OT Devices: 5 Ways IoT and OT Security Falls Short

OT (Operation Technology) devices use software and hardware to monitor, manage and control physical devices and related processes. OT devices as a security system according to Gartner is a set of “practices and technology used to (a) protect people, assets, and information, (b) monitor and/or control physical devices, processes and events, and (c) initiate state changes to enterprise OT systems.” The key difference between IT and OT devices is that IT controls data while OT controls equipment.

Despite advances in internet of things (IoT) and operational technology (OT), we often see the same types of security issues that we’ve long seen in traditional IT environments: malware, lateral movement, DDoS (distributed denial of service) attacks, and the like.

But today, these are often tied to mission-critical systems for most organizations. This is especially true for OT, where the financial and operational implications can be huge. Manufacturers rely on the supply chain operating at peak efficiency, and any breakdown could mean the difference between delivering on schedule and incurring penalty costs.

Picture a production line in a typical manufacturing operation. To bring the factory to a grinding halt, all it would take is for one of the systems controlling one part of the process to be compromised. Remember, these sorts of cyber-kinetic attacks – where an attack in the digital space affects something in the physical world – can bring real physical danger into the equation as well. For example, overriding security controls or safeguards, causing machines to not only become unresponsive but to break down could result in huge productivity losses, as well as the potential for bodily harm.

Below are five significant ways IoT and OT systems are at risk:

1. Lack of Visibility Visibility is central to the security of both OT and IoT. Many organizations don’t realize the volume or variety of devices they have connected to their networks, the nature of those connections, or the condition of the security built around them. The old maxim “you can’t protect what you can’t see” holds true for IoT devices.
2. Poor Patch Management Even when organizations account for the IoT devices in their environment, they don’t always manage them appropriately. For example, IoT and OT devices aren’t always included in patching and maintenance plans, leading to poor security hygiene. One study published by the HIPAA Journal in January 2022 found that half of medical IoT devices have known but unpatched vulnerabilities.
3. Insecure Software and Firmware In some cases, software and firmware vulnerabilities in IoT and OT devices can be inherent to the devices themselves, despite the best efforts of those administrating the systems. In the case of IoT, there can be a lack of built-in security capability and access control in the devices themselves, limiting the options for security teams. If IoT devices without basic hardening capabilities aren’t placed within a properly segmented network, they can be particularly open to attack—doubly so if combined with the lack of visibility described above. In OT environments where uptime is critical, companies are often hesitant to change systems that have worked in the past. This has led to controller systems running on outdated hardware and software, creating huge vulnerabilities difficult for security teams to manage. Consider the fact that medical IoT (or MIOT) devices are certified according to specific standards, and often can’t be changed in any way during their life span, which could be 10 years or more.
4. Account and Password Mismanagement Failures in device management and security hygiene principles aren’t limited to a lack of patching and updating. Account management has also been an issue. Hackers recently breached thousands of security cameras deployed across multiple companies, jails, hospitals, and other organizations after finding administrator account credentials for the third-party company that provided the cameras publicly exposed on the internet. From there, in some cases the attackers were able to move laterally and gain access to other areas of the corporate networks within these organizations.
5. Weak and Inconsistent Monitoring Historically, IoT and OT devices have been difficult to monitor with SIEM tools. Traditionally cybersecurity tools have also usually lacked detection capabilities for the attacks faced by IoT and OT devices. This tends to lead to these devices being monitored by a secondary system, checked manually, or not monitored at all.

Operational Constraints Affecting IoT and OT

With IoT devices often connected directly to the internet—sometimes via third-party cloud services—they’re inherently vulnerable to hacking and cyberattacks. In addition, relying on cloud-based services for data storage and processing can lead to service outages and data loss.

With OT systems, the operational constraints vary widely. At the highest level, the need for extremely high reliability and availability is key. Many OT control systems run on outdated operating systems and hardware simply because they work. Operators are very reluctant to take a chance on a new update, causing a problem in the operation. OT security providers need to be sensitive to this. It’s critical to employ passive monitoring to avoid interrupting or disrupting the operation of OT systems.

Additionally, OT systems and equipment need high levels of interoperability between them, enabling monitoring and controlling of those systems in real time, while maintaining the flexibility and scalability needed for the business.

One of the main considerations in terms of the differences between IoT and OT is that companies are less likely to have extensive Dev/Test environments for OT. This poses yet another reason businesses are so hesitant to disrupt their production environment at all.

But where do organizations go from here? Watch for my upcoming post where I’ll discuss where to start with security for IoT and OT. And if you missed the first blog in this series, check out Why You Should Care about IoT and OT.