The threats to operational technology (OT) are increasingly coming from a range of sources, including hostile governments, terrorist groups, disgruntled employees, malicious intruders, natural disasters, insider actions and unintentional incidents such as human error or failure to follow established policies and procedures. In its recently released survey, State of Operational Technology and Cybersecurity 2024, Fortinet reported an increase in attacks on industrial control systems and OT during the second half of financial year 2023-24. These systems are attractive targets for attackers, requiring constant vigilance and resource allocation. The report also noted that OT systems are not fully visible within an organisation’s central cybersecurity operations, and fewer organisations are successfully detecting ransomware, indicating a more sophisticated and targeted threat landscape.

A look at the key highlights of the report and major takeaways…

OT cybersecurity threats

There has been a significant increase in intrusions, with phishing emails being the most common cause. Business email compromise was reported by nearly two-thirds of the organisations surveyed. Ransomware and wiper intrusions also saw a spike. Meanwhile, ransomware volume has not decreased, with threat actors using more sophisticated strains as ransomware-as-a-service has expanded. Distributed denial-of-service intrusions have doubled over the past year, with malware being the only category that saw a decline.

The report findings indicate that multiple techniques were involved in the intrusions. Mobile security breaches and web compromises ranked highest, while insider breaches by bad actors were among the least common.

Further, OT cybersecurity posture made significant progress in 2024, with 20 per cent of the surveyed organisations establishing visibility and segmentation, compared with 13 per cent in 2023, while 30 per cent of organisations implemented access control and profiling. The number of organisations that established predictive behaviour decreased, whereas the number leveraging orchestration and automation increased.

Impact of intrusions

The survey revealed that organisations witnessed a significant number of intrusions in 2023-24, affecting productivity, brand awareness, revenue, physical safety and compliance. These intrusions also led to failure to meet compliance requirements and loss of business-critical data or intellectual property. The majority of organisations reported that cybersecurity intrusions are affecting either OT systems or both information technology (IT) and OT systems. Specifically, intrusions impacting only OT systems rose to 24 per cent from 17 per cent, and those affecting both IT and OT systems increased to 49 per cent from 32 per cent during 2023-24. Meanwhile, intrusions impacting only enterprise IT systems saw a decline, dropping from 51 per cent in 2023 to 28 per cent during the reported period.

OT and cybersecurity

Organisations are monitoring and reporting various cybersecurity metrics, including risk management outcomes, vulnerabilities, cost reduction, financial implications, productivity gains, and intrusion detection and remediation. However, there has been a decline in the tracking of detected and remediated intrusions. This disparity between increased monitoring of cybersecurity metrics and decreased detection of actual intrusions may create a false sense of security.

The influence of OT systems on an organisation’s overall risk score is also declining, with respondents stating that their OT security posture carries less weight. There has been a significant increase in respondents reporting that OT is not a factor in risk scoring, from 1 per cent in 2023 to 7 per cent in 2024. Meanwhile, 39 per cent of organisations consider OT a moderate factor, while 55 per cent consider it a significant factor in overall risk assessment.

Senior leadership is also frequently being informed about OT cybersecurity issues, including compromises, scheduled assessments and compliance requirements. However, there has been a decline in the reporting of penetration and intrusion test results; these tests are expensive, and organisations may be investing less in them. OT professionals have also expanded their cybersecurity features and protocols, with internal network segmentation, internal security training and role-based access growing significantly.

Global impact of OT intrusions

Surveyed organisations named security incident response time (time to return to service) as one of their top three success factors, followed by response time to security vulnerabilities and efficiency/productivity gains.

Moreover, OT professionals are increasingly adopting a wide range of cybersecurity measures and technologies to enhance security within their organisations. As per the survey, there have been significant investments in internal network segmentation, role-based access controls and internal security training programmes.

With the convergence of IT and OT networks, organisations must address threats to sensitive OT systems that were previously isolated. This requires improved visibility, network segmentation and controlled access to OT systems. Organisations are adopting a zero-trust approach to security, which involves strict access controls and continuous monitoring. As cybercriminal activity has increased, greater responsibility for OT security is being placed on leadership, leading to increased spending on cybersecurity measures. Despite the positive trend of increased investments, the expanding scale and sophistication of cyberattacks mean that more resources are needed to effectively protect OT systems.

Intrusion reduction practices

To reduce intrusions, building a robust OT environment with strong network policy controls is essential. This architecture involves creating network zones or segments, following standards such as ISA/IEC 62443 (International Society of Automation/International Electrotechnical Commission), which defines the zone-and-conduit model. Teams should assess the complexity of managing a solution and consider the advantages of an integrated or platform-based approach with centralised management capabilities. Implementing a secure networking strategy starts with asset inventory and segmentation, followed by advanced controls such as OT threat protection and micro-segmentation.

Organisations must also ensure visibility of all OT assets on their networks and protect vulnerable devices using protective compensating controls. These controls, including protocol-aware network policies, system-to-system interaction analysis and endpoint monitoring, can detect and prevent asset compromise. Combining application-layer policies, OT vulnerability protections and virtual patching can significantly reduce the exposure of vulnerable legacy systems.
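The two paragraphs above describe a zone-and-conduit segmentation model and protocol-aware network policies without showing what a check against such a policy looks like. The following is an added example written for this article; it is not code from the report or from Fortinet. The zone address ranges, the allowed conduits, the engineering-workstation address and the flow records are all constructed for illustration. It evaluates each flow against the conduit table, treats a source or destination outside the asset inventory as a violation, and applies one protocol-aware rule: Modbus write function codes are only permitted from the engineering workstation.

```python
"""Zone/conduit policy audit over constructed flow records (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical zone layout, loosely following the ISA/IEC 62443 zone-and-conduit model.
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),
    "dmz": ip_network("10.1.0.0/24"),
    "supervisory": ip_network("10.2.0.0/24"),  # HMIs, engineering workstations
    "control": ip_network("10.3.0.0/24"),      # PLCs, RTUs
}

# Conduits: (source zone, destination zone) -> allowed (application protocol, destination port).
# Anything not listed here is denied, including the direct enterprise-to-control path.
CONDUITS = {
    ("enterprise", "dmz"): {("https", 443)},
    ("dmz", "supervisory"): {("https", 443)},
    ("supervisory", "control"): {("modbus", 502)},
}

# Protocol-aware rule: Modbus writes are allowed only from the engineering workstation (constructed).
ENGINEERING_WORKSTATION = ip_address("10.2.0.50")
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16}  # write coil/register, write multiple coils/registers


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    app_proto: str                 # what the protocol-aware sensor identified, not just the port
    modbus_function: Optional[int] = None


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone, or None when the host is not in the inventory."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow) -> str:
    """Return 'allowed' or a 'violation: ...' string for one flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "violation: host not in asset inventory"
    if src_zone == dst_zone:
        return "allowed"  # intra-zone traffic is outside the conduit policy
    allowed = CONDUITS.get((src_zone, dst_zone), set())
    if (flow.app_proto, flow.dst_port) not in allowed:
        return f"violation: no conduit {src_zone}->{dst_zone} for {flow.app_proto}/{flow.dst_port}"
    if (flow.app_proto == "modbus"
            and flow.modbus_function in MODBUS_WRITE_FUNCTIONS
            and ip_address(flow.src) != ENGINEERING_WORKSTATION):
        return "violation: modbus write from non-engineering host"
    return "allowed"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every flow that violates the policy, with its verdict."""
    results = []
    for flow in flows:
        verdict = evaluate(flow)
        if verdict.startswith("violation"):
            results.append((flow, verdict))
    return results


# Constructed flow records, as a protocol-aware sensor might export them.
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "10.1.0.10", 443, "https"),                 # enterprise -> DMZ, allowed
    Flow("10.0.5.20", "10.3.0.7", 502, "modbus", 3),              # enterprise -> PLC directly, no conduit
    Flow("10.2.0.50", "10.3.0.7", 502, "modbus", 16),             # engineering workstation write, allowed
    Flow("10.2.0.21", "10.3.0.7", 502, "modbus", 3),              # HMI read, allowed
    Flow("10.2.0.21", "10.3.0.7", 502, "modbus", 6),              # HMI write, violation
    Flow("10.2.0.21", "10.3.0.7", 22, "ssh"),                     # SSH to a PLC, no conduit
    Flow("192.168.77.5", "10.3.0.7", 502, "modbus", 3),           # unknown host, not in inventory
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port} {flow.app_proto}: {verdict}")
```

The point of identifying the application protocol separately from the port is that a conduit permitting Modbus on 502 should not also permit arbitrary traffic that happens to use that port; likewise, an address that maps to no zone is a gap in the asset inventory rather than traffic to be silently passed.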

Further, organisations should integrate OT into security operations and incident response planning to address the differences between OT and IT environments. This includes considering unique device types and the broader consequences of an OT breach impacting critical operations. Developing playbooks that cover the organisation’s OT environment fosters better collaboration across IT, OT and production teams to assess cyber and production risks. It also ensures that senior leadership has proper awareness regarding prioritisation, budget and personnel allocations. Security tools with machine learning capabilities can enable data aggregation and analysis to detect and respond to potential threats.

Organisations often have a complex security architecture involving multiple vendors offering security solutions. This can reduce visibility and strain limited security team resources. Adopting a platform-based approach can simplify the architecture by consolidating vendors and providing specific capabilities tailored to both IT networks and OT environments. This integration not only improves security efficacy and efficiency, but also enables automated responses to threats. Security platforms equipped with context-aware generative artificial intelligence capabilities can further strengthen security posture and increase operational efficiency by automating tasks such as troubleshooting device vulnerabilities and threat hunting analysis.

Moreover, effective OT security relies on timely awareness and analytical insights about imminent risks. A platform-based security architecture should leverage threat intelligence for near-real-time protection against threats, attack variants and exposures. Organisations must ensure that their threat intelligence and content sources include robust, OT-specific information. This includes specialised intrusion prevention system signatures to detect and block malicious traffic targeting OT applications and devices.

Conclusion

OT is vital for businesses and governments worldwide, including critical infrastructure, healthcare systems and manufacturing operations. However, its importance makes it a particularly attractive target. OT security objectives prioritise integrity, availability and confidentiality, but safety must also be treated as a top priority. While the report indicates positive signs of OT security maturity within organisations, the current survey cycle reveals an increase in intrusions and a decline in OT’s influence on risk scoring. To reverse these trends, renewed efforts must be made to protect sensitive OT systems and allocate resources towards an effective security architecture.