OT cybersecurity saw significant challenges and advancements this year, from addressing high-profile incidents to maturing risk management. These learnings from 2024 will shape how industries tackle cybersecurity threats in 2025 and beyond.
More Visibility and Control Over the Deployment of Updates
In the wake of high-profile incidents like the CrowdStrike faulty update, organizations are re-evaluating their security update and patch management strategies. While this incident is unlikely to hinder cloud adoption, it has raised flags about cloud connectivity and dependence in OT and highlighted some of the vulnerabilities in many security update processes.
- Security Update and Patch Testing: Focusing on testing updates in isolated, low-risk OT environments is becoming a best practice, especially in industries reliant on Operational Technology where downtime can have catastrophic consequences.
- User-Driven Tools: Tools providing greater transparency and customization in the update processes will empower organizations to better control security update risks while staying compliant with cybersecurity mandates.
- Adopting Ring-Based Models: Inspired by Microsoft’s staged deployment strategy, OT vendors may implement similar methods, starting with low-risk environments before scaling to critical systems.
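As an added illustration of the ring-based approach described above (example code, not from the article or any vendor), the gate below promotes an update from an isolated test ring to non-critical and then critical OT systems only when the previous ring has soaked long enough, its failure rate stays under the next ring's threshold, and, for the critical ring, a change window has been approved. Ring names, soak times and thresholds are assumptions.

```python
# Added example: ring-based update promotion gate for OT environments.
# Ring order, soak hours, failure thresholds and telemetry are assumed values.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Ring:
    name: str
    min_soak_hours: int        # hours the previous ring must run the update first
    max_failure_rate: float    # allowed fraction of hosts reporting a failure
    requires_change_window: bool = False


# Assumed rollout order: isolated test bench -> non-critical sites -> critical sites
RINGS = [
    Ring("lab", 0, 0.0),
    Ring("non_critical", 24, 0.02),
    Ring("critical", 72, 0.0, requires_change_window=True),
]


@dataclass
class RingTelemetry:
    hours_soaked: int
    hosts: int
    failures: int


def can_promote(prev: Ring, t: RingTelemetry, nxt: Ring, window_approved: bool) -> tuple[bool, str]:
    """Decide whether the update may move from ring `prev` into ring `nxt`."""
    if t.hours_soaked < nxt.min_soak_hours:
        return False, f"{prev.name}: soak {t.hours_soaked}h < {nxt.min_soak_hours}h"
    rate = t.failures / t.hosts if t.hosts else 1.0   # no hosts reporting counts as failure
    if rate > nxt.max_failure_rate:
        return False, f"{prev.name}: failure rate {rate:.3f} > {nxt.max_failure_rate}"
    if nxt.requires_change_window and not window_approved:
        return False, f"{nxt.name}: no approved change window"
    return True, f"promote to {nxt.name}"


def rollout_status(telemetry: dict[str, RingTelemetry], window_approved: bool) -> tuple[str, str]:
    """Walk the rings in order; return (furthest ring the update may reach, reason it stopped)."""
    current = RINGS[0]
    for nxt in RINGS[1:]:
        ok, reason = can_promote(current, telemetry[current.name], nxt, window_approved)
        if not ok:
            return current.name, reason
        current = nxt
    return current.name, "update deployed to all rings"
```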
Industry Response to Ransomware
According to ICS-STRIVE[1], an OT security incident database, ransomware accounts for 80% of attacks where the threat actor is known. The persistent threat of ransomware, particularly in critical infrastructure sectors, has forced organizations to rethink how they protect and recover critical OT systems.
- Robust Backup Strategy: Organizations are adopting 3-2-1 backup strategies in OT (i.e., 3 copies of data, 2 types of media, 1 offsite copy) to protect against hardware failures, accidents, cyberattacks, and local disasters, ensuring data recovery in most situations.
- Backup Validation: Regular testing of backups for integrity and reliability is no longer optional—it’s essential for a strong defense.
- Tabletop Drills: Simulated ransomware attacks and regular drills have become critical in ensuring teams are prepared for rapid response.
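The 3-2-1 rule and backup validation bullets above, as an added example that is not part of the original article: the check verifies each backup copy restores to the digest recorded in a manifest, and counts only verified copies toward the three-copies, two-media, one-offsite requirement, so a silently corrupted offsite copy is reported rather than assumed good. The inventory, media types and payload bytes are constructed sample data.

```python
# Added example: 3-2-1 compliance and integrity check over a backup inventory.
# All copies, media labels and payloads below are constructed sample data.
import hashlib
from dataclasses import dataclass


@dataclass
class BackupCopy:
    label: str
    media: str        # assumed media classes: "disk", "tape", "object_storage"
    offsite: bool
    immutable: bool   # retention-locked / write-once copy
    content: bytes    # stands in for the payload read back from this copy


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate_backups(copies: list, manifest_digest: str) -> dict:
    """Report 3-2-1 compliance using only copies whose digest matches the manifest."""
    good = [c for c in copies if sha256(c.content) == manifest_digest]
    media = {c.media for c in good}
    report = {
        "valid_copies": len(good),
        "media_types": sorted(media),
        "offsite_copies": [c.label for c in good if c.offsite],
        "immutable_copies": [c.label for c in good if c.immutable],
        "corrupt_copies": [c.label for c in copies if c not in good],
    }
    report["three_two_one"] = (len(good) >= 3 and len(media) >= 2
                               and len(report["offsite_copies"]) >= 1)
    return report


def sample_report(corrupt_cloud: bool = True) -> dict:
    """Constructed scenario: local disk and tape are intact; the offsite copy may be corrupted."""
    payload = b"PLC project backup v12 (constructed sample content)"
    manifest_digest = sha256(payload)          # digest recorded when the backup was taken
    cloud_bytes = payload[:-1] + b"?" if corrupt_cloud else payload   # simulated bit rot
    copies = [
        BackupCopy("site_disk", "disk", offsite=False, immutable=False, content=payload),
        BackupCopy("site_tape", "tape", offsite=False, immutable=True, content=payload),
        BackupCopy("cloud", "object_storage", offsite=True, immutable=True, content=cloud_bytes),
    ]
    return validate_backups(copies, manifest_digest)
```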
Centralizing OT Cybersecurity Functions
One of the most notable shifts in 2024 has been the centralization of OT cybersecurity as a core function within organizations.
- Defined Ownership: Companies are formalizing roles, with dedicated corporate OT cybersecurity leaders, teams, and site representatives emerging as a standard practice.
- IT-OT Collaboration: Effective OT cybersecurity requires close collaboration between IT teams, who bring security technology expertise, and OT teams, who provide critical context about operational impacts that can affect the practicality and feasibility of proposed technical solutions.
- Integrated Oversight: Establishing a centralized OT security function ensures that vulnerabilities across both IT and OT systems that could impact safety and continuity of operations are identified and addressed cohesively.
Shifting to Risk-Based OT Cybersecurity Assessments
Industries are moving away from solely performing compliance-focused assessments to incorporating risk-based assessments.
- Mainstream Techniques: Consequence-based risk assessment methodologies such as CyberPHA[2], CyberHAZOP, and CyberBowtie have gained traction, enabling organizations to model realistic risks that could have operational, environmental, or safety impacts.
- Dynamic Risk Modelling: By integrating real-time and historical data with OT cyber risk models, companies can obtain up-to-date visualization of their risk profile.
Supply Chain Risk Recognition
In the wake of high-profile supply chain cyber incidents such as Solarwinds, Log4j, and CrowdStrike, inclusion of supply chain threats in risk assessment and management has become critical.
- Device Security: Organizations are scrutinizing the security of devices and systems they procure, ensuring that third-party vendors follow Secure by Design practices and are certified to standards such as ISA/IEC 62443-2-4, 3-3, 4-1, and 4-2.
- Third-party Risk Management: Supply chain threats are now being incorporated into OT risk assessments to identify and address third-party cyber risks.
Proliferation of IP-Connected Devices
Digital Transformation programs are driving a surge in IP-connected devices in OT and are redefining the attack surface in these environments.
- Industrial Internet of Things (IIoT): The ongoing deployment of connected sensors, devices, and advanced analytics into industrial processes, with connectivity to cloud-based analytics, necessitates revisiting risk assessments.
- Smart Devices: Technologies enabling IP (e.g., Ethernet-APL) over traditional 4–20 mA circuits offer exciting possibilities but introduce new vulnerabilities at Level 0 of the Purdue model that must be accounted for.
Additional Predictions for 2025 and Beyond:
- Regional and Sector-Specific Regulatory Directives: While the US regulatory environment may relax, other regions (e.g., the EU) and nations will likely continue to strengthen cybersecurity regulations with specific requirements for OT security. Additionally, sector-specific security directives will likely expand beyond energy and transportation to other industrial sectors such as water, food, and pharmaceuticals.
- Practical AI Applications: AI technology is currently being applied for ICS anomaly detection, backup validation, and scenario generation for tabletop exercises. Its broader role in OT cybersecurity will undoubtedly expand, though at a slower pace than in the general IT space.
Conclusion
OT cybersecurity will continue to demand proactive and reactive risk management strategies in the coming years. We are already seeing innovative new tools and closer collaboration across disciplines within organizations.
From addressing ransomware threats to embracing risk-based assessments and integrating new technologies, organizations must prepare for a future where the stakes, and the opportunities, have never been higher.
[1] https://icsstrive.com/
[2] https://en.wikipedia.org/wiki/Cyber_PHA