OT cyber attacks proliferating despite growing cybersecurity spend

The sharp increase in attacks on operational technology (OT) systems can be primarily attributed to two key factors: the escalating global threats posed by nation-state actors and the active involvement of profit-driven cybercriminals (often sponsored by the former).

The lack of success on the defense side can be attributed to several factors: the complexity of OT environments, the convergence of information technology (IT) and OT, insider attacks, supply chain vulnerabilities, and others.

Despite increased cybersecurity awareness, effort, and spending on the part of manufacturers and critical infrastructure organizations, one common misstep can help cybercriminals gain access: the insistence on visibility and detection without prevention.

Here’s what happens: to exercise better control, many CISOs and other executives ask for visibility into cyber events, but obtaining such visibility requires connecting the OT network to IT or transmitting statuses offline, both of which open new attack surfaces. Often, this makes things even more complicated.

It’s not surprising that the severe implications of attacks on OT are keeping more and more CISOs up at night: think about what happened after the 2021 ransomware attack on Colonial Pipeline, the 2023 attack on a California water treatment system by a former contractor, or the 2023 ransomware attack on global food giant Dole.

In addition to malevolent outsiders and insiders who can cause massive damage, CISOs and security leaders must deal with everyday human errors.

The advent of cyber physical systems

With the convergence of IT, OT, IoT (Internet of Things), and IIoT (Industrial Internet of Things), cyber physical systems (CPS) emerged.

The combination of a vastly expanded attack surface, new vulnerabilities, and advanced attack capabilities meant a field day for attackers. They could make big bucks through ransomware, potentially bring entire economies to a halt, or accomplish the types of immense damage previously only physical attacks could (e.g., bringing water or electricity facilities to a halt).

From a business and technology perspective, the converged CPS are key to efficiency, value creation, and competitive edge. Even just a brief pause in their functioning can lead to significant losses. However, the more interconnected the CPS became, the more vulnerable organizations have become.

Wrong assumptions

Many businesses used to be under the impression that isolating production assets from the internet is the only protection they need. As attacks continue to increase in frequency and scope, industry leaders now know that air-gapping isn’t as secure as it appears. Plus, disconnecting machines and devices from the internet can limit their usefulness.

The right cybersecurity solution for CPS cannot be a combination of generic cybersecurity products, as we see some vendors advise. Such products were built around IT needs before IT converged with OT, IoT, and IIoT. These solutions cannot secure physical assets nor the continuity of production lines. They cannot ensure that machines continue to do their core task no matter what or that their sensitive modus operandi aren’t tampered with.

Since cyber-attacks and human errors can come from the outside, inside, supply chain, and other contracted third parties, a network-based anomaly detection solution would not cover all the bases. Such a solution would provide warnings after a network breach; it cannot prevent an attack that uses stolen credentials or an employee who conducts malicious wrongdoing on operational devices.

A modern approach

Today’s CPS comes with complex and unique topologies. They combine legacy systems (engineered to last) with recent innovations (engineered to change). In some instances, they also involve retrofitted equipment now connected to IT systems, making the situation even more complex. Plus, every production environment is unique based on the types, combinations, and the age of assets, protocols, and operations.

The way to achieve cyber resilience in such a complex environment is to focus the protection on OT devices – whether they are legacy or new.

A zero trust mechanism should be implemented to enable cyber prevention, support uninterrupted CPS processes and ultra-low latency, and put machine uptime above all else. The solution must end the culture of shared passwords yet must not slow engineering or operational processes down. This device-level, zero trust approach can protect CPS fleets even in an IT/network attack.

As for device OEMs, they must incorporate robust cybersecurity measures from the initial design stage to be effective throughout the entire lifecycle of their products.

Ideally, organizations should seek a solution by a vendor that understands their specific industry and their unique needs – a solution that not only helps solve the crisis at hand but also helps comply with emerging regulations such as the NIS2 and the Cyber Resilience Act in the European Union, NIST SP 800-82r3 in the United States, and CCoP 2.0 in Singapore.