
The Silent Vulnerabilities of Operational Technology

January 4, 2025

SIGNAL Magazine 

OT security gaps expose critical infrastructure to exploitation, requiring collaborative efforts and oversight.

https://www.afcea.org/signal-media/cyber-edge/silent-vulnerabilities-operational-technology

By Diego Laje

Jan. 2, 2025

Outdated security practices survive in digital frontiers, where bytes meet metal. And this space receives most attention from the wrong people.

Operational Technology (OT) systems are integrated technologies for controlling complex platforms, such as locomotives, aircraft and large infrastructure. OT is ubiquitous and is integrated into most industries, as a servo articulating a wing surface or a lever controlling a train’s speed. “Each one of those pieces and those firmwares in combination with the hardware, whether we like it or not, is a computer,” said Egon Rinderer, chief technology officer at Shift5, a cybersecurity company.

Nevertheless, these are complex devices, and while akin to a computer, in legal terms, they are not a computer. And cyber marauders have taken good notes.


Malicious actors are exploiting the vulnerabilities. Within a single year, the share of specialists worldwide reporting more than six intrusions in their OT environments jumped from 11% to 31% in 2024, according to a survey by Fortinet, a cybersecurity company.

If an actor succeeds, societal impacts could be deep and long-lasting.

“We are not prepared to deal with the physical effects of cyber attacks, such as prolonged power outages, disrupted payment systems or degraded communications networks,” said Tung Ho, director of the Center for Intelligence, Research and Analysis for Exovera, a risk consultancy.

Unlike conventional IT systems, which often have established responsible disclosure practices and security protocols, OT systems lack standardized regulations covering all devices, leaving them exposed to a variety of threats.

While the law may lag behind innovation, federal agencies are catching up. CISA, the Cybersecurity and Infrastructure Security Agency, is responsible for keeping up with gaps.

“It’s not just about awareness, it’s about aptitude. And so CISA’s mission right now is really focused around enabling people to develop their own aptitude and not just be aware of problems, but to help them solve those problems,” said Danielle Jablanski, OT strategy lead at CISA.

These vulnerabilities arise partly because OT systems were not designed with cybersecurity in mind, given their focus on assured and rapid functionality. Still, these components are essentially “mini-computers” running on firmware, often without an operating system, yet able to communicate over open networks. This design makes them susceptible to firmware-level exploits, which adversarial nation-states or other malicious actors can take advantage of.

“It’s a very simple computer, but it’s still a computer,” Rinderer said, adding, “It has the ability to communicate over some sort of network.”

There is a disconnect in how vulnerabilities are managed across OT systems compared to information technology (IT). While responsible disclosure practices in IT encourage and often reward external findings, OT’s approach limits external research and may collide with legal and contractual barriers.

“There are areas of gaps that aren’t equally applied to sectors. There are sometimes conflicting regulations or duplicative regulations, and that calls out the need for the government, both the executive and legislative branches, to really focus and double down on its efforts to ensure that there’s consistent cybersecurity regulations,” said David Hinchman, senior executive for IT and cybersecurity at the U.S. Government Accountability Office (GAO).

“There are elements of OT in all of the main sector-specific regulations, but they’re not well developed,” said Romaine Marshall, shareholder at Polsinelli, a law firm. Marshall specializes in risk mitigation in the IT and OT space.

This lack of clear legal parameters, combined with the longevity of OT systems, creates a vulnerable ecosystem, as some remain in operation for decades without updates or security enhancements.

Given that OT systems consist of multiple components with different vendors, each one may harbor exploitable vulnerabilities, and cumulative weaknesses can become critical, according to Rinderer.

“We need to find ways to resolve this across the government because we need to come at all this from the same perspective,” said Hinchman, who leads reporting on this topic for his agency and has testified before Congress as well. His work focuses on Internet of Things (IoT) in government and issues actionable recommendations.

Also, those hardening civilian infrastructure against attacks could borrow a page from cutting-edge military IoT.

“Build reliable systems on less reliable components,” said Tarek Abdelzaher, professor of computer science at the University of Illinois’ Grainger College of Engineering. His center develops military-grade devices.

“You assume that the individual components are possibly doing something strange, but by design, the way you put them together and the way you do checks and balances, it will make sure that these individually compromised components aren’t going to bring down the whole system,” Abdelzaher explained.
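The principle Abdelzaher describes, building a reliable system out of components that may each misbehave, can be made concrete as redundant channels plus a voter that refuses to let any single channel steer the outcome. The following is an added example written for this page, not code from the article or from any organization it mentions; the channel names, physical limits and speed readings are constructed, and the two-stage check (per-channel plausibility, then agreement with the median of the survivors) is one common design, not a standard the article cites.

```python
"""Majority voting with plausibility checks over redundant sensor channels.

Added example, not from the article. Assumes three independent channels
report the same quantity (here a constructed train-speed value in km/h)
and that a single misbehaving or compromised channel must not be able to
drive the agreed value.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Reading:
    channel: str   # constructed channel identifier, e.g. "speed_a"
    value: float   # reported value in engineering units


@dataclass(frozen=True)
class Plausibility:
    lo: float        # lowest physically possible value
    hi: float        # highest physically possible value
    max_step: float  # largest believable change since the last agreed value


# Constructed envelope for the illustration: 0..300 km/h, at most 10 km/h per sample.
LIMITS = Plausibility(lo=0.0, hi=300.0, max_step=10.0)


def plausible(r: Reading, last_agreed: Optional[float], limits: Plausibility) -> bool:
    """Per-channel sanity check: reject values outside the physical envelope or
    values that jumped farther than the process could move in one interval."""
    if not (limits.lo <= r.value <= limits.hi):
        return False
    if last_agreed is not None and abs(r.value - last_agreed) > limits.max_step:
        return False
    return True


def vote(readings: List[Reading], last_agreed: Optional[float],
         limits: Plausibility, tolerance: float) -> Tuple[Optional[float], List[str]]:
    """Return (agreed_value, suspect_channels).

    A channel is suspect if it fails plausibility or disagrees with the median
    of the plausible channels by more than `tolerance`. The agreed value is the
    median of the channels that remain. If fewer than two channels survive, no
    value is agreed (None): a lone channel is never trusted on its own, and the
    caller should move to a safe state instead.
    """
    good = [r for r in readings if plausible(r, last_agreed, limits)]
    suspects = {r.channel for r in readings} - {r.channel for r in good}
    if len(good) < 2:
        return None, sorted(suspects)
    centre = median(r.value for r in good)
    agreeing = [r for r in good if abs(r.value - centre) <= tolerance]
    suspects |= {r.channel for r in good} - {r.channel for r in agreeing}
    if len(agreeing) < 2:
        return None, sorted(suspects)
    return median(r.value for r in agreeing), sorted(suspects)


if __name__ == "__main__":
    # One channel (speed_c) reports an impossible jump; the other two still agree.
    sample = [Reading("speed_a", 80.0), Reading("speed_b", 81.0), Reading("speed_c", 200.0)]
    print(vote(sample, last_agreed=79.0, limits=LIMITS, tolerance=2.0))
```

The voter deliberately returns `None` when only two channels remain and they disagree: with no third opinion there is no basis for picking either, and a safe fallback is preferable to trusting whichever channel an attacker controls. The suspect list is what an operator or detection pipeline would want to see, since a channel that is repeatedly voted out is evidence worth investigating rather than noise to discard.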

Nevertheless, in industries where margins are thin, such complexities may be beyond budgets.

A particular concern is the contrast between traditional IT’s proactive vulnerability management and OT’s approach, as Rinderer suggested.

For example, it’s common for OT systems to feature remote connectivity for maintenance or operational efficiency; however, the communication protocols often lack encryption or secure authentication, because the protocols themselves may be many years old. Thus, an adversary could manipulate a component remotely, achieving a range of malicious effects.

“What I’m going to do as an adversarial attacker is I’m going to go very broad, and I want to understand the art of the possible on this thing. Where can I gain persistence? How can I live on this thing quietly for as long as possible and just keep discovering new vulnerabilities that I can exploit?” explained Rinderer, who runs simulated attacks on critical U.S. infrastructure as part of his job.

This situation is compounded by the fact that components like those in railway systems are often publicly available for purchase on public e-commerce websites, making it possible for adversaries to acquire and analyze them for vulnerabilities. SIGNAL Media confirmed the availability of these components on popular online platforms. For a well-resourced adversary, this access provides nearly unlimited opportunities to exploit weaknesses without requiring any significant infrastructure investment.

This approach to OT vulnerabilities ultimately places the United States and its allies at a disadvantage, with friendly researchers constrained while adversaries freely analyze and catalog weaknesses.

“Depending on what sector we’re talking about, we’re starting to try to analyze which components might be bought and sold out there to be reverse-engineered by some of those capable threat actors,” CISA’s Jablanski told SIGNAL Media in an interview.

Still, diagnosing is where many fail. When vulnerabilities are exploited in OT systems, such incidents are frequently misattributed to maintenance failures due to inadequate detection mechanisms. And data is rarely comprehensive enough to distinguish between legitimate anomalies and cyber interference, according to Rinderer.
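The diagnostic gap Rinderer describes is, in practice, a data-correlation problem: an anomaly in controller behaviour can only be separated from a maintenance action if the command audit trail, the maintenance schedule and the telemetry are kept together and compared. The following is an added example written for this page, not code from the article or from any vendor it names. The log format, host names, controller identifiers, ticket ids and timestamps are all constructed for illustration, and the five-minute look-back is an assumed tuning value.

```python
"""Triage of OT anomalies against a command audit trail and maintenance windows.

Added example, not from the article. Every log line, host, controller id,
ticket id and time below is constructed; the record format is invented.
"""
from datetime import datetime, timedelta

# Constructed command audit trail: when, from which host, to which controller, what.
COMMAND_LOG = """\
2025-01-02T08:02:10 src=eng-ws-01 ctl=PLC-7 op=WRITE tag=brake_setpoint
2025-01-02T08:40:55 src=eng-ws-01 ctl=PLC-7 op=READ tag=brake_setpoint
2025-01-02T13:17:03 src=10.9.4.22 ctl=PLC-7 op=WRITE tag=brake_setpoint
2025-01-02T15:00:00 src=eng-ws-02 ctl=PLC-3 op=WRITE tag=valve_mode
"""

# Constructed maintenance schedule: controller, window start, window end, ticket.
MAINTENANCE = [
    ("PLC-7", "2025-01-02T08:00:00", "2025-01-02T09:00:00", "MNT-CONSTRUCTED-1"),
]

# Constructed list of engineering workstations allowed to write to controllers.
AUTHORIZED_HOSTS = {"eng-ws-01", "eng-ws-02"}

# Constructed anomaly events from telemetry: controller and time its behaviour changed.
ANOMALIES = [
    ("PLC-7", "2025-01-02T08:03:00"),   # shortly after a write inside a maintenance window
    ("PLC-7", "2025-01-02T13:18:30"),   # shortly after a write from an unknown source
    ("PLC-3", "2025-01-02T15:00:40"),   # write by an authorized host, but no window open
    ("PLC-3", "2025-01-02T18:00:00"),   # no write precedes it at all
]


def parse_commands(text):
    """Parse the constructed 'ts key=value ...' audit lines into dicts sorted by time."""
    cmds = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["ts"] = datetime.fromisoformat(ts)
        cmds.append(fields)
    return sorted(cmds, key=lambda c: c["ts"])


def maintenance_ticket(ctl, ts):
    """Return the ticket of a maintenance window covering (ctl, ts), or None."""
    for c, start, end, ticket in MAINTENANCE:
        if c == ctl and datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end):
            return ticket
    return None


def classify(anomaly, commands, lookback=timedelta(minutes=5)):
    """Explain one anomaly using the most recent WRITE to that controller.

    Outcomes:
      maintenance:<ticket>  authorized host wrote during an open window
      write-outside-window  authorized host wrote, but no ticket covers it
      unauthorized-write    a host outside the allow-list changed the controller
      no-command            nothing in the audit trail; look at the hardware first
    """
    ctl, when = anomaly
    when = datetime.fromisoformat(when)
    writes = [c for c in commands
              if c["ctl"] == ctl and c["op"] == "WRITE"
              and when - lookback <= c["ts"] <= when]
    if not writes:
        return "no-command"
    last = writes[-1]
    ticket = maintenance_ticket(ctl, last["ts"])
    if last["src"] in AUTHORIZED_HOSTS and ticket:
        return f"maintenance:{ticket}"
    if last["src"] in AUTHORIZED_HOSTS:
        return "write-outside-window"
    return "unauthorized-write"


def triage(anomalies=ANOMALIES, log=COMMAND_LOG):
    """Return (controller, time, verdict) for every anomaly."""
    commands = parse_commands(log)
    return [(ctl, when, classify((ctl, when), commands)) for ctl, when in anomalies]


if __name__ == "__main__":
    for row in triage():
        print(*row)
```

The point of the four verdicts is that only one of them is a maintenance failure by default. A write from an unknown source, or an authorized write with no ticket behind it, is exactly the evidence that gets lost when anomalies are logged without the surrounding command and schedule data, and it is the difference between booking a repair and opening an incident.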

“A lot of folks have claimed for years that their systems are fully isolated, fully air-gapped. We found that that’s not the case, and we really focus on remote access,” Jablanski said.

Resolving these issues requires cooperation between manufacturers, federal regulators and independent researchers. Just as the IT industry developed robust responsible disclosure practices, OT can also establish standards for transparency and proactive security.

For now, it all falls within the remit of one agency.

“We also encourage security to be part of that conversation from the beginning, which, of course, is most familiar as ‘secure by design’ in the IT sector, but for OT and ICS [industrial control systems], we actually call it secure by demand,” Jablanski said.

Given the high costs associated with updating existing infrastructure, such changes will be challenging. Also, Marshall warned that future compensation for vulnerability discoveries should be conscientiously implemented by vendors and analyzed by researchers before announcing a new breakthrough in this space.

And companies can immediately adapt, anticipating the evolution of laws and procedures.

“If we have a bug bounty program, and it doesn’t apply to OT, but if I’m counsel for the OT company, I’m saying let’s just apply the same bug bounty principles,” Marshall told SIGNAL Media.