
Operational technology security has moved up the boardroom agenda. That was the starting point at a TEISS dinner briefing at the House of Lords, hosted by Claroty. Around the table were CISOs and senior security leaders from a range of sectors, brought together to consider how to secure environments built for safety and uptime in an era of a widening definition of critical infrastructure, deeper supply chain entanglement and a quickening pace of attacks.
“You can’t easily patch a conveyor belt or a blast furnace,” said Tim Wallen, RVP Northern Europe at Claroty. Most security products, he argued, were not designed for the world of OT and IoT, where security is rarely the first concern. Safety, efficiency and resilience tend to come higher up the list, and the kit on the factory floor cannot be taken offline at will.
The global temperature heats up
CISOs are now picking up oversight of that space, attendees noted, and the official definition of critical national infrastructure has expanded to take in more of it.
The timing is uncomfortable. Global conflict has lifted attack volumes, with a marked rise in malicious activity targeting suppliers and third parties.
Recent disruption in the United States, including attacks on the aviation supply chain, has been linked to nation-state-backed hacktivist groups, some of them well-funded. AI has lowered the barrier to entry further, and DDoS-as-a-service can now be hired by the hour.
One challenge, several attendees said, is that attackers scan for vulnerabilities and go after whatever they find rather than choosing targets in advance. “You might not think you’re a target, but as a third party you can be a way in,” one participant noted. The most uncomfortable risk is the advanced persistent threat sitting on a network for years, ready to act.
Some attacks, attendees agreed, are demonstrations of capability designed to undermine confidence in markets and governments. Hostile groups also appear increasingly willing to collaborate when there is something in it for both sides.
Supply chain risk and the contracts question
Securing third parties is hard, attendees agreed, even when you are one. A supplier's own kit can hold the keys to a whole site, and the contractual position rarely protects the smaller firm. Securing every device in the chain could cost more than most companies can carry. But perhaps, some suggested, the focus should not be on the cost of fixes but on the value of the contracts a business stands to lose if a plant goes down.
The pressure can work both ways. A supplier might be audited and told to fix the issues that arise, but in practice the customer can rarely afford to walk away from a supplier that fails. Better, several suggested, to focus on the failures that would hurt most and accept that the rest must be managed rather than eliminated.
Despite concerns about AI exploitation, attendees were clear that the more pressing weaknesses sit elsewhere. Most of the biggest attacks still begin with social engineering. Identity and access management is, as one put it, “a problem we still haven’t fixed”.
Indeed, BYOD came up as a bigger live concern than AI. Personal devices carried by staff in retail stores, for example, cannot be fully controlled, and issuing company devices at that scale is not affordable. When contractors or third parties visit a site, it is rarely possible to know which networks their devices connected to previously, or whether those networks were secure.
Patching attracted the most candid exchange of the evening. Wallen described a supermarket scenario: fridge freezers holding stock worth millions cannot be turned off to apply a patch, and there is no guarantee the patch will not break them. Nobody wants to be the first to update. Most organisations sit one or two versions behind, waiting to see who breaks first.
Sharing what we know
The threat intelligence gap was a recurring theme. Aviation has built a strong safety culture, attendees noted, partly through deliberate trust-building over many years. Other sectors face different stakes, retail being the obvious contrast, but cross-pollination of ideas and intelligence can be powerful.
Concentration risk sat close behind: too many organisations depend on the same handful of platforms, and a sovereign cloud alternative may need state investment before it becomes real.
A simpler answer also surfaced. Rationalise the attack surface. Run a “minimal viable company” and switch off what you don’t need. It is cheap and effective, yet rarely done.
Closing the discussion, Wallen pulled the threads together. AI is on everyone’s mind. Identity is still the harder challenge. And the sector is, by his own diagnosis, still in the dark about what really needs to be secured.
“The answers are different for everyone,” he said. But one thing is for sure: “We don’t share enough.”
To learn more, please visit: www.claroty.com
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543