Rob McNutt is the Chief Strategy Officer at Forescout Technologies, responsible for innovation and company strategy.

Operational technology (OT) has long been the backbone of critical infrastructure, spanning utilities, manufacturing plants and military systems.

Historically, these environments were isolated, operating on the premise that limited access equated to inherent security. This assumption guided the design of OT systems, which were often engineered to perform specific tasks reliably over long periods with minimal human intervention.

However, the increasing integration of smart technologies, artificial intelligence and a drive toward a hyper-connected blend of IT and OT is reshaping the security landscape, requiring a fundamental evolution in OT security strategies.

The Growing Complexity Of OT

Over the years, organizations have built vast portions of their critical infrastructure, believing that these systems were “risk-proofed” due to their isolation. However, the modernization trend marked by smart utilities, automated manufacturing processes and even autonomous military systems has dissolved the boundary between OT and IT.

The advent of digital transformation is introducing a myriad of connected devices, remote monitoring capabilities and real-time data analytics, which, while improving efficiency, also broadens the potential attack surface.

Furthermore, organizations face a significant challenge in safeguarding these systems. Many OT environments rely on legacy equipment or purpose-built systems designed years ago. These older systems often lack built-in security features such as authentication and encryption, and their vendor-managed nature adds a further layer of third-party supply chain risk.

Blending traditional OT with modern IT demands a shift in how organizations approach security.

From Detection To Protection

Traditionally, OT security has centered around detection. The logic was straightforward: isolate the system as much as possible, monitor for anomalies and respond to threats as they arise. However, as recent cyber incidents have demonstrated, this approach is no longer sufficient. More sophisticated and targeted attacks on critical infrastructure now have the potential to disrupt essential services, threaten public safety and, in some cases, cause loss of life.

In OT environments, downtime is rarely an option. Systems controlling the power grid, water supply, or critical manufacturing processes are designed to run continuously, often without the luxury of regular updates or patches.

Many of these systems are effectively unpatchable: they were engineered with stability, not security, as the primary concern, and applying a patch often means revalidating the process or taking an outage. As a result, the traditional "patch and protect" mindset of IT security does not translate well to OT environments.

The evolving threat landscape demands a strategy that goes beyond mere detection. Organizations must adopt a more proactive posture, focusing on “protection” to complement existing detection mechanisms. This involves implementing robust security controls tailored to the unique requirements of OT environments, such as network segmentation, access control and zero-trust principles.

Given that many OT systems cannot be patched, compensating controls such as behavior analysis (baselining which hosts issue which commands to which devices) and access control become the primary means of mitigating threats.

Quantifying Risk

Unlike conventional IT systems, the risks associated with OT extend far beyond financial loss or reputational damage. When an OT system is compromised, the consequences can be severe, affecting critical services, public safety and even human lives.

For example, an attack on a water treatment facility could compromise drinking water safety, or a disruption in power delivery could jeopardize the operation of hospitals and emergency services. These high-stakes scenarios demand risk quantification that reflects their potential impact on society.

In this context, OT security professionals must recalibrate how they measure risk. While ransomware attacks have often been quantified in terms of financial loss or brand damage, the risks to OT systems are more complex, encompassing potential human casualties, widespread service disruption and national security implications.

Consequently, organizations must prioritize OT security investments, ensuring that their critical infrastructure can withstand not just simple cyber intrusions, but also highly targeted, sophisticated attacks.

The Role Of Third-Party Risk

Another critical aspect of OT security is managing third-party risk. Many OT systems are vendor-managed, introducing an additional layer of supply chain complexity. Relying on external vendors for maintenance, updates and support creates multiple entry points for potential cyber threats. Attackers have exploited this exposure, as seen in high-profile supply chain incidents, to compromise critical infrastructure indirectly.

Organizations must now scrutinize their third-party relationships, ensuring that vendors adhere to strict security standards. This may include conducting regular security assessments, establishing clear protocols for remote access and implementing comprehensive vendor risk management programs. By addressing these supply chain vulnerabilities, organizations can reduce the likelihood of a compromise that originates from their partners.
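The compensating controls described under "From Detection To Protection" (a zone allowlist for segmentation, write privileges limited to the engineering host, and a behavior baseline for an unpatchable controller) together with the vendor remote-access gating described just above, as an added example that is not from the article or from Forescout. Modbus/TCP is used because its framing is public and it has no authentication of its own; the IP addresses, the PLC, the policy, the maintenance window and the sample frames are all constructed assumptions, not taken from any real plant.

```python
"""Added example: policy checks for Modbus/TCP requests to one unpatchable PLC.
All hosts, addresses, windows and frames below are constructed for illustration."""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

# Modbus public function codes (from the protocol specification).
READ_CODES = {1, 2, 3, 4}            # read coils / discrete inputs / holding / input registers
WRITE_CODES = {5, 6, 15, 16, 23}     # write coil(s) / register(s), read-write multiple
WRITE_ADDR_CODES = {5, 6, 15, 16}    # write PDUs whose first two payload bytes are the start address

# Assumed zone policy for one PLC: segmentation allowlist plus least privilege.
PLC_IP = "10.10.1.20"
ALLOWED_SOURCES = {"10.10.1.5", "10.10.2.50"}   # HMI and engineering workstation
WRITE_SOURCES = {"10.10.2.50"}                    # only engineering may write
VENDOR_SOURCES = {"10.200.0.9"}                   # vendor jump host, gated by a change window
BASELINE_WRITE_RANGE = range(100, 111)            # setpoint registers written in normal operation

# Assumed approved maintenance window for the vendor host (ticket-backed in practice).
MAINTENANCE_WINDOWS = {
    "10.200.0.9": (datetime(2024, 5, 14, 1, 0, tzinfo=timezone.utc),
                   datetime(2024, 5, 14, 3, 0, tzinfo=timezone.utc)),
}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    unit_id: int
    function: int
    payload: bytes


def build_frame(tid: int, unit: int, function: int, payload: bytes) -> bytes:
    """Encode a Modbus/TCP request: MBAP header (tid, proto 0, length, unit) + PDU."""
    return struct.pack(">HHHB", tid, 0, len(payload) + 2, unit) + bytes([function]) + payload


def parse_modbus_tcp(src: str, dst: str, frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and function code, rejecting malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return ModbusRequest(src, dst, unit, frame[7], frame[8:])


def evaluate(req: ModbusRequest, when: datetime) -> list[str]:
    """Apply the policy to one request; an empty list means it is allowed."""
    findings = []
    if req.dst != PLC_IP:
        return ["destination not covered by this policy"]
    if req.src in VENDOR_SOURCES:                       # vendor access only inside its window
        start, end = MAINTENANCE_WINDOWS.get(req.src, (None, None))
        if start is None or not (start <= when < end):
            findings.append("vendor access outside approved maintenance window")
    elif req.src not in ALLOWED_SOURCES:                # segmentation: unknown host in the zone
        findings.append("source not in zone allowlist")
    elif req.function in WRITE_CODES and req.src not in WRITE_SOURCES:
        findings.append("write from a host not permitted to write")
    if req.function not in READ_CODES | WRITE_CODES:    # behavior: never-seen function code
        findings.append(f"unexpected function code {req.function}")
    if req.function in WRITE_ADDR_CODES and len(req.payload) >= 2:
        addr = struct.unpack(">H", req.payload[:2])[0]
        if addr not in BASELINE_WRITE_RANGE:            # behavior: write outside the baseline
            findings.append(f"write to address {addr} outside observed baseline")
    return findings


def sample_traffic():
    """Constructed (src, time, frame) tuples; not captured from a real network."""
    t = datetime(2024, 5, 14, 2, 0, tzinfo=timezone.utc)      # inside the vendor window
    noon = datetime(2024, 5, 14, 12, 0, tzinfo=timezone.utc)  # outside it
    return [
        ("10.10.1.5", t, build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),     # HMI read
        ("10.10.1.5", t, build_frame(2, 1, 6, struct.pack(">HH", 100, 1))),    # HMI write
        ("10.10.3.77", t, build_frame(3, 1, 3, struct.pack(">HH", 0, 10))),    # unknown host
        ("10.10.2.50", t, build_frame(4, 1, 6, struct.pack(">HH", 0, 0))),     # eng write, addr 0
        ("10.10.2.50", t, build_frame(5, 1, 8, struct.pack(">HH", 0, 0))),     # diagnostics code
        ("10.200.0.9", t, build_frame(6, 1, 16, struct.pack(">HHB", 105, 1, 2) + b"\x00\x01")),
        ("10.200.0.9", noon, build_frame(7, 1, 3, struct.pack(">HH", 0, 10))),  # vendor, no window
    ]


def run(traffic=None):
    """Return (src, function code, findings) for each request."""
    results = []
    for src, when, frame in (traffic or sample_traffic()):
        req = parse_modbus_tcp(src, PLC_IP, frame)
        results.append((src, req.function, evaluate(req, when)))
    return results


if __name__ == "__main__":
    for src, fn, findings in run():
        print(f"{src:<12} fn={fn:<3} {'ALLOW' if not findings else 'ALERT: ' + '; '.join(findings)}")
```

In a plant the verdicts would feed a firewall or protocol-aware gateway sitting in front of the controller (protection) as well as the monitoring pipeline (detection); the point of the ordering is that the allowlist and window checks block, while the baseline checks are meant to raise a review even for hosts that are otherwise permitted.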

Future-Proofing OT Security

The rapid introduction of newer devices, particularly those categorized under the internet of things (IoT), further complicates the OT security landscape. The convergence of IT, OT and IoT creates a complex, interconnected environment that is increasingly difficult to secure. Moreover, the potential emergence of cryptographically relevant quantum computing poses a significant challenge to the public-key cryptography currently employed to protect data integrity and confidentiality.

A sufficiently large quantum computer would break the public-key algorithms (RSA, Diffie-Hellman and elliptic curve) that underpin today's TLS, VPN and firmware-signing schemes, while only weakening symmetric ciphers, so organizations must begin planning the move to post-quantum alternatives. This poses an inherent challenge to existing infrastructure and devices, many of which cannot adopt new algorithms because of hardware limitations such as fixed cryptographic accelerators, limited memory or no firmware update path. It is a particular concern for organizations that rely on public networks to monitor or manage these critical systems, since traffic captured today can be stored and decrypted later.

Integrating Detection And Protection

The future of OT security will require a multi-layered approach that integrates detection and protection seamlessly. Organizations must transition from a reactive to a proactive security posture, deploying tools and technologies designed specifically for the unique challenges of OT environments. This includes investing in solutions that offer real-time monitoring, threat intelligence and automated response capabilities while ensuring that the systems in place can operate without causing disruptions to critical processes.

OT security’s evolution is driven by the increasing integration of innovative technologies and the changing nature of threats. Organizations must move beyond the outdated notion of risk-proofing through isolation and adopt a comprehensive strategy that balances detection with robust protective measures.

As the world moves toward a hyper-connected blend of IT and OT, securing these vital systems will be paramount to safeguarding critical infrastructure, human safety and societal well-being.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.