Current Cyber Threats in OT/ICS: What You Need to Know
Cyber threats to Operational Technology (OT) and Industrial Control Systems (ICS) aren’t a static lineup of usual suspects. Instead, threat actors constantly tweak and refine their methods to find better ways to intrude into these environments. So, what’s working for hackers lately? This blog takes a look at current threats in OT/ICS, backed up with data from the latest industry reports.
Traversing the IT-OT Boundary
The age of digital isolation for OT and ICS from IT environments is decisively over. The allure of operational efficiency and seamless data flow is hard to resist, but threat actors continue to probe for and exploit weaknesses at the security boundary between IT and OT environments.
A recent (2024) SANS survey found that the most common attack vector in OT/control systems cybersecurity incidents was compromises in IT, allowing threats into operational technology (45.8% of all incidents). But how exactly does this happen?
Inadequate segmentation between IT and OT networks lets attackers who have compromised IT systems reach OT assets. Often this is nothing more exotic than an over-broad firewall rule (an "any" rule opened for a vendor and never removed) or a dual-homed host that sits on both networks.
Common software platforms and management tools that span both IT and OT can serve as conduits for malware. For example, a tampered update for shared endpoint management software could land on IT workstations and on the Windows-based engineering workstations and HMIs in the OT network in the same rollout.
Credential reuse is the third route. When users or service accounts with access to both IT and OT use the same credentials on each, pass-the-hash lets an attacker replay an NTLM hash captured on an IT workstation against an OT host that accepts the same account, and RDP session hijacking lets them take over an operator's or engineer's still-open remote session rather than authenticating at all.
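The two conditions described above, credential reuse across zones and remote logons into OT from IT addresses, can both be checked from Windows logon telemetry. The following is an added example, not code from the original post: it assumes a Purdue-style split with hypothetical IT (10.1.0.0/16) and OT (10.2.0.0/16) ranges, that Security event 4624 records have already been parsed into dicts, and that a hypothetical documented jump-host account (`jump-admin`) is the only one expected in both zones. The logon records are constructed sample data.

```python
"""Detect IT-to-OT boundary crossings in parsed Windows 4624 logon events.

Added example, not code from the original post. The zone ranges, the
allowlisted jump-host account and the log records are all assumptions
or constructed sample data.
"""
import ipaddress
from collections import defaultdict

IT_ZONE = ipaddress.ip_network("10.1.0.0/16")   # assumed IT address range
OT_ZONE = ipaddress.ip_network("10.2.0.0/16")   # assumed OT address range

# Accounts documented as legitimately appearing in both zones (hypothetical).
EXPECTED_IN_BOTH = {"jump-admin"}

# Constructed sample of parsed event 4624 (successful logon) records.
# logon_type 2 = interactive console, 3 = network, 10 = RemoteInteractive (RDP).
SAMPLE_LOGONS = [
    {"account": "jsmith",     "logon_type": 2,  "target_ip": "10.1.5.20", "source_ip": "-"},
    {"account": "jsmith",     "logon_type": 10, "target_ip": "10.2.7.30", "source_ip": "10.1.5.20"},
    {"account": "jump-admin", "logon_type": 2,  "target_ip": "10.1.5.2",  "source_ip": "-"},
    {"account": "jump-admin", "logon_type": 10, "target_ip": "10.2.7.30", "source_ip": "10.1.5.2"},
    {"account": "eng-ot-svc", "logon_type": 3,  "target_ip": "10.2.7.31", "source_ip": "10.2.7.30"},
    {"account": "backup-svc", "logon_type": 3,  "target_ip": "10.1.9.9",  "source_ip": "10.1.9.8"},
    {"account": "backup-svc", "logon_type": 3,  "target_ip": "10.2.7.40", "source_ip": "10.1.9.8"},
    {"account": "operator1",  "logon_type": 2,  "target_ip": "10.2.7.30", "source_ip": "-"},
]


def zone_of(ip: str) -> str:
    """Classify an address as 'IT', 'OT' or 'other' ('-' and non-IPs are 'other')."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "other"
    if addr in IT_ZONE:
        return "IT"
    if addr in OT_ZONE:
        return "OT"
    return "other"


def shared_accounts(logons):
    """Accounts that logged on to hosts in both zones and are not documented as such.

    This is the credential-reuse condition that makes pass-the-hash (or plain
    password reuse) work across the IT/OT boundary.
    """
    zones = defaultdict(set)
    for ev in logons:
        zones[ev["account"]].add(zone_of(ev["target_ip"]))
    return sorted(acct for acct, seen in zones.items()
                  if {"IT", "OT"} <= seen and acct not in EXPECTED_IN_BOTH)


def it_to_ot_logons(logons):
    """Network (3) and RDP (10) logons onto OT hosts whose source address is in IT.

    Console logons (type 2) carry no usable source address and are skipped.
    Every hit should map to a documented jump path; anything else is a crossing.
    """
    hits = []
    for ev in logons:
        if ev["logon_type"] not in (3, 10):
            continue
        if zone_of(ev["target_ip"]) == "OT" and zone_of(ev["source_ip"]) == "IT":
            hits.append((ev["account"], ev["source_ip"], ev["target_ip"], ev["logon_type"]))
    return hits


if __name__ == "__main__":
    print("accounts used in both zones:", shared_accounts(SAMPLE_LOGONS))
    for hit in it_to_ot_logons(SAMPLE_LOGONS):
        print("IT->OT remote logon:", hit)
```

The allowlist is applied only to the credential-reuse check; every remote logon from an IT address into OT is reported so it can be compared against the documented jump-host paths, including the ones made by the expected account.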
Threat actors who target these environments have the resources to develop or acquire exploits that can traverse tightly controlled boundaries. They are driven by motivations that range from espionage to sabotage, so they often have a level of patience that hackers who are just looking to bag a quick payday might lack.
Also, the complexity of modern industrial environments doesn’t help. Many organizations struggle to track and secure every endpoint, particularly as new devices and software are continually added to the network. This lack of visibility can leave unnoticed gaps in IT-OT security.
Supply Chain Poisoning
Supply chain poisoning is the deliberate insertion of malicious code into, or modification of, a product's components at some point in its supply chain. It is a particularly troubling problem in OT/ICS because poisoning the supply chain for the physical devices that control critical infrastructure can put human safety at risk. Recent HP research found that one in five businesses has been impacted by hardware supply chain attacks.
What makes this threat tougher to mitigate in OT/ICS is that these environments often rely on highly specialized hardware and software that can’t be easily substituted. This dependency limits the number of suppliers capable of providing necessary components, which reduces the options for sourcing and vetting.
A power plant might integrate newer IoT sensors with decades-old turbine controllers. Each piece of equipment might come from different suppliers with varying security postures. Components like microchips, sensors, or other embedded systems can pass through multiple handlers — such as manufacturers, third-party integrators, and software providers — before being installed. Every handoff represents a potential point of compromise.
Compromising Direct Internet Access
Security leaders usually advocate a cautious approach to internet connectivity in OT environments. The focus is on minimizing direct connections wherever possible, using secure intermediaries, and ensuring that any connectivity doesn’t compromise the overarching principle of safety and resilience. But sometimes, direct access is inevitable, and security gaps appear.
External remote services are software or network services that allow remote access to, or management of, systems and devices inside an industrial environment. Services like virtual private networks (VPNs) and Remote Desktop Protocol (RDP) are vital for remote operations, especially in sectors like manufacturing, energy, and utilities, where physical access to a facility can be impractical or expensive. However, these services are also susceptible to compromise, from password brute-forcing and credential stuffing against exposed VPN and RDP logins to vulnerabilities in the remote access software itself, either of which can land an intruder directly on engineering workstations and human-machine interfaces (HMIs).
Another category within this threat is unmanaged, agentless assets. These are devices or systems connected to the internet without any centralized management or security software (agents) installed. Industrial IoT devices, like sensors and smart meters, continue to proliferate, often lack basic security controls, and frequently remain unaccounted for by security teams. A recent report found that up to 14% of unmanaged devices connect to both internal networks and the internet, which makes them both an appealing and an accessible target for attackers.
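Both conditions in this section, remote-service ports reachable from the internet and agentless devices that talk to both the plant network and external addresses, are visible in network flow data. The following is an added example, not code from the original post or any report it cites: it assumes a hypothetical plant range (10.20.0.0/16), an asset inventory that records whether an endpoint agent reports in, flows already reduced to (source, destination, destination port) tuples, and treats anything outside RFC 1918 space as internet-side. All flows and inventory entries are constructed; the "public" addresses come from the RFC 5737 documentation ranges so the sample never points at a real host.

```python
"""Flag internet-exposed remote services and dual-connected unmanaged assets.

Added example, not code from the original post. The address ranges, port
list, inventory and flow records are assumptions or constructed sample data.
"""
import ipaddress
from collections import defaultdict

# Anything outside these ranges is treated as internet-side for this check.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Listener ports for the "external remote services" discussed in the text.
REMOTE_SERVICE_PORTS = {3389: "RDP", 1194: "OpenVPN", 500: "IKE",
                        4500: "IPsec-NAT-T", 5900: "VNC"}

# Constructed inventory: address -> asset name and whether an agent reports in.
INVENTORY = {
    "10.20.1.10": {"name": "eng-ws-01",      "agent": True},
    "10.20.1.20": {"name": "hmi-line3",      "agent": False},
    "10.20.2.5":  {"name": "smart-meter-17", "agent": False},
    "10.20.2.6":  {"name": "vib-sensor-02",  "agent": False},
}

# Constructed flow records: (src, dst, dst_port).
FLOWS = [
    ("198.51.100.7", "10.20.1.10", 3389),   # inbound RDP from an external address
    ("10.20.1.10",   "10.20.1.20", 102),    # engineering ws -> HMI (S7), internal
    ("10.20.2.5",    "10.20.1.20", 502),    # meter -> HMI (Modbus), internal
    ("10.20.2.5",    "203.0.113.9", 443),   # meter -> external cloud telemetry
    ("10.20.2.6",    "10.20.1.20", 502),    # sensor -> HMI only
    ("10.20.1.30",   "10.20.1.10", 3389),   # RDP from inside the plant, expected
]


def is_external(ip: str) -> bool:
    """True for any address outside RFC 1918 space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def exposed_remote_services(flows, inventory):
    """Inbound connections from external sources to remote-service ports on inventoried assets.

    Returns (asset name, service, external source) tuples in flow order.
    """
    hits = []
    for src, dst, port in flows:
        if dst in inventory and port in REMOTE_SERVICE_PORTS and is_external(src):
            hits.append((inventory[dst]["name"], REMOTE_SERVICE_PORTS[port], src))
    return hits


def dual_connected_unmanaged(flows, inventory):
    """Agentless assets that initiate connections to both internal and external addresses.

    These are the devices the text describes: unmonitored, reachable from
    inside, and with a path out to the internet.
    """
    talks_to = defaultdict(set)
    for src, dst, _ in flows:
        if src in inventory:
            talks_to[src].add("external" if is_external(dst) else "internal")
    return sorted(inventory[ip]["name"] for ip, kinds in talks_to.items()
                  if not inventory[ip]["agent"] and kinds == {"internal", "external"})


if __name__ == "__main__":
    for name, svc, src in exposed_remote_services(FLOWS, INVENTORY):
        print(f"{svc} on {name} reachable from {src}")
    print("unmanaged assets bridging internal and external:",
          dual_connected_unmanaged(FLOWS, INVENTORY))
```

In practice the "external" test would also exclude any carrier or partner ranges the plant legitimately uses; the RFC 1918 rule is the minimum that makes the check self-contained here.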
Exploiting the Human Factor
The human factor plays a strong role in cyber incidents that target OT/ICS. In an OT/ICS cybersecurity report by TXOne, among the attacks in which IT incidents spilled into industrial environments, phishing campaigns targeting employees (41%) and errors by staff (39%) were the dominant attack vectors.
A big part of the issue comes down to cybersecurity budget allocation. Although 66% of respondents in the SANS 2024 OT/ICS cybersecurity survey identified people, including employees and contractors, as the most significant risk to their ICS environments, most budgets are spent on technology. Leaders end up trying to solve a people problem with tools, and under-invest in reducing the human factor itself.
It’s also important to consider the advances in AI that make phishing easier to carry out. Generative AI can craft convincing, well-written phishing emails, while other tooling makes it trivial to register lookalike domains and clone the login pages of legitimate portals. There is a clear need for greater investment in basic cybersecurity awareness, especially among OT staff such as engineers.
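Lookalike domains can be screened mechanically before a user ever sees the link. The following is an added example, not code from the original post: it scores sender and URL domains against a small allowlist of legitimate portal domains (the `.example` names are hypothetical), folding common homoglyph substitutions, measuring edit distance, and catching the trick of placing a legitimate name as a subdomain of an attacker-controlled parent. The registrable-domain extraction is deliberately crude (last two labels, no public-suffix list) and is marked as such in the code.

```python
"""Classify sender/link domains as legit, lookalike or unrelated.

Added example, not code from the original post. The allowlisted portal
domains and the test inputs are constructed.
"""

# Hypothetical legitimate portals that staff are expected to log in to.
LEGIT_DOMAINS = {"plantportal.example", "vendor-support.example", "sso.example"}

# Substitutions commonly used to forge a visually similar name.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
              "rn": "m", "vv": "w", "cl": "d"}


def normalise(label: str) -> str:
    """Fold homoglyphs so 'p1antp0rtal' and 'plantportal' compare equal."""
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute at cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude registrable part: last two labels. Wrong for suffixes like co.uk;
    use a public-suffix list in production."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify(domain: str, legit=LEGIT_DOMAINS) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a sender or URL domain."""
    d = domain.lower().strip(".")
    reg = registrable(d)
    if reg in legit:
        return "legit"
    # Legit domain used as a subdomain of somebody else's registrable domain,
    # e.g. plantportal.example.login-check.test
    if any(d.startswith(g + ".") or ("." + g + ".") in d for g in legit):
        return "lookalike"
    name = normalise(reg.split(".")[0])
    for good in legit:
        gname = normalise(good.split(".")[0])
        # Short names need a tighter threshold or everything matches "sso".
        max_dist = 1 if len(gname) <= 5 else 2
        if edit_distance(name, gname) <= max_dist:
            return "lookalike"
        if len(gname) >= 6 and gname in name:   # vendor-support-login.test
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sample in ("mail.plantportal.example", "p1antp0rtal.example",
                   "plantportal.example.login-check.test",
                   "vendor-supp0rt-login.test", "acme-news.test"):
        print(f"{sample:40} {classify(sample)}")
```

The thresholds are a starting point: a distance of 2 on an 11-character name is a sensible trigger for review, while on a 3-character name it would flag almost anything, hence the length-dependent cutoff.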
Really, though, the human factor is not just about increasing awareness of basic cybersecurity practices. It’s also about adequately equipping SOC and IR teams with the training and tests they need to combat evolutions in ICS/OT cyber threats.
A worrying finding from the SANS report was that 28% of respondents still lack an ICS-specific incident response plan. Also, paper-based tabletop exercises remain by far the most common type of response plan testing. Training and testing need to move on to use live-fire simulated drills where IR teams experience what a real-world incident feels like.
Traditional tabletop exercises are fine for conceptual understanding and strategizing, but they often fall short in replicating the stress, chaos, and quick decision-making needed in actual incidents. Live-fire drills, tailored to the intricacies of OT/ICS environments and cyber threats, help teams face simulated real-world cyber incidents in a controlled environment. Personnel can practice dealing with incomplete information, coordinating across different teams, and implementing recovery procedures under pressure.
Elevate Your Cybersecurity Readiness with Cloud Range
Live-fire training provides the realism, urgency, and complexity needed to truly test and enhance your team's readiness and response capabilities. Cloud Range’s leading cyber-range-as-a-service provides simulation exercises with dedicated ICS/OT attack scenarios. Customizable OT environments can replicate your network to give as much realism as possible to scenarios. Because so many incidents in OT start at the IT level, Cloud Range advocates for and gives you the option of letting IT and OT incident response teams work together on cyber attack simulations.