
The Critical Importance of OT Security And How NDR Might Help

Operational Technology (OT) has remained in a state of blissful obscurity for decades. Now, however, attackers are waking up to the reality that many OT systems are outdated, unprotected, and used to control some of the most critical pieces of infrastructure on the planet. This article sets out why OT security now demands attention, and examines how far Network Detection and Response (NDR) can help.

How Important is OT, Anyway?

OT makes the world go round. The category covers programmable logic controllers (PLCs), remote terminal units (RTUs) and the wider family of industrial control systems (ICS): the automation that lets factories, warehouses, utilities and other industrial operators monitor and control physical processes.

To give a simple example of OT, let’s break apart an everyday dishwasher. When you press the input button on the front, a small CPU confirms which program you’ve selected and whether the door is shut properly. From there, a small controller initiates a cycle of inputs and outputs: opening and shutting the fill valve, activating the water heating element, pumping water through the sprayers. Each of these processes takes place at the right time thanks to a microprocessor. This is, fundamentally, how Programmable Logic Controllers (PLCs) work: on every scan cycle they read their inputs, execute the programmed logic against them, and turn outputs on or off, then repeat, typically many times per second. Note what is missing from that loop: the controller trusts whatever it is told. If a setpoint or a program download arrives over the network, the PLC acts on it.

When they first appeared in the late 1960s, PLCs were one of the only forms of OT. They were almost always air-gapped, with all inputs and outputs existing independently of other devices. With the air gap serving as the ultimate security measure, OT was free to undergo a period of massive growth. From the initial, intensely niche PLCs, manufacturers quickly saw the potential benefits of the tech on a wider scale. Initially, these PLCs were controlled in aggregate via a large control panel, which demanded constant human oversight: while all controls were physically in one place, each control loop still needed its own button or switch on the panel. From the mid-1970s, the Distributed Control System (DCS) allowed those panels to be replaced by a network of input/output racks, coordinated by software and operated through a graphical display. Supervisory Control and Data Acquisition (SCADA) systems extend the same supervisory model to geographically dispersed assets such as pipelines and substations, typically over wide-area links. Every one of these steps traded some isolation for connectivity.

OT Security is Outdated

OT is still outgrowing its old-school approach. IT security today is built around confidentiality, integrity, and availability, roughly in that order; OT has typically inverted the list, prioritizing availability and real-time control (and, above both, physical safety) over integrity, with confidentiality a distant last. That worked for the decades in which OT was isolated, but large swathes of OT have been connected to corporate networks and the internet since the early 2010s. OT has also been protected mainly by its obscurity, and the emergence of cyber-kinetic attacks against the critical infrastructure it runs should be a wake-up call.

In February 2021, an operator in the control room of the water treatment plant in Oldsmar, Florida noticed something strange: his mouse was moving around the screen on its own. Assuming it was the remote tech support team connecting through TeamViewer, he grew concerned only when the cursor began navigating through the treatment plant’s controls and changed the amount of sodium hydroxide being dosed into the water from 100 parts per million to 11,100 ppm, a concentration that would make the water corrosive to human tissue. The operator reversed the change before it reached the supply.

While ultimately unsuccessful, the incident highlights the sheer importance of OT, and how an ordinary IT remote-access tool with a path straight into the controls can set off a chain reaction with deadly consequences. The attacker did not need to understand the PLC; the HMI translated mouse clicks into setpoint writes on their behalf.

How NDR Secures OT Against Today’s Threats

The cornerstone of security is visibility, and OT is no exception: you cannot protect a controller you have not enumerated, so an asset inventory comes first. One caveat for OT: build it passively from observed traffic wherever possible, because active scanning can hang or crash fragile controllers that were never designed to be probed. The inventory lets you prioritize the areas of most concern, and the elephant in the control room is usually the sheer number of legacy devices that make up an OT stack. If it’s not economical to replace them, segment them.

While perimeter-focused security has developed a poor reputation in the last few years, segmentation still plays a vital role in securing high-risk OT devices. It’s why the Nuclear Regulatory Commission (NRC) requires sites to separate their assets across five criticality-based security levels (Regulatory Guide 5.71), with data permitted to flow only from more critical levels toward less critical ones, never initiated in the other direction. Few organizations relish operating NRC quantities of firewalls, however: their logs are voluminous, and without context they tend to drown downstream analysts in alerts rather than inform them.

And while segmentation is vital, it’s only the first layer of OT security: the devices outside the most critical segments need the same security support that IT already enjoys. Part of this can be delivered by Network Detection and Response (NDR). NDR goes beyond patching and hygiene by analysing the traffic between devices: which hosts talk to which, over which protocols, and with which commands. NDR for OT does this passively, from a SPAN port or network tap, so it never sends a packet to a controller and carries none of the risk of active scanning; it looks for the requests and communication paths that are indicative of a bad actor, such as a write command to a PLC from a host that has never issued one. While a step in the right direction, network-level anomalies aren’t the only things to keep an eye on: an attacker holding legitimate credentials for an engineering workstation, or a change made locally at the HMI, may never cross a monitored network boundary.
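The following is an added example, not code from the original article or from any vendor product, showing what the passive monitoring described above looks like when combined with the asset inventory and zone model from the segmentation discussion. It consumes constructed flow records (as an NDR sensor would receive them from a SPAN port, never touching the devices), and applies four checks: unknown assets, connections initiated from a less critical level into a more critical one, talker pairs absent from a learned baseline, and Modbus writes outside engineering limits, the last mirroring the 100 ppm to 11,100 ppm change in the Florida incident. The addresses, security levels, baseline pairs, register number and write limits are all constructed assumptions.

```python
"""Passive OT flow monitor: zone policy, baseline and setpoint checks.

Added example; not the article's own code. All hosts, levels, baselines
and limits below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed inventory: host address -> (name, security level 0..4).
# Higher level = more critical, following the five-level layout the
# article attributes to the NRC.
INVENTORY: Dict[str, Tuple[str, int]] = {
    "10.0.4.10": ("plc-dosing-1", 4),
    "10.0.4.20": ("hmi-control-room", 4),
    "10.0.3.30": ("historian", 3),
    "10.0.2.40": ("it-jump-host", 2),
    "10.0.0.50": ("corp-laptop", 0),
}

# Constructed baseline of (src, dst) pairs learned during a quiet period.
BASELINE_PAIRS = {
    ("10.0.4.20", "10.0.4.10"),   # HMI writes setpoints to the PLC
    ("10.0.4.10", "10.0.3.30"),   # PLC pushes telemetry to the historian
}

# Constructed engineering limits for writable registers:
# (device name, register) -> (min, max). 100 ppm NaOH is the normal dose.
WRITE_LIMITS = {("plc-dosing-1", 40001): (0, 500)}


@dataclass
class Flow:
    """One observed connection, as a passive sensor would summarise it."""
    src: str
    dst: str
    proto: str            # e.g. "modbus", "telemetry", "teamviewer"
    func: str = ""        # Modbus function, e.g. "write_single"
    register: int = 0
    value: int = 0


def level_of(host: str) -> Optional[int]:
    entry = INVENTORY.get(host)
    return entry[1] if entry else None


def name_of(host: str) -> str:
    entry = INVENTORY.get(host)
    return entry[0] if entry else host


def analyze(flows: List[Flow]) -> List[dict]:
    """Return one alert dict per rule violation, in observation order."""
    alerts: List[dict] = []

    def alert(rule: str, f: Flow, detail: str) -> None:
        alerts.append({"rule": rule, "src": f.src, "dst": f.dst, "detail": detail})

    for f in flows:
        src_lvl, dst_lvl = level_of(f.src), level_of(f.dst)
        # Rule 1: a host missing from the inventory is a finding in itself.
        if src_lvl is None or dst_lvl is None:
            alert("unknown-asset", f, "host missing from inventory")
        # Rule 2: zone policy - a less critical host must not initiate a
        # connection into a more critical level.
        elif src_lvl < dst_lvl:
            alert("zone-violation", f, f"level {src_lvl} -> level {dst_lvl} over {f.proto}")
        # Rule 3: a talker pair never seen during baselining.
        if (f.src, f.dst) not in BASELINE_PAIRS:
            alert("new-comm-path", f, f"{name_of(f.src)} -> {name_of(f.dst)} ({f.proto})")
        # Rule 4: Modbus writes are checked against engineering limits.
        if f.proto == "modbus" and f.func.startswith("write"):
            lo, hi = WRITE_LIMITS.get((name_of(f.dst), f.register), (None, None))
            if lo is None:
                alert("unpoliced-write", f, f"no limit configured for register {f.register}")
            elif not lo <= f.value <= hi:
                alert("setpoint-out-of-range", f,
                      f"register {f.register} = {f.value} (allowed {lo}-{hi})")
    return alerts


# Constructed sample traffic: two routine flows, then three suspicious ones.
SAMPLE_FLOWS = [
    Flow("10.0.4.20", "10.0.4.10", "modbus", "write_single", 40001, 100),    # routine setpoint
    Flow("10.0.4.10", "10.0.3.30", "telemetry"),                             # PLC -> historian
    Flow("10.0.0.50", "10.0.4.20", "teamviewer"),                            # laptop into the HMI
    Flow("10.0.4.20", "10.0.4.10", "modbus", "write_single", 40001, 11100),  # dangerous dose
    Flow("10.0.9.99", "10.0.4.10", "modbus", "read_holding", 40001),         # unknown scanner
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_FLOWS):
        print(f"{a['rule']:22} {a['src']} -> {a['dst']}: {a['detail']}")
```

Running it yields five alerts: the laptop session trips both the zone rule and the baseline rule, the 11,100 write trips the range check even though it comes from the expected HMI over the expected path, and the unknown host trips the inventory and baseline rules. The fourth flow is the important one: without a per-register limit, an attacker who has already taken over the legitimate HMI looks exactly like a routine operator, which is why the write-range rule needs input from the process engineers rather than the network team.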

Future-Proof your OT with Stellar Cyber

The more you dig into OT security, the blurrier the line between IT and OT becomes. Unfortunately, many organizations continue to rely on a single IT security team, and asking that team to pick up OT’s slack on top of its existing workload isn’t always possible, or fair.

Instead, embrace the fact that IT and OT are increasingly connected, and let your security teams focus on bringing the two up to the same level of protection. A single, unified tool that integrates with SCADA networks and enterprise IT alike, Stellar Cyber’s Open XDR platform ingests telemetry from across your OT and IT networks, connects to your existing firewalls, and correlates their endless alerts into actionable incidents. Combining NDR-style behavioural analysis with IDS-style rules, Stellar’s custom security rules flag non-standard protocols and unexpected communication paths, allowing it to surface active exploits and malware. Stellar is positioned to show your security analysts the gaps across the full breadth of your attack surface.