Operational technology (OT) has long struggled with modern cybersecurity demands, but operators now face an increasingly dire cyber threat from nation-state actors. OT is essential for managing cyber-physical systems across fields, including manufacturing, transport, and energy, putting it in the sights of hostile actors backed by China, Russia, Iran, and more.
Yet many OT environments are profoundly unprepared for the threat, often struggling with essential vulnerability management activity that should be a baseline to reliable security.
OT security teams should consider a shift to a policy of exposure management, a smarter approach that prioritizes the most exploitable, high-risk vulnerabilities first. Organizations relying on OT must move to reduce operational strain while closing the gaps that leave their systems open to hostile state-backed actors.
General Manager, EMEA, Claroty
Why OT is a prime target for nation-state cyberattacks
OT environments are prime targets for nation-state actors and cybercriminals attacking critical national infrastructure (CNI). Adversaries have a range of objectives, from stealing classified data and conducting corporate espionage to disrupting economic stability.
In the last few years, multiple high-profile incidents have been linked to known threat groups. For example, Volt Typhoon and Salt Typhoon are two prolific groups linked to China that have conducted several attacks on U.S. infrastructure.
Volt Typhoon has infiltrated critical infrastructure, including communications, energy, and water, and is known for using stealthy, low-and-slow tactics to exploit native tools and systems. Salt Typhoon, meanwhile, is believed to be involved in exfiltrating data from ISPs for use by Chinese intelligence operations.
Sandworm, closely linked to Russia’s military intelligence, is another long-running APT targeting critical infrastructure. The group is believed to be behind several attacks on Ukraine’s power grid over the last decade, creating the Industroyer and Industroyer 2 malware designed for industrial equipment using specific protocols. Sandworm also unleashed the notorious NotPetya ransomware.
Iran has also proven itself to be a major player in international cyberattacks. The CyberAv3ngers group has attacked U.S. water facilities using compromised PLCs and HMIs. The group has also targeted civilian infrastructure with IOCONTROL, a Linux-based backdoor designed for multiple standard OT control systems.
While high-level APTs like these have the resources and expertise for advanced tools and tactics, many OT attacks begin with unsecured devices connected to the internet, providing a clear attack path to establish footholds in critical systems.
After assessing nearly one million OT devices across 270 organizations in multiple fields, we found persistent evidence of malware in OT systems. Sample companies in manufacturing, natural resources, and logistics and transportation all had more than 10% of their OT devices communicating with malicious domains.
The problem with traditional vulnerability management
Vulnerability management is a persistent issue across most sectors but can be particularly difficult when dealing with OT environments. In addition to the large and continuously increasing number of vulnerabilities to address, OT security teams must also deal with complex networks that include many disparate assets, often using their own proprietary operating systems. OT assets are seldom compatible with scanning and IT management tools designed for standard IT networks.
As a result, teams often struggle to implement the prioritized, ordered approach to vulnerabilities needed to keep ahead of hostile attacks.
Of the 270 organizations we assessed, 70% had at least one known exploitable vulnerability (KEV) in their OT systems. Twelve percent of the nearly one million devices included in the study contained a KEV that had yet to be patched. Worse, 40% of organizations have OT assets insecurely connected to the internet, creating a direct pathway for cyberattacks.
Security teams are often stuck pursuing slow and inefficient patch management programs that lack clear direction. Prioritization is usually based extensively on CVSS scores, which fail to consider the context within the company and, thus, the vulnerability's real-world exploitability and impact. More dangerous vulnerabilities may be overlooked while less important issues drain resources.
The case for exposure management
Dealing with vulnerable OT assets requires a more dynamic approach, prioritized by the real risk to the organization and its infrastructure. Exposure management has emerged as one of the most effective strategies, enabling teams to identify and focus on vulnerabilities with the most significant potential for real-world exploitation.
Exposure management weighs priorities based on multiple risk factors, including identifying which KEVs are actively exploited in the wild and whether assets are affected by insecure remote access or misconfigurations that increase risk. The assessment also considers a device's criticality to business operations, for example, prioritizing those that would disrupt production or cause safety issues in the event of a breach.
The result is a drastically reduced and more focused to-do list for security teams. For example, our research found roughly 111,000 devices with KEVS. But filtering the list by vulnerabilities linked to ransomware and devices with insecure connectivity immediately reduces the total number to 3,800. Suddenly, the task has shrunk by a factor of 30, even before applying more context for specific organizations.
How to start implementing exposure management in OT security
Exposure management follows a five-step process to identify, assess and resolve OT vulnerabilities.
1. Scoping
The first step is identifying those OT assets most critical to operations, such as production lines in manufacturing or scheduling control systems in maritime transport. This is especially important for asset-intensive companies with a large volume of devices to manage. The aim is to reduce the number of assets that need continuous security inspection.
2. Discovery
Next, this initial list of assets is built into a detailed inventory, focusing on the highest-risk devices. This needs to be a highly data-driven method, while more extensive and complex operations will need an automated approach to make discovery manageable.
3. Prioritization
The high-risk inventory can now be prioritized based on severity. As discussed, this process needs to move beyond basic CVSS scores to consider the actual risk posed by KEVs, the asset’s connectivity status, and the potential impact of a breach. Exploit prediction scoring and business impact assessments provide more data points to inform these decisions.
4. Validation
Before taking any action, it’s crucial to ensure vulnerabilities are exploitable and not blocked by elements like closed ports or firewalls. This avoids wasting resources on patching vulnerabilities that look severe on paper but are low risk in reality.
5. Mobilization
With all that preparation done, it’s time to get moving. It’s best to integrate exposure management into existing security workflows like patching and access control wherever possible to keep things efficient. Organizations should also look to establish cross-team collaboration between IT, security, and operations, as OT often becomes heavily siloed from standard IT practices.
Hardening OT against advanced adversaries
Traditional vulnerability management is failing OT security teams by focusing on attempting to patch everything rather than addressing real threats. In the face of increasingly aggressive state-backed actors, this inefficient approach leaves critical infrastructure vulnerable to severe security incidents.
Identifying and prioritizing high-risk vulnerabilities through an exposure management approach will enable these organizations to manage vulnerabilities quickly and efficiently, drastically improving defenses against nation-state threats, ransomware, and cybercriminals.
We feature the best network monitoring tool.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
