Overcoming OT Security Challenges and Complexities
The convergence of operational technology (OT) and traditional IT systems has transformed modern supply chains, bringing unprecedented efficiency but also introducing new vulnerabilities.
As organisations increasingly digitise their operations, the distinction between physical and digital infrastructure continues to blur, creating complex security challenges that demand innovative solutions.
Recent high-profile incidents have highlighted the critical nature of these risks. The Colonial Pipeline attack in 2021 demonstrated how cyber breaches in operational technology can paralyse essential infrastructure and disrupt entire supply networks. With the growing adoption of Internet of Things (IoT) devices, cloud platforms and smart sensors, supply chain leaders face mounting pressure to secure their operations while maintaining efficiency.
Industry experts warn that traditional cybersecurity approaches may no longer suffice. The integration of legacy systems with modern digital platforms, coupled with an expanding ecosystem of third-party partnerships, requires a fundamental rethinking of security strategies. This challenge is particularly acute in sectors dealing with critical infrastructure, where system failures can have far-reaching consequences.
The evolution of OT security
The role of operational technology in supply chains has expanded dramatically, creating new imperatives for security and monitoring.
These systems, often responsible for critical infrastructure, require specialised protection against emerging cyber threats.
Manu Gopeendran, Industry Analyst and SVP Strategy and Marketing at MetricStream, emphasises the vulnerability of OT systems to cyber attacks. "Monitoring these systems is imperative because cyber hacks or attacks can immobilise important infrastructure – such as water plants or energy processing systems – and therefore supply chains."
The challenge is compounded by the prevalence of legacy systems.
Manu continues: “Often, these systems are run by legacy hardware and software and can be brought down by simple missteps such as insider access – outdated employee credentials, for example – or out-of-date software that creates simple access for hackers.”
OT assets are involved across the entirety of the physical supply chain. This might include assets in the production line that create products, the vehicles that move those products to where they are needed and, potentially, telemetry and data from the products.
"Getting data together can make your supply chain more efficient, as you can understand where your products are in demand and manage your shipping and supply lines to be more efficient,” explains Matt Middleton-Leal, Managing Director EMEA at Qualys. “You can be more profitable by responding to changes in market demand faster. All these decisions rely on data from your network of OT assets.”
However, this connectivity inevitably introduces new risks. Connecting OT assets that weren’t initially designed to be on the Internet can cause significant issues.
“Once you start getting that data, there is a potential route back to those machines that can be exploited,” Matt goes on. “This is particularly problematic when you have older assets in place that are potentially out of date and don't have security fixes for any problems.”
Integration challenges and solutions
Integrating legacy OT systems with modern, cloud-based platforms presents one of the most significant obstacles facing supply chain leaders today.
This combination of technologies old and new creates unique security considerations that require careful management.
Manu lists some of the key challenges:
- Legacy systems: As mentioned, OT systems often run on legacy technology not designed with cybersecurity in mind and may have proprietary protocols or older standards that lack sufficient encryption or authentication. In addition, updating these with patches and software upgrades often has not been a priority.
- Different priorities: OT networks prioritise always-on availability and uptime, whereas IT systems prioritise data safety and confidentiality. This can create potential for increased attack points.
- Different standards: IT systems use standards such as NIST CSF, among others. OT systems may follow industry-specific standards, which makes it more complex to create cybersecurity controls.
- Lack of cross-domain training: IT security experts are not trained on OT cybersecurity and vice-versa. Finding the combined skillset or cross-training can be a challenge.
The disparity in development cycles between OT and cloud systems further complicates integration efforts, as Matt details: “The development models for OT assets and modern cloud-based applications are completely different. Those legacy assets would be updated infrequently, maybe once or twice a year. For a cloud application, developers can push changes constantly.
“While some companies might update their cloud apps every week, some will push updates every hour. That is a completely different model for running those systems.”
Ultimately, leaders want to obtain a view over all the assets in their operations, whether they are decades-old systems or the very latest software containers that exist for minutes at a time.
