
Operational technology (OT) security in 2024
The digitization of operational technology (OT) continues to advance this year. The networking of machines, cyber-physical systems, IoT devices, and equipment of all kinds is far from complete. This trend affects not only industry and production but also a variety of sectors such as healthcare, energy suppliers, and many others.
Digitization also means optimization. Machines are monitored, errors are detected before they happen, and quality and efficiency are perfected. This all reduces costs, but it comes with a price. Networking always means vulnerability. This problem can be solved, but it should not be ignored.
The biggest challenge is the steadily growing attack surface. Internally, machines in OT environments are often exposed in large, flat networks. As business networks grow and change, companies add more machines, devices, and control systems without properly adjusting and segmenting the network architecture. Because of the long lifecycle of OT systems, the cautious approach to software patches, and the use of vulnerable and insecure protocols, there is a serious risk of large-scale failures. A single infected USB stick, a careless click on a link, or a contaminated laptop belonging to a maintenance technician can be enough to bring operations to a standstill. In some industries, this can be truly dangerous.
Companies are also vulnerable from the outside. Cloud and external services open the network toward the internet; the air gap is definitively a thing of the past. Careless handling of firewall policies and permitted applications and services makes life easier for an attacker. One of the biggest and often hidden problems remains open remote maintenance access points. Company employees and third-party technicians frequently use remote access to manage devices in OT networks. Problems arise when there is no uniform solution or secure remote access application in place and when companies have no overview of OT management. Many technicians use many different applications or repurposed screen-sharing tools to access operational technology. While these tools may work, they lack the security features needed to fully protect critical technology. Exposing remotely managed OT applications and management interfaces directly to the internet provides attackers with many opportunities. Combined with weak or non-existent internal segmentation, this presents an easy target.
What can be done?
Without jumping on every new technology hype, companies must reduce the attack surface as much as possible, which means first reducing it to the essentials. IT and OT security teams must ensure that all indispensable services that cannot be consolidated are brought up to current security standards.
A lack of awareness of security risks and vulnerabilities is also a problem. OT personnel should be engaged in security awareness measures and training. These individuals often have immense knowledge about processes and the tools and services used and can be extremely helpful in implementing security measures if they are on board.
OT security projects are cyclical and represent a continuous process. When tackling this issue, it is important to set realistic goals, start with the biggest security gaps, and then refine.
Asset and vulnerability management
Once the company knows the intended scope and effort, the IT/OT managers must obtain an overview. This involves determining which assets and control systems exist and how the communication paths between them run. Ideally, this process identifies which systems are vulnerable to known threats, and these systems are secured accordingly. This is a difficult process for many companies, but network scanners and anomaly detection tools can be very helpful in assessing the initial situation.
External attack surface
Experience shows that external remote access services to OT networks create the biggest gap in OT security. Ideally, the company should approve and manage a single tool for all remote access, either internally or through a managed service provider. Using a Zero Trust Network Access (ZTNA) tool is highly recommended because it allows individual enablement of applications and protocols based on the user group, which prevents the broad network access from the outside that often comes with traditional VPN connections. ZTNA solutions can also perform posture checks on the end device and ensure that the device and user comply with security policies.
Regardless of opinions on VPN tools, anything is better than services exposed directly on the internet. Disable unrestricted access to screen sharing, web interfaces, remote desktop protocol (RDP) sessions, and APIs immediately if these are present in the network. Prohibiting this type of access is necessary, as it is an absolute no-go in cybersecurity. Avoiding jump hosts in the internal network or a DMZ is also important, as they serve as single points of failure and high-value targets for threat actors. If there is an absolute necessity to make assets accessible, the organization should restrict access based on user roles. Not everyone needs access to everything; “least privilege” is the concept of choice.
Internal attack surface
Relying solely on perimeter security is short-sighted today. Of course, we must fend off all attacks and keep malware out, but the design of defense measures must always assume that an attacker will eventually breach the internal network, and there are many attack vectors. Implementing security measures is necessary to contain a compromise and prevent total failure. Even if an attacker gets a foothold, it is not too late for a successful defense. For OT environments, this means dividing and structuring flat networks. There are different methods for micro-segmentation, depending on the company's individual needs. Many follow the Purdue Model, which makes sense. The biggest challenge is to segment a network without rebuilding it entirely. We must minimize downtime and not overlook the risk that some machines may not cope with a network redesign. Therefore, when choosing a suitable solution, it is advisable to ensure a seamless implementation in Transparent Mode.
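The two previous sections list concrete things to check in a firewall policy: OT services exposed directly to the internet, access that is not restricted to a user role, and conduits that skip a Purdue level instead of passing through the intermediate zone. The script below audits an exported rule set for exactly those three conditions. It is an added example, not Barracuda code; the rule format, zone names and sample rules are constructed.

```python
"""Audit a firewall rule export for the exposures the post warns about:
OT services reachable straight from the internet, conduits that skip a
Purdue level, and inbound OT access with no user-group restriction."""

# Purdue-style zone order, innermost first (constructed; adapt to your design)
ZONES = ["process", "control", "supervisory", "site_ops", "dmz", "enterprise", "internet"]
# Services the post says must never be exposed without restriction
RISKY_PORTS = {3389: "RDP", 5900: "VNC", 80: "HTTP", 443: "HTTPS", 502: "Modbus/TCP"}


def audit_rules(rules):
    """Return a list of (rule_name, finding) tuples for every allow rule."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src, dst = ZONES.index(r["src_zone"]), ZONES.index(r["dst_zone"])
        ot_bound = dst <= ZONES.index("site_ops")  # destination is an OT level
        risky = [RISKY_PORTS[p] for p in r["dports"] if p in RISKY_PORTS]
        # 1. OT service exposed directly to the internet (the "absolute no-go")
        if r["src_zone"] == "internet" and ot_bound and risky:
            findings.append((r["name"], f"internet-exposed {', '.join(risky)}"))
        # 2. Conduit skips a Purdue level (e.g. enterprise -> control without DMZ)
        if abs(src - dst) > 1:
            findings.append((r["name"], f"skips level: {r['src_zone']} -> {r['dst_zone']}"))
        # 3. Inbound OT access not tied to a user group (least privilege)
        if src > dst and ot_bound and not r.get("user_groups"):
            findings.append((r["name"], "no user-group restriction (least privilege)"))
    return findings


# Constructed sample export (not a real policy)
SAMPLE_RULES = [
    {"name": "vendor-rdp", "action": "allow", "src_zone": "internet",
     "dst_zone": "control", "dports": [3389], "user_groups": []},
    {"name": "hmi-web", "action": "allow", "src_zone": "enterprise",
     "dst_zone": "supervisory", "dports": [443], "user_groups": ["ot-operators"]},
    {"name": "historian", "action": "allow", "src_zone": "dmz",
     "dst_zone": "site_ops", "dports": [1433], "user_groups": ["historian-svc"]},
    {"name": "block-all", "action": "deny", "src_zone": "internet",
     "dst_zone": "control", "dports": [], "user_groups": []},
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

The "historian" rule passes all three checks because it crosses only one level (DMZ to site operations) and is bound to a service group; "vendor-rdp" trips all three.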
What to do when there’s a breach
It is important to answer this question promptly. Incident detection and response are critical, and a company cannot respond to an incident if it doesn't know what is happening in the infrastructure. In addition to technical means for visibility and analysis, security managers must also establish the technology and business continuity processes. Security incidents rarely happen at a convenient time such as a Monday morning; they tend to happen when they are least convenient.
The human factor
...is still the weakest link in the chain. Therefore, every company should cultivate a culture of vigilance and enable awareness and training measures so employees can recognize attack attempts. It is also very important for all involved to accept security measures and understand why they are required.
Cyberattacks are becoming increasingly technically sophisticated, threat actors are better prepared for contingencies, and the victims are pre-selected and strategically targeted. Artificial intelligence (AI) is being used by cybercrime organizations to improve and accelerate all phases of cyberattacks. Organized cybercrime, nation-state groups, loosely affiliated threat clusters, and individual actors are all becoming better at stealing our data and sensitive information.
The Barracuda solution for OT security
At Barracuda, we recommend using our award-winning, purpose-built Secure Connector solution in dispersed IoT infrastructures. The Secure Connector uses Barracuda’s proprietary Traffic Independent Network Architecture (TINA) VPN protocol over ethernet, Wi-Fi, or 4G/LTE and is available as regular or rugged hardware. These compact appliances work with Barracuda CloudGen Firewall or Barracuda SecureEdge to connect remote devices and micro-networks to corporate resources, providing full next-generation security and effectively serving as a connectivity hub for all connections between the IoT devices and the internet. Secure Connector also supports edge computing so technicians can create custom control and surveillance logic for protected devices.
Barracuda SecureEdge is an enterprise-grade Secure Access Service Edge (SASE) solution that provides full visibility and management capabilities for hybrid and converged networks. SecureEdge makes it easy to step into a full SASE solution at your own pace. See this blog post for more on introducing SASE into your existing security environment.