Enhancing OT Security: Key Findings from Global Assessments and Recommendations for CISOs


By Tina Reynolds

Recent assessments of OT environments have found that these technologies often have gaping holes in their security, which has set alarm bells ringing among cybersecurity experts. Over half of the assessed environments had little or no Security Information and Event Management (SIEM) capability and no SOC telemetry for their OT or management zones. This gap not only impedes detection when an incident occurs but also raises susceptibility to cyber attacks, because an intrusion can proceed unnoticed.

The assessments also highlighted a troubling trend: weak separation between information technology (IT) and OT systems, which facilitates lateral movement by attackers. Where that segregation is absent, even a modest compromise on the IT side can quickly turn into significant disruption of OT operations. Notably, almost 60% of the engagements found identity-related weaknesses: credential reuse across IT and OT, credentials that were never rotated, oversized administrative groups, and poorly implemented or missing MFA.

These findings underscore the urgency of the decision Chief Information Security Officers (CISOs) face: they need to move quickly to adopt robust security controls across their OT landscapes.

Inadequate Security Measures in OT Environments

The assessments revealed a worrying pattern in OT security practice. More than half of the assessed environments lacked adequate SIEM or SOC telemetry, which is essential for monitoring and responding to security incidents. Without it, organizations have no reliable way to identify an intrusion while it is still developing, before it turns into an outage.

Insufficient separation between IT and OT systems worsens this issue. Where separation was weak or nonexistent, the testers were quickly able to move laterally between the two environments, and this lateral movement is where the greatest risk lies: it can escalate an initial breach in IT into an outage in OT, with potentially catastrophic impact on critical infrastructure.

Identity-related issues were also a focus in nearly 60% of the engagements. These ran the gamut from credential reuse across IT and OT systems, to service accounts whose passwords were never rotated, to oversized administrative groups. The absence of MFA makes matters worse, leaving systems open to unauthorized access with nothing more than a stolen password. Each of these weaknesses greatly increases the odds of a successful attack, and once attackers have that initial access they move through networks with alarming ease and speed.
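The four identity findings above (cross-zone credential reuse, unrotated service accounts, oversized admin groups, privileged users without MFA) are all mechanically checkable once you have an account inventory from each domain. The script below is an added example, not tooling from the article or the assessments it describes; the inventory, zone and group names, the fingerprint values and the policy thresholds are constructed assumptions. In practice the records would come from AD/LDAP exports of the IT and OT domains plus a credential-hash comparison tool.

```python
"""Audit an IT/OT account inventory for the identity weaknesses described above.

Added example (not the article's own tooling). The inventory, zone and group
names, and the policy thresholds are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta
from pprint import pprint

ROTATION_MAX_AGE = timedelta(days=90)   # assumed policy: service-account secrets rotate quarterly
ADMIN_GROUP_MAX = 5                     # assumed policy: at most 5 members per privileged group
PRIVILEGED_GROUPS = {"Domain Admins", "OT-Admins", "Backup Operators"}  # assumed group names
TODAY = date(2024, 6, 1)                # fixed reference date so the output is reproducible


def acct(name, zone, kind, fp, last_set, groups, mfa):
    return {"name": name, "zone": zone, "type": kind, "pw_fingerprint": fp,
            "pw_last_set": last_set, "groups": groups, "mfa": mfa}


# Constructed inventory: one record per account per zone. `pw_fingerprint` stands in for
# a credential hash; equal fingerprints in different zones mean the same secret is reused.
ACCOUNTS = [
    acct("svc-historian", "OT", "service", "a1f3", date(2022, 1, 15), ["OT-Admins"], False),
    acct("svc-historian", "IT", "service", "a1f3", date(2022, 1, 15), ["Domain Admins"], False),
    acct("svc-backup", "IT", "service", "77c0", date(2024, 4, 2), ["Backup Operators"], False),
    acct("jdoe", "IT", "user", "9be2", date(2024, 5, 20), ["Domain Admins"], True),
    acct("jdoe", "OT", "user", "9be2", date(2024, 5, 20), ["OT-Admins"], False),
    acct("asmith", "IT", "user", "1c44", date(2024, 5, 1), ["Domain Admins"], True),
    acct("bjones", "IT", "user", "2d55", date(2024, 5, 1), ["Domain Admins"], True),
    acct("ckim", "IT", "user", "3e66", date(2024, 5, 1), ["Domain Admins"], False),
    acct("dlee", "IT", "user", "4f77", date(2024, 5, 1), ["Domain Admins"], True),
    acct("epatel", "IT", "user", "5a88", date(2024, 5, 1), ["Domain Admins"], True),
    acct("fwong", "OT", "user", "6b99", date(2024, 5, 1), ["OT-Admins"], True),
]


def find_credential_reuse(accounts):
    """Names whose credential fingerprint is seen in more than one zone: one stolen
    secret unlocks both IT and OT."""
    zones_by_fp, names_by_fp = defaultdict(set), defaultdict(set)
    for a in accounts:
        zones_by_fp[a["pw_fingerprint"]].add(a["zone"])
        names_by_fp[a["pw_fingerprint"]].add(a["name"])
    return sorted(name for fp, zones in zones_by_fp.items()
                  if len(zones) > 1 for name in names_by_fp[fp])


def find_stale_service_accounts(accounts, today=TODAY):
    """Service accounts whose secret is older than the rotation policy allows."""
    return sorted({a["name"] for a in accounts
                   if a["type"] == "service" and today - a["pw_last_set"] > ROTATION_MAX_AGE})


def find_oversized_admin_groups(accounts):
    """Privileged groups (per zone) with more members than policy permits."""
    members = defaultdict(set)
    for a in accounts:
        for g in a["groups"]:
            if g in PRIVILEGED_GROUPS:
                members[(a["zone"], g)].add(a["name"])
    return {f"{zone}/{g}": len(m) for (zone, g), m in members.items() if len(m) > ADMIN_GROUP_MAX}


def find_privileged_without_mfa(accounts):
    """Interactive (human) accounts holding privileged group membership but no MFA."""
    return sorted(f"{a['name']}@{a['zone']}" for a in accounts
                  if a["type"] == "user" and not a["mfa"] and PRIVILEGED_GROUPS & set(a["groups"]))


def audit(accounts, today=TODAY):
    return {
        "credential_reuse_across_zones": find_credential_reuse(accounts),
        "stale_service_accounts": find_stale_service_accounts(accounts, today),
        "oversized_admin_groups": find_oversized_admin_groups(accounts),
        "privileged_without_mfa": find_privileged_without_mfa(accounts),
    }


if __name__ == "__main__":
    pprint(audit(ACCOUNTS))
```

Note that the reuse check compares fingerprints, not account names: a shared password between `svc-historian` in IT and a differently named account in OT would be caught just the same, which is the case that slips past a name-based review.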

Pathways for Compromise and Escalation

The assessments uncovered numerous vectors that adversaries used to compromise OT environments. In about three out of five adversary simulations, compromise was achieved through management infrastructure, especially jump servers. Vendor laptops and site-to-site tunnels offered an entry point into OT environments in 39% of cases.

Interestingly, the assessments concluded that the majority of compromises were not due to direct exploitation of OT systems. Rather, misconfiguration, over-delegation of trust relationships, and inherited privileges let attackers ride legitimate access paths into OT. This highlights a critical area for improvement: organizations must tighten configurations and minimize trust between systems to mitigate these risks.
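Because the jump-server path is a legitimate one, the detection question is not "was an exploit used" but "did this session meet the access-path policy". The example below is added here and is not from the article; it correlates constructed jump-host logon and connection events (a SIEM-normalised key=value format, hostnames, subnets, the allowed-engineers list and the `svc-` naming convention are all assumptions) and raises an alert when a session into the OT subnet came from an account or source that the policy does not permit, or when an OT connection appears with no successful logon on record at all.

```python
"""Flag jump-host sessions that pivot into OT without meeting the access-path policy.

Added example (not from the article). Log format, hostnames, subnets, account
lists and the naming convention are constructed assumptions; real inputs would
be Windows logon events and firewall/EDR connection logs forwarded to a SIEM.
"""
import ipaddress
import re
from datetime import datetime

JUMP_HOST = "jump01"
PAW_SUBNET = ipaddress.ip_network("10.20.5.0/24")   # assumed privileged-access-workstation subnet
OT_SUBNET = ipaddress.ip_network("10.90.0.0/16")    # assumed control-network range
OT_ENGINEERS = {"eng-alice", "eng-bob"}             # assumed: accounts allowed into OT via the jump host
SERVICE_PREFIX = "svc-"                             # assumed naming convention for service accounts

# Constructed events: ISO timestamp followed by key=value fields.
LOG_LINES = """
2024-06-01T08:02:11Z host=jump01 event=logon user=eng-alice src=10.20.5.14 type=rdp result=success
2024-06-01T08:03:40Z host=jump01 event=netconn user=eng-alice dst=10.90.1.10 dport=3389
2024-06-01T10:30:05Z host=jump01 event=logon user=helpdesk-tom src=10.20.5.30 type=rdp result=success
2024-06-01T10:31:12Z host=jump01 event=netconn user=helpdesk-tom dst=10.90.1.10 dport=3389
2024-06-01T11:00:00Z host=jump01 event=logon user=eng-bob src=10.10.4.9 type=rdp result=failure
2024-06-01T11:00:45Z host=jump01 event=netconn user=eng-bob dst=10.90.1.15 dport=3389
2024-06-01T13:15:02Z host=jump01 event=logon user=svc-backup src=10.10.77.3 type=rdp result=success
2024-06-01T13:15:30Z host=jump01 event=netconn user=svc-backup dst=10.90.1.20 dport=502
2024-06-01T13:20:00Z host=jump01 event=netconn user=svc-backup dst=10.10.3.5 dport=445
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse(line):
    m = LINE_RE.match(line)
    ev = dict(kv.split("=", 1) for kv in m.group("fields").split())
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ev


def policy_violations(user, src):
    """Reasons a jump-host session by `user` from `src` should not be entering OT."""
    reasons = []
    if ipaddress.ip_address(src) not in PAW_SUBNET:
        reasons.append("logon source outside the PAW subnet")
    if user not in OT_ENGINEERS:
        reasons.append("account not authorised for OT engineering access")
    if user.startswith(SERVICE_PREFIX):
        reasons.append("service account used for an interactive logon")
    return reasons


def detect_jump_pivots(lines):
    """Correlate successful jump-host logons with subsequent connections into OT."""
    last_logon = {}   # user -> (ts, src) of the latest successful logon on the jump host
    alerts = []
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        if ev["host"] != JUMP_HOST:
            continue
        if ev["event"] == "logon" and ev["result"] == "success":
            last_logon[ev["user"]] = (ev["ts"], ev["src"])
        elif ev["event"] == "netconn" and ipaddress.ip_address(ev["dst"]) in OT_SUBNET:
            logon = last_logon.get(ev["user"])
            if logon is None:
                # Connection into OT with no logon behind it: telemetry gap or session abuse.
                reasons = ["OT connection with no successful jump-host logon on record"]
                src = None
            else:
                reasons, src = policy_violations(ev["user"], logon[1]), logon[1]
            if reasons:
                alerts.append({"ts": ev["ts"], "user": ev["user"], "src": src,
                               "dst": ev["dst"], "dport": ev["dport"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_jump_pivots(LOG_LINES):
        print(a["ts"].isoformat(), a["user"], a["src"], "->", f'{a["dst"]}:{a["dport"]}', a["reasons"])
```

The `eng-alice` session produces nothing: authorised account, PAW source, engineering port. The three alerts are the cases the assessments describe: an account outside the engineering group using a perfectly valid jump-host session, a service account logged on interactively from an ordinary IT workstation and then talking Modbus, and a connection whose logon never appeared in telemetry.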

Overly permissive traffic flows between IT and OT, often the result of neither side knowing what actually needs to cross the boundary, further compound this vulnerability landscape. When unmoderated communication between the two domains is permitted, organizations expose themselves to increased risk. Restricting cross-zone traffic to the flows that are explicitly needed is key to containing a threat within the zone where it started.

Progress and Recommendations for Improvement

While the results were sobering, they do point to positive strides in some OT settings. Only about 30% showed mature detection capabilities, consistently identifying simulated attacker activity, particularly where an operations center was in place. Fewer than one-third of the evaluated environments demonstrated strong progress on fundamental OT protections such as a rigorous remote-management architecture and a properly implemented production demilitarized zone (DMZ).

Challenges remain. Nearly half (46%) of OT environments showed no evidence of a recovery plan that had been tested against an incident. Most backup platforms were accessible only at the IT or senior-management level, and they frequently had no offline or immutable copies, a gap that could severely impair recovery after a cyber incident.

CISOs have a responsibility to do more to improve their organizations' security posture. They can do so by adopting holistic solutions that integrate event logging, endpoint protection, and SIEM-integrated network detection across IT and OT environments. Environments that used these strategies showed significantly better detection results than those relying on standalone security measures.