The Need to Strengthen Cybersecurity for Operational Technology


Cybersecurity risks are becoming increasingly dangerous for critical infrastructure and cyber physical assets in heavy industries across the energy, transportation, and manufacturing fields. These, and other heavy industrial sectors, face unique operational challenges based on limited abilities to implement security controls for legacy systems and devices.

Such operational technology (OT) includes all the hardware and software systems used to monitor and control industrial equipment, assets, and processes. Many of these systems were built before cybersecurity was a significant concern, and this aging infrastructure remains highly vulnerable to both physical attacks and digital threats. Attackers can, for example, compromise old servers that still run unsupported Windows versions, or sensors installed on valves that are connected to networks without any internal hardening procedures. To address these vulnerabilities, cybersecurity professionals, such as those found at guidepointsecurity.com, are diligently developing strategies and solutions to strengthen these systems against attacks.

Because cyberattacks on these OT infrastructures target complex public facilities, they create severe risks for public safety through direct physical impacts such as plant shutdowns, utility outages, gas leaks, or even refinery explosions. Additionally, many facility managers depend on solutions at vulnerable remote sites, with decision-making gaps between the IT and OT teams regarding who owns which networks, systems, and processes. This underlines the critical role of cyber professionals in bridging these gaps and enhancing the resilience of these essential systems.

Cybersecurity and High-Value Targets

Plants with OT networks are high-value targets for ransomware attacks because the attackers can use less-secured third-party connections to take over vulnerable OT devices. By locking down computer networks and halting business-critical operations, the attackers can then intensify the pressure for ransoms to be paid.

As heavy industrial sites come under greater threat, some standards bodies and government agencies have stepped up efforts to address this concern. The National Institute of Standards and Technology (NIST) released its new 2.0 edition Cybersecurity Framework in February. This CSF 2.0 has an expanded scope to focus on how organizations should prioritize their cybersecurity strategies, and how they should align their technical cybersecurity protections with strategic cyber risk governance.

Also in February, the President’s Council of Advisors on Science and Technology (PCAST) released a report on steps to fortify the nation’s cyber-physical assets. That report addresses integrated digital and infrastructure resources, including the electrical grid, public water systems, internet and telecom, banking systems, air traffic control, and more.

And in March, the European Union (EU) Parliament approved the European Cyber Resilience Act (CRA), which describes the cybersecurity requirements for hardware and software products with digital elements placed on the EU market, including industrial automation and control systems (IACS) such as programmable logic controllers (PLC), distributed control systems (DCS), computerized numerical controllers for machine tools (CNC), and supervisory control and data acquisition systems (SCADA). The new regulation highlights that securing these systems is necessary for the reliability of critical infrastructure, which is the backbone of our civilization.

The Need to Quantify Risk for OT Infrastructure

Owners and operators of OT infrastructure should be encouraged by the emergence of engineering-grade tools that are designed to prevent cyberattacks from harming OT networks. As an example, unidirectional security gateway technology is a hardware cybersecurity solution that enforces one-way information transfer between two networks. The hardware can physically send information in only one direction, while the software makes real-time replicas of servers and devices from the OT network to share with the enterprise network. This approach prevents any attack from being propagated back into the OT network through the gateway server.

Despite growing attention for OT security by vendors, policymakers, and industry groups, many CISOs and facility managers still find it hard to show a return on investment for their OT security solutions. When security protections work right, there is no cost for a breach or failure. OT facilities only suffer financial and physical losses when a cyberattack succeeds.

To make the case for cybersecurity investments, facility operators should run analyses of potential scenarios and outcomes based on key risk metrics. Such metrics include Value at Risk, Expected Loss, Most Probable Loss, Types of Potential Loss, Drivers of Risk, or the overall Loss Exceedance Curve—a chart that helps organizations visualize the exceedance probability of a loss event.

By applying such AI-powered analysis and advanced modeling, OT organizations can get a much better sense about their greatest vulnerabilities and how to prioritize their weaknesses. Analyzing outside-in and inside-out data sets for each facility allows CISOs to produce executive reports that justify cyber investments to CFOs and boards of directors.

In this fact-based way, OT security teams can help elevate cybersecurity to a business imperative that is managed in the same way as any other business risk—through evidence, financial analysis, and “what-if” scrutiny of potential risk and risk mitigation scenarios and outcomes.

Building in Sturdy Risk Mitigation Strategies

To overcome multiple challenges for OT security, CISOs and facilities managers need to become more strategic in how they assess and mitigate their most consequential risks. To get there, they should first identify which assets are most at cybersecurity risk due to internet exposures and shifting threat vectors. The next step is to pinpoint where the greatest cyber risks exist across the organization. This includes assessing vulnerability gaps in terms of physical systems, digital controls, and employee security training levels.

Security hygiene requires segmenting OT networks from other networks and maintaining proper configurations for all software applications and security systems. After identifying and rating various risk levels, OT managers can quantify the financial costs associated with each worst-case vulnerability. A cyber risk portfolio also includes components to address compliance for shifting regulatory requirements, and to meet all internal governance controls. Solving this OT security riddle can only happen by implementing mitigation strategies based on clear risk assessment and quantification. The return on security investments can be quantified by comparing the costs of a mitigation project versus the potential losses if a breach occurs. After all, it only makes sense to prevent attacks in the first place, rather than absorbing the fallout from a disastrous breach—including the damaging costs to operational integrity, public safety, and brand reputation.
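As an added worked example (not code from the article, nor from any vendor or agency it mentions), the Python script below shows how the risk metrics named earlier, Expected Loss, Value at Risk and the Loss Exceedance Curve, can be derived from a Monte Carlo simulation of annual losses, and how the resulting figures feed the mitigation-cost-versus-potential-loss comparison described in this section. The three attack scenarios, their frequencies and loss sizes, the 60% frequency reduction attributed to segmentation and hardened remote access, and the 120,000-per-year control cost are all constructed assumptions rather than figures from the article; the Poisson frequency / lognormal severity model is a common choice for this kind of analysis, not the specific method the article refers to.

```python
"""Monte Carlo cyber-risk quantification for a hypothetical OT facility.

Added illustration, not code from the article: simulate annual losses from a
small set of assumed attack scenarios, derive Expected Loss, Value at Risk and
a Loss Exceedance Curve from the simulated years, and compare a mitigation
project's annual cost against the losses it is expected to avoid.
Every scenario figure below is a constructed placeholder, not measured data.
"""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # expected annual event frequency (Poisson mean)
    loss_median: float      # median loss per event in currency units (lognormal)
    loss_sigma: float       # log-scale dispersion of the per-event loss


# Constructed scenarios for a hypothetical plant; the numbers are assumptions.
SCENARIOS = [
    Scenario("ransomware via third-party remote access", 0.30, 800_000, 1.0),
    Scenario("unsupported Windows server compromised", 0.50, 150_000, 0.8),
    Scenario("unhardened field sensor manipulated", 0.10, 2_000_000, 1.2),
]


def poisson(rng, mean):
    """Draw an event count from Poisson(mean) using Knuth's method."""
    limit = math.exp(-mean)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(scenarios, years, seed=7):
    """Return one total loss figure per simulated year."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    losses = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(poisson(rng, s.events_per_year)):
                total += rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
        losses.append(total)
    return losses


def expected_loss(losses):
    """Mean annual loss across the simulated years."""
    return sum(losses) / len(losses)


def value_at_risk(losses, confidence=0.95):
    """Annual loss not exceeded in `confidence` of the simulated years."""
    ordered = sorted(losses)
    index = min(len(ordered) - 1, math.ceil(confidence * len(ordered)) - 1)
    return ordered[index]


def loss_exceedance_curve(losses, thresholds):
    """(threshold, probability that a year's loss exceeds it) pairs."""
    n = len(losses)
    return [(t, sum(1 for x in losses if x > t) / n) for t in thresholds]


def apply_mitigation(scenarios, frequency_reduction):
    """Model a control that cuts every scenario's event frequency by a fraction."""
    return [replace(s, events_per_year=s.events_per_year * (1 - frequency_reduction))
            for s in scenarios]


def return_on_security_investment(baseline_losses, mitigated_losses, annual_cost):
    """(avoided expected loss - control cost) / control cost."""
    avoided = expected_loss(baseline_losses) - expected_loss(mitigated_losses)
    return (avoided - annual_cost) / annual_cost


if __name__ == "__main__":
    years = 20_000
    baseline = simulate_annual_losses(SCENARIOS, years)
    # Assumed control: segmentation plus hardened remote access, modelled as a
    # 60% cut in event frequency at an assumed cost of 120,000 per year.
    mitigated = simulate_annual_losses(apply_mitigation(SCENARIOS, 0.60), years, seed=11)
    print(f"Expected loss:      {expected_loss(baseline):>14,.0f}")
    print(f"95% Value at Risk:  {value_at_risk(baseline, 0.95):>14,.0f}")
    for threshold, prob in loss_exceedance_curve(baseline, [0, 250_000, 1_000_000, 5_000_000]):
        print(f"P(loss > {threshold:>9,}) = {prob:.3f}")
    print(f"ROSI of mitigation: {return_on_security_investment(baseline, mitigated, 120_000):.2f}")
```

Running the script prints the baseline metrics and a positive or negative return on the assumed control. The exceedance curve is what the article calls the Loss Exceedance Curve: each pair gives the probability that a year's loss is larger than the threshold, so plotting the pairs yields the chart described above. Replacing the constructed scenarios with a facility's own frequency and severity estimates, and the assumed reduction with the effect a real control is expected to have, turns the same calculation into the evidence-based case for investment that the section calls for.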
