
Operational technology (OT) risk may not always get the publicity afforded to big-name IT breaches. But it’s a ticking time bomb for global enterprises, recently costed at $330bn annually. These risks can be managed. But only by building resilience to deflect as many threats as possible, and by rapidly detecting and responding to those that succeed. That’s easier said than done given the limitations of many OT sites.
Why OT is in the crosshairs
It wasn’t always like this. OT systems once benefited from “security by obscurity.” Unfortunately for OT operators, those days have gone.
Increasingly, OT and IT are converging. Combine these efforts with IoT device proliferation and the attack surface is broader than it’s ever been. At the same time, legacy hardware persists, complicating patching efforts. The challenge is compounded by OT management priorities, which foreground stability and availability over security. Flat, unsegmented networks, static passwords on endpoints, and poor visibility into assets add extra risk exposure. The latter is such a concern for the UK’s National Cyber Security Centre (NCSC) that it recently published guidance to help OT organizations create a definitive and dynamic record of their environment.
The NCSC is right to be concerned. According to a 2024 report, 62% of assessed Fortune 1000 companies admitted to having no visibility at all into their OT networks. Just 17% claimed they could detect breaches.
When things go wrong
The $330bn valuation of annual OT financial risk was estimated by insurer Marsh McLennan, based on data from one of the world’s largest insurance claims databases, as well as third-party breach recovery and other reports over a decade (2014-2024).
Sometimes it’s not the attack itself but the “abundance-of-caution” shutdowns that follow which cause much of the damage, the report notes. Seventy percent of breaches incur these indirect costs, it says. The Colonial Pipeline ransomware attack of May 2021 falls into this category. Although it targeted the firm’s IT systems, it shut down its extensive OT network due to concerns the threat could spread, causing fuel shortages and higher prices for several days on America’s east coast.
All of which speaks to the huge potential damage that an attack on a critical OT environment could inflict. Marsh McLennan reveals that healthcare, construction, and manufacturing are the top three sectors for OT breaches over the decade it studied.
Yet, truthfully, no sector that runs OT is safe. Just look at the Chinese state-sponsored threat actors who “pre-positioned” themselves in US critical national infrastructure (CNI) networks. Discovered last year, the Volt Typhoon campaign was designed to launch crippling destructive attacks on providers in the communications, energy, transportation, and water/wastewater sectors in the event of military conflict.
How to improve resilience
Given the scale of the challenge, organizations must accelerate plans to build resilience into their most critical systems. But historically, it’s been difficult for CISOs to engage boards due to the difficulty of quantifying financial exposure and measuring the effectiveness of specific security controls. The Marsh report should help them in this respect.
But once they have the buy-in and funding from senior leadership, what happens next? Improving OT architecture is an obvious place to start. That means enhancing resilience so it is more capable of withstanding attacks, such as via risk-based patch management, isolation of OT networks from enterprise systems, and enforcement of strict access controls on remote connections.
Improving visibility into all assets and communication links is also essential: you can’t protect what you can’t see. Yet continuous monitoring of OT environments is challenging in many locations, where space and power limitations rule out physical monitoring and low bandwidth makes real-time insight tricky.
This is where specialist OT sensors come in. Instead of requiring intrusive software agents, they’re designed to operate passively in these restricted environments – monitoring traffic, asset behaviour, and control system commands without impacting operations. This means critical systems can remain online while being monitored 24/7 for anomalous behaviour. Asset information, network metadata, behavioural indicators and event context telemetry are fed to the SOC, where they are normalized, enriched with threat intelligence, and correlated with IT data.
This empowers expert analysts to detect lateral movement, command manipulation, or the early signs of ransomware staging. Alerts are triaged under defined SLAs, with high-priority incidents escalated in near real-time. It all means that attacks are identified, investigated and contained before they can do any damage.
There are several benefits to arming your SecOps team in this way, or outsourcing to an expert third-party managed detection and response (MDR) provider. Passive monitoring delivers resilience by design, supporting real-time detection without introducing downtime risks. And it provides holistic visibility into both IT and OT environments – correlating OT telemetry with IT logs to close detection blind spots and ensure attacks traversing both environments are stopped in their tracks.
This proactive approach also enables SOC teams to identify and escalate true-positive OT alerts within minutes, meaning attacks are mitigated early on. That crucially means business continues as usual, even in the event of a breach. And enriched chains of evidence will keep NIS2 regulators happy, while reducing board-level anxiety around non-compliance.
Bringing IT and OT together
With this kind of approach, organizations can finally start to break down those historic IT/OT silos, and provide SecOps with a unified view of their environment. To amplify resilience further, they should consider regularly testing and validating the detection surface against the MITRE ATT&CK for ICS framework. And running OT-inclusive attack simulations and tabletop exercises, with a strong focus on the impact of an IT breach on OT operations.
Those specialized OT sensors will continue to support best practices in asset management, enabling continuous asset inventories to ensure security posture is fit for purpose. But success is not a given. Organizations must continue to perform traffic monitoring at all layers of IT and OT infrastructure to baseline what’s normal and alert on exceptions. And they need to feed OT intelligence into detection engineering to stay ahead of adversary tactics.
TTPs will continue to evolve, so there’s no room for complacency. But the good news is that resilience need not be a pipe dream. It’s within the grasp of any OT organization. Given what’s at stake, there’s no time to delay.