Strengthening Operational Technology Security

The document outlines the increasing cybersecurity threats to operational technology (OT) systems, highlighting notable incidents and the need for improved security measures. It emphasizes the importance of adopting frameworks like NIST SP 800-82 and IEC 62443, along with best practices to enhance cyber readiness and mitigate risks. With emerging regulations and the evolving threat landscape, OT operators must proactively strengthen their security posture to protect critical infrastructure.

Uploaded by

Fran J Gal
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
42 views7 pages

Strengthening Operational Technology Security

The document outlines the increasing cybersecurity threats to operational technology (OT) systems, highlighting notable incidents and the need for improved security measures. It emphasizes the importance of adopting frameworks like NIST SP 800-82 and IEC 62443, along with best practices to enhance cyber readiness and mitigate risks. With emerging regulations and the evolving threat landscape, OT operators must proactively strengthen their security posture to protect critical infrastructure.

Uploaded by

Fran J Gal
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 7

Strengthening Operational Technology Security
Best Practices for Improving Cyber Readiness and Mitigating Risk

Executive Summary
Operational technology (OT) is a favorite target for threat actors. OT security incidents can
impair business-critical operations, disrupt essential services, and even threaten public health
and safety. Numerous disconcerting OT cybersecurity events made the headlines in 2022
including:

• An attack on a UK water company where adversaries gained access to the systems used
to control the chemical levels in public water supplies

• A Canadian mining company incident that shut down mining operations for over a week,
affecting revenues

• An attack against a US agricultural equipment company that disrupted manufacturing
operations at multiple production facilities, impacting business results

Going forward, operators of OT systems must take a fresh look at their security systems,
processes, and design principles to reduce exposure and comply with emerging government and
industry regulations. This paper examines some of the OT security challenges accompanying
digital transformation, reviews the OT threat landscape, and describes practical steps OT
systems operators can take to improve cyber readiness and mitigate risk.

Together we succeed ...


Digital Transformation Creates New Opportunities For Threat Actors
Energy utilities, water companies, chemical producers, equipment manufacturers, transportation
systems, and other critical infrastructure operators are implementing digital technologies and cloud
services to simplify operations and improve business agility. But digital transformation opens the
door for threat actors. Adversaries routinely exploit inherent OT system vulnerabilities and poor
cyber-hygiene practices to penetrate OT networks and carry out malicious attacks.

When it comes to cybersecurity, OT systems operators face a variety of systemic organizational
and technological challenges.

Organizational challenges
Quite frankly, most OT systems were not engineered with and are not operated with a security-first
mindset. OT systems are typically beyond the purview and control of security-conscious CISOs
and CIOs. Most OT systems are designed, procured, and managed by engineering organizations
that are primarily focused on meeting key business performance objectives related to system
uptime and efficiency. Many OT systems operators are not well versed in cybersecurity, governance,
and compliance matters.

Technological challenges
Many OT systems operators are constrained by aging, fragile technology that is inherently
vulnerable. Operational technology has a lifespan of 10+ years, compared to 3-5 years for IT
systems. Legacy OT devices sometimes run unsupported or end-of-life software that is easy prey
for adversaries.

Unlike in the IT world, in the OT world, security patches and firmware updates are often kept to a
minimum. Many OT engineering teams have a “not broke, don’t fix it” mentality. Their primary
motivation is to maintain system stability and availability to keep the business running smoothly.

Attackers are setting their sights on OT systems and critical infrastructure
Historically, most OT systems were air-gapped and were less susceptible to external threats than IT
systems¹. Today, many OT systems are connected to the public internet to support cloud services
and to provide remote access for employees, vendors, and contractors. Clever adversaries can
break through perimeter defenses, infiltrate OT networks, and take over critical infrastructure to
disrupt essential services or extort victims.

Threat actors are increasingly setting their sights on OT systems. Contemporary threat groups like
CHERNOVITE and BENTONITE specifically target industrial control systems. Malware variants like
Incontroller (aka PIPEDREAM) exploit vulnerabilities in OT protocols (MODBUS, CODESYS, OPC
UA, etc.) allowing adversaries to gain control of PLCs and other OT devices.

Many of these cyberattacks are linked to rogue nation states. Nation-state-backed attacks on
critical infrastructure doubled year-over-year in Microsoft’s 2022 Digital Defense Report, accounting
for 40% of all nation-state-backed attacks. According to Microsoft, the spike was due in large part
to Russia-backed groups targeting Ukrainian infrastructure and the infrastructure of Ukrainian
allies, including the United States.

1. Stuxnet, the first malware known to target industrial control systems, was designed to be implanted via a USB thumb
drive. Stuxnet attacks were scarce because they required physical system access. Today, adversaries can easily
orchestrate large-scale malware campaigns directly over the internet, targeting inadequately secured OT networks.



ICS Malware Chronology
Incontroller is not the first malware to target operational technology. Over the years, security
researchers have identified numerous malware variants aimed at industrial control systems.

Timeline: Havex (2014), BlackEnergy (2015), Industroyer (2016), Triton (2017), Incontroller (2022)

• In 2014, researchers discovered that for several years a threat group known as Dragonfly
had been using Havex backdoor malware to infiltrate industrial control systems at energy,
pharmaceutical, defense, and chemical companies across Europe and North America.
While these attacks were believed to be part of non-disruptive corporate espionage
campaigns, they served as a harbinger of things to come, demonstrating just how
susceptible to attack some OT systems are.

• In 2015, a threat group known as Sandworm used BlackEnergy 3 malware to gain access
to a Ukrainian energy company’s SCADA network, ultimately disrupting power for 225,000+
customers in one of the first widely publicized cyberattacks on a major energy provider.

• In 2016, Russian nation-state actors used Industroyer (aka CrashOverride) malware to
orchestrate attacks against the Ukrainian electric grid, knocking out power in the capital
city of Kyiv. Industroyer is believed to be the first malware framework specifically designed
to attack power grids.

• In 2017, attackers deployed Triton (aka Trisis) malware to infiltrate the safety control
systems of a Saudi Arabian petrochemical plant, reportedly disabling an emergency plant-
process shutdown system.

OT systems operators must reexamine their security systems and practices
OT systems operators must revamp their security systems and practices to defend against
contemporary threats, mitigate risk, and comply with emerging legislation. Governments around
the world are strengthening cybersecurity regulations in the wake of increasingly sophisticated
and damaging cyberattacks. Recent directives like US Executive Order 14028 and EU Network and
Information Systems Directive (NIS2) aim to enhance the security of critical infrastructure and
better defend essential systems against supply chain vulnerabilities, ransomware attacks, and
other cyber threats.

“The Federal Government must bring to bear the full scope of its authorities and resources to
protect and secure its computer systems… The scope of protection and security must include
systems that process data (information technology) and those that run the vital machinery that
ensures our safety (operational technology)”
US Executive Order 14028, May 12, 2021

Regulators are Imposing New Security Requirements on Technology Vendors
Regulators are introducing new legislation to strengthen the inherent security of digital
elements including certain OT devices. The EU Cyber Resilience Act, for example, will
require hardware manufacturers and software vendors to adhere to certain cybersecurity
standards to receive CE markings for their products. The Act will help OT systems operators
reduce security vulnerabilities and make better-informed purchasing decisions.



Best practices for strengthening OT security and improving cyber readiness
Here are some commonsense actions you can take to improve your OT security posture, reduce risk,
and prepare for emerging cybersecurity regulations like US Executive Order 14028 and EU NIS2.

1. Adopt an OT cybersecurity framework such as NIST SP 800-82 or ISA/IEC 62443. These
standards provide specific guidance for designing, operating, and maintaining operational
technology in a secure fashion. (See callouts below.)

2. Take a defense-in-depth approach to security as guided by the framework. By implementing
multiple layers of security, you can identify and contain threats before adversaries traverse your
OT network and cause extensive damage.

3. Implement an asset management solution to gain a complete picture of your OT environment
and better assess your risk profile. By identifying all of your OT assets you can fully understand
your vulnerabilities and make informed decisions to strengthen your security posture.

4. Fully isolate the OT network using firewalls, unidirectional gateways, and micro segmentation
techniques. By segregating the OT network you can defend against web-borne malware and
internet-originated attacks, and prevent attackers from leveraging internet-based command
and control servers and malware downloaders.

5. Ensure OT user accounts are separate from IT user accounts. Do not share accounts and
passwords across OT and IT domains. Threat actors often use compromised corporate
network and IT system credentials to gain unauthorized access to OT systems.

6. Secure privileged access. Privileged accounts like OT system and application admin accounts are
prime targets for adversaries. Bad actors can exploit privileged accounts to shut down systems
and disrupt critical infrastructure. Use a privileged access management (PAM) solution to isolate,
broker, and audit privileged sessions. Store privileged account credentials in a hardened digital
vault. Rotate credentials on a regular basis to defend against credential leakage and abuse.

[Figure: Deployed in the OT DMZ, CyberArk Privileged Access Manager isolates, brokers, and audits
privileged sessions. The diagram shows an Enterprise Zone (IT network: domain controllers,
application servers, enterprise workstations); a Management Zone (OT DMZ: CyberArk Privileged
Access Manager, gateway); and an OT Zone with a Level 3 network (operations: domain controller,
HMI server, database, engineer workstations), a Level 2 network (local HMI, substation gateway and
process automation platforms), and a Level 1 network (control and protection: IEDs, protection
relays, remote terminal units (RTUs)).]



7. Secure privileged access for vendors and contractors. Many OT systems operators rely on
external vendors and contractors for system maintenance and support functions. Use a vendor
PAM solution to isolate, broker, and audit privileged sessions for external users. A vendor PAM
solution can help defend against malware and other risks posed by outside endpoints over which
you have little visibility and control.

8. Secure access for remote employees. Use multifactor authentication (MFA) to secure access for
engineers, technicians, and other employees accessing OT systems remotely. MFA mitigates
phishing attacks and prevents adversaries from exploiting compromised credentials.

9. Diligently track and resolve OT security vulnerabilities. Threat actors routinely exploit OT system
and protocol vulnerabilities to wage attacks. Closely monitor OT vendor and CISA security
advisories. Use OT lifecycle management tools to automate firmware updates and software
patches and quickly address zero-day vulnerabilities.

10. Remove hard-coded OT device credentials from applications and scripts. Unknowing app
developers sometimes store device passwords in clear text, making life easy for threat actors.
Reduce risks by educating developers and removing passwords from OT apps and automation
scripts. Use a secrets management solution to safely store credentials in a secure, external vault.
Regularly rotate credentials to boost security.
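The check in item 10 can be automated as part of code review or a CI job. The following is an added example, not code from this paper or from any CyberArk or PwC product: it scans script text for quoted literals assigned to password-like names (including keyword arguments such as password="...") and for credentials embedded in connection URLs, treats ${VAULT:...} references (an assumed convention) as already remediated, and shows the hardened lookup that reads the secret from the environment at run time instead of the source. The library name plc_lib, the addresses and the passwords in the sample script are constructed.

```python
"""Flag hard-coded OT device credentials in automation scripts.

Added example, not code from the PwC/CyberArk paper.  The detection
patterns, the "${VAULT:...}" reference convention and the sample script
are constructed assumptions; tune the patterns to your own code base.
"""
import os
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str   # "assignment" or "url"
    name: str   # variable/keyword name or URL user, never the secret itself


# A quoted literal assigned to a password-like name, or passed as a keyword
# argument:  PLC_PASSWORD = "..."   /   connect(host, password="...")
ASSIGN_RE = re.compile(
    r"""(?i)(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\s*[:=]\s*['"]([^'"]+)['"]""")

# Credentials embedded in a connection URL:  scheme://user:password@host
URL_CRED_RE = re.compile(
    r"""(?i)[a-z][a-z0-9+.\-]*://([^\s/:@'"]+):([^\s@'"]+)@""")


def is_placeholder(value: str) -> bool:
    """Vault or template references resolved at run time are not secrets."""
    return value.startswith("${") or value.startswith("<")


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per hard-coded credential, by line, without echoing the value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGN_RE.finditer(line):
            if not is_placeholder(m.group(2)):
                findings.append(Finding(line_no, "assignment", m.group(1)))
        for m in URL_CRED_RE.finditer(line):
            if not is_placeholder(m.group(2)):
                findings.append(Finding(line_no, "url", m.group(1)))
    return findings


def device_password(device: str) -> str:
    """Hardened pattern: resolve the secret from the environment (populated by a
    secrets manager at launch) rather than the source, and fail closed if absent."""
    var = f"OT_{device.upper()}_PASSWORD"
    value = os.environ.get(var)
    if not value:
        raise RuntimeError(f"{var} not provided; refusing to fall back to a built-in default")
    return value


# Constructed sample script: two hard-coded credentials and two safe lookups.
SAMPLE_SCRIPT = '''\
import os
from plc_lib import connect            # hypothetical library, never executed here

PLC_HOST = "10.4.0.15"
PLC_PASSWORD = "admin123"              # hard-coded: flagged
client = connect(PLC_HOST, port=502)
opc_url = "opc.tcp://operator:Summer2023!@10.4.0.20:4840"   # embedded in URL: flagged
hist_pwd = os.environ["HISTORIAN_PWD"]                      # run-time lookup: fine
vault_pwd = "${VAULT:ot/historian/password}"               # vault reference: fine
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SCRIPT):
        print(f"line {f.line_no}: hard-coded credential ({f.kind}) for '{f.name}'")
```

The scanner reports the line and the variable or user name but deliberately never prints the matched value, so its own output does not become another place where the credential is written down.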

11. Strengthen identity security for IT systems to further defend against external threats. Implement
a comprehensive identity security solution that provides continuous threat prevention, detection,
and response capabilities. Adversaries often target inadequately secured IT systems as an initial
point of attack. The Sandworm group, for example, uses BlackEnergy 3 malware to penetrate
corporate IT networks. Once in, they pivot to SCADA networks to gain access to the distribution
management system of a victim’s power grid.

12. Establish a security-first culture. Conduct regular cybersecurity training to increase awareness
and improve cyber hygiene. Threat actors often carry out phishing campaigns and other
social engineering schemes to trick unsuspecting users into relinquishing passwords or other
confidential information that can be used to orchestrate attacks.

13. Conduct penetration tests and tabletop exercises to assess cyber readiness and identify
vulnerabilities. Be proactive. Not all OT vulnerabilities immediately appear in CISA’s known
exploited vulnerabilities catalog.



Overview of NIST SP 800-82 Revision 3 Guide to OT Security
NIST SP 800-82 Revision 3, Guide to Operational Technology Security, provides guidelines to
improve the security of OT systems while addressing their unique performance, reliability, and
safety requirements. The publication expands upon previous NIST SP 800-82 revisions that
focused more narrowly on industrial control systems.

Revision 3 provides an overview of OT system components and network topologies, reviews
the OT threat landscape, describes common OT vulnerabilities, and recommends security
safeguards and countermeasures to manage risks. The publication aligns with the NIST
Cybersecurity Framework, providing OT-specific recommendations and guidance to identify risks,
protect critical services, and detect, respond to, and recover from cybersecurity incidents.

NIST SP 800-82 also provides practical guidance to help you build a business case for an OT
cybersecurity program and to help you set up and implement the program.

[Figure: NIST Cybersecurity Framework Version 1.1 core functions: Identify, Protect, Detect,
Respond, Recover.]

Overview of IEC 62443
IEC 62443 is a series of international standards that outlines a comprehensive framework for
designing, implementing, and maintaining secure industrial automation and control systems
(IACS). The IEC standards take a cohesive approach to cybersecurity, providing technical
guidance for OT systems operators, manufacturers, and systems integrators.

IEC 62443 defines a secure network architecture and functional requirements. It also provides
guidelines to help OT systems operators measure their maturity level for each requirement,
and make continuous improvements to strengthen their security posture over time. The IEC
framework segregates the network into distinct zones to isolate threats and align security
controls with risk levels. By segmenting networks, and placing IT assets and OT assets in distinct
zones, operators can defend OT systems against web-borne malware and external attackers.
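The zone model described here, and the reference diagram under best practice 6 (enterprise zone, OT DMZ hosting the PAM broker, OT Levels 3 to 1), can be turned into a mechanical check of a firewall rule set: every allow rule that crosses a zone boundary must correspond to a permitted conduit. The following is an added example, not code from this paper, from CyberArk or from the IEC standard; the subnets, the conduit table, the port numbers and the sample rules are constructed assumptions that stand in for a real address plan and policy.

```python
"""Check firewall rules against an IEC 62443-style zone-and-conduit model.

Added example, not code from the PwC/CyberArk paper.  The zone names follow
the paper's reference diagram (Enterprise, OT DMZ, OT Level 3/2/1); the
subnets, the allowed-conduit table and the sample rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

# Zone -> subnet.  Constructed values; substitute the real address plan.
ZONES = {
    "enterprise": ip_network("10.1.0.0/16"),
    "ot_dmz":     ip_network("10.2.0.0/24"),
    "ot_level3":  ip_network("10.3.0.0/24"),   # operations: HMI server, database
    "ot_level2":  ip_network("10.4.0.0/24"),   # local HMI, substation gateways
    "ot_level1":  ip_network("10.5.0.0/24"),   # IEDs, protection relays, RTUs
}

# Permitted conduits: (source zone, destination zone) -> allowed TCP ports.
# The enterprise zone may reach only the DMZ (the PAM portal); interactive
# sessions into Level 3 are opened from the DMZ, never directly from the
# enterprise network; each lower level is reached only from the level above.
# Any allow rule not covered by this table is a segmentation violation.
ALLOWED_CONDUITS = {
    ("enterprise", "ot_dmz"):   {443},          # HTTPS to the PAM portal
    ("ot_dmz", "ot_level3"):    {3389, 22},     # brokered RDP/SSH sessions
    ("ot_level3", "ot_level2"): {502, 4840},    # Modbus/TCP, OPC UA
    ("ot_level2", "ot_level1"): {502, 20000},   # Modbus/TCP, DNP3
}


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination TCP port
    action: str   # "allow" or "deny"


def zone_of(cidr: str) -> Optional[str]:
    """Zone containing cidr, or None if it lies outside every modelled zone
    (for example 0.0.0.0/0, i.e. the public internet)."""
    net = ip_network(cidr, strict=False)
    for name, zone_net in ZONES.items():
        if net.subnet_of(zone_net):
            return name
    return None


def check_rules(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """Return (rule_index, code, detail) for every allow rule that crosses a
    zone boundary the conduit model does not permit."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        if dst_zone is None or src_zone == dst_zone:
            continue          # outbound to unmodelled space, or intra-zone traffic
        if src_zone is None:
            findings.append((i, "INTERNET_ORIGIN",
                             f"{r.src} -> {r.dst}:{r.port} reaches {dst_zone} from outside all zones"))
            continue
        allowed = ALLOWED_CONDUITS.get((src_zone, dst_zone))
        if allowed is None:
            findings.append((i, "NO_CONDUIT",
                             f"{src_zone} -> {dst_zone} is not a permitted conduit ({r.src} -> {r.dst}:{r.port})"))
        elif r.port not in allowed:
            findings.append((i, "PORT_NOT_ALLOWED",
                             f"port {r.port} not permitted on conduit {src_zone} -> {dst_zone}"))
    return findings


# Constructed sample rule set.  Rule 2 is the mistake the paper warns about:
# engineer workstations in the enterprise zone reaching the Level 3 HMI server
# directly, bypassing the DMZ-hosted privileged access broker.
SAMPLE_RULES = [
    Rule("10.1.0.0/16",  "10.2.0.10/32", 443,  "allow"),  # enterprise -> PAM portal
    Rule("10.2.0.10/32", "10.3.0.0/24",  3389, "allow"),  # PAM -> Level 3 RDP
    Rule("10.1.50.0/24", "10.3.0.20/32", 3389, "allow"),  # enterprise -> HMI server (bypass)
    Rule("0.0.0.0/0",    "10.3.0.20/32", 443,  "allow"),  # internet -> HMI server
    Rule("10.3.0.0/24",  "10.4.0.0/24",  22,   "allow"),  # SSH on the L3 -> L2 conduit
    Rule("10.1.0.0/16",  "10.3.0.0/24",  502,  "deny"),   # explicit deny, ignored
]

if __name__ == "__main__":
    for idx, code, detail in check_rules(SAMPLE_RULES):
        print(f"rule {idx}: {code}: {detail}")
```

Run against the sample rules, the checker reports rules 2, 3 and 4 and accepts the two brokered paths through the DMZ. The design choice is to express policy positively (the conduit table) and flag everything else, so a rule that quietly bypasses the PAM broker or opens an unplanned protocol between levels is caught even when no one thought to write a deny for it.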



Conclusion
Threat actors are increasingly setting their sights on OT systems. Some attacks are politically
motivated and are intended to disrupt essential public services. Others are financially motivated
and aim to extort victims.

Many malicious attackers and cybercriminals have the ways and means to succeed. Some are
backed by rogue nation states with deep pockets and technological expertise. Others take
advantage of Ransomware-as-a-Service platforms and open-source tools that make it all too easy
to carry out advanced malware campaigns.

Now is the time to act. OT systems operators must take proactive measures to improve cyber
readiness and mitigate risk. By adopting an OT security framework and following the best practices
described in this paper you can strengthen your security posture and defend OT systems against
supply chain vulnerabilities, ransomware attacks, and other advanced threats.

Next steps
Together, PwC and CyberArk can help you plan, execute, and evolve your OT security strategy. To
learn more contact PwC or CyberArk.

About CyberArk
CyberArk is the global leader in Identity Security. Centered on privileged access management,
CyberArk provides the most comprehensive security offering for any identity – human or machine –
across business applications, distributed workforces, hybrid cloud workloads and throughout the
DevOps lifecycle. To learn more about CyberArk, visit www.cyberark.com.

About PwC
At PwC, our purpose is to build trust in society and solve important problems. We’re a network of
firms in 155 countries with over 327,000 people who are committed to delivering quality in
assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us
at www.pwc.com.

© 2023 PricewaterhouseCoopers Statsautoriseret Revisionspartnerselskab. All rights reserved. In this
document, “PwC” refers to PricewaterhouseCoopers Statsautoriseret Revisionspartnerselskab which is a member
firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.
