Managing OT and IT Risk: What Cybersecurity Leaders Need to Know

Security leaders face the challenge of managing a vast, interconnected attack surface, where traditional approaches to managing cyber risk are no longer sufficient. Modern threats exploit vulnerabilities across domains, requiring a more holistic approach to avoid operational disruption, safety risks and financial losses.

In today’s rapidly evolving digital landscape, security leaders face an unprecedented challenge: managing and mitigating risks across both IT and operational technology (OT) environments. What was once a relatively straightforward task of defending a defined network perimeter has transformed into a complex battle to secure a vast, interconnected web of IT, OT and internet of things (IoT) systems where the lines between each are increasingly blurred. While integrating these systems reduces operational costs and drives efficiency, it also expands the attack surface, leaving organizations vulnerable to cyberthreats. A recent report by ESG showed that 76% of organizations have suffered a cyberattack as a result of an unknown, unmanaged or poorly managed internet-facing asset.

In other words, the attack surface has never been wider — or more difficult to protect.

The convergence of IT and OT has fundamentally shifted the role of security leaders. No longer confined to safeguarding traditional IT environments, cybersecurity leaders are finding themselves responsible for securing OT systems, cloud infrastructures, mobile and IoT devices, smart technologies, advanced AI systems and even shadow IT assets. Every new connection introduces unique vulnerabilities that must be managed to avoid devastating consequences — from operational disruption to safety risks and financial losses from ransomware and compliance failures. This evolving responsibility makes comprehensive cybersecurity increasingly challenging.

Image source: “Blackbox to blueprint: The security leader’s guidebook to managing OT and IT risk,” Tenable, October 2024

Why you need to think differently about risk

Traditional approaches to managing risk are no longer sufficient. Securing an organization today requires more than basic network defenses and a myriad of siloed security tools that provide an incomplete picture of the attack surface. Today’s threats exploit vulnerabilities across IT, OT and IoT environments, and attackers can move laterally across these domains to maximize the impact of their efforts. An overlooked attack vector or misconfiguration in a single system can lead to operational disruptions, safety risks and significant financial impact. Adapting to the evolving threat landscape means changing how you think about risk in your converged environment.

“76% of organizations have suffered a cyberattack as a result of an unknown, unmanaged, or poorly managed internet-facing asset.”

— Enterprise Strategy Group (ESG), “Elevating Security with Risk-based Vulnerability Management,” June 2024

While OT systems were once isolated and presumed to be “air-gapped” and safe from cyberattacks, they are now often exposed to the internet (whether directly or through laptops, management applications and other IT systems). Legacy OT systems, designed for longevity and reliability, often lack modern cybersecurity controls and are particularly sensitive to disruptions. IoT devices, meanwhile, are frequently insecure by design, creating blind spots in security postures if not properly accounted for.

In the infamous 2017 NotPetya breach, attackers exploited a vulnerability in Ukrainian accounting software M.E.Doc to infiltrate IT systems worldwide, including those at Maersk, the world's largest shipping conglomerate. The malware spread rapidly by combining two potent tools: EternalBlue, which exploited a Windows vulnerability, and Mimikatz, which extracted user credentials to move laterally across networks. This allowed the malware to propagate even on systems that had been patched, infecting thousands of machines in minutes.

At Maersk, the attack initially crippled their IT infrastructure, including essential systems that managed global shipping logistics. As the malware spread unchecked, it impacted OT environments by locking out systems responsible for controlling port logistics, crane operations and container management. The lack of adequate network segmentation between Maersk's IT and OT systems allowed the malware to jump from IT to OT, causing widespread operational paralysis. For days, Maersk's terminals around the world were forced to revert to manual processes, disrupting global shipping routes and creating massive logistical bottlenecks.

Attacks like NotPetya underscore the urgent need for security leaders to adopt a more holistic and integrated approach to managing IT and OT risk. Modern cyberthreats can quickly traverse from the IT network over to OT environments, exploiting vulnerabilities and causing cascading damage. To prevent these attacks, unified security strategies are required that focus on OT-specific defenses and full visibility across both IT and OT environments.

So, what can security leaders do to meet this growing challenge?

Where to start: Future-proof strategies for managing OT and IT risk

Effectively managing the security of your IT, OT and IoT assets requires a tailored approach. Each asset type comes with unique challenges — ranging from traditional OT systems, such as programmable logic controllers (PLCs) and industrial controllers, to the rapidly expanding deployment of IoT devices and sensors. A one-size-fits-all approach can’t provide the level of visibility and control needed to safeguard such a diverse environment.

OT assets are typically highly specialized, designed for longevity and operate in controlled environments in which downtime is costly or dangerous. Traditional IT security tools like endpoint detection and response fall short in such sensitive environments. Ensuring OT systems are secured requires purpose-built solutions that don't disrupt critical processes.

Similarly, IoT devices introduce unique complexities. Many IoT assets are “insecure by design” and evade traditional discovery and assessment techniques. While IoT architectures may share characteristics with both IT and OT environments, they require a dedicated strategy to ensure they don't become blind spots in your security posture.

Download the white paper, Blackbox to blueprint: The security leader’s guidebook for managing OT and IT risk, to learn how to extend your IT vulnerability management program to confidently close the cyber exposure gaps that put your connected operations and cyber-physical systems at risk. In this guide, we explore the key challenges facing today’s security leaders and offer actionable strategies to help minimize risk, protect critical assets, and develop a future-proof security approach.

• Considerations for securing hybrid environments: Dive into proven strategies for gaining visibility into OT and IT assets, even when legacy systems and proprietary protocols are involved.
• Tips to prevent operational disruption: Learn why traditional IT security tools are not sufficient for OT environments and how purpose-built solutions can help ensure both security and operational continuity.
• How to streamline compliance and reporting: Understand the unique compliance challenges of securing converged OT/IT environments and how to streamline and automate audit, reporting and regulatory compliance processes.

These strategies are designed to put OT cybersecurity and resilience at the core of your digital transformation efforts.

#CPS #OTSecurity #ICSSecurity #BMS #DigitalTransformation #CISO

Learn more

• Join an expert discussion on how to unlock Advanced IoT Visibility to secure connected OT/IT environments
• Discover how the latest release of Tenable OT Security redefines discovery and classification of IoT device relationships
• Explore how Tenable helps assess NIS2 risk‑based security measures from three key perspectives across the enterprise
• Find out how Splunk and Tenable together deliver more robust OT/IT security
• Learn how to get started with Tenable OT Security