Most organizations have implemented security strategies for their IT environments, but many are less far along in securing their operational technology (OT) — the controls, devices and processes used to manage operations. Yet as industrial and other operations systems become more digitally connected, OT cybersecurity is becoming increasingly crucial.

OT is critical to overall business, production and supply chain operations, and the risks and challenges are many. Outdated systems, third-party access and IT vulnerabilities frequently leave operations susceptible to disruption that can halt production and delay deliveries. To add to the pressure, geopolitical tensions, evolving cybersecurity regulations and increasingly sophisticated AI-based attack tools are heightening risks to operational security.

Organizations must broaden their cybersecurity efforts beyond the standard IT security scope.

As one of the world’s leading security services providers, DXC Technology has comprehensive, real-life experience with the OT challenges commonly encountered in different industries. In this paper we explain typical OT-related challenges and share our top 10 strategies for tackling them.  

What is OT security?

The OT security domain is vast, but essentially it is made up of software and hardware used to manage and secure industrial control systems (ICS), devices and processes. OT devices are commonly found in almost any industry. Some examples include manufacturing, transportation, oil and gas, electricity and utilities. Organizations use OT systems to monitor, control and automate processes as well as manage distribution.

These OT devices can include programmable logic controllers (PLCs), remote terminal units (RTUs), distributed control systems (DCS), human machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems, internet-of-things (IoT) devices, and industrial-internet-of-things (IIoT) devices.

Like traditional IT security, OT security covers the full defense-in-depth (DiD) security stack of controls, processes and devices, and many of the security strategies are similar (see Figure 1).

Figure 1. OT defense in depth


Top OT security challenges

Cyberattacks on OT systems have been on the rise since the start of the COVID-19 pandemic, according to McKinsey & Company. The OT cyberthreat landscape continued to evolve in 2023, with global conflict driving an increase in threat groups, ransomware events and other threat activities, according to Dragos. A 2023 Claroty report found that 54% of surveyed industrial firms suffered a ransomware attack that impacted their operational technology, either directly or because a linked IT system had been attacked. That’s up from 47% in the company’s prior 2021 report.

OT cyberattacks tend to have more negative effects than IT attacks, according to McKinsey. The attacks can cause shutdowns and physical damages. The consulting company discovered that approximately 96% of business leaders say they need to invest in OT cybersecurity, and approximately 70% of the companies who have already invested in it face implementation challenges.

DXC Technology is frequently approached by customers needing help with IT cybersecurity challenges, often proactively before an incident occurs and regularly during or after an attack. Through our ongoing engagement in safeguarding large and intricate IT and OT environments — both within our customers’ organizations and within our own operations — DXC has gained a comprehensive understanding of the OT challenges most commonly encountered across industries:

  • Outdated systems. Obsolete and unsupported firmware and operating systems make updates difficult. Older devices also may lack modern security features and defenses against today’s threats, potentially leaving them vulnerable to attacks.
  • Interconnected systems. Despite customers’ initial claims of separation between OT and IT environments, our forensic and incident response teams often uncover connections that expose OT systems to external access. This increases the likelihood that IT vulnerabilities will impact OT security and disrupt production.
  • More sophisticated attacks. As is the case with IT security, the proliferation of AI-based tools that can be exploited by bad actors has led to increasingly frequent and complex attacks in the OT-security domain, making detection more challenging. The efficiency of AI-based tools also results in a higher frequency of new attacks, putting more pressure on organizations to learn how to spot and stop them. Doing this is not simple, and it requires advanced detection skills.
  • Supply chain risks. Attacks like those on IT security technology software or services vendors, such as those on SolarWinds (2020) or Okta (2023), don’t just affect the provider. They can disrupt all organizations using the compromised software. That’s true for companies that have deployed security or other solutions for OT purposes, as well. This could halt production lines, even if the organization itself has strong cybersecurity defenses.
  • Remote and third-party access. In large plant facilities, accessing control devices directly can be difficult or time-consuming. To address this, many devices offer remote access, but risks increase if that access technology is not properly protected. Moreover, granting third-party organizations access to controllers for support increases the attack surface. The OT environment should follow the same generic security principles of Confidentiality, Integrity and Availability (CIA).
  • Incident response. Many organizations have sophisticated incident response and recovery plans for their IT environments, but they often lack a clear understanding of how these plans apply to their OT environments. Furthermore, they may not fully grasp the interdependencies of communication processes and assets in these environments.
  • Regulatory compliance. Maintaining regulatory compliance is essential for selling services and products. Recent changes such as the European Union’s Network and Information Systems Directive (NIS2), which went into effect in January 2023 and must be integrated into countries’ national laws by October 2024, impact service provision and need to be addressed early to maintain compliance. Other influential standards and guidance include NIST SP 800-82, ISA/IEC 62443, ENISA publications and industry-specific standards.

How to secure your OT

To effectively gauge organizational maturity, DXC typically performs cybersecurity maturity assessments. These assessments cover the spectrum from general maturity to in-depth analysis of General Data Protection Regulation (GDPR) compliance, ransomware or OT. Drawing on the assessment results and considering the typical challenges outlined above, we then propose recommendations to improve an organization’s OT security posture.

Our experience protecting the world’s most complex IT and OT estates has helped us develop the following top strategies:

1) Initiate discovery and visibility to know what you have. In OT, as with any other infrastructure, you can only protect what you’re aware of. In both IT and OT we often encounter situations where the configuration management database (CMDB) fails to accurately depict the environment’s actual status. Many entries are outdated, missing or otherwise inaccurate. To combat this, make sure responsible teams monitor their OT environments for relevant systems and conduct discovery exercises to identify new or unknown devices and eliminate outdated or obsolete assets.
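The discovery exercise described in strategy 1 is, in practice, a reconciliation of what the CMDB claims against what a network scan actually finds. The following is an added example (not DXC's code or tooling) that performs that reconciliation on constructed sample data; the asset records, MAC addresses and firmware versions are all invented for illustration.

```python
# Added example (not DXC's code): reconcile a CMDB export against a discovery scan to
# surface unknown devices, stale entries and inaccurate attributes. Both inputs are
# constructed sample data; a real run would load the CMDB export and the scanner output.
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Asset:
    ip: str
    mac: str
    kind: str      # e.g. "PLC", "HMI", "RTU", "workstation"
    firmware: str  # version as reported by the device or the CMDB

# Constructed CMDB export: what the organization believes is deployed
CMDB = [
    Asset("10.10.1.10", "00:1d:9c:aa:00:01", "PLC", "2.4.1"),
    Asset("10.10.1.11", "00:1d:9c:aa:00:02", "PLC", "2.4.1"),
    Asset("10.10.1.20", "00:1d:9c:aa:00:10", "HMI", "7.0"),
    Asset("10.10.1.30", "00:1d:9c:aa:00:20", "RTU", "1.9"),  # removed from the plant floor
]
# Constructed discovery result: what is actually answering on the network
DISCOVERED = [
    Asset("10.10.1.10", "00:1d:9c:aa:00:01", "PLC", "2.4.1"),
    Asset("10.10.1.11", "00:1d:9c:aa:00:02", "PLC", "2.3.0"),  # firmware differs from CMDB
    Asset("10.10.1.20", "00:1d:9c:aa:00:10", "HMI", "7.0"),
    Asset("10.10.1.99", "3c:2e:ff:00:00:01", "workstation", "n/a"),  # never registered
]

def reconcile(cmdb: List[Asset], discovered: List[Asset]) -> Dict[str, list]:
    """Key both views by MAC address (stable across IP changes) and compare them."""
    known_by_mac = {a.mac: a for a in cmdb}
    seen_by_mac = {a.mac: a for a in discovered}
    report: Dict[str, list] = {"unknown": [], "stale": [], "mismatch": []}
    for mac, seen in seen_by_mac.items():
        known = known_by_mac.get(mac)
        if known is None:
            report["unknown"].append(seen)  # on the wire but not in the CMDB
        elif (known.ip, known.kind, known.firmware) != (seen.ip, seen.kind, seen.firmware):
            report["mismatch"].append((known, seen))  # CMDB entry is inaccurate
    for mac, known in known_by_mac.items():
        if mac not in seen_by_mac:
            # In the CMDB but not seen: a candidate for removal, to be verified first,
            # since a device that was merely offline during the scan looks the same.
            report["stale"].append(known)
    return report

if __name__ == "__main__":
    for category, items in reconcile(CMDB, DISCOVERED).items():
        print(f"{category}: {len(items)}", *items, sep="\n  ")
```

The "stale" list should drive a verification step rather than an automatic deletion, since a controller that was powered down during the scan is indistinguishable from one that was decommissioned.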

2) Implement network segmentation/isolation. A typical strategy in safeguarding IT environments involves network segmentation. The goal is to thwart lateral movement within the environment in order to prevent malicious actors or software from crossing device and component boundaries.

This strategy goes beyond pure technical and logical segmentation and applies to OT security as well. It also entails introducing security layers — deploying mechanisms to ensure that systems with the same security requirements reside within the same security boundaries. Assets that require higher levels of security should only connect to or be accessed by devices with equivalent security requirements. Avoid connecting lower-security systems to highly secure ones — including third-party connections (such as support) and administrative workstations. Also, if devices cannot be updated or secured, a fundamental principle is to isolate them, restricting access and continuously monitoring them for unexpected behavior.

3) Define and verify access restrictions. During our support engagements, we regularly see wireless networks for controllers and SCADA devices that are insufficiently protected and pose a significant risk to the environment.

Segmenting the network also necessitates implementing robust authentication and authorization measures, including segregating credentials between IT and OT environments.

  • Do not permit IT administrative accounts to access and operate systems in the OT environment.
  • Restrict access to OT assets to a few defined, monitored and secured channels.
  • Employ multifactor authentication (MFA) wherever possible and adopt a least privilege, zero-trust approach.

4) Define data flows. Knowing what you need to protect also involves understanding the communication needs of specific applications and devices. This task involves identifying which protocols need to communicate through which routes, as well as which data flows in and out of specific devices and components. Based on this, only allow essential data and protect it by following general CIA principles. Unfortunately, in real-life scenarios, we often observe all ports being open for unrestricted communication, posing a significant risk to the environment.
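Strategies 2 through 4 combine into a single policy question that can be checked mechanically: given zones with different security levels, an explicit allowlist of essential conduits, and segregated IT and OT credentials, does an observed connection comply? The block below is an added example (not DXC's code or a product feature) that evaluates constructed flow records against such a policy; the zone names, address ranges, security levels, conduits and the "corp-adm-" account naming convention are all assumptions for illustration.

```python
# Added example (not DXC's code): check observed connections against a zone-and-conduit
# policy. Cross-zone traffic is allowed only if a conduit names it, IT admin accounts may
# not reach OT zones, and a flow that skips a security layer is flagged. All values constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

ZONES = {  # zone -> (network, security level); higher level = more critical
    "enterprise_it": (ip_network("10.0.0.0/16"), 1),
    "dmz":           (ip_network("10.50.0.0/24"), 2),
    "scada":         (ip_network("10.10.0.0/16"), 3),
    "controllers":   (ip_network("10.10.1.0/24"), 4),  # nested inside the scada range
}
# Essential data flows only: (src_zone, dst_zone, protocol, dst_port)
CONDUITS = {
    ("scada", "controllers", "tcp", 502),  # Modbus/TCP polling from SCADA servers
    ("dmz", "scada", "tcp", 443),          # historian access through the DMZ
}
OT_ZONES = {"scada", "controllers"}
IT_ADMIN_PREFIX = "corp-adm-"  # assumed naming convention for IT admin accounts

@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    port: int
    account: str = ""  # authenticated user, if the sensor saw one

def zone_of(ip: str) -> str:
    """Longest-prefix match so 10.10.1.x resolves to 'controllers', not 'scada'."""
    addr = ip_address(ip)
    hits = [z for z, (net, _) in ZONES.items() if addr in net]
    return max(hits, key=lambda z: ZONES[z][0].prefixlen) if hits else "unknown"

def evaluate(flow: Flow) -> List[str]:
    """Return the policy violations for one observed connection (empty list = allowed)."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    findings: List[str] = []
    if "unknown" in (s, d):  # a discovery gap, not a policy decision
        return ["endpoint outside any defined zone"]
    if s == d:
        return findings  # intra-zone traffic is not governed by conduits here
    if (s, d, flow.proto, flow.port) not in CONDUITS:
        findings.append(f"no conduit for {s}->{d} {flow.proto}/{flow.port}")
    if ZONES[d][1] - ZONES[s][1] > 1:  # e.g. enterprise IT straight into controllers
        findings.append(f"{s}->{d} skips a security layer")
    if d in OT_ZONES and flow.account.startswith(IT_ADMIN_PREFIX):
        findings.append(f"IT admin account {flow.account} used in OT zone {d}")
    return findings
```

Run `evaluate()` over exported firewall or network-sensor flow records; an environment where "all ports are open" shows up immediately as a long list of "no conduit" findings, while a single "skips a security layer" or IT-admin finding points at the direct IT-to-OT connections that strategy 2 warns about.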

5) Patch software. As described, the age and nature of the OT environment complicates fulfilling security requirements. Frequently, devices are handcrafted and customized for specific customers, rigorously tested and under guarantee in this specific configuration. But the vendor refuses to provide guarantees when software is altered or other patching modifications are made to the systems. As a result, we frequently encounter systems with outdated operating systems lacking proper updates and protections.

6) Update configurations. The OT environment often evolves over time, leading to outdated initial configurations. Not all older control devices prioritize security, so it is crucial for the responsible teams to regularly review their configurations to apply strict security measures. Additionally, make sure security settings adhere to the onion model, addressing security concerns across all layers of the DiD model. This approach ensures that if a threat actor breaches or bypasses one layer and compromises it, the underlying layer can still thwart intrusion attempts. Be sure to apply this principle to all components within the communication chain.

7) Foster employee awareness. As with IT security, the most effective OT countermeasure is an educated employee. When responsible teams have a thorough understanding of the risks and common attack vectors within their environment, the organization is better equipped to detect potential attacks early on. Additionally, fostering a culture of open communication within the organization encourages colleagues to provide feedback about potential weaknesses or suspicious access patterns. View false positive detections as opportunities for improvement. By improving the reporting process and working to reduce the false positive ratio, organizations can strengthen their detection capabilities.

8) Investigate modern technologies. As the frequency and complexity of AI-based attacks increase, consider introducing AI-based tools for detection and response. This is essential because traditional approaches are unlikely to sufficiently cope with the heightened risk and attack surface posed by AI.

9) Introduce redundancy. Given the critical role of OT in an organization’s production processes, it’s imperative to assess whether and where redundant components can be deployed. Key areas for redundancy strategy in OT include network, data, power, geography, devices and applications. Be sure to apply security measures to these redundant components.

Isolate redundant components from each other to prevent potential malicious activities from affecting all redundant systems. This strategy avoids your company ending up with multiple versions of compromised systems or components.

10) Create backups. Backup is a fundamental principle of all security strategies, and this holds true for OT security. Wherever possible, create backups for components and store them in immutable vaults to reduce the risk from ransomware. Be sure to also secure the backup infrastructure and avoid relying on any unsecured assets. Additionally, regularly test the backups’ functionality and the employee training for recovery procedures to expedite system rebuilds. As in IT security, leadership needs to define acceptable downtimes for OT components. Cover the OT environment in the OT business continuity concept, and review and update that coverage regularly.

Figure 2 illustrates how security principles can be effectively applied in an OT environment. Key points and principles include network segmentation, separation of duties, backup and monitoring. It’s important to note that the DiD approach has been applied to all these controls, with a layered security model implemented across all available layers. The scenario below shows a manufacturing environment with many of these security principles applied, using technologies from Microsoft. Different vendors are available to support a business-aligned OT security infrastructure across various assets, based on specific requirements and circumstances.

Figure 2. High-level example of OT security design


Embracing OT security practices

With the emergence of AI and the increasingly sophisticated capabilities of organized crime and nation-state-sponsored threat actors, significant compromises in OT security are inevitable.

OT security is the next frontier in building cyber resilience for many organizations. As soon as organizations gain a solid understanding of the importance of securing their IT environments and recognize IT security as a vital component of their overall security strategies, they need to turn their attention to the OT side of operations.

As one of the world’s leading security services providers, DXC supports customers worldwide, across all industries, delivering security solutions in all phases of the IT life cycle. Based on this broad IT security services spectrum, we can develop an informed point of view on almost any security challenge facing our customers or our own organization, including OT security. If you need help getting started or assessing your OT cyber maturity, we can provide consulting, planning, design, testing, implementation, operation, transition, transformation and other required services.

Learn more about DXC Security.

About the author

Lars Klinghammer

Lars Klinghammer is director, global remediation and resilience leader in the Security practice at DXC Technology. With more than 25 years of experience in security consulting, he helps businesses proactively improve security, respond to attacks and recover the IT environment. Previously, he was a global cyber security architect in the Microsoft Cyber Security Global Practice where he helped customers improve identity and access management, secure environments and implement security improvement plans.