
James Neilson at OPSWAT considers the most cost-effective way of securing OT environments
Operational Technology (OT) is the vital link that enables critical services in the energy, water, healthcare, and oil and gas sectors to function reliably and efficiently.
Its importance is exactly why OT is a prime target for cyber-criminals, not only as a means of disrupting these essential services, but also as a vulnerable entry point through which to gain access to IP, financial and other sensitive data. In fact, the NCSC has previously warned that nation-state threat actors are targeting OT environments with the aim of disrupting Western critical national infrastructure, and the societies it serves.
With global geopolitical tensions continuing to rise, the target on the back of OT systems is only growing. Despite this, the majority of cyber-security spending and activity remains focused on traditional business support systems such as standard IT network infrastructure. So, why is this the case, and how can CISOs implement the most effective defences for Industrial Control Systems (ICS) and OT environments?
With threat groups increasingly targeting OT systems to cause widespread disruption, recent research conducted by the SANS Institute on ICS and OT cyber-security budgets sought to shed light on how organisations are investing in the protection of this infrastructure. The findings reveal a mixed picture and highlight the areas that need focus to address these high-stakes challenges effectively.
The research shows that most organisations with OT and ICS in their operations spend between 25% and 50% of their security budgets on protecting them. ICS and OT are rarely the first priority, but the SANS Institute report also shows that cyber-security budgets for these systems have grown in recent years, with 55% of respondents reporting budget growth over the last two years.
At the very least, this indicates a growing recognition that securing these systems is essential; it is an acknowledgement of the need for enhanced resources to protect the systems that power critical services around the world.
However, the findings highlight a significant shortage of skilled personnel to oversee these systems: just 9% of security professionals surveyed dedicate all of their time to OT and ICS security, a resourcing gap that can increase both operational and safety risk.
State-sponsored actors and cyber-criminal groups are evolving their strategies to infiltrate IT networks and then move laterally to target OT systems. This includes deploying botnets, exploiting zero-day vulnerabilities and mounting long-running advanced persistent threat (APT) campaigns.
Volt Typhoon, a Chinese state-sponsored group whose intrusions into US critical infrastructure were detailed by CISA and partner agencies in 2024, relied on living-off-the-land techniques, using built-in administration tools rather than custom malware so that its activity blended into normal operations. It is an example of how a state-backed actor can penetrate IT networks and remain undetected until it locates critical systems to attack. The group had maintained access to some US critical infrastructure networks for at least five years, potentially harvesting data.
CISA has warned that Volt Typhoon may also be planting seeds for later attacks, leading to the “disruption or destruction of critical services in the event of increased geopolitical tensions and/or military conflict with the United States and its allies.”
One of the main reasons state-sponsored actors and cyber-criminal groups can target critical assets is the convergence of IT and OT systems. Technologies such as programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) systems were not designed to withstand modern cyber-threats and are difficult to secure without specialised tools.
This has left IT security teams responsible for OT systems and environments that they may have little or no understanding of or experience with. For example, many organisations have connected SCADA systems to standard IT networks for remote access and telemetry capture. While this integration enables efficiency, it also expands the attack surface and increases the expertise and resources required for effective defence.
IT systems, internet connectivity and transient devices continue to be significant attack vectors for OT infrastructure. The SANS Institute's findings reinforce this: 85% of respondents identified IT compromises as a leading initial attack vector for OT incidents.
One of the key reasons for this is that many organisations fail to adequately secure data flows into and out of their OT networks. If teams can’t detect and block malicious content before it reaches critical infrastructure, it is more difficult to prevent IT-borne threats from impacting OT environments. Securing data flows between OT and IT systems, and across assets, offers a cost-effective way to improve protection of critical systems.
One of the most effective defences is multi-scanning, which runs files arriving on portable media through multiple antivirus engines alongside heuristic analysis and deep file inspection. No single engine's signatures and heuristics cover every threat, so combining several significantly increases the chance of detecting sophisticated and well-concealed ones. Purpose-built scanning kiosks apply this screening at the point of entry while ensuring operational efficiency is maintained.
In addition to scanning, Content Disarm and Reconstruction (CDR) techniques should be employed to sanitise files: rather than trying to detect malicious code, CDR rebuilds each file from its known-safe components, stripping macros, embedded objects, scripts and other active content while keeping the document usable. This proactive method neutralises threats, including ones no scanner yet recognises, before they can execute.
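To make the CDR idea concrete, the following Python script is an illustration added to this article; it is not OPSWAT's engine or any product's code. It rebuilds a Word document from its zip container: parts that carry executable content (the VBA project, ActiveX controls, embedded OLE objects) are dropped, the relationship and content-type manifests are re-emitted from parsed data rather than copied from the original bytes, and a macro-enabled main part is downgraded to the plain document type so the result opens as an ordinary .docx. The sample document, its part names and the denylist of active parts are constructed for the example; a production engine works from a full allowlist of the OOXML schema and also rewrites the document body (DDE fields, altChunk imports, OLE links), which this sketch does not do.

```python
"""Minimal Content Disarm and Reconstruction (CDR) for an OOXML Word file. Added
illustration, not OPSWAT code: executable parts (VBA project, ActiveX, embedded OLE)
are dropped and both package manifests are re-emitted from parsed data."""
import io, posixpath, re, zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
XML_DECL = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
# Assumption: this denylist names the usual macro, ActiveX and OLE carriers; a real
# engine works from a schema allowlist and also rewrites the body (DDE fields, altChunk).
ACTIVE_PARTS = re.compile(r"^word/(vbaProject\.bin|vbaData\.xml|activeX/.*|embeddings/.*)$")


def _element(local_name, attrs):
    """Serialise one empty element from parsed attributes rather than copying source bytes."""
    return f"<{local_name} " + " ".join(f"{k}={quoteattr(v)}" for k, v in attrs.items()) + "/>"


def rebuild_rels(xml_bytes, rels_dir, dropped):
    """Re-emit a .rels manifest, keeping only relationships whose target survived."""
    out = [XML_DECL, f'<Relationships xmlns="{RELS_NS}">']
    for rel in ET.fromstring(xml_bytes).iter(f"{{{RELS_NS}}}Relationship"):
        target = rel.get("Target", "")
        if rel.get("TargetMode") != "External":
            # Relative to the directory owning the .rels part, or absolute from the package root.
            resolved = (target.lstrip("/") if target.startswith("/")
                        else posixpath.normpath(posixpath.join(rels_dir, target)))
            if resolved in dropped:
                continue
        out.append(_element("Relationship", rel.attrib))
    out.append("</Relationships>")
    return "".join(out).encode("utf-8")


def rebuild_content_types(xml_bytes, kept, dropped):
    """Re-emit [Content_Types].xml without dropped parts; downgrade a macro-enabled main part."""
    out = [XML_DECL, f'<Types xmlns="{CT_NS}">']
    for child in ET.fromstring(xml_bytes):
        local, attrs = child.tag.rsplit("}", 1)[-1], dict(child.attrib)
        if local == "Override":
            if attrs.get("PartName", "").lstrip("/") in dropped:
                continue
            if attrs.get("ContentType") == MACRO_MAIN:
                attrs["ContentType"] = PLAIN_MAIN
        elif local == "Default":
            if not any(n.endswith("." + attrs.get("Extension", "")) for n in kept):
                continue  # no surviving part uses this extension
        else:
            continue  # unknown element: not reconstructed
        out.append(_element(local, attrs))
    out.append("</Types>")
    return "".join(out).encode("utf-8")


def disarm_docx(data):
    """Return (sanitised zip bytes, sorted names of removed parts)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    dropped = {n for n in src.namelist() if ACTIVE_PARTS.match(n)}
    kept = [n for n in src.namelist() if n not in dropped]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in kept:
            content = src.read(name)
            if name == "[Content_Types].xml":
                content = rebuild_content_types(content, kept, dropped)
            elif name.endswith(".rels"):  # word/_rels/x.rels: targets are relative to word/
                content = rebuild_rels(content, posixpath.dirname(posixpath.dirname(name)), dropped)
            dst.writestr(name, content)
    return buf.getvalue(), sorted(dropped)


def list_parts(data): return zipfile.ZipFile(io.BytesIO(data)).namelist()
def read_part(data, name): return zipfile.ZipFile(io.BytesIO(data)).read(name)


def build_sample_docm():
    """Constructed input: a tiny macro-enabled document carrying a VBA project."""
    parts = {
        "[Content_Types].xml": XML_DECL + f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" Target="word/document.xml" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument"/></Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body><w:p><w:r><w:t>Pump telemetry</w:t></w:r></w:p></w:body></w:document>",
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1AutoOpen payload placeholder",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()
```

Calling `disarm_docx(build_sample_docm())` returns the rebuilt package and `["word/vbaProject.bin"]`; the surviving manifests contain no reference to the VBA part and no macro-enabled content type, while the document text is untouched. The point of re-emitting the manifests from parsed attributes, instead of patching the original XML, is that nothing from the untrusted file reaches the output except values that were parsed, validated and re-serialised.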
All data transfers, whether via removable media or email, should be governed by secure workflows. Managed File Transfer (MFT) solutions with centralised logging provide visibility, traceability, and help ensure compliance with standards set by bodies such as the NCSC and NDA.
To safeguard telemetry, data diodes enforce unidirectional data flow from operational networks to monitoring systems, eliminating any return path that could be exploited to issue malicious commands. Because no acknowledgement can travel back, protocols that depend on one (TCP sessions, for instance) are terminated by proxies on each side of the diode, and the receiving side has to verify integrity and detect gaps on its own. This physical separation is critical to maintaining the integrity of industrial control systems in high-security environments.
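The following Python sketch is an example added to this article, not any vendor's diode protocol, to show what a one-way link forces on the transport layered over it. The sender can only push frames, so it attaches a per-frame hash and sends every frame twice as cheap redundancy (real diode proxies use forward error correction); the receiver has no channel back, so it validates each frame, tolerates duplicates and reports gaps itself instead of asking for retransmission. The frame layout, the stream identifier and the sample telemetry bytes are assumptions made for the example.

```python
"""One-way (data-diode) transfer framing. Added illustration, not a vendor
protocol: the sender can only push frames, so it repeats each frame and attaches
a hash, and the receiver must verify and detect gaps with no way to reply."""
import hashlib
import struct

MAGIC = b"DIOD"
# magic | stream id | seq | total frames | chunk length | sha256(chunk)
HEADER = struct.Struct("!4sIIIH32s")
# Constructed sample: a few tag/value telemetry records as a historian might forward them.
SAMPLE_TELEMETRY = b"FT101=42.1;PT205=3.9;LT330=71.0\n" * 3


def build_frames(stream_id, payload, chunk_size=64, repeat=2):
    """Split payload into frames and emit each one `repeat` times, in order.
    Redundancy stands in for retransmission: nothing can come back across the diode."""
    chunks = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)] or [b""]
    frames = []
    for seq, chunk in enumerate(chunks):
        header = HEADER.pack(MAGIC, stream_id, seq, len(chunks), len(chunk),
                             hashlib.sha256(chunk).digest())
        frames.extend([header + chunk] * repeat)
    return frames


class OneWayReceiver:
    """Reassembles streams from whatever frames arrive; it has no channel to the sender."""

    def __init__(self):
        self.streams = {}   # stream_id -> {"total": n, "chunks": {seq: bytes}}
        self.rejected = 0   # frames discarded for bad magic, length or hash

    def accept(self, frame):
        """Validate one frame; duplicates are expected and harmless."""
        if len(frame) < HEADER.size:
            self.rejected += 1
            return False
        magic, sid, seq, total, length, digest = HEADER.unpack_from(frame)
        chunk = frame[HEADER.size:]
        if (magic != MAGIC or len(chunk) != length or seq >= total
                or hashlib.sha256(chunk).digest() != digest):
            self.rejected += 1
            return False
        stream = self.streams.setdefault(sid, {"total": total, "chunks": {}})
        if stream["total"] != total:      # header disagrees with earlier frames
            self.rejected += 1
            return False
        stream["chunks"].setdefault(seq, chunk)
        return True

    def missing(self, sid):
        """Sequence numbers not yet seen for a stream (None if the stream is unknown)."""
        stream = self.streams.get(sid)
        if stream is None:
            return None
        return [s for s in range(stream["total"]) if s not in stream["chunks"]]

    def assemble(self, sid):
        """Return the stream's payload, or None while any frame is still missing."""
        if sid not in self.streams or self.missing(sid):
            return None
        stream = self.streams[sid]
        return b"".join(stream["chunks"][s] for s in range(stream["total"]))


def simulate(payload, lost=(), chunk_size=16):
    """Push a stream through a lossy one-way link; frame indices in `lost` never arrive.
    Returns (assembled payload or None, missing sequence numbers, rejected count)."""
    receiver = OneWayReceiver()
    for index, frame in enumerate(build_frames(7, payload, chunk_size)):
        if index not in lost:
            receiver.accept(frame)
    return receiver.assemble(7), receiver.missing(7), receiver.rejected


if __name__ == "__main__":
    print(simulate(SAMPLE_TELEMETRY))               # complete
    print(simulate(SAMPLE_TELEMETRY, lost={6}))     # one copy of seq 3 lost: still complete
    print(simulate(SAMPLE_TELEMETRY, lost={6, 7}))  # both copies lost: gap reported as [3]
```

With the 96-byte sample and 16-byte chunks the sender emits 12 frames for six sequence numbers. Losing one copy of a frame costs nothing; losing both copies leaves the receiver with a gap it can only report to its own operators, which is exactly the trade the diode makes: the monitoring side may miss data, but it can never be used to send anything back into the OT network.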
Visibility into OT assets is also vital. While many legacy systems cannot support modern endpoint protection tools, specialised solutions are available that accommodate diverse architectures and can detect anomalies or unauthorised activity without disrupting operations.
These interconnected layers create a robust and comprehensive defence, securing systems and preventing the damage cyber-attacks can cause, without budgets spiralling out of control.
By investing in OT security, critical infrastructure organisations can lay the groundwork for a more resilient cyber-security posture despite increasingly sophisticated, persistent, and powerful adversaries.
James Neilson is SVP International at OPSWAT
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543