A Field CISO’s Perspective on Threats to OT Environments

July 2024, Munich

In an increasingly interconnected world, companies face the significant challenge of protecting not only their IT systems but also their Operational Technology (OT) from increasingly sophisticated cyberattacks. The hardware and software used to monitor and control physical processes, devices, and infrastructures are exposed to targeted attacks from both internal and external sources.

OT is used, for example, to control robots in a production plant or to monitor ventilators in hospitals. If these devices are not adequately protected, vulnerabilities can be exploited and malware can be introduced. Malware can also infiltrate operational technology through external hardware, removable storage devices, or the intranet.

In our interview, Guido Kraft, Field CISO at WALLIX, discusses the latest developments, strategies, and best practices for strengthening OT security.

How has the threat landscape for OT (Operational Technology) evolved recently?

Guido Kraft: The threat landscape for OT has changed significantly, with a notable increase in threats. We have seen a significant rise in attacks, especially in the area of critical infrastructures (KRITIS), which are often politically motivated.

For example, state-directed hacker groups, such as the Russian “Five Bears,” continuously target critical infrastructures, as well as governments, authorities, political parties, and other system-relevant areas. The Bundestag hack in 2015 is a prominent example.

We register several thousand attacks per month. The geopolitical situation and changes in global power dynamics play a crucial role. Cyber warfare is a reality and is conducted alongside conventional conflicts, severely affecting our technical supply infrastructures such as energy, transport, and healthcare.

Are there specific fields or technologies that are particularly targeted?

Guido Kraft: Yes, industrial manufacturing and chemical production are frequent targets. Intellectual property theft and the theft of trade secrets also represent growing threats. Older machines, which still operate on outdated systems—sometimes even older than Windows 2000—are particularly at risk, as they are often not sufficiently protected. With the increasing interconnectedness and integration of new machines into OT networks, the number of potential attack points also rises.

What role do technologies like machine learning and AI—artificial intelligence—play in OT security? Guido Kraft: AI and machine learning are double-edged swords. On one hand, they can help detect anomalies in user behavior and efficiently monitor networks. On the other hand, they pose a threat if attackers use these technologies to exploit vulnerabilities in OT systems. AI used in internally operated programs, for instance, to control production facilities, should also be strictly monitored by the cybersecurity department: what accesses and permissions do these systems have?

Studies show that the majority of respondents perceive AI attacks as a threat to their OT infrastructure. The key is to carefully select use cases and develop control mechanisms to minimize risks.

And how does the proliferation of Cloud and SaaS technologies affect OT security?

Guido Kraft: The integration of Cloud and SaaS technologies into OT environments presents both opportunities and risks. While these technologies are widespread in IT, their application in OT environments is often problematic due to specific requirements and security concerns. To implement these technologies securely without affecting operations, a comprehensive strategy is required.

To address these new challenges, what measures can companies take?

Guido Kraft: It is crucial to establish privileged access systems that only allow access to authorized individuals, often secured by MFA, or multi-factor authentication. A multi-stage approval process and full auditability are also important elements. Standards like IEC 62443 provide a solid foundation. It’s about strictly controlling access and ensuring that only necessary permissions are granted.

What are the best practices for companies looking to improve their OT security?

Guido Kraft: Companies should integrate Zero Trust principles into their security strategy. Privileged Access Management (PAM) and Identity and Access Governance (IAG) solutions are essential to strictly control access. The trend is clearly towards preventive security. A risk classification model can help classify different systems according to their risk and secure them accordingly. It is also important to consider industry-specific regulations and standards such as IEC 62443 and NIS2.

Compliance standards aim to enhance security but often present challenges for companies in terms of adherence. How can Privileged Access Management (PAM) help in this regard?

Guido Kraft: First, it is essential to get an overview of which regulations are relevant to an organization or the individual systems within it. Our risk classification model is a tool for categorizing systems and their protection needs—from high-risk systems like data servers to less critical components. This model allows for the targeted implementation of specific security measures. For example, in high-risk systems, access can be strictly regulated and secured with multi-factor authentication, while less critical systems can use more flexible security protocols. Along with PAM solutions, sector-specific and general data protection regulations—from NIS2 to ISO 27001—can be met.

What obstacles do you often see clients face when implementing PAM or Identity and Access Governance (IAG)?

Guido Kraft: The biggest obstacle is often complexity. Many clients are hesitant to implement these solutions because they perceive them as too complex and maintenance-intensive. However, our experience shows that well-designed solutions are relatively easy to implement and allow for seamless integration into existing security infrastructures. Nevertheless, challenges always exist, especially when adapting to specific company requirements and integrating with existing systems, such as when using SaaS solutions.

Can the effectiveness of PAM and IAG solutions be measured and evaluated?

Guido Kraft: It is difficult to quantify effectiveness, as the ROI of security measures is often not directly measurable. However, important metrics include the number of unauthorized access attempts prevented and the time required to respond to security incidents. An indicator of effectiveness is also the usability and acceptance of security measures within the company.

Finally, what trends should companies keep an eye on in the coming years?

Guido Kraft: Companies should prepare for increasing interconnectedness and the integration of AI into OT systems. Zero Trust security models will become increasingly important, as will compliance with new regulations and standards. It will also be crucial to implement flexible and scalable security solutions that can cover both old and new systems. Continuous training and awareness of employees remain central aspects of OT security.

Guido, thank you very much for the interview!

 

Guido Kraft, Field CISO at WALLIX