A Field CISO’s Perspective on Threats to OT Environments

July 2024, Munich

In an increasingly interconnected world, companies face the significant challenge of protecting not only their IT systems but also their Operational Technology (OT) from increasingly sophisticated cyberattacks. The hardware and software used to monitor and control physical processes, devices, and infrastructures are exposed to targeted attacks from both internal and external sources.

OT is used, for example, to control robots in a production plant or to monitor ventilators in hospitals. If these devices are not adequately protected, vulnerabilities can be exploited and malware can be introduced. Malware can also infiltrate operational technology through external hardware, removable storage devices, or the intranet.

In our interview, Guido Kraft, Field CISO at WALLIX, discusses the latest developments, strategies, and best practices for strengthening OT security.

How has the threat landscape for OT (Operational Technology) evolved recently?

Guido Kraft: The threat landscape for OT has changed significantly, with a notable increase in threats. We have seen a significant rise in attacks, especially in the area of critical infrastructures (KRITIS), which are often politically motivated.

For example, state-directed hacker groups, such as the Russian “Five Bears,” continuously target critical infrastructures, as well as governments, authorities, political parties, and other system-relevant areas. The Bundestag hack in 2015 is a prominent example.

We register several thousand attacks per month. The geopolitical situation and changes in global power dynamics play a crucial role. Cyber warfare is a reality and is conducted alongside conventional conflicts, severely affecting our technical supply infrastructures such as energy, transport, and healthcare.

Are there specific fields or technologies that are particularly targeted?

Guido Kraft: Yes, industrial manufacturing and chemical production are frequent targets. Intellectual property theft and the theft of trade secrets also represent growing threats. Older machines, which still operate on outdated systems—sometimes even older than Windows 2000—are particularly at risk, as they are often not sufficiently protected. With the increasing interconnectedness and integration of new machines into OT networks, the number of potential attack points also rises.

What role do technologies like machine learning and AI—artificial intelligence—play in OT security? Guido Kraft: AI and machine learning are double-edged swords. On one hand, they can help detect anomalies in user behavior and efficiently monitor networks. On the other hand, they pose a threat if attackers use these technologies to exploit vulnerabilities in OT systems. AI used in internally operated programs, for instance, to control production facilities, should also be strictly monitored by the cybersecurity department: what accesses and permissions do these systems have?

Studies show that the majority of respondents perceive AI attacks as a threat to their OT infrastructure. The key is to carefully select use cases and develop control mechanisms to minimize risks.

And how does the proliferation of Cloud and SaaS technologies affect OT security?

Guido Kraft: The integration of Cloud and SaaS technologies into OT environments presents both opportunities and risks. While these technologies are widespread in IT, their application in OT environments is often problematic due to specific requirements and security concerns. To implement these technologies securely without affecting operations, a comprehensive strategy is required.

To address these new challenges, what measures can companies take?

Guido Kraft: It is crucial to establish privileged access systems that only allow access to authorized individuals, often secured by MFA, or multi-factor authentication. A multi-stage approval process and full auditability are also important elements. Standards like IEC 62443 provide a solid foundation. It’s about strictly controlling access and ensuring that only necessary permissions are granted.

What are the best practices for companies looking to improve their OT security?

Guido Kraft: Companies should integrate Zero Trust principles into their security strategy. Privileged Access Management (PAM) and Identity and Access Governance (IAG) solutions are essential to strictly control access. The trend is clearly towards preventive security. A risk classification model can help classify different systems according to their risk and secure them accordingly. It is also important to consider industry-specific regulations and standards such as IEC 62443 and NIS2.

Compliance standards aim to enhance security but often present challenges for companies in terms of adherence. How can Privileged Access Management (PAM) help in this regard?

Guido Kraft: First, it is essential to get an overview of which regulations are relevant to an organization or the individual systems within it. Our risk classification model is a tool for categorizing systems and their protection needs—from high-risk systems like data servers to less critical components. This model allows for the targeted implementation of specific security measures. For example, in high-risk systems, access can be strictly regulated and secured with multi-factor authentication, while less critical systems can use more flexible security protocols. Along with PAM solutions, sector-specific and general data protection regulations—from NIS2 to ISO 27001—can be met.

What obstacles do you often see clients face when implementing PAM or Identity and Access Governance (IAG)?

Guido Kraft: The biggest obstacle is often complexity. Many clients are hesitant to implement these solutions because they perceive them as too complex and maintenance-intensive. However, our experience shows that well-designed solutions are relatively easy to implement and allow for seamless integration into existing security infrastructures. Nevertheless, challenges always exist, especially when adapting to specific company requirements and integrating with existing systems, such as when using SaaS solutions.

Can the effectiveness of PAM and IAG solutions be measured and evaluated?

Guido Kraft: It is difficult to quantify effectiveness, as the ROI of security measures is often not directly measurable. However, important metrics include the number of unauthorized access attempts prevented and the time required to respond to security incidents. An indicator of effectiveness is also the usability and acceptance of security measures within the company.

Finally, what trends should companies keep an eye on in the coming years?

Guido Kraft: Companies should prepare for increasing interconnectedness and the integration of AI into OT systems. Zero Trust security models will become increasingly important, as will compliance with new regulations and standards. It will also be crucial to implement flexible and scalable security solutions that can cover both old and new systems. Continuous training and awareness of employees remain central aspects of OT security.

Guido, thank you very much for the interview!

Guido Kraft, Field CISO at WALLIX

Related resources

May 28, 2024

Enhance Cybersecurity for U.S. Water and Wastewater Facilities

December 15, 2023

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
trackalyzer	1 year	This cookie is used by Leadlander. The cookie is used to analyse the website visitors and monitor traffic patterns.

Cookie	Duration	Description
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
messagesUtk	1 year 24 days	This cookie is set by hubspot. This cookie is used to recognize the user who have chatted using the messages tool. This cookies is stored if the user leaves before they are added as a contact. If the returning user visits again with this cookie on the browser, the chat history with the user will be loaded.

Cookie	Duration	Description
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_gat_UA-12183334-1	1 minute	No description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 9 months 23 days 12 hours 13 minutes	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
wp-wpml_current_language	1 day	No description

A Field CISO’s Perspective on Threats to OT Environments

Related content

OT Cyber Challenges for U.S. Water and Wastewater Facilities

International tensions: manage the implementation of cybersecurity measures in emergency situations

Industry 4.0: The importance of securing a connected future

The five top tips to reassess your IT security risk

What Happened in the Colonial Pipeline Ransomware Attack

Related resources

Enhance Cybersecurity for U.S. Water and Wastewater Facilities

ISA62443 Compliance

PRODUCTS

RESOURCES

SUPPORT

ABOUT

FOLLOW US

A Field CISO’s Perspective on Threats to OT Environments

Share this article

Related content

Related resources

PRODUCTS

RESOURCES

SUPPORT

ABOUT

FOLLOW US