Cyber Defense Advisors

Hiding in plain sight: The risks posed by OT systems and how to secure them

When we consider what security means for an organization, most think of needing to secure systems and devices like cloud computing instances, servers, employee workstations, and other tech commonly seen in the workplace. While these are certainly important, there are many other devices requiring protection that are hiding in plain sight. Operational technology (OT) is an area that is often overlooked, as it includes systems and technologies that the eye cannot always see. Frequently, security leaders conceptualize OT as in use only in very specific industries, such as power generation or energy extraction. However, OT systems are present on the networks of nearly every organization, as they also include building management systems, fire control systems, physical access control mechanisms, HVAC systems, medical devices, and manufacturing equipment, to name a few. When you think of this list, do you know how many of them are actually secured within your organization?

If you aren’t sure, you aren’t alone. This is a common issue for organizations, especially as digital transformation has brought on even more new tools and solutions to streamline business operations. As a result, there is more to secure today than ever before. To address this, attack surface management (ASM) offers a lifeline for organizations to secure their OT systems. An ASM solution can help organizations actively discover, learn about, and respond to unknown risks in all publicly connected systems and exposed services – and this can be the saving grace to avoid a disastrous attack.

Here are three reasons OT systems are tough to secure, and how ASM can help:

Systems are built without security in mind

Unfortunately, because many OT systems were built before the advent of the Internet or were purposely designed as walled gardens, segmented from internet access, little consideration was given to security, which makes them more vulnerable to attack. These systems often include legacy devices, like Programmable Logic Controllers (PLCs) and medical equipment, which were built to serve an organization for a long time. Consequently, they lack the advanced security controls needed to address and prevent modern-day threats. While securing them isn't impossible, it can be difficult to achieve.

As a result, IT and security departments need to be incredibly vigilant in knowing exactly what systems are part of their larger organization and what is required to secure them. To address this, these teams can implement ASM tools to provide them with the continuous visibility capabilities they need to identify and manage security gaps across their OT ecosystems.

You can’t secure what you don’t know about

Finding that you have OT systems that aren't part of your security plans can be a wake-up call to the security risks that exist within your environment, and in particular, proof of how OT technologies tend to make up the bulk of these unknown and unseen systems. Given that many OT systems consist of legacy technology that was built before today's modern and advanced threats, today's security solutions may have unexpected blind spots when it comes to recognizing these systems and the vulnerabilities they pose to the broader ecosystem.

To add another layer of complexity, the systems you think are secure may actually not be. For example, at an industrial site, the manufacturing line itself is not directly accessible over the internet. However, there are systems controlling the line that can be online, and these pose a threat and an opportunity for threat actors to gain access to the broader ecosystem. While OT systems are meant to be segmented to avoid back-door access like this, today's connected world means that this may not always be the case. As mentioned, ASM capabilities can actively monitor each of the endpoints across the entire ecosystem and even discover hidden systems. This enables security and IT teams to develop a strong security and defense strategy, especially when it comes to prioritizing and remediating potential vulnerabilities.

Isn’t it someone else’s problem?

Suppose your organization rents office space that is part of a larger building. What parts of the office are your responsibility to secure? This is a gray area, and confusion about how to approach it often leaves entire systems vulnerable to attack because all parties involved assume someone else is responsible for securing them – building management systems, HVAC systems, access control systems, and more. In the 2022 Attack Surface Threat Report, researchers found that nearly 14% of all exposed infrastructure on the public internet was related to building control systems. Many think that securing these building systems is a need outside of IT teams; however, with so many people involved with the building, it's difficult to know who is really in charge of its security. One company may own the building, another may be in charge of property management, another of physical security, and so on. With so many players, nobody knows who's managing broader security. Use your ASM solution to identify these gaps and then begin conversations to determine levels of responsibility and access across the system to ensure a Zero Trust security posture for the entire organization.
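The two gaps described above (systems that are exposed but missing from the inventory, and inventoried systems that nobody owns) can be made concrete by reconciling an asset inventory against an external discovery scan. The following is an added example, not code from the article or from any ASM product; the port-to-protocol table, the severity scheme, the hypothetical inventory records and the discovery results (using the 203.0.113.0/24 documentation range) are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Well-known OT and building-automation service ports (assumed list, not from the article).
OT_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    1911: "Niagara Fox",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Exposure:
    """One externally reachable service, as an ASM discovery scan would report it."""
    ip: str
    port: int
    banner: str = ""


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    protocol: str   # OT protocol name from OT_PORTS, or "non-OT"
    owner: str      # "UNKNOWN" when the asset is not inventoried or has no owner
    severity: str


def classify(exposure, inventory):
    """Rate one exposure by whether it speaks an OT protocol and whether anyone owns it."""
    protocol = OT_PORTS.get(exposure.port, "non-OT")
    record = inventory.get(exposure.ip)
    owner = record["owner"] if record and record.get("owner") else "UNKNOWN"
    is_ot = protocol != "non-OT"
    if is_ot and owner == "UNKNOWN":
        severity = "critical"   # OT device on the internet and nobody accountable for it
    elif is_ot:
        severity = "high"       # known OT device, but it should not be internet-facing at all
    elif owner == "UNKNOWN":
        severity = "medium"     # ordinary service, but the asset itself is a blind spot
    else:
        severity = "low"
    return Finding(exposure.ip, exposure.port, protocol, owner, severity)


def unknown_assets(inventory, exposures):
    """IPs seen from the outside that the inventory has never heard of."""
    return {e.ip for e in exposures if e.ip not in inventory}


def reconcile(inventory, exposures):
    """Classify every exposure and order the list for remediation."""
    findings = [classify(e, inventory) for e in exposures]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.ip, f.port))


# Constructed sample data (hypothetical hosts in the 203.0.113.0/24 documentation range).
INVENTORY = {
    "203.0.113.10": {"name": "corp-web-01", "owner": "IT"},
    "203.0.113.25": {"name": "hvac-gateway", "owner": ""},   # ownership never assigned
    "203.0.113.40": {"name": "plc-line-3", "owner": "Plant Engineering"},
}
DISCOVERED = [
    Exposure("203.0.113.10", 443, "nginx"),
    Exposure("203.0.113.25", 47808, "BACnet"),
    Exposure("203.0.113.40", 502, "Modbus"),
    Exposure("203.0.113.77", 502, "Modbus"),   # not in the inventory at all
    Exposure("203.0.113.77", 22, "OpenSSH"),
]

if __name__ == "__main__":
    print("Unknown assets:", sorted(unknown_assets(INVENTORY, DISCOVERED)))
    for f in reconcile(INVENTORY, DISCOVERED):
        print(f"{f.severity:8} {f.ip}:{f.port:<5} {f.protocol:20} owner={f.owner}")
```

Run stand-alone, the script lists 203.0.113.77 as an asset the inventory does not know about and puts the two ownerless OT exposures (the BACnet gateway with an empty owner field and the uninventoried Modbus host) at the top of the list, ahead of the PLC that at least has an accountable team. In practice the `DISCOVERED` list would come from the ASM platform's export and `INVENTORY` from the CMDB; the reconciliation logic is what turns those two feeds into the ownership conversations the section above recommends.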

While securing OT systems can seem daunting, it's not impossible. Attack surface management provides the technology needed to discover and lock down the assets in your organization. By combining ASM with a diligent security posture, which includes regular asset inventory, we can better protect critical, and often legacy, systems against the ever-evolving threat landscape.

Learn more about attack surface management, including Palo Alto Networks' ASM solution, Cortex Xpanse.
