June 4, 2024 Protecting OT in Critical Infrastructure

A piecemeal approach to cybersecurity will no longer suffice when it comes to protecting our most precious and vulnerable OT assets.

by Anand Oswal, SVP and GM of Network Security, Palo Alto Networks

In the business world, digital transformation has opened a door to untapped opportunities for efficiencies and output. Much of this is powered by Operational Technologies (OT), the systems and technologies that monitor and manage devices, infrastructure and processes. It helps ensure machines are running efficiently, prevents downtime through preventive maintenance, and drives faster innovation by connecting with IT services across the business. As OT becomes more interconnected and essential, it increasingly becomes a target for bad actors.

Palo Alto Networks and ABI Research’s recently published State of OT Security report offers insights into the complexities and inherent security threats to industrial environments.

These industrial companies are the engines behind so much of our way of life, powering critical infrastructure that allows us the conveniences we’re accustomed to – from drinkable water flowing from our taps to the gasoline available at our corner stations – and that we often take for granted until they don’t work.

The research found that over the past year, 70% of industrial organizations have fallen victim to cyberattacks and 1 in 4 industrial organizations are attacked by cyber criminals at least weekly. This also affects business continuity as approximately 25% of organizations said they had to shut down operations due to an attack.

These findings underscore the serious impact of these breaches and the reality of OT security. Attacks in this sector are primarily IT-borne, with ransomware creating the most devastating effects on industrial environments. While successful ransomware attacks on OT can offer bad actors financial gain, we are seeing increasingly alarming news headlines suggesting there’s more political motivations driving the targeting of these technologies. Over the past few weeks we’ve seen reports that shipping ports around the U.S. are increasingly using surveillance software, posing a risk to exploitation. More recently, the Environmental Protection Agency (EPA) penned a letter to governors sharing concerns over the increased cyber attacks disabling water and wastewater systems across the country.

In all of the above scenarios, legacy technologies and poor cybersecurity hygiene are to blame. For example, one testimony pointed to the use of end-of-life routers (which were not getting updates pushed to them) as a key entrypoint for bad actors to our critical infrastructure. And the threat isn’t hypothetical. Ireland and multiple U.S states have fallen victim to hacker group attacks on water systems. This is aligned with our research that suggests the state of affairs has pushed cybersecurity to the top of the agenda for industrial operators.

As we increasingly rely on the connected world and the business pressure to up production and efficiency intensifies, more companies and countries are on the digitization journey. When done safely and correctly, it can do wonders to a company’s market competitiveness and bottom line. When it’s not, it can easily become the ideal channel for espionage, data theft, operational disruption, and for sowing chaos.

What you can do to protect operational technology in critical infrastructure

There are two common arguments about the challenges related to protecting OT in critical infrastructure:

1. It’s not easy to upgrade and patch legacy and out-of-date OT equipment.
2. OT and IT tools and operations are still siloed, leading to ineffective security and complexity.

As IT and OT converge at the network level, there needs to be an integrated IT and OT approach that reduces complexity with dedicated OT visibility. This will provide a layer of defense, such as inline virtual patching, to mitigate vulnerabilities to defend connected devices at the network layer.

Implementing a Zero Trust approach will ensure your organization is always protected without needing to worry about disruptions stemming from constant verifications. Zero Trust is rooted in the idea of “never trust, always verify.” It can provide stronger visibility into your OT assets and risk, which you can use to augment segmentation, and then use that information to provide continuous monitoring and inspection against malicious activities and anomalies. This approach also helps tackle the insecurity of legacy OT equipment. It becomes even more important as attacks become more sophisticated, requiring best-in-class security detections leveraging AI/ML.

As the industry continues adopting new technologies like AI, remote access, cloud, 5G, and robotics, these technologies will not only bring new business opportunities but also add new security risks and usher in new compliance requirements. We also expect to see more regulatory pressure to protect OT over the next couple of years, especially related to critical infrastructure. It’s clear that a piecemeal approach to cybersecurity will no longer suffice when it comes to protecting our most precious and vulnerable OT assets. That’s why the best defense against cyber criminals is working with a cybersecurity company that can help reduce complexity with best-in-class security services that holistically cover both IT and OT. 

About the Author:
Anand Oswal is the Senior Vice President & GM for Network Security at Palo Alto Networks. His team of researchers and developers deliver best-in-class enterprise networking products and services to help to protect users, applications and infrastructure from cybersecurity threats.

He is a dynamic leader with a passion for building strong, diverse and motivated teams that excel through a relentless focus on execution. A holder of more than 60 U.S. patents, he focuses on disruptive innovation and inspiring his team to build awesome products and solutions.

Before joining Palo Alto Networks, Anand was SVP, Engineering, for Cisco’s Intent-Based Networking Group. He joined Cisco through the acquisition of Starent Networks, and earlier in his career, held leadership roles at Siara Systems, Sun Microsystems and Ericsson.

Anand holds a bachelor’s degree in telecommunications from the College of Engineering, Pune, India and a master’s degree in computer networking from the University of Southern California, Los Angeles. He is recognized as a thought leader on innovation, leadership, diversity and the importance of family.

Subscribe to Industry Today