Consumer Packaged Goods Companies (CPGs) are embracing the convergence of Operational Technology (OT) and Information Technology (IT) to take advantage of the promised benefits: reduced costs, enhanced performance, and greater agility. However, the lack of integration between the two systems makes that a monumental challenge for many CPG companies.
Integrating legacy OT systems with IT is increasing vulnerability in an era of more numerous and sophisticated cyberattacks. A risk-based OT security program with embedded threat intelligence can securely connect your IT and OT networks and protect assets from evolving and complex threats. Implementing proactive security means a faster mean time to resolution, which limits the impact and cost of any cybersecurity breach.
In production environments, OT systems were traditionally thought to be “protected” by an air gap separating them from the highly connected (and thus highly vulnerable) IT world. This is no longer the case as IT/OT convergence, necessitated by the increasing use of IT technologies in industrial systems, is now a priority for many CPG companies. However, this is easier said than done: in a recent survey, 73% of respondents said that IT/OT integration was their biggest challenge in securing OT environments (followed by protecting against ransomware threats at 76 percent and modernizing remote access at 55 percent).
Overall, the Orange CyberDefense Security Navigator 2024 report found that incidents involving attacks against OT systems increased exponentially, peaking in 2023. The increase in incidents involving both IT and OT systems after 2019 suggests that the boundaries between the two are becoming increasingly blurred. The diversity of attacks, ranging from crude to sophisticated, shows us that threat actors are adapting and diversifying their methods of exploiting IoT systems.
It’s also true that the #1 priority in production environments is availability (uptime) and that security is sometimes a secondary consideration. For example, a security leader arguing that a manufacturing system needs to be shut down so that an important patch can be installed may not always get the hearing this deserves. This may contribute to manufacturing companies becoming soft targets for bad actors and might explain why, for example, manufacturing was the industry most targeted by ransomware attacks in 2024 (see box out).
Ransomware and IT/OT integration
Given that these are the two key challenges facing security leaders, it’s easy to assume that there is a close correlation between the two – and, indeed, many vendors make this claim.
It is undoubtedly true that the manufacturing sector is, unfortunately, an increasingly lucrative target for cybercriminals. A recent report found that 65% of manufacturing and production organizations reported they were hit by ransomware last year. This is a notable increase from the previous two years (56% in 2023 and 55% in 2022) and represents a 41% increase since 2020.
However, it is traditional IT equipment – such as PCs, laptops and USB sticks – that is the chief target of ransomware, even in OT environments. A connected engineering workstation, or a workstation for initiating or planning production (an operator station, MES, etc.), is likely to be running an operating system susceptible to ransomware.
Therefore, rather than blaming IT/OT convergence for these attacks, many companies should instead be looking to address the insufficient use of isolation and best of breed security practices.
At its heart, IT/OT convergence is about making use of IT knowledge within OT environments to put in place standards, processes, and tools that facilitate resilient operations – despite the complex and rapidly evolving threat landscape. By facilitating the extraction of production data and enabling advanced analytics, IT can help create an OT Data Foundation that supports the automation of business and production activities and delivers higher levels of overall company efficiency.
However, while this fusion of these two worlds brings many benefits, it also opens plants, shop floors, and production facilities to the darker world of traditional IT threats.
Integration is crucial
There’s no point in fitting a smoke alarm system that no one can hear. Equally, there is no value in an OT security system if the red flags it raises go unnoticed, so it is critical to ensure that your OT monitoring systems are integrated with the other relevant parts of your security infrastructure – principally the Security Operations Center (SOC), the Security Information and Event Management (SIEM) solution, the IT Service Management (ITSM) system and the Industrial Control System (ICS).
Equally, if your smoke detector goes off every time someone boils a kettle, it will simply be ignored. In an OT environment, there will be many false positives – these need to be filtered out if your OT monitoring system is to have the credibility it needs.
OT monitoring is a passive function whose value is only realized when it is acted upon. If you fail to integrate this into your security infrastructure and minimize the ‘false positives’ that result, then you are likely to see little return on the very significant investments you make into OT security.
The opportunities and challenges of IT/OT convergence
Successful IT/OT convergence provides data flow and process optimization between production, automation, and information systems across manufacturing plants and the entire value chain. It can streamline processes and bring significant operational efficiencies to production businesses – and is a foundational capability for successful Industry 4.0 implementation. By creating an OT Data Foundation, IT can put in place the systems and tools for data collection and analysis that will enable Operations (OT teams) to eliminate bottlenecks and more rapidly understand and respond to problems in real time.
However, many OT systems use legacy hardware that may be several decades old and without security engineered in. These may run software such as Windows XP, embedded Windows, or Windows CE, support for all of which was discontinued some years ago. In this instance, you can reduce the attack surface of these systems through modernized communications approaches such as a Unified Namespace (UNS), which uses a protocol such as MQTT to safely extract the data. A UNS will also enable the isolation of legacy systems while simultaneously increasing the availability of data and information for analytics and data-driven manufacturing.
As IT becomes a bigger part of the IT/OT scenario, air gaps can no longer provide the required level of security necessary for communication and OT data. The CPG industry therefore needs to urgently step up its attempts to address IT/OT security.
Despite being on a convergence path, OT and IT still speak very different languages. Security teams must break down silos and find ways of working together to protect their manufacturing facilities where sophisticated attacks could result in the collapse of their infrastructures. It is vital that when enterprises are planning OT/IT integration, security is central to their strategy and not an afterthought, or they are simply storing up problems for the future.
A risk-based approach to IT/OT security
Beyond technologies and systems, your people are central to an efficient cybersecurity strategy. You should outline precisely how OT and IT teams should work together while ensuring you are upskilling and reskilling your security teams to support IT/OT in the long term. You might also want to consider managed services to overcome the issue of the ongoing skills drought.
Most importantly, you should have a long-term vision of your business goals and how you are going to operationalize the convergence of OT and IT. You should also evaluate these goals against any implied risk; for example, deploying the wrong security solutions can end up restraining your business ambitions. Overall, although full IT/OT convergence is still some way off, you should already be embracing processes that support its integration into your operations and build them into future planning.
By implementing proper security mechanisms for industrial networks, CPG companies can increase their competitive edge and realize the efficiencies of interconnecting these environments. Effective OT security protects business-critical processes, systems, and people, and reduces security vulnerabilities and incidents. Several key factors underpin the success (or otherwise) of this project.
1. Understand your environment
You can’t protect what you don’t know about, so extending your security program to OT environments starts with a complete and comprehensive asset inventory based on an understanding of your assets, networks, threat landscape, and attack surface. Many organizations have significant blind spots in their OT environment: they may still be relying on an outdated spreadsheet of their assets or have simply forgotten about some elements of their OT estate. Manual processes are not sufficient for this task – asset discovery tools are necessary to automate this procedure.
By using an OT monitoring tool for this task, you will not only carry out the inventory and discover the vulnerabilities attached to devices in your network but also gain visibility into flow data. By capturing the communication flows between your devices in this way, you can, in the event of a breach, visualize all compromised devices and their dependencies – this will help you to quickly understand the nature and impact of the breach and remediate any problems.
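As an added example (not code from this page or from Orange Cyberdefense's tooling), the Python below builds a passive asset inventory and a breach blast-radius view from constructed flow records, and, for the false-positive point made earlier, reduces alerting to flows absent from a learned baseline. The port-to-protocol mapping, IP addresses and flows are all assumed or constructed for the illustration.

```python
"""Passive OT asset inventory and blast-radius view from flow records.

Added illustration, not Orange's tooling. Port-to-protocol mapping and the
sample flows are constructed for this example.
"""
from collections import defaultdict, deque

# Assumed standard service ports for a few industrial/IT protocols.
PROTO_BY_PORT = {502: "modbus", 102: "s7comm", 44818: "ethernet/ip",
                 1883: "mqtt", 3389: "rdp"}

# Constructed flow records: (src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.2.10", 502),     # HMI -> PLC (Modbus)
    ("10.10.1.5", "10.10.2.11", 102),     # HMI -> PLC (S7)
    ("10.10.1.20", "10.10.2.10", 502),    # engineering workstation -> PLC
    ("10.10.2.10", "10.10.3.2", 1883),    # PLC -> UNS broker (MQTT)
    ("10.10.0.9", "10.10.1.20", 3389),    # IT jump host -> workstation (RDP)
]

def build_inventory(flows):
    """Map every device seen in the flows to the set of protocols it uses."""
    inventory = defaultdict(set)
    for src, dst, port in flows:
        proto = PROTO_BY_PORT.get(port, f"tcp/{port}")
        inventory[src].add(proto)
        inventory[dst].add(proto)
    return dict(inventory)

def downstream_of(flows, compromised):
    """Hosts transitively reachable from `compromised` along observed flows.

    Approximates the blast radius of a breach on that device: every host it
    was already seen talking to, and everything those hosts talk to in turn.
    """
    edges = defaultdict(set)
    for src, dst, _ in flows:
        edges[src].add(dst)
    seen, queue = set(), deque([compromised])
    while queue:
        for nxt in edges[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def unexpected_flows(baseline, current):
    """Flows absent from the learned baseline: the only ones worth alerting on,
    which keeps known-good OT chatter from flooding the SOC as false positives."""
    return [f for f in current if f not in set(baseline)]
```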
Once you have a clear picture of the assets that need to be protected, you can begin the assessment process, based on a clear understanding of the risks you are willing to accept – and the countermeasures that are in place to mitigate any threats. Any risks you deem unacceptable must be mitigated before the IT/OT integration process begins – this can be a very significant piece of work that is often underestimated by CPG companies.
2. Secure your networks, assets, and production processes
Increasing connectivity between IT and OT networks requires secure network design and segmentation to protect and access assets in your network. Based on the insights resulting from the inventory, you can secure the critical endpoints across your entire infrastructure. Having carried out this piece of work, you will also have gained a greater degree of visibility into your OT/IT estate which will enhance your overall risk mitigation capabilities.
3. Detect threats from your IT and OT networks
The threat landscape changes at the same accelerated pace as digital transformation: detecting complex threats in increasingly connected IT and OT environments therefore requires integrated threat detection capabilities that can monitor your entire estate to detect and mitigate industrial threats in real time. This can be achieved by combining and analyzing data from different OT and IT estate resources. (See embedded threat intelligence below.)
4. Be prepared to respond to security incidents
Cyberattacks are inevitable and can impact your operations, so be prepared to limit the impacts (operational and financial) resulting from any disruption. Core to this will be a comprehensive Incident Response Plan (IRP) that outlines roles, responsibilities, and procedures for handling various types of attacks. This should be regularly tested and updated. (Orange Cyberdefense offers an Incident Response service to CPG companies that helps you to assess the situation, and if necessary to contain the attack, evict the attacker, and restore your operations.)
Embedded Threat Intelligence (ETI)
Embedded threat intelligence is a security architecture that uses AI to protect organizations from malicious traffic. It can help to detect and mitigate attacks, including DDoS attacks, known attacks, and zero-day attacks. It is a data-driven practice that helps organizations understand and respond to cyber threats and involves collecting, organizing, and using information about cyber threats to make informed security decisions.
Threat intelligence can be automatically integrated into your security tools, while contextual threat intelligence can help security staff to analyze or prepare for security incidents. Threat intelligence can include:
- Indicators of compromise (IOCs): technical indicators that can be used to identify threats
- Threat actor profiles: in-depth profiles of cyber threat actors and groups
- Malware association: associating threats with specific malware.
Conclusion
Many enterprises are at the very beginning of their IT/OT convergence journey, but it is happening faster than many realize. Enterprises need to put a combined OT/IT strategy in place to ensure they don’t make themselves even more vulnerable to cyberattacks.
Now is the time for you to start securing your OT environments with the latest technologies and integrating them into the bigger security framework. This requires careful planning if you are to achieve a unified OT/IT security strategy that underscores confidentiality, availability, efficiency, and performance.
Orange CyberDefense’s ETI solution
Orange Cyberdefense (OCD) works with CPG companies facing challenges relating to industrial control systems and Supervisory Control and Data Acquisition (SCADA) environments. Security solutions must be applied across OT and IT environments to enable efficient operations and management. Our Industrial Security Services are designed to meet compliance requirements for standards and regulations such as NIST 800, IEC 62443 and NIS 2.
Our ETI solution draws on information from OCD's 9,000 global customers, across our 18 SOCs and 14 CyberSOCs. It provides an early warning system that enables organizations to rapidly identify, prioritize and respond to cybersecurity risks, thereby minimizing the resulting damage, and encompasses four elements:
1. Managed Threat Intelligence – threat intelligence for security technology enrichment
- Boost your in-house SOC with our proprietary Cyber Threat Intelligence Datalake
- Obtain qualified and actionable data about threats to better anticipate.
2. Threat Intelligence feeds - Better understand your enemies
- Our service World Watch collects, analyzes, prioritizes, contextualizes and summarizes the essential threat and vulnerability data you need to make informed decisions.
3. Vulnerability Management - reduce your attack surface with a cyberdefense portfolio that enables holistic vulnerability management, incorporating:
- Managed Vulnerability Intelligence [watch] (vulnerability intelligence feed)
- Managed Vulnerability Intelligence [identify] (vulnerability scan)
- Ethical hacking (including penetration testing).
4. Managed Cybercrime Monitoring - Mitigate digital risks beyond the enterprise perimeter
- Monitor data leaks and take down fraudulent websites, apps, social media accounts and phishing sites
- Quickly identify and remediate any tampering of your digital assets by cyber criminals and hacktivists
- Protect your organization from attack with our IP reputation intelligence service.
Orange Business partners with many of the leaders in OT security, including Microsoft (Defender for IoT), Claroty, Nozomi and Tenable. We also recently announced a partnership with Cisco Cybervision to create an upgraded security architecture for IT/OT environments. Our extensive suite incorporates new, customized services aimed at safeguarding digital assets across all operational tiers—from production facilities to corporate systems. Our partnership ensures your operations benefit from cutting-edge technology customized to your specific business requirements.
Frederik Bauer
With over a quarter century of experience in the Orange Group, Frederik is a Managing Consultant at Orange Cyberdefense. His primary focus is the development and delivery of Operational Technology (OT) security services for the international client base of Orange.
Outside of work, Frederik is a passionate cave diver, spelunker and football enthusiast.