Matt adds: “It’s impossible to secure assets you don’t know about.”
Managing third-party risk
As is well documented, the security of supply chains extends far beyond an organisation's immediate operations, encompassing a complex network of third-party relationships.
These include suppliers, contractors, vendors and beyond, with each presenting potential vulnerabilities.
Manu believes a robust third-party risk management programme is a “must-have” and should involve identification of critical suppliers and deep due diligence on suppliers during the onboarding process – including assessment of their cyber risk posture.
He also recommends ongoing monitoring for changes to cyber risk, contractual notification of cyber events and the timely offboarding of suppliers to prevent use of credentials.
"Risk management must be proactive – not reactive,” insists Manu. “Annual or quarterly assessments are not sufficient. Ongoing monitoring and timely action is a must.”
Matt advocates a systematic approach to third-party risk assessment, beginning with an examination of third-party applications and how they are used.
Of course, some of these will be essential to specific teams, while others will be more important to the wider business.
Regardless of the application, Matt contends: “Where you provide access to third parties into your network, or where you bring third party services into your applications, you should carry out a risk assessment. As part of this, you should complete risk questionnaires with your suppliers and ensure they have effective security policies in place for their staff.”
Regular review and verification of third-party security measures is also a key consideration.
“This exercise is something you should carry out annually, so you can demonstrate you’re tracking this with your partners or service providers,” Matt continues.
IoT and smart supply chain security
The proliferation of IoT devices and sensors in smart supply chains introduces additional layers of security considerations.
These devices, often controlling critical systems, require careful monitoring and management to prevent breaches.
Emphasising the high stakes involved, Manu explains: “Often, IoT devices control not just information but also human life – think pacemakers, building heating.
“Organisations need to adopt a comprehensive programme comprising documented policies and procedures, assessment of compliance requirements, regular risk assessments and employee training.”
Physical security remains a crucial consideration when it comes to implementation of sensors or IoT devices.
Matt insists a series of key questions must be asked: “Are they hardened against attacks? Do they have open ports or access points that a determined attacker can get to? What would happen if someone really did want to take something apart?
“This kind of threat modelling can help everyone understand the potential risks and see if defending against them across your supply chain environment is realistic.”
Matt also raises communication as a sticking point, especially between teams across the business.
He says: “Getting these teams talking effectively is where a CISO can have the most impact, enabling everyone to understand their goals and ensure security is in place beforehand, rather than scrambling to add security after decisions have been made.”
Future considerations
As supply chains continue to evolve, the balance between security and operational efficiency remains a critical concern.
Manu offers a straightforward, four-step plan that organisations should adhere to in the event of a supply chain cyber attack occurring:
- Notify authorities and customers
- Stop or contain the damage
- Investigate the breach
- Activate your incident response plan
“Critical supply chain infrastructure attacks, like potential attacks on power grids leading to widespread blackouts or water supply attacks, are both terrifying and real,” Manu asserts.
“These steps assume you have a cyber resilience plan, including a communications plan. Reputations and businesses can be broken by cyber attacks, so the time to act is before an attack happens.”
Matt admits that, from a security perspective, managing risk across environments is far from easy.
“One must consider how important legacy OT assets are to the business,” he says. “They are probably responsible for driving revenue and making changes may necessitate taking the system offline to carry out updates.
“From a risk perspective, going through potential challenges and risk opportunities with the board is essential. Mitigating risks is a business decision – not just an IT or technology decision.”
For CISOs and security leaders, being able to put real-world financial data together on risks and impact will help the business leadership team make more effective decisions around risk.
Manu ends with a profound assessment: "Cybersecurity measures can't be so punitive that they shut down businesses, but cyber attacks are a real fact of life.
“Operational resilience must be balanced with operational efficiency. Building a culture of cybersecurity awareness, following security standards and implementing a robust cyber risk management programme are essential protection steps.”
Supply Chain Digital is a BizClik brand