Encore Episode: Insights on Protecting OT from Growing Cyber Threats
David Moulton: Welcome to this special encore episode of Threat Vector. I'm David Moulton, Director of Thought Leadership at Unit 42. Today, we're excited to bring the key insights from our October series, where our focus was on operational technology security, where we engage with industry leaders, experts, and innovative thinkers in the cybersecurity realm, specifically concentrating on the challenges and advancements in OT security. From discussions on protecting critical infrastructure to strategies for mitigating risk associated with legacy systems, this series has been packed with really valuable knowledge. In this special episode, we've compiled the key moments and insights that have sparked significant conversations and empowered organizations to enhance their security posture. Operational technology is the cornerstone of a modern society, and safeguarding these systems is not just a priority, but a necessity. Let's dive into the best of October's insights today. On Threat Vector, we always emphasize that zero trust is more than just a buzzword, especially in the OT space. While securing high-risk areas is essential, what about maintaining operational efficiency while doing so? In this next segment, we'll explore how to strike that critical balance. Del, how can organizations effectively implement, say, like a zero-trust architecture in those OT environments?
Del Rodillas: Yeah, I mean, that's the interesting part about zero trust for the OT domain, is it's very, very foreign, right? And when you boil it down to the key elements, I think the first thing is around understanding and prioritizing the risk. And it's very, very high risk considering, you know, what happens if a power grid went down or, you know, your money-making factory stopped producing widgets, right? So it's an exercise, I think, in terms of not trying to secure all of your estate, but focusing on the ones that matter the most. So some kind of prioritized risk ledger, working with the stakeholders to understand this view of assets and their related risks. And from there, I think it's much easier to implement programmatically the awareness, visibility of your assets and their communication. This really informs the fundamental approach for zero trust in terms of, okay, trying to minimize your exposure by locking down the communications and the way users interact with your network, your assets, the data from a least privileged role-based access standpoint, right? And then implementing the segmentation. So typically, what I've seen as best practice is starting with the IT/OT perimeter, you know, biggest bang for the buck there, right? And as you kind of have that stronger perimeter, work your way in and kind of segment further, but not to the point where it's operationally impractical, right?
David Moulton: Del, talk to me about how organizations can balance their security and operational efficiency in those OT environments.
Del Rodillas: Yeah. Again, if you think about the key consideration for zero trust, which starts with a risk-based approach, it's always trying to prioritize the risk -- understand the risk and prioritize that such that you're not trying to boil the ocean and you're protecting the crown jewels and, you know, focusing where you think you can get the best bang for the buck. So starting with a risk-based approach is key. I think the other aspect, especially on the operational efficiency side, is how can you leverage automation. And automation in the OT world is not necessarily about automating the response to stop trust. In fact, a lot of OT asset owners don't want to do that, but at the same time, you can still leverage automation to better disseminate and highlight the alerting process such that you at least know that there's an issue and have the option to take action, if you will. And the other aspect is leveraging AI to baseline the behavior. Some will argue that OT is more predictable than IT, and with that, it's a little bit easier to detect anomalies. [ Music ]
David Moulton: Automation and AI can be powerful allies, yet they're not a silver bullet. The reality remains that OT environments face relentless cyber attacks. Just how prevalent are these attacks and what trends are we seeing? Let's unpack that with these insights.
Michela Menting: We have been covering critical infrastructure and kind of industrial systems for a number of years, for a good decade at least. And those patterns are becoming much more common now, much more prevalent. You know, unfortunately, attacks against OT are very frequent, right? And Qiang mentioned it, you know, 75% of industrial operators experience a cyber attack in their OT environments. We really need to dispel the myth that such attacks are rare in OT. You know, on the contrary, they're terribly common, just like they are in IT. And for sure, the research shows that the majority of operators have experienced an attack on their OT, and this on a monthly basis, right? So it's become recurring.
David Moulton: The data speaks volumes. Attacks on OT are alarmingly common. But have you ever wondered how IT-based threats find their way into OT systems? In our next discussion, we break down the common paths from social engineering to sophisticated exploits that attackers use to infiltrate OT environments. How do IT-borne threats typically make their way into OT systems? This is honestly something that I've always been curious about, Michela, maybe you can --
Michela Menting: Well, I think, I mean, there's two -- if you're looking at it from a very high-level perspective, maybe there's two primary ways. One is, you know, you can exploit vulnerabilities in industrial control systems, right? Build a zero-day around it, you know, do some smart coding, and maybe brute force your way in. But, you know, that's complex, requires a lot of skills. It's not everyone that can do that. The easier way and the very common way is through social engineering, unfortunately. And that is just immensely popular because it works all the time. Not all the time, but it works more often than not, right? You have email compromise, you have phishing, and, you know, threat actors are able to obtain credentials that they then use for remote access. And quite often, you know, it starts in the IT space and then they escalate their privileges and there's a lot of lateral movement that happens until they can hit, you know, those OT assets. But I think increasingly, you'll see some of that happen and target directly OT, right? So they won't even need to go through the IT space to get to those OT assets. So unfortunately today, I mean, it's still very much whacking someone over the head for the password rather than trying to, you know, crowbar their way in through, you know, an iron door or something like that. So social engineering, unfortunately, is highly prevalent and still highly successful even against OT.
