The convergence of information technology (IT) and operational technology (OT) is accelerating, but its implementation is still fraught with fundamental security flaws. Claroty’s analysis, based on data from more than 125,000 industrial assets, shows that 36% of them contain at least one vulnerability that is known to be actively exploited by attackers, i.e. one listed in the Known Exploited Vulnerabilities (KEV) catalogue. Furthermore, 13% of all OT assets surveyed have an unsecured connection to the internet, creating easily accessible entry points into corporate and industrial networks.
The industrial world has been balancing at the intersection of two realities for years. On one side is a hermetic, specialised operational technology (OT) ecosystem designed for stability and continuity of physical processes. On the other is the dynamic and connected world of IT, driving analytics, remote working and business efficiency. Their combination is inevitable and desirable, but generates risks whose scale is only beginning to be fully understood.
Analysis by the Team82 research team at Claroty sheds new and worrying light on this challenge. The finding that more than one in three OT assets has a known and exploitable vulnerability is alarming. These are not theoretical weaknesses, but vulnerabilities listed on the Known Exploited Vulnerabilities (KEV) list, meaning that there are ready-made tools and methods to exploit them in real-world attacks.
Even more problematic is the fact that 13% of these devices are fully visible from the public internet. This is not one-way communication or limited to the manufacturer’s servers. It is full exposure that allows attackers to freely scan IP address ranges for potential targets.
Crown jewels at your fingertips
The analysis goes even deeper, focusing on the most critical elements of industrial infrastructure: engineering workstations (EWS) and human-machine interfaces (HMIs). These are the digital command centres from which engineers and operators monitor, control and update production processes. Compromising such a system is an ideal scenario for an attacker.
Data shows that 13% of these critical assets also have an unsecured connection to the global network. The combination of high criticality, exposure to attack and vulnerability makes them a prime target for cybercriminals. To make matters worse, 36% of these unsecured EWS and HMI systems also contain at least one known vulnerability.
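The two findings above (share of assets with a KEV-listed vulnerability, and share of EWS/HMI assets reachable from the internet) are simple joins between an asset inventory and the Known Exploited Vulnerabilities catalogue, which CISA publishes as JSON. The following script is an added example, not code or data from Claroty, Team82 or the article: it loads a constructed catalogue excerpt (the `CVE-0000-xxxx` ids are placeholders, not real CVEs), cross-references a constructed OT inventory, ranks assets so that internet-exposed engineering workstations and HMIs with exploited vulnerabilities surface first, and reproduces the report's headline percentages for that inventory. The inventory field names (`type`, `internet_exposed`, `cves`) are this example's own assumptions; the catalogue shape (`"vulnerabilities"` list with a `"cveID"` field) mirrors the CISA KEV JSON.

```python
"""Cross-reference an OT asset inventory against a KEV catalogue excerpt and
rank internet-exposed engineering workstations / HMIs for remediation.

Constructed example: the KEV entries and inventory records below are
placeholders (CVE-0000-xxxx ids are invented). The catalogue format mirrors
the top-level shape of the published CISA KEV JSON; the inventory schema is
an assumption of this example.
"""
import json

# Roles the report singles out as the most critical: the digital command
# centres of the plant (engineering workstations and human-machine interfaces).
CRITICAL_TYPES = {"EWS", "HMI"}

# Constructed KEV catalogue excerpt (placeholder ids, not real CVEs).
KEV_CATALOG_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "product": "example-ews-suite"},
        {"cveID": "CVE-0000-0002", "product": "example-hmi-runtime"},
        {"cveID": "CVE-0000-0003", "product": "example-plc-firmware"},
    ]
})

# Constructed inventory: asset role, whether it accepts unsolicited inbound
# connections from the public internet, and CVEs matched to its software.
INVENTORY = [
    {"id": "ews-01", "type": "EWS", "internet_exposed": True,  "cves": ["CVE-0000-0001"]},
    {"id": "hmi-01", "type": "HMI", "internet_exposed": True,  "cves": ["CVE-0000-0100"]},
    {"id": "hmi-02", "type": "HMI", "internet_exposed": False, "cves": ["CVE-0000-0002"]},
    {"id": "plc-01", "type": "PLC", "internet_exposed": True,  "cves": []},
    {"id": "plc-02", "type": "PLC", "internet_exposed": False, "cves": ["CVE-0000-0003"]},
    {"id": "plc-03", "type": "PLC", "internet_exposed": False, "cves": []},
    {"id": "ews-02", "type": "EWS", "internet_exposed": False, "cves": []},
    {"id": "rtu-01", "type": "RTU", "internet_exposed": False, "cves": ["CVE-0000-0100", "CVE-0000-0200"]},
]


def load_kev_ids(catalog_json: str) -> set:
    """Return the set of CVE ids in a KEV-shaped catalogue document."""
    data = json.loads(catalog_json)
    return {v["cveID"] for v in data.get("vulnerabilities", []) if "cveID" in v}


def risk_score(asset: dict, kev_ids: set) -> int:
    """Higher is worse. Internet exposure and an exploited vulnerability each
    weigh 2, a critical role (EWS/HMI) adds 1, so an exposed EWS/HMI with a
    KEV hit (5) always ranks above anything that lacks one of the two."""
    score = 0
    if asset["internet_exposed"]:
        score += 2
    if set(asset["cves"]) & kev_ids:
        score += 2
    if asset["type"] in CRITICAL_TYPES:
        score += 1
    return score


def triage(inventory: list, kev_ids: set) -> list:
    """One row per asset, sorted by descending risk score, then by id."""
    rows = []
    for asset in inventory:
        rows.append({
            "id": asset["id"],
            "type": asset["type"],
            "internet_exposed": asset["internet_exposed"],
            "kev_hits": sorted(set(asset["cves"]) & kev_ids),
            "score": risk_score(asset, kev_ids),
        })
    return sorted(rows, key=lambda r: (-r["score"], r["id"]))


def pct(num: int, den: int) -> float:
    return round(100.0 * num / den, 1) if den else 0.0


def summarize(inventory: list, kev_ids: set) -> dict:
    """Reproduce the report's headline metrics for a local inventory."""
    total = len(inventory)
    with_kev = [a for a in inventory if set(a["cves"]) & kev_ids]
    exposed = [a for a in inventory if a["internet_exposed"]]
    critical = [a for a in inventory if a["type"] in CRITICAL_TYPES]
    crit_exposed = [a for a in critical if a["internet_exposed"]]
    crit_exposed_kev = [a for a in crit_exposed if set(a["cves"]) & kev_ids]
    return {
        "assets": total,
        "pct_with_kev": pct(len(with_kev), total),
        "pct_internet_exposed": pct(len(exposed), total),
        "pct_critical_exposed": pct(len(crit_exposed), len(critical)),
        "pct_critical_exposed_with_kev": pct(len(crit_exposed_kev), len(crit_exposed)),
    }


if __name__ == "__main__":
    kev = load_kev_ids(KEV_CATALOG_JSON)
    for row in triage(INVENTORY, kev):
        flags = ("EXPOSED " if row["internet_exposed"] else "") + ",".join(row["kev_hits"])
        print(f'{row["score"]}  {row["id"]:7} {row["type"]:4} {flags}')
    print(summarize(INVENTORY, kev))
```

Two practical points when running this against a real inventory: `internet_exposed` should come from an external scan of the organisation's own address space (a vendor-maintained outbound tunnel is not the exposure the report describes, an inbound-reachable listener is), and the KEV join is only as good as the CVE matching feeding the `cves` field, which for OT firmware usually means matching on exact vendor, model and firmware version rather than on product name alone.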
Taking control of an engineering station or HMI opens the way to move deep into an industrial architecture, often organised according to the Purdue Model. An attacker can escalate privileges and move laterally from the company’s IT network into the heart of the OT network, where the potential damage – from production shutdown to physical destruction – can be catastrophic.
Remote access: a double-edged sword
The increased exposure of OT networks is not the result of negligence, but of a conscious business strategy. The pandemic has entrenched the remote working model, and globalisation is forcing the use of third-party suppliers and service providers who need access to industrial systems. This remote access, while crucial for operational efficiency, dramatically increases the attack surface.
The challenge, therefore, is not to cut off production facilities from the internet – that is no longer possible. It is about striking a balance between providing the necessary access while implementing granular and secure control over every interaction with cyber-physical systems (CPS).
From perimeter defence to Zero Trust
The traditional approach to security, based on perimeter defence (the so-called ‘castle and moat’), is no longer effective in a world where network boundaries are blurring and threats can also come from within. The answer to these challenges is the Zero Trust architecture, which is based on the principle of ‘never trust, always verify’. It enforces strict identity-based access control, grants only the minimum necessary permissions and monitors every session continuously.
The adoption of such models is being driven not only by increasing risks, but also by new regulations such as the EU’s NIS2 directive. It imposes strict risk management and incident reporting requirements on critical infrastructure operators, which in practice forces the implementation of modern security mechanisms.