May 15 2026
Security

Why OT Security Is Paramount for the Future Health of Enterprises

Securing the operational technology vital to many organizations requires a shift from reactive patching to proactive management.

At the end of 2025, a Google Cloud cybersecurity forecast highlighted the continued targeting of industrial control systems and operational technology by malicious actors into the new year.

The report discussed the threat of ransomware impacting critical software, such as enterprise resource planning systems, that would hamper data movement for OT operations. It also noted that poor security hygiene, such as unsecured remote access, and nation-state attacks would continue to threaten OT networks. 

Previously, OT systems were thought of as stand-alone environments with limited capabilities. Now, as systems become more interconnected, the Internet of Things proliferates and connection points into cloud-based solutions and tools become powered by artificial intelligence, there’s growing concern about OT as an entry point to even more valuable assets.


“The hardest part about an OT environment is its size and scale of uniqueness. A single manufacturing warehouse could have thousands of little OT components serving different functions, and each one could be an attack surface,” says Patrick Perry, public sector field CTO at Zscaler.

It’s crucial that enterprises understand their OT systems and shift toward a more proactive mindset when it comes to securing them. Otherwise, the financial losses and operational disruptions can be devastating. 

Common Hurdles in Securing OT Environments 

Perry notes that OT systems are not as mystifying as people may think. It doesn’t help that many organizations struggle with complete knowledge or visibility of their OT environments. 

Organizations must improve training and education to foster a level of comfort in understanding how an OT architecture works in a modern-day enterprise and how it integrates with the larger IT ecosystem, Perry says: “’How do I manage it? How do I control it? And, more important, how do I assess if it’s doing something wrong?’” 

Misguided architecture is another common issue for OT systems. Sometimes, organizations think a solution that comes out of a box with 15 components requires all components to function within the greater enterprise system, making assumptions that don’t fit with the reality of operational needs today. 

That can be particularly detrimental given the legacy architecture present in some environments. 

“In legacy OT environments, where patching is difficult, the most impactful step is to address cybersecurity fundamentals and hygiene, such as securing misconfigured identities, removing default passwords and implementing robust authentication,” says Meir Asiskovich, senior director of OT security at Tenable.

The Importance of a Zero-Trust Security Foundation 

Despite the complexities of these interconnected systems, Perry says, there are familiar standards and frameworks that organizations can and should rely on. 

“If I could completely rearchitect a security architecture for an organization that had everything — whether it’s OT, IT, people and machine entities, AI, all of that kind of stuff — I still am grounded in the concepts of zero trust. That’s where I would start,” he adds. 

Of course, zero trust is just the starting point. Organizations should work to reduce their attack surface and understand that every part of the environment, no matter how small or seemingly irrelevant, needs to have a form of identity that can be managed.

“What I boil it down to is, how do I optimize threat defense? How do I optimize access of the data that it's moving? How do I optimize the logging and analytics of that system to be able to react faster? This informs me on how I’m mitigating risk concerns,” Perry says. 

Rethinking Access Management With Nonhuman Identities 

The management of nonhuman identities is a growing area of concern for IT environments, and it presents questions for OT as well. 

“The foundation of your zero-trust architecture is your identity management program,” Perry says. “At times, OT systems can have little wiggle room to put things like a machine certificate on in order to provide it a unique identity. You have to get creative with many methods for coupling unique attributes to form an identity. But it may not be repeatable across many things, which can turn into an administrative burden.” 

The solution, however, is not to treat these particular aspects of OT environments as a problem to solve another day. Instead, eliminate attack surfaces and lateral movement while improving visibility into these systems.

Asiskovich points to recent Tenable research that found that “52% of nonhuman identities, including AI agents, hold critical excessive permissions, compared with 37% for humans, while 49% of identities with critical-severity excessive permissions are dormant. Identities pose a major threat if left unchecked.” 

He says that becoming an “identity-first organization” is crucial for enterprises across industries. 

“By treating nonhuman identities as critical assets and eliminating permanent access, organizations can maintain security across environments, not just OT environments,” Asiskovich says. 

What Does a Resilient OT Environment Look Like? 

Undergirding all of these concerns is the push to move OT security from a reactive patching posture to a proactive, continuous assessment approach.

“Know your attack surface, limit it and then harden it. It’s that simple. That’s where I would start — period,” Perry says. “Then, I would fine-tune how to understand who accessed what, and how I controlled it and how to fine-tune my analytics so I can respond extremely fast when something is abnormal. It’s why I always focus on threat defense, access management, and visibility and analytics. This is modern defense in depth.” 

Asiskovich adds, “Ultimately, a mature program integrates deep situational awareness with consistent cyber hygiene to stay ahead of adversaries that continue to exploit the interconnected nature of modern cyber-physical environments.”
