
IT and OT Security: Why Integrated Programs Are Key to Protecting Critical Infrastructure

Apptega
September 8, 2025
 

Introduction

Your IT security is solid as a rock. Data and networks are secure. Endpoints, protected. Your systems are ready for whatever comes their way. Meanwhile, attackers have seized control of connected machines within your operational technology (OT) environment, where most organizations still lack basic protections.

Historically, IT and OT have operated independently, with IT centered on digital systems and enterprise networks, and OT primarily focused on managing physical processes (e.g., energy generation, water systems, manufacturing lines, etc.).

But increasing connectivity and the integration of digital tools into OT environments have created new cybersecurity challenges with higher stakes. A breach to these systems could mean not only stolen data and downtime but also physical damage and safety risks.  

In a recent discussion with Apptega, leaders from the Cybolt team shared stories from the field and tips for building integrated security and compliance programs across IT and OT.

Key Takeaways

  • OT systems power critical infrastructure and physical processes but were never designed for modern cyber threats.
  • Increasing IT/OT convergence creates major risks, including data loss, downtime, and safety hazards.
  • Bridging cultural and operational divides between IT and OT teams is crucial for integrated security.
  • Frameworks like the SANS Five Critical Controls provide a practical roadmap for securing OT environments.
  • Safeguards such as network segmentation, OT DMZs, and the Purdue Model help contain threats and protect hybrid environments.
  • Traditional one-off assessments aren’t enough, as organizations need continuous, objective, and actionable programs to reduce risk and maintain resilience.

What is OT?

Operational Technology (OT) refers to the specialized hardware and software used to monitor, control, and automate physical processes, particularly in industrial, manufacturing, and critical infrastructure environments.

“It’s everything that makes physical things move or do something,” said Enrique Azuara, V.P. of OT Security at Cybolt. “The water that goes to your house, the energy that powers your office, and the food you eat at home all go through processes powered by OT.”

OT includes everything from factory floor control systems to power grid management tools, influencing how equipment operates in the real world, often in real time. And it plays a pivotal role in ensuring safety, reliability, and efficiency in sectors where physical outcomes matter as much as digital ones.

The Growing Importance of OT Security

Earlier this year, Russian hackers took control of a Norwegian hydropower dam, releasing 132 gallons of water per second for four hours, according to an article in The Guardian. The nearby town was lucky that river and dam water levels were well below flood capacity, so there were no injuries or damage. But it is a good example of the wider, physical implications of an OT attack.

OT systems are often siloed and disconnected from broader enterprise networks to mitigate risk. But this traditional model is rapidly changing, opening the gates for cyber threats, ransomware attacks, and malicious actors targeting legacy OT infrastructure.

“In the old days, the mindset was that OT was isolated and separated, even though that wasn’t really true,” said Azuara. “Now, post-COVID, everything is connected. Everybody listens about phishing and ransomware, because those attacks are coming into OT.”

Unlike IT, OT is focused on uptime and safety, not just data. And these systems were never designed for modern threats, making them a high-value, low-resilience target.

“The difference, as people are noticing, is that when you hit a critical infrastructure, the impact is huge,” Azuara explained. “You’re not just losing data. You’re losing control of the pressure controls for a gas pipeline.”

Culture Shock: Bridging the IT and OT Divide

For those who primarily operate in the world of IT, stepping into an OT environment can feel like going back in time.

Many OT systems have been operational for decades and were designed without modern cybersecurity in mind. The software is often outdated, networks unsegmented, and access controls non-existent, making them highly vulnerable to external breaches and ransomware attacks.  

“Seeing a Windows 98, Windows 7, or XP computer would be nonsensical in the IT space these days, but it’s very normal in OT,” said Erik Holmes, V.P. of Managed Security Services at Cybolt. “So, when we take IT folks and we drop them into an OT environment without segmentation, firewalls, or monitoring, with no EDR and old computers, they start to freak out a little bit. We’ve got to help them realize this is still normal in the space.”  

Holmes stresses that bridging this cultural divide between IT and OT requires collaboration and a mutual understanding of priorities.  

“If we’re going to communicate, we have to speak the same language. Getting into the governance, risk, and compliance space together helps us set the table for that. We use the Apptega platform to crosswalk frameworks between IT and OT, and we get objective metrics that everybody can see at the same time. So now we’re using ground truth to make data-driven, objective decisions together.”

Facilitating dialogue is especially important for organizations where Chief Information Security Officers (CISOs) are responsible for both IT and OT security. These leaders must manage the competing demands of both domains while adapting cybersecurity strategies to unique OT constraints.

Deploying Hybrid IT and OT Security Models

Integrating legacy OT systems with modern cloud-based solutions requires careful planning to avoid a poorly architected environment. Most OT environments were built years ago with little thought given to security, which raises the question of how to protect them properly without compromising IT in the process.

The following deployment tips can guide you through building a hybrid IT and OT environment.

Secure OT with SANS Five Critical Controls

While OT systems present unique challenges, experts recommend initial steps rooted in proven frameworks. Azuara pointed to the SANS Five ICS Cybersecurity Critical Controls as a practical starting point for securing industrial control systems (ICS) and OT:

1. Incident Response Plan: Ensure you have a clear and tested incident response plan, with defined roles, escalation paths, etc.

“Do you have a network diagram? Do you have an asset list? Do you know what’s critical? You need a plan. You have to do drills and be prepared. It’s not just contracting some hours.”

2. Defensible Architecture: Implement network segmentation and create zones to isolate critical systems.

“Split your IT and OT networks, and use a firewall. Group devices into zones based on cybersecurity requirements, and do micro-segmentation, EDRs, SIEMs, etc.”

3. Network Visibility & Monitoring: Monitor for threats in real time and regularly audit the system’s security posture.

“You have to know what you’re securing, but you also need to know who the devices are talking to. Are devices talking to each other? Or talking outside the org?”

4. Secure Remote Access: Monitor and control remote connections into your environments.

“A lot of teams say they’ve secured OT remote access because they use a VPN. But that VPN often connects straight into OT, and the traffic is encrypted, which means you can’t see what they do once inside. At best, you only know who logged in and when, not what actions they took.”

5. Risk-Based Vulnerability Management: Prioritize vulnerabilities that directly impact operations.

“A list of 4,000 vulnerabilities without context will overwhelm OT teams. What they need is prioritized, risk-based guidance that helps keep the factory running.”  

So, where do you start? Do you implement the SANS controls in order, starting with incident response and working your way down? Azuara recommends starting with visibility/monitoring and secure remote access.

“Whatever piece you’re trying to do, if it’s controlling, incident response, or defensible architecture, everything must be aligned with two things: safety and availability. Those are the two priorities the OT team is going to be thinking about.”
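Control 5 above warns that a list of 4,000 findings without context will overwhelm an OT team. The Python below is an added example, not code from the article or from Apptega or Cybolt, of what "risk-based" can mean in practice: each finding is scored by what the affected asset does to the process, how reachable it is (the flat-network and VPN-straight-into-OT situations described in this article), and whether exploitation is known, rather than by CVSS alone. The assets, findings, weights and thresholds are all constructed assumptions, and the vulnerability IDs are placeholders rather than real CVEs.

```python
"""Risk-based prioritization of OT vulnerability findings.

Added example, not code from the article or from Apptega/Cybolt.
Assets, findings, weights and bucket thresholds are constructed;
the vulnerability IDs are placeholders, not real CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str             # Purdue level of the asset: L1, L2, L3, DMZ or L4
    process_impact: int   # 1-5: safety/availability impact if the asset is lost
    reachable_from: str   # most exposed zone that can open a connection to it
    patchable: bool       # can it realistically be patched in a maintenance window?


@dataclass(frozen=True)
class Vuln:
    vid: str
    asset: str
    cvss: float
    exploited_in_wild: bool


@dataclass(frozen=True)
class Ranked:
    vid: str
    asset: str
    score: float
    bucket: str
    action: str


# Exposure weight (assumption): how easily an attacker can get a packet to the asset.
EXPOSURE = {"EXT": 1.0, "L4": 0.8, "DMZ": 0.5, "OT": 0.25}


def risk_score(v: Vuln, a: Asset) -> float:
    """process impact x exposure x (CVSS/10), boosted when exploitation is known.

    CVSS alone would rank the unreachable PLC bug first; here reachability and
    what the asset does to the physical process dominate."""
    boost = 1.5 if v.exploited_in_wild else 1.0
    return a.process_impact * EXPOSURE[a.reachable_from] * (v.cvss / 10) * boost


def bucket(score: float) -> str:
    """Thresholds are assumptions; tune them to the site's risk tolerance."""
    if score >= 3.0:
        return "now"
    if score >= 1.0:
        return "next"
    return "monitor"


def action(a: Asset, b: str) -> str:
    if not a.patchable:
        return "no patch possible: restrict reachability and monitor the asset"
    if b == "now":
        return "emergency change: patch or isolate before the next shift"
    return "patch in the next planned maintenance window"


def prioritize(vulns, assets):
    by_name = {a.name: a for a in assets}
    ranked = []
    for v in vulns:
        a = by_name[v.asset]
        s = risk_score(v, a)
        b = bucket(s)
        ranked.append(Ranked(v.vid, v.asset, round(s, 3), b, action(a, b)))
    return sorted(ranked, key=lambda r: r.score, reverse=True)


# Constructed inventory and findings (hypothetical site).
SAMPLE_ASSETS = [
    Asset("PLC-BOILER-01", "L1", 5, "OT", False),   # only reachable from inside OT
    Asset("HMI-LINE2", "L2", 4, "L4", True),        # flat network: enterprise can reach it
    Asset("HISTORIAN-DMZ", "DMZ", 2, "L4", True),
    Asset("ENG-WS-03", "L3", 3, "EXT", True),       # VPN lands directly on this box
    Asset("BADGE-SERVER", "L4", 1, "EXT", True),
]
SAMPLE_VULNS = [
    Vuln("V-001", "PLC-BOILER-01", 9.8, False),
    Vuln("V-002", "HMI-LINE2", 7.5, True),
    Vuln("V-003", "HISTORIAN-DMZ", 9.8, False),
    Vuln("V-004", "ENG-WS-03", 8.8, True),
    Vuln("V-005", "BADGE-SERVER", 10.0, True),
    Vuln("V-006", "PLC-BOILER-01", 5.3, False),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_VULNS, SAMPLE_ASSETS)[:3]:
        print(f"{r.vid} on {r.asset}: score {r.score} [{r.bucket}] -> {r.action}")
```

The point the ranking makes is that the two critical findings on the boiler PLC fall to the bottom because nothing outside OT can reach it and it cannot be patched anyway, while the engineering workstation that the VPN terminates on and the HMI exposed by the flat network come out on top: those are the three items an OT team can actually act on.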

Separate Your Systems with an OT DMZ

Some organizations may decide it’s easier to just transfer all their IT and OT data to the cloud, which Azuara calls a big “no-no.”

“You have to separate IT from OT. Even though it’s a little more expensive, it’s going to be secure. You must have tools that are only for IT. And whatever you need to bring into the cloud, you must do it using an OT DMZ.”

An OT DMZ, or Operational Technology Demilitarized Zone, is an additional security layer between legacy OT systems and IT. Connections from the enterprise network or the internet terminate on brokered services inside the DMZ (for example a jump host or a historian replica) rather than passing directly into the plant, isolating vulnerable physical environments from both.

“Depending on your risk tolerance, you can do it through only filtering on the OT DMZ, or you can use tools like unidirectional gateways to do it in a safer way.”

Use the Purdue Model as a Reference

The Purdue Model can also be a useful guide for structuring your IT and OT networks, organizing them into hierarchical levels (from field devices and controllers at the bottom up to the enterprise network at the top) with security controls layered between them.

“The Purdue Model is a great reference into what things should talk to,” Azuara said. “What are my policies? What type of filters do I have to put in place? And how can I realistically implement this?”

Many organizations face constraints, as it’s not always easy to undo and redesign entire environments, especially when clients are trying to increase productivity and decrease costs.  

“Sometimes they have a flat network, they only have a core switch, and we have to overlay something like a security network via crypto segmentation or via identity segmentation to accomplish what they want.”
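Controls 2, 3 and 4 above (defensible architecture, visibility, secure remote access), the OT DMZ section and the Purdue Model all come down to one question Azuara raises: who is each device talking to, and should it be? The Python below is an added example, not code from the article or from Apptega or Cybolt, of turning a Purdue-style zone policy into a check you can run over connection records. It assigns each address to a Purdue level, allows only the zone-pair/port combinations in a policy table, and flags everything else, grading the cases the article calls out: an OT host talking outside the organization, an outside host reaching straight in, and an enterprise (or VPN) user bypassing the OT DMZ. The zone addressing, the policy table and the Zeek-style sample records are all constructed for illustration.

```python
"""Purdue-zone flow policy check over Zeek-style connection records.

Added example, not code from the article or from Apptega/Cybolt.
Zone addressing, the policy table and the sample records are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone map (hypothetical addressing) keyed by Purdue level:
# L1 controllers/PLCs, L2 supervisory (HMI/SCADA), L3 site operations
# (historian, engineering workstations), DMZ = Level 3.5 OT DMZ,
# L4 enterprise IT.  Anything matching no CIDR is external (EXT).
ZONES = {
    "L1": ipaddress.ip_network("10.1.0.0/24"),
    "L2": ipaddress.ip_network("10.2.0.0/24"),
    "L3": ipaddress.ip_network("10.3.0.0/24"),
    "DMZ": ipaddress.ip_network("10.35.0.0/24"),
    "L4": ipaddress.ip_network("10.4.0.0/16"),
}
OT_ZONES = {"L1", "L2", "L3"}

# Constructed policy: (initiating zone, destination zone, destination port)
# tuples that may open a connection.  Enterprise hosts reach OT only through
# brokered services in the DMZ, and nothing inside OT initiates to the outside.
ALLOWED = {
    ("L2", "L1", 502),    # HMI/SCADA polls PLCs over Modbus/TCP
    ("L3", "L2", 443),    # site operations to supervisory web apps
    ("L3", "DMZ", 443),   # historian pushes a replica into the DMZ
    ("DMZ", "L3", 22),    # jump host into site operations
    ("L4", "DMZ", 443),   # enterprise reads the historian replica
    ("L4", "DMZ", 22),    # enterprise admins log in to the jump host
}


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Finding:
    conn: Conn
    severity: str
    reason: str


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXT"


def check_flow(c: Conn):
    """Return a Finding for a cross-zone flow the policy does not allow, else None."""
    sz, dz = zone_of(c.src), zone_of(c.dst)
    # Intra-zone traffic is a micro-segmentation question, not modelled here.
    if sz == dz or (sz, dz, c.dport) in ALLOWED:
        return None
    if sz in OT_ZONES and dz == "EXT":
        sev, why = "critical", "OT host talking outside the organization"
    elif sz == "EXT":
        sev, why = "critical", "external host reaching straight into the plant network"
    elif sz == "L4" and dz in OT_ZONES:
        sev, why = "high", "enterprise host bypassing the OT DMZ"
    else:
        sev, why = "medium", "cross-zone flow not in the approved policy"
    return Finding(c, sev, f"{why} ({sz}->{dz}:{c.dport})")


def check_flows(conns):
    return [f for f in map(check_flow, conns) if f is not None]


def external_talkers(conns):
    """OT addresses that initiated connections to the outside world."""
    return {c.src for c in conns
            if zone_of(c.src) in OT_ZONES and zone_of(c.dst) == "EXT"}


# Constructed sample records (ts, id.orig_h, id.resp_h, id.resp_p in Zeek terms).
SAMPLE = [
    Conn("2025-09-01T08:00:01", "10.2.0.10", "10.1.0.5", 502),     # normal SCADA poll
    Conn("2025-09-01T08:00:04", "10.4.1.20", "10.35.0.3", 443),    # enterprise -> DMZ replica
    Conn("2025-09-01T08:01:10", "10.4.1.20", "10.2.0.10", 3389),   # VPN user RDPs straight to the HMI
    Conn("2025-09-01T08:02:33", "10.1.0.5", "203.0.113.9", 443),   # PLC calling out to the internet
    Conn("2025-09-01T08:03:07", "198.51.100.7", "10.3.0.4", 22),   # outside host SSHing into L3
    Conn("2025-09-01T08:04:52", "10.3.0.4", "10.1.0.5", 502),      # eng. workstation writing Modbus to a PLC
]

if __name__ == "__main__":
    for f in check_flows(SAMPLE):
        print(f"[{f.severity}] {f.conn.ts} {f.conn.src} -> {f.conn.dst}: {f.reason}")
```

On the flat-network case from the quote above, the same policy table is what you would feed an overlay (identity- or crypto-based segmentation) once you have it; until then the check at least tells you which flows the overlay must break. Note that the "VPN straight into OT" record is caught as a zone violation even though the session is encrypted, because the check looks at who connected to what, not at payload.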

Rethinking OT Security Assessments

Questionnaire-led and tool-led assessments on their own aren’t scalable or actionable. The information sits in a spreadsheet or PDF until it’s time to show what you did, but it never translates into something that actually reduces risk.

“One of the things I hate about assessments is that they’re a snapshot in time,” said Holmes. “They’re long, dry, technical documents that don’t focus on what makes the business move forward. That’s why they become shelfware.”

The alternative is a living assessment program, focusing on a few things at a time and continuously measuring progress.

“If I hand you a document with 7,000 findings, you can’t digest it. But if I could say, these are the top three priorities to maximize uptime and prioritize security for the things that move your business forward, that’s when we can take action.”

For a proper OT assessment, Holmes provided five guidelines:

  1. Start with an incident response tabletop drill led by a third party in the incident response space, such as Cybolt. Make sure it is well planned and practiced, so you’ll know whether it will work in your environment.
  2. Next is an offensive simulation (i.e., pen testing or red teaming), which isn’t done often in OT because of the risk of downtime. This isn’t a vulnerability scan but rather a simulation of a threat actor breaking into the OT space, with guidelines in place to make sure you don’t bring anything down.
  3. Make sure you have visibility into where your OT SOC and IT SOC cross from one environment to the other. Pay attention to east-west as well as north-south firewall traffic.
  4. Do a tech stack review. Focus on qualitative information over quantitative: not whether you have a firewall, but how it is working. Have we tested it? How are the rules set up? Are they tight? Are they limiting traffic?
  5. Perform a governance review to make sure your organization is following its own rules. Are you doing your maintenance windows, patching, and following SLAs?

And of course, none of this works without transparency. People can get defensive during assessments, holding their cards close to their chests, but an effective assessment is not about proving perfection or shaming imperfections.

Holmes recommends moving away from assessments based on emotions (“I feel like we’re doing a great job”), instead taking an objective look at your environment (“I know where we suck, and I know where we excel.”).

“We need to get objective on our assessments so we can start to retune focus and take an actionable step. We’re not worried about what you did or didn’t do in the past. We’re only architecting a plan to go forward.”

Conclusion

Cyber threats no longer stop at your IT network. They now extend into the physical environments that keep businesses, communities, and economies running.  

Protecting critical infrastructure requires an integrated approach that brings IT and OT security together. By aligning priorities and leveraging proven frameworks, organizations can better secure both their digital and physical environments.  

Continuous, actionable programs that balance safety, availability, and compliance are key to keeping your defenses strong over time.