30.04.2025

7 Current Challenges in OT Security

Touch panels on machines, telecontrol stations and edge gateways for IoT data: An industrial site such as a smart factory can quickly have up to 500 individual OT devices in use – enough of a target for hackers and cybercriminals. These are seven challenges that organisations should have on their radar today.

The security of operational technology (OT), such as production robots and control machines, tends to be overshadowed by traditional IT security – but wrongly so. Companies that fail to proactively secure their OT devices and adapt them to new challenges can face significant business damage. This is because cyber criminals have long focused on these gateways.

The Critical Infrastructure Protection Act (KRITIS) and the NIS2 Directive are designed to provide greater protection. They will significantly expand the group of companies that will have to deal with stricter OT cyber protection in the future – to over 30,000 affected companies in the critical infrastructure sector.

OT in practice – but safe!

What best practices already exist in the industry to secure industrial plants and critical infrastructure – such as a hydroelectric power station – in the best possible way? On 13 May, eco’s Security and IoT Competence Groups will bring together interested parties for the ‘Security meets Operational Technology’ event in Cologne. Presentations and expert discussions will highlight challenges and present successful solutions.

The State of OT/ICS Security 2024 study by eco member SITS will also reveal the vulnerabilities companies should be looking for in their OT security strategy and the risk factors currently affecting companies.

  1. More professional attacks

The current threat landscape shows a clear pattern: industrial systems are increasingly becoming the focus of cyber criminals. Highly effective attacks on industrial systems have multiplied since 2020. By 2023, the number of such attacks had increased by 140 per cent. Ransomware is the most common attack vector (74 per cent of all cases) – such attacks on industrial companies have increased by 50 per cent compared to 2023.

  2. Legacy systems without support

Many industrial facilities continue to rely on old systems that no longer receive security updates. This leaves serious vulnerabilities permanently open. Often, this is because replacement is not easy for operational reasons – systems need to be replaced seamlessly to avoid losing valuable production time.

  3. Securing IT-OT convergence with care

Although converged architectures can be implemented relatively quickly and flexibly, they are complex environments that organisations need to secure professionally. After all, 70 per cent of OT security incidents originate in the IT domain. Most critically, 67 per cent of network connections are considered unauthorised or unwanted, indicating weak network segregation and access controls.

  4. Securely integrate IoT devices into OT environments

IoT technology can introduce new risks to the OT network, such as insecure firmware, untested components or poorly protected access. An attack often starts with credentials – automated scanning systems systematically identify and compromise devices with default or weak passwords.

  5. Effective organisational structures

Only 38 per cent of organisations have a dedicated OT security team. Slightly more (39 per cent) still traditionally entrust their industrial cybersecurity to the IT security team. In 23 per cent of cases, an attempt is made to share responsibility between IT and OT.

  6. Lack of continuous monitoring

Only 26 per cent of organisations continuously monitor their OT systems. Many rely on periodic checks at hourly, weekly, monthly or even quarterly intervals. Companies that have established enterprise-wide security operations centres are best at monitoring.

  7. Heavy regulatory pressure (NIS2 & CRA)

In light of the NIS2 Directive and the Cyber Resilience Act (CRA), companies and OT manufacturers are legally required to ensure that their OT devices are subject to stricter security measures. This includes a 24-hour incident reporting requirement, mandatory security measures and stiff fines of up to €10 million or two per cent of global turnover.

  1. Best practices: Solutions from and for industry

Companies using or planning to use smart machines should be aware of the technical vulnerabilities and current regulations. It helps to share ideas with other stakeholders. Together we can find solutions and learn from each other. The eco Competence Groups (CGs) provide a regular framework for this.

 

Interested in security best practices and expert exchange?

Register here for the eco event ‘Security meets Operational Technology’ (in German) on 13 May in Cologne.

 
