Ten tips for OT security

As we move forward in industrial automation and Industry 4.0, the cybersecurity of industrial control systems becomes ever more important too.

The Stuxnet computer worm, manipulating the feedback data of an Iranian nuclear enrichment facility’s centrifuge units, was in many ways an eye-opener.

Cybercriminals are capable of manipulating your building management systems and your operational equipment, whether in factories, sluices, steel mills, power grids or oil rigs. More and more organizations understand the potential operational, economic and environmental impact of cyber incidents.

In a 2015 survey, 40% of the respondents indicated that the breakdown of an industrial system would mainly result in material damage. 30% said it would also entail safety and health risks.

How can you make a difference?

Operational Technology teams understand what’s at stake. Their biggest security objective is preventing unauthorized access. If you only secure your outer perimeter, then cybercriminals have free access to everything once they are in: control rooms, server racks, and so on. How many organizations leave the key and spare key hanging on the server rack locks?

The most frequent security issues we see are physical security breaches, missing patches and password issues.


Here are ten tips to take better security measures in ICS environments:

  1. Define a security strategy and include as many people as possible. Understand the risk at every level, and make every management level aware of the need for cybersecurity.
  2. Build a comprehensive inventory of both your IT and OT environment. This allows you to find your network’s weaknesses: rogue access points, wireless routers with open SSIDs, embedded systems that are still running Windows XP or even NT, old cabling, and so on.
  3. Perform security testing. Penetration tests indicate potential breaches. They aren’t without risk in a live OT environment though, so I would advise starting with a vulnerability scan.
  4. Start a bug bounty programme, allowing white-hat hackers to find bugs in your environment.
  5. Organize governance for OT. You still need to provide for backup and patch management, and you still need to draw up your responsibility assignment matrix (RACI). There are responsibilities for OT staff too, yet they are often not defined.
  6. Create awareness within your OT teams. Explain why security is important.
  7. Collaborate with IT. Sometimes small IT interventions can help prevent security breaches.
  8. Include vendors. OT hardware is often a black box, and vendors need to approve modifications such as patching and maintenance; otherwise your SLAs or even your warranty may change.
  9. Pay attention to authentication. A lot of vendors use the same default passwords at multiple sites.
  10. Define network zoning with specific hardware in different zones, different security levels and access matrices: a standard in IT but not yet in OT.

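
As an added example, not part of the talk or of Toreon's material, the following Python script turns three of the tips into checks that can be run over an asset inventory: it flags embedded systems still on Windows XP or NT (tip 2), credential fingerprints that reappear at more than one site, which is what a vendor default rolled out everywhere looks like (tip 9), and observed network flows that bypass the zone model (tip 10). The four-zone model (enterprise, dmz, control, field), the conduit policy, the asset names, sites, flows and fingerprints are all constructed for the example.

```python
"""Audit a constructed OT asset inventory for end-of-life operating systems,
credentials shared across sites, and traffic that bypasses the zone model.
All assets, zones, flows and fingerprints below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str              # zone label in an assumed enterprise/dmz/control/field model
    os: str
    site: str
    cred_fingerprint: str  # opaque fingerprint of the credential set on the device;
                           # constructed here, in practice a salted hash, never the password


# Operating systems the tips name as still running on embedded systems.
EOL_OS: Set[str] = {"Windows XP", "Windows NT"}

# Assumed conduit policy: which zone may initiate connections into which.
# Same-zone traffic is always allowed; anything else not listed is a violation.
ALLOWED_CONDUITS: Set[Tuple[str, str]] = {
    ("enterprise", "dmz"),
    ("dmz", "control"),
    ("control", "field"),
}

# Constructed inventory: names, sites and fingerprints are illustrative only.
INVENTORY: List[Asset] = [
    Asset("erp-01", "enterprise", "Linux", "Ghent", "fp-b2"),
    Asset("hist-01", "dmz", "Windows Server 2019", "Ghent", "fp-a1"),
    Asset("plc-01", "control", "VxWorks", "Ghent", "fp-d0"),
    Asset("hmi-01", "control", "Windows XP", "Ghent", "fp-d0"),
    Asset("hmi-02", "control", "Windows NT", "Antwerp", "fp-d0"),
    Asset("rtu-01", "field", "Linux", "Antwerp", "fp-c3"),
]

# Constructed observed flows (source asset, destination asset), as they would
# come out of a passive capture or firewall logs.
OBSERVED_FLOWS: List[Tuple[str, str]] = [
    ("erp-01", "hist-01"),
    ("hist-01", "plc-01"),
    ("erp-01", "plc-01"),   # enterprise talking straight into the control zone
    ("plc-01", "rtu-01"),
    ("hmi-01", "plc-01"),
]


def find_eol_assets(assets: List[Asset]) -> List[str]:
    """Names of assets whose OS is on the end-of-life list (tip 2)."""
    return sorted(a.name for a in assets if a.os in EOL_OS)


def find_shared_credentials(assets: List[Asset]) -> Dict[str, Set[str]]:
    """Credential fingerprints seen at more than one site (tip 9): the same
    fingerprint everywhere is the signature of a vendor default being reused."""
    sites_by_fp: Dict[str, Set[str]] = {}
    for a in assets:
        sites_by_fp.setdefault(a.cred_fingerprint, set()).add(a.site)
    return {fp: sites for fp, sites in sites_by_fp.items() if len(sites) > 1}


def find_zone_violations(
    assets: List[Asset],
    flows: List[Tuple[str, str]],
    allowed: Set[Tuple[str, str]] = ALLOWED_CONDUITS,
) -> List[Tuple[str, str, str, str]]:
    """Flows whose (source zone, destination zone) pair is neither same-zone
    nor an allowed conduit (tip 10). Asset names missing from the inventory get
    zone 'unknown' and are always reported, so rogue devices surface rather
    than being silently skipped."""
    zone_of = {a.name: a.zone for a in assets}
    violations = []
    for src, dst in flows:
        sz, dz = zone_of.get(src, "unknown"), zone_of.get(dst, "unknown")
        if "unknown" in (sz, dz) or (sz != dz and (sz, dz) not in allowed):
            violations.append((src, dst, sz, dz))
    return violations


def audit(assets: List[Asset] = INVENTORY,
          flows: List[Tuple[str, str]] = OBSERVED_FLOWS) -> Dict[str, object]:
    """Run all three checks and return their findings keyed by check name."""
    return {
        "eol_assets": find_eol_assets(assets),
        "shared_credentials": find_shared_credentials(assets),
        "zone_violations": find_zone_violations(assets, flows),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

On the constructed data the audit reports the two HMIs on Windows XP and NT, the fingerprint shared between the Ghent and Antwerp control devices, and the single flow from the ERP host directly into the control zone. The conduit policy is kept as plain data so that it can be replaced with the zone and access matrix an organization actually defines under tip 10, and an asset that appears in the flows but not in the inventory is treated as a finding in its own right, which is the inventory gap tip 2 is about.
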
Traditionally organizations focus on malware and cyber-attacks, but these account for only 30 and 20 percent of cyber incidents respectively.

Half of the cyber incidents or breaches are accidental in nature, and these also lead to unauthorized access. Hence the importance of awareness.


Content gathered during our CIO Speaker’s Café on CYBER SECURITY
– keynote by Dieter Sarrazyn, Toreon