David Moulton: With attackers probing from every angle, one might assume organizations have clear sight over their OT assets. Unfortunately, the opposite is often true. Without visibility, securing these systems becomes an uphill battle. Up next, we dive into why visibility remains one of the biggest challenges in OT security.
Qiang Huang: Yeah. Sure, David. We talk to hundreds of these industrial organizations to understand what the top challenges are. It doesn't matter what industry, the top challenge I've heard is about the lack of visibility. "I don't know my OT assets. I don't know the risk. I don't know who is talking to whom." Without that, it's very hard to secure what you don't see. That's the number one challenge. Then you have to realize that because of these OT operational constraints, uptimes, these are assets managed by a different team. Often, the existing security tools don't quite work well on these legacy OT assets. It often comes down to segmentation. But because of a lack of visibility, we see insufficient segmentation or threat prevention. Now, there are also new challenges because of this digital transformation, the new way of doing business. Two things I want to highlight. One is, sort of how do I, you know, have visibility and the security control for all these remote operations, all these unsanctioned connections? It's a big challenge nowadays. And also, how do I secure my private LTE and private 5G networks? Most of these enterprise folks, they're not mobile experts. So when you bring all of these together, the industry is also facing a huge amount of complexity when they have to bring multiple sets of tools to drive that OT security in an effective way. [ Music ]
David Moulton: Visibility and segmentation issues highlight the complex landscape CISOs must navigate. But with constrained budgets and growing threats, where should security leaders focus their spending to maximize security outcomes? Here's an inside look at making budget decisions that count. Brian, CISOs are often caught with these limited budgets and, you know, if you read the news growing threats, what factors should CISOs prioritize when they're considering their budget decisions to ensure that they have that maximum impact for their security posture or security outcomes?
Brian Wrozek: So first and foremost, get the most out of your existing controls. You know, how many times have you deployed a product and you're using 10, 20% of the functionality? So really making sure that I'm getting as much use out of my contract and my technology as I can. And then the other way is really have a method to your madness. So, you know, what are you doing and why? What's the purpose? How does this align to a, you know, industry framework or a standard? And can you back up your decisions with things like external threat intelligence, maybe some benchmarking or other, you know, frameworks and industry standards?
David Moulton: Allocating budget wisely is one part of the strategy, but ensuring that security measures don't stifle business operations is another challenge entirely. How can CISOs create robust defenses without frustrating their teams or hampering productivity? The next segment offers practical advice on aligning security with user experience. I'm curious how CISOs can make decisions that protect an organization without hindering the business operation or the user experience of those employees.
Brian Wrozek: Yeah, this is something I've been very passionate about is -- because security is difficult, people are going to, you know, work around it or avoid it. And that's worse than having no security control at all. So the first thing is you have to be realistic about the risk. You know, I had a boss that always used to ask me, you know, "Is this something that, you know, I could do or, you know, do you need to be a physicist and stand on one leg and Venus and Mars have to be in alignment?" So really being realistic about the risks that you're dealing with. And then a technique that used to work really well for me was to get advice from non-security experts. So if everybody you're talking to are fellow security professionals, we're all paranoid. We're all going to look at the worst-case scenario and we all read threat reports about just how dangerous the internet is. Getting advice from, you know, somebody in the sales department, the marketing department, the engineering department gives you that perspective and kind of grounds you a little bit better. And then the third aspect is looking at compensating controls. So, you know, there's multiple aspects to security. You can protect it. You can detect when something bad happens. You can react better if you've detected that something bad happens. And there's insurance, right? You may have to take legal action that could be your only recourse.
David Moulton: That's it for today. I, again, want to thank our guests that appeared on Threat Vector in October for sharing their insights. As always, cybersecurity is a journey and not a destination. And staying ahead means asking the right questions and learning from each other. If you found today's conversation useful, please subscribe and leave us a review wherever you listen to podcasts. I want to thank our executive producer, Michael Heller, our content and production team, which includes Kenne Miller, Joe Bettencourt, and Virginia Tran. Elliott Peltzman edits the show and mixes the audio. We'll be back in a week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]