malware or give an attacker a foothold.
  • Remote access. An attacker who compromises a remote-access system, such as a vendor support connection, can use it to reach a network or device.
  • Exploiting unpatched vulnerabilities. By taking advantage of an unpatched vulnerability in an application or operating system, attackers can perform actions they are not permitted to or inherit the permissions of other users.
  • Phishing. This conventional vector is well known. Phishing is a form of social engineering that impersonates a trusted person or organization to obtain sensitive information, which is then used to attack the victim.
  • Weak credentials. Weak and reused passwords make credential exposure a conduit for initial access and lateral movement. Malware such as Mirai has exploited default credentials on IoT and other network-connected devices.

Best practices for OT solutions

Organizations classify and prioritize cybersecurity controls differently. Control areas commonly covered by OT security solutions include:

  • Risk assessment
  • Compliance and standards
  • Inventory management
  • Network security
  • Vulnerability management
  • Security information and event management
  • Malware protection
  • Defense in depth
  • Access control.

To improve their cybersecurity posture and meet best practice cybersecurity standards, organizations must make sure their OT is supported by a solid framework of rules, procedures and guidelines. Examples of best practices for OT cybersecurity include:

  • Performing a gap analysis and risk assessment to determine the maturity level of OT security, and reporting the findings that require remediation
  • Creating a customized roadmap and strategy for raising the maturity level in line with the environment and the organization’s goals
  • Identifying the most valuable operational assets and creating a strategic plan for their hardening and security
  • Developing and designing security operations center (SOC) use cases and incident response playbooks for OT-specific assaults in accordance with MITRE’s ATT&CK for ICS framework
  • Integrating OT asset and network data with security tooling such as asset inventory, vulnerability management and SIEM
  • Restricting access to the ICS network and its devices, both physically and logically
  • Preventing unwanted data tampering and safeguarding specific ICS components from exploitation.
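
The following added example (written for this page, not code from the original article or from any vendor) turns two of the practices above, OT-specific SOC use cases and logical restriction of access to the ICS network, into detection logic that runs over a handful of constructed log lines. It assumes a passive network monitor that writes one pipe-separated line per observed Modbus/TCP request (timestamp, source IP, destination IP, destination port, function code); the Purdue zone address ranges, the engineering-workstation allowlist and the log lines are all made up for the example. The first rule flags write commands to level 1 controllers from any host that is not an approved engineering workstation (the behaviour ATT&CK for ICS describes as T0855, Unauthorized Command Message); the second flags traffic from the enterprise zone straight into the supervisory or control zones, bypassing the DMZ.

```python
"""Two OT SOC use cases as detection logic (added example, not from the article).

Input: passive-monitor log lines of the form
    timestamp|src_ip|dst_ip|dst_port|function_code
Zone ranges, allowlist and sample lines are hypothetical.
"""
import ipaddress

# Hypothetical Purdue-model zone assignments for the example network.
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),   # levels 4-5
    "dmz": ipaddress.ip_network("10.2.0.0/24"),          # level 3.5
    "supervisory": ipaddress.ip_network("10.3.0.0/24"),  # levels 2-3: HMI, historian, EWS
    "control": ipaddress.ip_network("10.4.0.0/24"),      # level 1: PLCs, RTUs
}
# Only the engineering workstation is approved to write to controllers.
WRITE_ALLOWLIST = {"10.3.0.10"}
# Modbus function codes that change controller state.
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16}

# Constructed sample log: an HMI reading, the EWS writing, an HMI writing
# (not approved), and an enterprise host talking directly to a PLC.
SAMPLE_LOG = """\
2022-11-20T08:00:01Z|10.3.0.20|10.4.0.5|502|3
2022-11-20T08:00:05Z|10.3.0.10|10.4.0.5|502|6
2022-11-20T08:01:12Z|10.3.0.20|10.4.0.5|502|16
2022-11-20T08:02:40Z|10.1.5.77|10.4.0.7|502|3
2022-11-20T08:03:02Z|10.1.5.77|10.4.0.7|502|6
"""


def zone_of(ip: str) -> str:
    """Map an address to its Purdue zone, or 'unknown' if it fits no range."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_line(line: str) -> dict:
    ts, src, dst, port, fc = line.strip().split("|")
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "fc": int(fc)}


def evaluate(event: dict) -> list:
    """Return the names of the detection rules this single event triggers."""
    alerts = []
    src_zone, dst_zone = zone_of(event["src"]), zone_of(event["dst"])
    # Use case 1: a write to a level 1 device from a host that is not an
    # approved engineering workstation (ATT&CK for ICS T0855).
    if (dst_zone == "control" and event["fc"] in MODBUS_WRITE_FUNCTIONS
            and event["src"] not in WRITE_ALLOWLIST):
        alerts.append("unauthorized_modbus_write")
    # Use case 2: enterprise-zone traffic reaching the OT zones directly,
    # which the segmentation policy says must always pass through the DMZ.
    if src_zone == "enterprise" and dst_zone in ("supervisory", "control"):
        alerts.append("purdue_zone_violation")
    return alerts


def run_detections(log_text: str) -> list:
    """Evaluate every line and return (ts, src, dst, fc, alert) tuples."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for alert in evaluate(event):
            findings.append((event["ts"], event["src"], event["dst"], event["fc"], alert))
    return findings


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_LOG):
        print(finding)
```

The allowlist is the important design choice: in a plant, the set of hosts that legitimately write to controllers is small and stable, so a write from anywhere else is a high-confidence alert rather than an anomaly score. The same shape of rule applies to other industrial protocols once a monitor classifies their commands as read or write.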

OT security cannot be ignored

When it comes to IT/OT convergence, operators of critical infrastructure need to be more proactive. A comprehensive cybersecurity plan that considers the entire security lifecycle of the organization is necessary to move forward.

In conclusion, an effective OT cybersecurity framework provides guidance across the entire organization, covering governance, risk management, system development and commissioning, document protection, incident response and disaster recovery, among other issues.

Enterprises will need to implement a combination of IT cybersecurity products and services with specialized, OT-specific cybersecurity solutions to mitigate the risks posed by unsecured OT.
