How to Build a Robust OT Cybersecurity Framework
Addressing key areas such as network segmentation, asset inventory management, threat detection, and more.
As the frequency and sophistication of cyberattacks targeting Operational Technology (OT) environments continue to rise, organizations are under increasing pressure to strengthen their cybersecurity measures. However, the path to robust OT security is fraught with challenges, from technical complexities to operational constraints and investment hurdles. To navigate these challenges effectively, companies must develop a comprehensive OT cybersecurity strategy that addresses key areas such as network segmentation, asset inventory management, threat detection and response planning, and proper configuration of security solutions. By focusing on these critical elements, organizations can not only safeguard their OT assets but also ensure resilience against the evolving landscape of cyber threats.
a. Segmentation of OT Networks: With the growing need for services such as real-time data access, remote support for OT networks, and the integration of OT systems with enterprise resource planning (ERP) systems, robust security controls have become essential. These include designing a secure network reference architecture and implementing well-configured security controls, such as firewalls, not only between OT and IT networks but also within OT networks. Moreover, organizations should adopt the Purdue Model for network security and architecture best practices. This model includes six levels, each requiring segmentation and security controls:
b. Asset Inventory: Having a comprehensive understanding and inventory of all assets in the plant, especially legacy systems, along with their respective applications and vulnerabilities, is one of the most critical steps in the OT cybersecurity process. Legacy systems are particularly susceptible to cybersecurity and legal risks, and they experience increased crash rates, often lacking the robust security measures found in modern software. A good approach is to deploy threat detection solutions on existing assets to gain a clear understanding of their cybersecurity posture and take remedial actions if necessary. Once this is done, the assets can be grouped into three categories based on their criticality: low, medium, and high.
c. Threat Detection and Response Planning (TDR): TDR is the process of identifying and mitigating threats to an organization’s digital assets. An article published by Microsoft highlighted that TDR is typically managed by a Security Operations Center (SOC), a centralized team that operates 24/7 to monitor, detect, and respond to cyberthreats. The SOC uses threat intelligence and technology to uncover breaches and employs TDR tools to eliminate or mitigate identified threats. Additionally, the SOC proactively works to identify emerging threats and vulnerabilities within the organization. The process typically includes the following stages:
- Detection: Monitoring tools identify potential risks and breaches.
- Investigation: The SOC confirms threats, determines their origin, and assesses the impact.
- Containment: Infected assets are isolated to prevent the spread of an attack.
- Eradication: The root cause is eliminated, and vulnerabilities are mitigated.
- Recovery: Isolated systems are brought back online.
- Reporting: Incidents are documented and communicated to leadership.
- Risk Mitigation: Lessons learned are used to prevent future breaches.
d. Proper Configuration of Security Solutions: Implementing security controls and updates is an essential part of OT cybersecurity, but equally important is the proper configuration, management, and administration of security solutions such as firewalls, endpoint detection and response (EDR), intrusion prevention systems/intrusion detection systems (IPS/IDS), antivirus (AV), and encryption. This is particularly effective against mid-level threats that can get past basic security solutions and architectures.
e. Network Monitoring: Robust network monitoring helps organizations identify threats and misconfigurations, enabling them to deploy advanced solutions such as threat hunting.
f. Cybersecurity Governance: The rapid integration of OT and IT operations can often lead to unclear responsibilities for certain devices, such as smart meters and digital twins. Therefore, strong cybersecurity governance, including clear ownership, roles, and responsibilities related to asset protection and collaboration, is imperative for a robust cybersecurity strategy.
g. Risk-Based Approach for OT Assets: OT assets vary in their degree of criticality to business operations and safety requirements. For example, emergency shutdown systems and fire and gas systems are more critical and need a higher level of security. Therefore, organizations need to deploy cybersecurity solutions according to the criticality of OT assets to ensure business continuity in the event of an attack.
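The segmentation (a), asset inventory (b) and risk-based (g) points above are easier to operationalize with a machine-readable inventory. The following is an added example, not code from the article: a constructed inventory of OT assets tagged with Purdue levels, a simple low/medium/high criticality rule, and a check that flags firewall flows which skip levels or cross from IT into OT without passing through the DMZ. The level numbering (0 process through 5 enterprise, with 3.5 as the IT/OT DMZ) follows the standard Purdue model, which the article does not enumerate, and the criticality rule is an illustrative assumption.

```python
# Added example (not from the article): a constructed OT asset inventory with
# Purdue-model levels, criticality grouping and a segmentation check.
from dataclasses import dataclass

# Assumed standard Purdue numbering (the article does not enumerate the levels):
# 0 process, 1 basic control, 2 area supervisory, 3 site operations,
# 3.5 IT/OT DMZ, 4 site business, 5 enterprise.

@dataclass(frozen=True)
class Asset:
    name: str
    level: float
    legacy: bool           # unsupported OS/firmware, no vendor patches
    safety_function: bool  # e.g. emergency shutdown or fire & gas system

def criticality(asset: Asset) -> str:
    """Group an asset as low/medium/high criticality (illustrative rule)."""
    if asset.safety_function or (asset.level <= 1 and asset.legacy):
        return "high"
    if asset.level <= 2 or asset.legacy:
        return "medium"
    return "low"

def flow_violations(assets, flows):
    """Return (src, dst, reason) for flows that skip levels or bypass the DMZ."""
    level = {a.name: a.level for a in assets}
    violations = []
    for src, dst in flows:
        lo, hi = sorted((level[src], level[dst]))
        if hi >= 4 and lo <= 3:          # level 4/5 talking straight to level <= 3
            violations.append((src, dst, "IT-to-OT flow bypasses the DMZ"))
        elif hi - lo > 1:                # adjacent levels only
            violations.append((src, dst, "flow crosses more than one level"))
    return violations

# Constructed inventory and firewall allow-list used for the demo
ASSETS = [
    Asset("PLC-01", 1, legacy=True, safety_function=False),
    Asset("ESD-01", 1, legacy=False, safety_function=True),
    Asset("HMI-02", 2, legacy=False, safety_function=False),
    Asset("HIST-03", 3, legacy=False, safety_function=False),
    Asset("JUMP-DMZ", 3.5, legacy=False, safety_function=False),
    Asset("ERP-04", 4, legacy=False, safety_function=False),
]
FLOWS = [("HMI-02", "PLC-01"), ("HIST-03", "HMI-02"), ("ERP-04", "JUMP-DMZ"),
         ("JUMP-DMZ", "HIST-03"), ("ERP-04", "HIST-03"), ("HIST-03", "PLC-01")]

if __name__ == "__main__":
    for a in ASSETS:
        print(f"{a.name:9} level {a.level:<4} criticality={criticality(a)}")
    for v in flow_violations(ASSETS, FLOWS):
        print("VIOLATION:", *v)
```

Running it reports the ERP-to-historian flow (bypasses the DMZ) and the historian-to-PLC flow (crosses two levels), while the DMZ-brokered path and the adjacent-level flows pass.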
h. Standardized Processes: The variety of systems, original equipment manufacturer (OEM) platforms, and devices found in manufacturing plants makes it challenging for organizations to standardize OT processes. Companies should map out standards across network architectures and the various controls to accelerate the OT cybersecurity process.
i. Robust Internal OT Capabilities: To implement effective cybersecurity measures, a thorough understanding of internal OT assets is essential. Companies need to hire the right personnel and ensure they are regularly upskilled and incentivized.
j. Vendor Management: The complexity of OT systems usually results in many vendors, posing a challenge from a cybersecurity standpoint. Companies need to manage and control them effectively. One way to do this is by defining strict KPIs for each vendor, which not only optimizes the process but also improves accountability during disaster recovery.
k. Innovative Technologies: Companies and government agencies should continue investing in advanced technologies such as AI, ML, augmented reality (AR), virtual reality (VR), quantum-resistant cryptography, and cloud computing. These investments not only help develop advanced threat detection and response capabilities but also enhance training and simulations.
l. International Collaboration: Governments and industry stakeholders, both domestic and international, need to establish robust information-sharing platforms to facilitate the timely exchange of threat intelligence across sectors. Additionally, governments should foster diplomatic relations and form mutually aligned policies to strengthen collective defense against transnational cyber threats. Cybersecurity standards, especially for critical infrastructure sectors, must be continuously updated and enforced.
m. Zero-Trust Approach: Organizations need to adopt a zero-trust approach within their supply chains by continuously verifying and monitoring all entities involved. Zero-trust essentially refers to the elimination of the concept of implicit trust from an organization’s network architecture, thereby creating a heightened security posture. This applies not only to users but also to cloud workloads and infrastructure components such as OT devices and network nodes. Key elements of successful zero-trust implementation include:
- Least-privileged access and continuous trust verification, which together limit the impact of a security incident.
- Continuous security inspection that keeps transactions safe from both known and unknown threats, including zero-day threats, without adversely impacting user productivity.
n. Compliance: Impacted companies may also be required to adhere to other reporting regimes, such as the Health Insurance Portability and Accountability Act (HIPAA) and the SEC's cyber disclosure rules. Since they vary in scope and timelines, the company’s legal and compliance teams must ensure compliance before the attack occurs.
Ensuring Cyber Resilience
The Biden administration is working to implement new minimum cybersecurity standards for critical infrastructure sectors, with a comprehensive plan expected to be ready by early 2025. Caitlin Durkovich, a White House cybersecurity official, recently stated that the administration pushed for the recent National Security Memorandum (NSM) to be signed in April 2024 to allow sufficient time for implementation during the President's first term, which ends in January 2025.
Under the memorandum, sector risk management agencies (SRMAs) are directed to develop new "sector risk management plans" in coordination with the Cybersecurity and Infrastructure Security Agency (CISA). If a sector lacks minimum cybersecurity standards, the plan must include recommendations on how to establish them, which could involve new regulations. While some critical infrastructure sectors are already subject to cyber regulations, many are not. Past efforts to institute new requirements, such as those at the Environmental Protection Agency for the water sector, have faced industry pushback.
Despite these obstacles, the Biden administration is working towards establishing new baseline cybersecurity standards across critical infrastructure sectors.
CISA outlines several directives requiring OT owners to report cyber-attack incidents if they either operate within the critical infrastructure environment and are not small businesses, or meet sector-based criteria regardless of business size.
- Reportable Incidents: The four reportable incident types include (i) substantial losses of confidentiality; (ii) serious impacts on system safety; (iii) disruption of an entity's ability to engage in business operations; or (iv) a compromise of a service/hosting/provider or supply chain that leads to unauthorized access to an information system or any non-public information.
- Incident Reports: Reports to CISA must include: (i) technical details about the incident; (ii) affected data categories; (iii) an assessment of the incident's impact; and (iv) any known details about the attacker. This information will help CISA discern patterns, disseminate threat intelligence, and strengthen the nation’s cybersecurity stance.
- Reporting Timelines: Covered entities need to report all incidents, except ransomware, within 72 hours once they reasonably believe a breach has occurred.
- Preparation: To meet the 72-hour response timeline, companies must test and fortify their detection and response capabilities before an incident occurs. This requires building a robust cybersecurity infrastructure, investing in personnel training, and establishing clear incident response protocols.
- Ransomware Reporting: Covered entities must report ransomware incidents within 24 hours of discovery.
- Ransomware Strategy: Since companies are required to report ransomware incidents within 24 hours, they should establish clear guidelines for when a payment should or should not be made to ensure timely decision-making.
- Penalties: Entities that fail to meet the reporting timelines will likely face significant fines and other punitive measures.
- Other Requirements: Impacted companies may also be required to adhere to other reporting regimes, such as the Health Insurance Portability and Accountability Act (HIPAA) and the SEC's cyber disclosure rules. As these requirements vary in scope and timelines, the company’s legal and compliance teams must ensure adherence beforehand.
Interested in learning more?
Join us at the upcoming Connected Worker: Energy Summit in Houston, TX, from March 18-20, 2025, to learn more about why energy, utilities, and industrial manufacturers need to reassess their approach to cybersecurity and mitigate attacks across converged systems. Reassess your approach to cybersecurity and prioritize investment in advanced threat detection, employee training, and incident response capability.