The Landscape
Every enterprise should be concerned about attacks on critical infrastructure. The potential for disruption is real, the danger is clear, and the possibility of physical destruction looms large. Organizational infrastructure often relies on outdated, vulnerable operational technology (OT) platforms, and upgrading to more secure systems is often difficult or impossible.1 Compounding this issue, compensating controls are frequently either non-existent or too costly to implement and maintain.
The best way to tackle this problem is to better understand the risk organizations currently face. Fortunately, there are tools available to help organizations effectively assess risk, and these tools are continuously improving. However, organizations must significantly decrease their willingness to accept risk and strongly increase their commitment to better monitor and secure these environments. These steps must be taken now before the next major cyberattack occurs.
The Challenges
Critical infrastructure faces increasing exposure to threats due to a combination of human error and outdated technology. Both weaknesses are difficult to resolve, which makes them persistent weak points in any cyberdefense strategy. Overcoming them is nonetheless paramount to protect physical assets and ensure continuity of service. There are several challenges organizations must be aware of:
Human Error
It is widely acknowledged that humans are the weakest link in cyberdefense. Malicious actors can influence human behavior in various ways. One method is social engineering, which involves manipulating, influencing, or deceiving a victim into granting access to a computer system or disclosing personal information.2 Social engineering attacks reach staff through email, phone calls, and text messages, on workplace computers and mobile devices alike.
Human error plays the same role in creating vulnerabilities in critical infrastructure as it does in IT. Security leaders must equip employees to be part of the solution. This means training staff to recognize phishing attempts and telling them where to report them. Training and awareness for staff working directly with critical infrastructure systems is essential. It is also important to allocate time for security leaders to obtain industry certifications; maintaining the continuing professional education (CPE) credits those certifications require is a worthwhile investment.
OT Systems
OT systems, which include the hardware and software that monitor and control physical processes, devices, and infrastructure, are another source of risk. Recent attacks and near misses that exposed the vulnerability of critical infrastructure sectors have involved OT equipment. The most well-known example is the Russian threat group Sandworm's December 2015 attack on the Ukrainian power grid, in which the attackers took over the utilities' supervisory control and data acquisition (SCADA) systems to open circuit breakers, causing blackouts that affected roughly 225,000 customers. The same group returned in October 2022, this time tripping substation breakers by living off the land inside a utility's MicroSCADA environment rather than deploying custom malware.3
Legacy OT systems present challenges. A significant issue is that they are not easily upgraded, and the difficulty grows with the system's age. They were built on an operating system that was current at the time and expected to run unchanged for the life of the equipment, when few vulnerabilities were known. Most were also designed without IP networking and without security features such as authentication or encrypted protocols. As organizations later networked them, IT staff assigned IP addresses to these OT devices, and once connected they became discoverable and reachable by attackers over the same protocols used by the rest of the network. Patching is rarely a clean fix: a patch can disrupt the control logic or the device itself, and many devices lack the memory or application support to accept patches at all, making remediation prohibitively costly.
What is necessary is new hardware and OT systems capable of receiving updates. Until that is possible, compensating controls, enhanced monitoring for threat activity, and multifactor authentication (MFA) are essential. Furthermore, keeping OT devices on isolated network segments with known, fixed IP addresses is crucial: it allows access to each device to be monitored against an expected set of sources, so that anomalies such as connections from unexpected or foreign addresses attempting to gain control can be identified.
IT and OT in Physical Infrastructure
Quantifying the exact number of OT devices in operation is difficult because these devices are built on proprietary systems, their construction varies widely across industries, and many cannot be tracked by conventional IT inventory tools. In addition, organizations are constantly adding and replacing devices and sensors, exacerbating the problem. Without a centralized inventory, it is nearly impossible to know what is connected.
The integration of IT and OT systems presents unique cybersecurity challenges because devices that were typically isolated are now increasingly networked, giving an attacker who has compromised the IT environment a path into the OT environment. This means that cybersecurity measures must be tailored to the requirements of OT or the organization faces dire consequences.
Stuxnet is the canonical example of such an attack.4 Stuxnet was a sophisticated cyberweapon, widely attributed to the United States and Israel, that targeted Siemens control systems used in Iran's Natanz uranium enrichment facility. It spread through Windows hosts on the facility's IT network and crossed into the isolated control network on removable media, where it located and reprogrammed Siemens programmable logic controllers (PLCs). Once resident in the PLCs, it altered the speed of the centrifuges while reporting normal readings to operators, damaging an estimated 1,000 centrifuges.
Cost
In addition to the technical challenges and the need for guidelines and training, cost is the most significant barrier to implementing adequate security controls in critical infrastructure. The primary expense is the replacement of devices. Enterprises require modern replacements, but such products are hard to come by or do not exist. The next best option is to implement compensating controls. Because legacy OT systems cannot be patched or upgraded, compensating controls make up for the lack of a direct fix by adding 24/7 threat monitoring, MFA, and a layer of strict access control around the devices.
Organizations must comprehend the risk that exists today and engage in meaningful discussions about it, so that they do not become a bigger, more costly issue tomorrow.
Key Security Measures
Governments must fund or mandate critical infrastructure security improvements. They must finance research and development to ensure that only trusted and tested products reach the market. Quasi-government or public–private funding for research will encourage innovation and provide further guidance. One example of such a publicly funded resource is the National Vulnerability Database (NVD), which is managed by the National Institute of Standards and Technology (NIST) in the United States.5
Information sharing among critical infrastructure operators regarding threats and incidents is essential for preventing and mitigating attacks. In the United States, this information sharing is well established. The US Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) provide the most useful guidance and frameworks for securing the designated critical infrastructure sectors.6
Furthermore, organizations such as the Institute of Electrical and Electronics Engineers (IEEE), the International Society of Automation (ISA), International Electrotechnical Commission (IEC), International Organization for Standardization (ISO), European Union Agency for Cybersecurity (ENISA), and the German Federal Office for Information Security (BSI), to name a few, establish standards and best practices for OT security.
Ultimately, developing a plan for responding to and recovering from security incidents is paramount. Part of this plan includes educating employees about cybersecurity threats and best practices, ensuring that employees know what to do in the face of cyberthreats and inevitable attacks.
For added protection, organizations can invest in security information and event management (SIEM) tools and services to monitor, detect, and respond to security threats in OT environments, ensuring that the organization can respond swiftly, minimize damage, and maintain resilience in the face of evolving cyberthreats. In other words, real-time, 24/7 threat monitoring is the most effective compensating control for protecting legacy OT systems.
The good news is that newer technologies have enhanced the ability to detect and respond to threats in OT environments. For example:
- Network detection and response (NDR) for OT systems monitors network traffic for unusual patterns and protocol misuse, which helps detect real-time threats.
- Artificial intelligence (AI)-powered anomaly detection can establish an OT baseline behavior to flag subtle deviations that may indicate early-stage intrusions.
- Passive asset discovery tools automatically inventory and profile OT devices, enabling better security without disrupting sensitive systems.
These advancements give organizations the visibility needed to assess risk; however, exposure remains, because threat actors can use the same classes of tools. For example, an attacker can use AI to find and exploit vulnerabilities just as a defender can use it to identify exploitable weaknesses quickly and prevent catastrophic outcomes. Ultimately, each organization must evaluate its unique business needs to determine the most effective tools for detecting threats in OT environments. By aligning security tools with organizational risk and operational priorities, organizations can strengthen their defensive capabilities.
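To make the monitoring described above concrete, the following is an added Python example, not code from the article or from any vendor product. It shows the two ideas the section relies on: passive asset discovery (building an inventory purely from observed connections, without probing the devices) and baseline-deviation detection (flagging sources outside the control network, hosts that are not on the expected list, write commands from anything other than the engineering workstation, and services no controller should expose). The flow records, addresses, host roles, and allowlists are all constructed for the example; the Modbus function-code numbers and the ports for Modbus/TCP (502) and EtherNet/IP (44818) are the real protocol values.

```python
"""Passive OT asset inventory and allowlist-based anomaly detection.

Added illustration, not code from the article. Every flow record, address,
host role and allowlist below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample: one observed TCP connection per line, as a network
# sensor on a SPAN port might summarize it.
# Format: "<src_ip> <dst_ip> <dst_port> <modbus_function_code or ->"
SAMPLE_FLOWS = """\
10.20.1.10 10.20.5.21 502 3
10.20.1.10 10.20.5.22 502 3
10.20.1.11 10.20.5.21 502 16
10.20.1.10 10.20.5.21 502 3
203.0.113.45 10.20.5.21 502 3
10.20.1.12 10.20.5.22 502 6
10.20.1.10 10.20.5.23 44818 -
10.20.1.11 10.20.5.21 22 -
"""

# Assumed baseline for the control segment (constructed for the example).
CONTROL_NET = ip_network("10.20.0.0/16")
HMI_HOSTS = {"10.20.1.10"}           # operator HMI: read-only polling
ENGINEERING_HOSTS = {"10.20.1.11"}   # engineering workstation: may write
KNOWN_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP"}
# Modbus function codes that change controller state (real protocol values).
MODBUS_WRITE_CODES = {5, 6, 15, 16}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    fcode: Optional[int]


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated flow summary into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, fc = line.split()
        flows.append(Flow(src, dst, int(port), None if fc == "-" else int(fc)))
    return flows


def inventory(flows: List[Flow]) -> dict:
    """Passive discovery: any destination seen on an ICS port is an asset.

    Nothing is sent to the devices; the inventory comes only from traffic
    that was already on the wire, so fragile controllers are never probed.
    """
    assets = defaultdict(set)
    for f in flows:
        if f.dport in KNOWN_PORTS:
            assets[f.dst].add(KNOWN_PORTS[f.dport])
    return {ip: sorted(protos) for ip, protos in assets.items()}


def detect(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Return (alert_type, src, dst) for every deviation from the baseline."""
    allowed = HMI_HOSTS | ENGINEERING_HOSTS
    alerts = []
    for f in flows:
        if ip_address(f.src) not in CONTROL_NET:
            # Traffic from outside the isolated segment should never reach a PLC.
            alerts.append(("external_source", f.src, f.dst))
        elif f.src not in allowed:
            # In-segment host that is not an HMI or engineering station.
            alerts.append(("unknown_source", f.src, f.dst))
        if f.fcode in MODBUS_WRITE_CODES and f.src not in ENGINEERING_HOSTS:
            # Only the engineering workstation may change controller state.
            alerts.append(("unauthorized_write", f.src, f.dst))
        if f.dport not in KNOWN_PORTS:
            # A service the baseline does not expect on a controller.
            alerts.append(("unexpected_service", f.src, f.dst))
    return alerts


if __name__ == "__main__":
    observed = parse_flows(SAMPLE_FLOWS)
    for ip, protos in sorted(inventory(observed).items()):
        print(f"asset {ip}: {', '.join(protos)}")
    for kind, src, dst in detect(observed):
        print(f"ALERT {kind}: {src} -> {dst}")
```

On the constructed sample the inventory lists three controllers, and the detector raises four alerts: the Internet-routable source reaching a PLC, the unlisted in-segment host, that same host issuing a Modbus write (function code 6), and an SSH connection to a controller that the baseline says should only speak Modbus. A production NDR tool does the same thing with learned rather than hand-written baselines and with full protocol parsing, but the decision logic is this simple.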
Finding The Right Expertise
Finding IT and OT security expertise poses a significant and urgent challenge to infrastructure security. There are simply not enough IT and OT security experts available. This shortage creates a considerable obstacle, especially with the growing convergence of IT and OT systems and the rise of cyberthreats targeting critical infrastructure. Attackers can compromise OT and industrial control system (ICS) devices with unsophisticated methods such as default credentials or brute-force password attacks, gain access, and cause physical harm. The reality, however, is that there is a global shortage of more than 4 million cybersecurity professionals who could confront these dangers.7
Beyond the shortage of professionals, retaining the talent organizations already have is a significant challenge. Everyone wants to be part of a winning team and to pursue financial incentives. The tech industry is renowned for competitive salaries and benefits, so organizations must match or exceed these offerings to attract and retain skilled workers. The rapid pace of technological change requires employees to continuously learn and adapt, which can be stressful and, if not managed appropriately, lead to burnout or a search for alternative employment. Effective management and leadership are therefore crucial for fostering a positive work environment and motivating employees. When cybersecurity professionals experience poor management, the result is dissatisfaction and frequent turnover; they stay when they are given the tools needed to protect the organization effectively. By addressing managerial support and cybersecurity tool gaps and establishing guiding standards, an enterprise takes the necessary steps toward robust infrastructure security.
Conclusion
The convergence of aging IT networks with decades-old OT systems, combined with a global shortage of skilled cybersecurity professionals, is creating a perfect storm of risk for the most mission-critical infrastructure around the world. The good news is that AI-driven monitoring and detection tools are beginning to provide a layer of protection. However, these tools must be paired with skilled leadership and government support, and buttressed by clear industry standards, to become effective. Without the right tools, organizations face blind spots.
Organizations must act with urgency by investing in training, upgrading systems and implementing monitoring tools and compensating controls. It is not an optional task for organizations to protect their infrastructure; it is a matter of organizational security, public trust, and economic stability.
Endnotes
1 OT systems such as SCADA and PLCs typically run on outdated hardware and software that’s often decades old and was not designed for updates. Attempting to upgrade them could break dependencies of other connected systems.
2 Cybersecurity and Infrastructure Security Agency (CISA), “Avoiding Social Engineering and Phishing Attacks,” USA, 1 February 2021
3 Proska, K.; Wolfram J.; et al.; “Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology,” Google Cloud, 9 November 2023
4 Zetter, K.; “An Unprecedented Look at Stuxnet, the World's First Digital Weapon,” Wired, 3 November 2014
5 Fortinet, “What Is the National Vulnerability Database (NVD)?”
6 CISA, “Critical Infrastructure Sectors”
7 ISC2, 2024 ISC2 Cybersecurity Workforce Study, 31 October 2024
Greg Sullivan, CISSP
is the founding partner at CIOSO Global, LLC, specializing in cybersecurity and technology risk management. He advises clients on regulatory compliance and cybersecurity strategies, helping organizations design and implement risk-based cybersecurity capabilities. Previously, Sullivan served as senior vice president and global chief information officer at Carnival Corporation, leading global IT, innovation, and cybersecurity efforts. He also held leadership roles as CEO and CTO at Global Velocity, focusing on enterprise and cloud security.