Industrial and critical infrastructure operations are leveraging digital transformation to boost productivity and cost efficiency through automation and real-time, data-driven decisions. This drive for innovation has increased interconnectivity between IT and operational technology (OT), but it has also expanded the cyber-attack surface, giving threat actors new paths to infiltrate and disrupt industrial operations and critical infrastructure.
In January 2024, attackers abused a weak, unauthenticated legacy OT protocol to send malicious commands to the controllers of a district heating utility in Lviv, Ukraine. The attack, which has been attributed to a state-sponsored group, left about 600 apartment buildings without heat and hot water for roughly 48 hours in sub-zero temperatures.
In May 2024, the USA, UK, Australia, Canada, and New Zealand issued a joint advisory about Volt Typhoon, a state-sponsored campaign that had quietly gained and maintained persistent access to critical infrastructure (CI) networks, pre-positioning itself to disrupt essential services in a future crisis and undermine national security.
According to Check Point Research, attacks on critical infrastructure in the USA alone rose 70% in 2024 compared to the same period in 2023. Microsoft observed the same trend, reporting a spike in attacks on internet-exposed, poorly secured OT devices from late 2023 onward.
These incidents, and many others, show that cyber-attacks on OT and CI can directly and severely affect human safety, the environment and national security.
But why have threat actors turned their eyes toward critical infrastructure? There are three major reasons:
- High stakes
State-sponsored cyber threat actors are the main culprits here. Often acting as proxies for adversary nations, these highly coordinated groups are motivated by more than financial gain and view critical infrastructure as a strategic target for achieving geopolitical and ideological objectives.
- Immature security practices
OT systems are designed for specialized operations and often lack fundamental security features such as authentication, patching, encryption and endpoint protection. Integrating IT and OT networks exposes these basic systems to advanced threats they were never built to withstand, which makes them the classic path of least resistance for threat actors.
- Disparate technologies and communication stack
OT devices have far less memory and processing power than IT systems, and they communicate over specialized protocols that were designed without security in mind. Both factors prevent them from running IT-style security controls, which further weakens their security posture.
According to Fortinet, 73% of OT and CI organizations faced cyber intrusions in 2024, up from 49% in 2023, despite increased legislative oversight.
The key question is: What must organizations do differently?
Strategies to Secure OT and CI Against Cyber Threats
Securing OT and CI requires a strategic approach that balances innovation, risk and business needs. Here are proven strategies for building a practical, cross-functional OT cybersecurity function:
- Tailor OT cybersecurity strategy to your unique environment.
IT security is generally more mature than OT security. As a result, many cybersecurity teams simply replicate IT controls across OT environments. However, applying IT-focused controls such as routine patching or encryption can disrupt essential operations (a forced reboot of a controller, or encryption that a legacy device cannot handle) and create new risks. Recognizing the differences between IT and OT is the bedrock of an effective OT cybersecurity strategy.
- Priorities: OT prioritizes availability and safety, while IT mainly focuses on confidentiality. Security measures that require reboots or restrict software may be unsuitable for OT.
- Risk Impact: OT risks must be addressed using the SFAIRP (So Far As Is Reasonably Practicable) concept, which means that all reasonably practicable steps have been taken to eliminate, or where elimination is not possible minimize, safety and environmental risks. In contrast, IT risk, which is primarily financial, may simply be accepted if it falls below the organization's risk tolerance.
- Technologies: OT systems differ from IT systems, limiting the applicability of IT-focused controls in the OT environment.
Acknowledging these differences prevents the wholesale replication of IT approaches across OT. Cyber leaders can draw on OT-specific frameworks such as IEC 62443 and NIST SP 800-82 (Guide to Operational Technology (OT) Security) to determine the best practices applicable to their environments.
- Ensure strategic alignment with business goals.
Successful OT cybersecurity requires alignment with core business goals.
- Industry-specific considerations: For instance, aviation cybersecurity strategy must support safety and reliability requirements and cater to the operating regions’ legislative obligations, covering infrastructure within the airport premises and remote air traffic control towers hundreds of miles away.
- Geographical considerations: In SCADA operations such as utilities, energy, or rail, the OT cybersecurity strategy must address people, processes and technology across decentralized facilities. In contrast, the strategy for a Process Control System (PCS) operation, such as in the manufacturing industry, may only need to address a single facility.
- Collaboration: Engage with business stakeholders in planning and executing the strategy to ensure alignment and gain the support required for success.
- Leverage the strengths and address the weaknesses of cross-functional teams.
Effective cybersecurity in industrial environments requires collaboration among OT, IT and cybersecurity teams. Leveraging their strengths ensures sustainable initiatives. Fail to create a unified vision, and you will have teams pulling in different directions.
Strengths to Leverage:
- Diverse Expertise: Utilize OT, IT and cybersecurity professionals’ combined knowledge to address OT/IT convergence challenges.
- Collaborative Decision-Making: Promote communication across boundaries and silos to establish alignment between operational and cybersecurity priorities.
Weaknesses to Address:
- Distinct Cultures and Skills Gaps: Establish standardized terminology, regular cross-training and role shadowing to transfer skills and bridge the cultural gap between OT, IT and security teams.
- Competing Priorities and Resource Constraints: Establish transparent governance, defined roles, prioritized goals and shared vision to align objectives and create efficiencies.
- Establish processes for comprehensive asset and risk awareness.
Limited asset visibility and legacy infrastructure pose significant OT risks. Three simple but powerful strategies mitigate them.
- Implement Asset Visibility: Use automated tools to track and categorize OT assets by criticality, and incorporate OT professionals' historical knowledge for accurate mapping. Deploy tools cautiously: prefer passive monitoring (a SPAN port or network tap) and use active queries only for devices and protocols known to tolerate them, after testing outside production. Tools from Tenable, Nozomi Networks, Forescout, or Claroty support both passive and active discovery and avoid operational disruption when properly configured.
- Conduct Risk Assessment: Thoroughly evaluate threats and vulnerabilities across OT systems. The IEC 62443-3-2 risk assessment process (zones, conduits and target security levels) may be adopted for complete OT asset risk awareness.
- Address Legacy Infrastructure: Legacy systems lack the controls required for modern cyber defense and frequently cannot be patched at all. Mitigate this risk through compensating controls, including:
- Isolation: Place legacy systems in their own network zone so that a compromise elsewhere cannot reach them directly.
- Access controls: Limit access to essential personnel using logical and physical measures.
- Virtual patching: Put an OT-aware firewall or IPS in front of the unpatchable system and block the traffic that would exploit it (unexpected sources, protocol functions or payloads) before it reaches the device.
- Implement network segmentation and zero trust capabilities.
Strong network security in OT/ICS environments reduces the impact of a cyber-attack by isolating systems according to function and sensitivity, separating legacy infrastructure from the wider network, and reducing the likelihood and spread of a compromise.
- Design the OT architecture using the zones-and-conduits model of IEC 62443-3-2, the Purdue Model, and CISA Zero Trust guidance, so that every permitted flow between zones is explicit and everything else is denied.
- Focus first on critical assets and on legacy assets with poor security controls.
- Treat every connection that crosses the primary ICS boundary as remote, and enforce it at the network boundary (for example, through a DMZ or a jump host) rather than trusting it because of where it originates.
- Adopt security monitoring and detection.
OT network communication patterns are deterministic: the same hosts poll the same controllers with the same protocol functions, and they rarely deviate from that norm. Leverage this by baselining normal traffic so that continuous monitoring can detect a cybersecurity incident early, when a new host, a new conversation or an unexpected write command appears.
- Use OT-aware IDS/IPS, EDR where the endpoint can support it, and passive network sensors for continuous monitoring.
- Enhance detection with AI-powered analytics for pattern identification and anomaly detection.
- Utilize cost-efficient and specialized 24/7 Managed Detection and Response (MDR) services.
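As an added example (not code from the article or its author), the following Python script shows how the segmentation and monitoring points above combine in practice: the deterministic traffic of an OT network is baselined during a known-good learning window, and a zones-and-conduits policy is checked on the same data. It parses Modbus/TCP request frames (the MBAP header plus the function code), which is the relevant case because Modbus carries no authentication, so the only ways to catch an unauthorized write are knowing who normally writes and where traffic is allowed to flow. The hosts, zone map, conduits and frames are constructed for this example; the MBAP layout and function-code numbers follow the Modbus/TCP specification.

```python
"""Baseline-plus-conduit detection over Modbus/TCP traffic.

Added example, not code from the article. Hosts, zones, conduits and frames
are constructed; the MBAP layout and function codes follow Modbus/TCP.
"""
import struct
from dataclasses import dataclass

MODBUS_PORT = 502
# Function codes that change process state (write coils/registers). A write from
# an unexpected source is exactly what an OT-aware sensor most needs to catch.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # start of the TCP payload, i.e. the Modbus/TCP frame


def modbus_frame(unit: int, fc: int, data: bytes, txid: int = 1) -> bytes:
    """Build a Modbus/TCP request: MBAP header followed by the PDU (function code + data)."""
    pdu = bytes([fc]) + data
    # MBAP: transaction id (2), protocol id (2, always 0), length (2) = unit id + PDU, unit id (1)
    return struct.pack("!HHHB", txid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(payload: bytes) -> tuple[int, int]:
    """Return (unit_id, function_code) from a Modbus/TCP frame after validating the MBAP header."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _txid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return unit, payload[7]


def learn_baseline(flows: list[Flow]) -> set[tuple[str, str, int, int]]:
    """Learning window: record every (src, dst, unit, function) conversation seen while the plant is known-good."""
    return {(f.src, f.dst, *parse_modbus_tcp(f.payload)) for f in flows if f.dport == MODBUS_PORT}


def detect(flows, baseline, zones, allowed_conduits):
    """Monitoring window: flag conduit violations and conversations that deviate from the baseline."""
    findings = []
    for f in flows:
        if f.dport != MODBUS_PORT:
            continue
        unit, fc = parse_modbus_tcp(f.payload)
        src_zone = zones.get(f.src)
        dst_zone = zones.get(f.dst, "unknown")
        if src_zone is None:  # a host that is not in the asset inventory at all
            findings.append(("high", f"unknown host {f.src} speaking Modbus to {f.dst}"))
            continue
        if src_zone != dst_zone and (src_zone, dst_zone) not in allowed_conduits:
            findings.append(("high", f"conduit violation {src_zone} -> {dst_zone} ({f.src} -> {f.dst})"))
        if (f.src, f.dst, unit, fc) in baseline:
            continue  # deterministic traffic: same talker, same target, same function
        if fc in WRITE_FUNCTIONS:
            findings.append(("critical", f"unbaselined write (function {fc}) from {f.src} to {f.dst} unit {unit}"))
        else:
            findings.append(("low", f"new conversation {f.src} -> {f.dst} unit {unit} function {fc}"))
    return findings


# Constructed Purdue-style zone map and the conduits the architecture permits.
ZONES = {
    "10.1.0.10": "L3-enterprise",  # historian on the IT side; must not talk to PLCs directly
    "10.2.0.5": "L2-hmi",
    "10.2.0.6": "L2-engineering",
    "10.3.0.20": "L1-plc",
    "10.3.0.21": "L1-plc",
}
ALLOWED_CONDUITS = {("L2-hmi", "L1-plc"), ("L2-engineering", "L1-plc")}

READ_HOLDING = modbus_frame(1, 3, struct.pack("!HH", 0, 10))  # read 10 holding registers from address 0
WRITE_SINGLE = modbus_frame(1, 6, struct.pack("!HH", 40, 2500))  # setpoint write the HMI performs routinely
WRITE_MULTI = modbus_frame(1, 16, struct.pack("!HHB", 0, 1, 2) + b"\x00\x00")  # write multiple registers

# Constructed traffic: a known-good learning window, then a monitoring window containing incidents.
LEARNING_FLOWS = [
    Flow("10.2.0.5", "10.3.0.20", 502, READ_HOLDING),
    Flow("10.2.0.5", "10.3.0.21", 502, READ_HOLDING),
    Flow("10.2.0.6", "10.3.0.20", 502, READ_HOLDING),
    Flow("10.2.0.5", "10.3.0.20", 502, WRITE_SINGLE),
]
MONITOR_FLOWS = [
    Flow("10.2.0.5", "10.3.0.20", 502, READ_HOLDING),  # routine polling: silent
    Flow("10.1.0.10", "10.3.0.20", 502, WRITE_MULTI),  # IT host writing registers straight into a PLC
    Flow("10.2.0.6", "10.3.0.21", 502, READ_HOLDING),  # permitted conduit, but a conversation never seen before
    Flow("192.168.50.99", "10.3.0.21", 502, READ_HOLDING),  # host nobody has inventoried
]

if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_FLOWS)
    for severity, message in detect(MONITOR_FLOWS, baseline, ZONES, ALLOWED_CONDUITS):
        print(f"[{severity}] {message}")
```

Run as a script, the monitoring window yields four findings: the enterprise-side host writing registers into a PLC is both a conduit violation and an unbaselined write, the engineering workstation's new read is logged at low severity because its conduit is permitted, and the uninventoried host is flagged outright. The same allow-list, enforced inline by an OT-aware IPS rather than merely alerted on, is the "virtual patching" compensating control described earlier for legacy devices.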
- Establish plans for operational resiliency.
OT environments have little tolerance for downtime because they must continually deliver critical services.
- Guided by Business Impact Assessments (BIA), implement redundancies, backups and failover mechanisms.
- Develop tailored Disaster Recovery (DR) and Business Continuity Plans (BCP).
- Regularly test plans to ensure readiness and quick recovery during a cyber incident.
Tailored Strategies Urgently Needed
Cyber threats significantly affect Operational Technology (OT) and Critical Infrastructure (CI) assets, leading to safety risks, environmental damage, essential service interruptions and national security threats. Organizations and government agencies must implement tailored strategies to protect critical assets, preserve the resilience of essential services, ensure community safety and safeguard national security.
About the author: Ope Ajibola is a cybersecurity thought leader specializing in advancing critical infrastructure resilience for government and private organizations. He advises senior leaders on strategic approaches to counter emerging cyber threats while driving cybersecurity transformation initiatives. Renowned for his insights into operational technology and critical infrastructure security, Ope actively shapes industry dialogue through ISACA, AISA, and the Cyber Leadership Institute, where he was a finalist in the prestigious Cyber Strategy and Transformation Competition.