"The oak fought the wind and was broken, the willow bent when it must and survived." - Robert Jordan, "The Fires of Heaven"
Like the willow tree, Operational Technology (OT) infrastructure faces relentless and evolving cyber threats intent on exploitation and disruption. These threats are not just potential risks but pose imminent danger that could disrupt the lifeblood of our modern society.
Recent incidents highlight the severity of these threats. In May 2024, the NSA, FBI, and NCSC-UK issued an urgent warning to OT operators about rising hacktivist activity. These groups targeted insecure OT environments with simple yet effective tactics, exploiting outdated software lacking basic controls, such as multi-factor authentication (MFA).
Underscoring this rising danger, Microsoft reported in February 2025 that a Russian-based threat actor, Seashell Blizzard, actively targeted the OT sector by exploiting vulnerabilities in IT software, particularly remote access and firewall weaknesses.
The Impact of Cyberattacks on the OT Sector
The repercussions of OT hacks are profound. According to the 2022 IBM Cost of a Data Breach report, data breaches in the OT sector cost an average of US$4.72 million per incident. However, the impact extends beyond financial loss, affecting the stability of economies and even endangering lives.
OT-related cyber-attacks can lead to widespread blackouts, destabilize economies and put lives at risk. In the next section, I will share actionable steps Chief Security Officers (CSOs) must take to identify, detect, protect, respond to, and recover from OT cyber-attacks.
Battle-Tested OT Cyber Strategies
- Perform an OT Cyber Risk Assessment
The first step is to simulate real-world OT attacks using industry frameworks such as MITRE ATT&CK for ICS to assess vulnerabilities of existing controls.
- Map threat scenarios to MITRE ATT&CK for ICS. Based on reputable threat intelligence and industry trends, identify relevant tactics, techniques and procedures (TTPs) for gaining a network foothold via spear phishing, executing malicious code or manipulating OT processes.
- Assess current controls. Map OT controls from industry standards such as IEC 62443 or the CIS ICS controls to the TTPs, and analyze the likelihood that each TTP succeeds against those controls.
- Evaluate risk. Assess the impact on revenue, operations, reputation, health and safety to derive the overall risk exposure.
- Define a remediation roadmap. Apply risk treatments based on the risk appetite and tolerances set by the asset owner for operations. Finally, define your roadmap and prioritize remedial actions for the high risks.
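The four steps above can be carried out as a small risk register. The following is an added example, not code from the article: technique ids are from MITRE ATT&CK for ICS and control references from IEC 62443-3-3 (verify both against the current versions); the scenarios, 1-5 scores, control effectiveness values and the tolerance of 9 are constructed for illustration.

```python
import math
from dataclasses import dataclass, field

# Assumption: the asset owner's tolerance on a 1-25 scale (likelihood x impact).
RISK_TOLERANCE = 9


@dataclass
class Control:
    ref: str              # IEC 62443-3-3 system requirement (assumed mapping)
    name: str
    effectiveness: float  # fraction of attempts the control is expected to stop


@dataclass
class Scenario:
    technique: str             # ATT&CK for ICS technique id
    name: str
    inherent_likelihood: int   # 1-5, from threat intel / industry trends
    impact: dict               # dimension -> 1-5 (revenue, operations, reputation, hse)
    controls: list = field(default_factory=list)

    def residual_likelihood(self) -> int:
        # Each control removes its share of attempts independently; round up so a
        # partial mitigation never scores as if it were complete.
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return max(1, math.ceil(self.inherent_likelihood * remaining))

    def impact_score(self) -> int:
        # The worst dimension drives impact: a safety impact is never averaged away.
        return max(self.impact.values())

    def risk(self) -> int:
        return self.residual_likelihood() * self.impact_score()


def build_register() -> list:
    """Steps 1-2: threat scenarios mapped to TTPs, current controls mapped to them."""
    mfa = Control("SR 1.1", "Human user identification and authentication (MFA)", 0.6)
    mail_filter = Control("SR 3.2", "Malicious code protection on mail gateway", 0.4)
    awareness = Control("(org)", "Phishing awareness training", 0.3)
    dpi = Control("SR 5.1", "Segmentation with DPI of OT protocols", 0.5)
    vpn_no_mfa = Control("SR 1.1", "Remote VPN, password only", 0.2)
    return [  # constructed scenarios
        Scenario("T0865", "Spearphishing Attachment", 5,
                 {"revenue": 3, "operations": 4, "reputation": 3, "hse": 2},
                 [mail_filter, awareness]),
        Scenario("T0883", "Internet Accessible Device (exposed SCADA)", 5,
                 {"revenue": 4, "operations": 5, "reputation": 4, "hse": 5}, []),
        Scenario("T0836", "Modify Parameter on PLC", 3,
                 {"revenue": 2, "operations": 4, "reputation": 3, "hse": 5}, [dpi]),
        Scenario("T0886", "Remote Services (vendor access)", 4,
                 {"revenue": 3, "operations": 4, "reputation": 3, "hse": 3}, [vpn_no_mfa]),
        Scenario("T0859", "Valid Accounts on HMI", 3,
                 {"revenue": 2, "operations": 3, "reputation": 2, "hse": 2}, [mfa]),
    ]


def prioritized_roadmap(register, tolerance=RISK_TOLERANCE):
    """Steps 3-4: score each scenario and list those above tolerance, worst first."""
    treat = [(s.technique, s.risk()) for s in register if s.risk() > tolerance]
    return sorted(treat, key=lambda item: item[1], reverse=True)


def accepted_risks(register, tolerance=RISK_TOLERANCE):
    """Scenarios within tolerance: accepted and kept under review rather than treated."""
    return [s.technique for s in register if s.risk() <= tolerance]


if __name__ == "__main__":
    reg = build_register()
    for s in reg:
        print(f"{s.technique} {s.name}: L={s.residual_likelihood()} "
              f"I={s.impact_score()} R={s.risk()}")
    print("roadmap:", prioritized_roadmap(reg))
    print("accepted:", accepted_risks(reg))
```

Taking the maximum impact dimension rather than an average is deliberate: a scenario that scores 5 on health and safety stays at the top of the roadmap even when its revenue or reputation impact is modest, which is the ordering an asset owner of an OT plant expects.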
- OT Cyber Foundational Controls
Once you have a clear view of the OT threats and vulnerabilities, you must apply foundational controls to strengthen your OT cyber defenses. CSOs with budget constraints must adopt these low-cost safeguards to deliver rapid value.
Category | Security Controls
---|---
Identify |
Detect |
Protect |
Respond |
Recover |
- Apply Multi-Layered Network Security
The next step in this three-pronged process is to invest in multi-layered network security solutions to automate safeguards and ensure that a breach of one layer does not result in complete compromise of the network.
- Automate discovery of OT hardware and software assets by mirroring (SPAN) traffic from OT switch ports. Prioritize remediation of exploitable vulnerabilities, such as SCADA systems exposed to the internet.
- Perform continuous, risk-based vulnerability assessments to identify exploitable weaknesses in OT systems. For example, a SCADA system exposed to the internet with known exploitable vulnerabilities is high risk.
- Apply virtual patches with intrusion prevention system (IPS) signatures and deep packet inspection (DPI) of OT traffic such as Modbus, DNP3, OPC-UA and IEC 104 for malicious commands. Virtual patching reduces downtime risk by avoiding emergency patches on critical OT systems, blocks zero-day exploits before OEM patches are available, and protects legacy OT systems that are past end of support.
- Segment IT and OT networks, internal OT networks and between field devices like PLCs (micro-segmentation) with firewall policies. Firewall policies operate at Layer 3 (L3) and above as opposed to Layer 2 (L2) in VLANs, which are vulnerable to spoofing.
- Replace VPNs with Zero Trust Network Access (ZTNA), MFA and user activity monitoring. ZTNA grants users and devices time-bound secure remote access to a single OT system, such as SCADA, without exposing the underlying system and network, effectively reducing the attack surface.
- Regulate data transmission with unidirectional gateways. These gateways contain data diodes to allow outbound data flows, such as remote monitoring of turbines, but prevent inbound malicious traffic from reaching critical OT systems. Deploy bidirectional gateways where time-based remote access from SCADA to PLCs is required.
- Ingest critical system logs into the Security Information and Event Management (SIEM) platform for visibility, alerting on active attacks, and incident response.
- Deploy deception solutions to emulate OT systems and draw attackers to these decoys and away from production systems.
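The DPI, segmentation and SIEM points above come together in a single inspection step at the IT/OT conduit. The following is an added example, not code from the article or any product: a minimal Modbus/TCP inspector that validates the MBAP header, classifies the function code, checks a write against a constructed per-PLC list of permitted writers (the engineering workstation), and emits a JSON record for the SIEM. The addresses, policy and frames are constructed; the function codes are from the Modbus specification.

```python
import json
import struct

# MBAP header: transaction id, protocol id (always 0), length, unit id.
MBAP = struct.Struct(">HHHB")

# Function codes that change process state. Diagnostics (8) is included because
# its sub-functions can restart communications or force listen-only mode.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    8: "Diagnostics",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

# Assumption (constructed): PLC address -> hosts permitted to write to it.
# Every other host, including the HMI, is read-only from the conduit's view.
WRITE_POLICY = {"192.168.10.5": {"192.168.10.50"}}


def parse_frame(frame: bytes) -> dict:
    """Decode MBAP + function code; raise ValueError on anything non-conformant."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("truncated MBAP header")
    tx, proto, length, unit = MBAP.unpack_from(frame, 0)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # Length counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} != {len(frame) - 6} bytes on wire")
    return {"transaction": tx, "unit": unit, "function": frame[7], "data": frame[8:]}


def inspect_modbus(frame: bytes, src: str, dst: str, policy=WRITE_POLICY) -> dict:
    """Return an event with verdict 'allow' or 'alert' and the reason."""
    event = {"src": src, "dst": dst, "protocol": "modbus/tcp"}
    try:
        pdu = parse_frame(frame)
    except ValueError as exc:
        # Malformed frames never reach the PLC; they are also a common fuzzing sign.
        return {**event, "verdict": "alert", "reason": f"malformed frame: {exc}"}
    event.update(unit=pdu["unit"], function=pdu["function"])
    name = WRITE_FUNCTION_CODES.get(pdu["function"])
    if name is None:
        return {**event, "verdict": "allow", "reason": "read-only function"}
    if src in policy.get(dst, set()):
        return {**event, "verdict": "allow", "reason": f"{name} from permitted writer"}
    return {**event, "verdict": "alert", "reason": f"{name} from unauthorized host"}


def to_siem_line(event: dict) -> str:
    """One JSON object per line, the shape most SIEM collectors ingest directly."""
    return json.dumps(event, sort_keys=True)


# Constructed sample traffic: (frame, source, destination PLC).
SAMPLE_TRAFFIC = [
    (bytes.fromhex("00010000000601030000000a"), "192.168.10.20", "192.168.10.5"),  # HMI read
    (bytes.fromhex("0002000000060106001000ff"), "10.0.5.23", "192.168.10.5"),      # IT-side write
    (bytes.fromhex("0002000000060106001000ff"), "192.168.10.50", "192.168.10.5"),  # EWS write
    (bytes.fromhex("00030001000601030000000a"), "10.0.5.23", "192.168.10.5"),      # bad proto id
    (bytes.fromhex("0004"), "10.0.5.23", "192.168.10.5"),                          # truncated
    (bytes.fromhex("000500000006010800010000"), "192.168.10.20", "192.168.10.5"),  # HMI diag
]


def run_sample() -> list:
    return [inspect_modbus(frame, src, dst) for frame, src, dst in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for ev in run_sample():
        print(to_siem_line(ev))
```

The policy is keyed by destination PLC rather than by source, so a host that is a legitimate writer for one PLC is still blocked from writing to its neighbours, which is the micro-segmentation between field devices described above. In a real deployment the same check would run on the conduit firewall's DPI engine and the alert lines would be shipped to the SIEM.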
Apply Strategies with Urgency
The OT sector faces formidable cyberthreats fueled by escalating geopolitical tensions, regulatory pressures, increasingly converged digital and physical worlds and publicly accessible cyberattack tools. Those who neglect cybersecurity expose their organizations and the industry to severe risks that could destabilize economies, cost millions and endanger communities.
CSOs who apply these proven strategies with urgency and intent will benefit from resilient OT operations resembling the willow tree, which bends but does not break in the face of evolving cyber threats.