Clearing Up Common Misconceptions in OT Security: Myth vs. Reality

In the world of Operational Technology (OT), many misconceptions can put critical systems at risk. Here, we address five common myths about OT security and reveal the actual facts.

Myth #1: "OT Network Air-Gapped and Not Connected to the Internet"

Misconception: Many organizations believe their systems are completely separate from the internet and therefore safe from online threats.

Reality: Tools like Shodan OT Radar have shown that many industrial devices are online, often with weak security such as default or absent passwords. This indicates that these systems are not as isolated as many believe, making them vulnerable to cyber-attacks.

Myth #2: "We Are Using OEM Firewall, Our Systems Are Behind a Firewall"

Misconception: Having a firewall means the systems are fully protected from external threats.

Reality: Past studies show that firewalls are often incorrectly set up. For example, if the first rule in a firewall allows all traffic through, it offers no real protection. Reports up to 2023 predict that most firewall problems will arise from improper settings, not flaws in the firewall itself. Firewalls are crucial but must be part of a broader security strategy. Additionally, traditional IT firewalls can't handle OT traffic, so customers should use next-generation industrial firewalls that understand industrial protocols such as Modbus, S7comm, and BACnet.
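The "first rule allows all traffic" problem can be checked mechanically. The sketch below is an added example, not taken from any firewall product: it assumes a simple first-match rule model, and the rule names, addresses and zones are constructed for illustration (TCP 502 is Modbus/TCP, TCP 102 is S7comm). It flags allow-any rules and any later rule that an earlier one fully covers.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    proto: str = "any"          # "tcp", "udp" or "any"
    port: Optional[int] = None  # destination port, None = any

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches b also matches a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.proto in ("any", b.proto)
            and (a.port is None or a.port == b.port))

def audit(rules: list[Rule]) -> list[str]:
    """First-match semantics: flag allow-any rules and rules that can never fire."""
    everything = Rule("any", "allow", "0.0.0.0/0", "0.0.0.0/0")
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and covers(rule, everything):
            findings.append(f"{rule.name}: allows any-to-any traffic")
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append(f"{rule.name}: shadowed by {earlier.name}")
                break
    return findings

# Constructed rule sets; names, addresses and zones are illustrative only.
WEAK = [
    Rule("r1-temp-any", "allow", "0.0.0.0/0", "0.0.0.0/0"),
    Rule("r2-deny-it-to-plc", "deny", "10.10.0.0/16", "192.168.50.0/24"),
    Rule("r3-hmi-modbus", "allow", "192.168.40.10/32", "192.168.50.0/24", "tcp", 502),
]
FIXED = [
    Rule("hmi-modbus", "allow", "192.168.40.10/32", "192.168.50.0/24", "tcp", 502),
    Rule("eng-s7comm", "allow", "192.168.40.20/32", "192.168.50.5/32", "tcp", 102),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit(rules) or "no findings")
```

The check works on addresses and ports only. It says nothing about what is carried inside an allowed Modbus or S7comm session, which is the gap protocol-aware industrial firewalls address.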

Myth #3: "Hackers Don't Understand Control Systems"

Misconception: The belief that OT systems are too complex for most hackers to understand.

Reality: The landscape has changed significantly; hacking is now a professional activity, sometimes even offered as a service. With frequent discussions of control systems at major security conferences and easy access to hacking tools online, hackers are increasingly adept at exploiting weaknesses in these systems. Additionally, hacking services are now available for hire on the dark web, including ransomware-as-a-service to launch attacks.

Myth #4: "Our Facility Is Not a Target"

Misconception: Only certain types of significant industries or facilities are likely to be attacked.

Reality: OT cyber threats can impact any industry. Every organization, no matter how small or seemingly insignificant, can be a target. This serves as a reminder that cyber risks are ubiquitous and escalating annually.

Myth #5: "Our Safety Systems Will Protect Us"

Misconception: The belief that built-in safety systems can fend off any cyber threats.

Reality: Many safety systems rely on common computer systems with known security issues and use insecure communication protocols like Modbus. The 2017 TRITON malware attack on safety systems at a petrochemical plant demonstrates that even these systems can be compromised, leading to severe consequences.

Conclusion

Understanding the difference between myths and reality in OT security is crucial for protecting critical infrastructure. Organizations need to implement multiple layers of security, stay informed about new threats, and regularly review and update their systems. Being proactive about security is the best way to safeguard critical systems from sophisticated cyber threats.


Akshay Nigam

Associate Manager & Lead at Accenture | OT Security & Strategy | IEC 62443 CFS Certified | Helping Clients in Mitigating Risks & Safeguarding Critical Infrastructures

9 months ago

Muhammad Musbah, GICSP Thanks for sharing and putting up all the relevant myth buster pointers.
