Mar 19, 2025

The OT Industry’s Cybersecurity Crisis: Why Detection Is So Challenging

Operational technology (OT) systems are the foundation of critical infrastructure, including energy grids, water treatment facilities, manufacturing plants, and transportation networks. Historically, these systems operated in isolation, prioritizing reliability and efficiency over security. However, the integration of OT with information technology (IT) and the highly interconnected digital world has expanded the attack surface. OT systems are now increasingly vulnerable to cyber threats. 

Evolution of Operational Technology

Operational Technology Historical Context

The OT industry has undergone significant transformations since the advent of the Industrial Revolution. For millennia, industrial processes were manual, water/wind-powered, and labor-intensive. The introduction of mechanization and steam power marked the first industrial revolution. Production capabilities increased markedly.

The second industrial revolution brought about mass production, the use of electricity, and some primitive automated processes. The third revolution, beginning in the 1940s and 1950s, introduced computers and advanced automation into manufacturing. This era, known as Industry 3.0, saw the deployment of early control systems, programmable logic controllers (PLCs) to monitor and manage industrial operations, and numerical control (NC) machines for computer-controlled manufacturing.

Operational Technology Modern Developments

Today, we are in the midst of the Fourth Industrial Revolution, known as Industry 4.0. Digital advancements are now being integrated into almost every aspect of the physical infrastructure. This includes the rapid proliferation of Industrial Internet of Things (IIoT) devices, the application of digital tools such as artificial intelligence (AI) to traditionally human endeavors, and the use of computer-aided advanced data analytics.

It is almost impossible today for many activities to take place without the support of computers. Commercial and military airplanes could not fly. Financial institutions could not process transactions. Hospitals could barely function. Many manufacturing plants would shut down. Public utilities, such as power and water, would cease to operate. The list goes on. Modern society today is almost totally dependent upon sophisticated cyber systems to function. And as OT systems have permeated their various environments, they have become more and more autonomous and more interconnected. The traditional walls between the IT and OT environments have crumbled.

This new interconnectivity has brought with it many “benefits.” It has enabled real-time monitoring, predictive maintenance, and enhanced operational efficiency. However, increased connectivity has also introduced new and increased vulnerabilities. The convergence of IT and OT networks means that traditional OT security measures are no longer sufficient. Threats can now travel from IT systems into OT environments, putting critical OT operations at risk, and vice versa. Threats can also travel from vulnerable OT systems into traditional IT systems, via OT’s typically poorly guarded backdoor.

Cybersecurity Breaches in OT

There have been quite a few serious OT-focused cyber incidents that underscore the vulnerabilities in OT systems — attacks that should have garnered more attention than they did. Consider these two incidents below. They illustrate that highly destructive attacks against OT are not a new phenomenon.

1. Ukrainian Power Grid Attack (2015)

In December 2015, Ukraine experienced a historic cyberattack, one that disrupted power to hundreds of thousands of people. This marked the first confirmed cyberattack on a power grid. It proved conclusively that hackers could manipulate OT systems to cause real-world (not “only” cyber system) damage.

A Russian-based cyber espionage group, code-named “Sandworm” by western cybersecurity teams, used spear-phishing emails to infiltrate Ukrainian energy distribution companies. Once inside those networks, Sandworm used a two-stage strategy to achieve its nefarious results. Exploiting a serious vulnerability in Microsoft PowerPoint, Sandworm initially stored its malware, executable code known as “BlackEnergy,” inside of a temporary folder in the utilities’ cyber systems. Once BlackEnergy was installed, Sandworm could then execute it at will. Upon launch, BlackEnergy would “phone home,” opening up a communication channel to its handlers and giving those handlers direct remote-control access to the utility companies’ Supervisory Control and Data Acquisition (SCADA) systems. They then used this operational control to manually switch off circuit breakers, cutting off electricity to large regions of Ukraine.

2. Ukrainian Industroyer Attack (2016)

One year later, in December 2016, Ukraine's power grid was attacked again. This time, Sandworm deployed Industroyer — a malware specifically designed to disrupt OT systems. Industroyer targeted SCADA systems and electrical substations, but rather than rely upon human handlers to issue the commands, Industroyer “spoke the language” of the SCADA systems. It could issue SCADA language commands directly to circuit breakers and do so at inhuman speed. Kyiv experienced power outages for over an hour. 

Unlike BlackEnergy, Industroyer was modular and adaptable, capable of exploiting multiple industrial communication protocols and device languages to disrupt operations. Also, in contrast to the manually executed attack in 2015, Industroyer operated independently of human operations — demonstrating how, once launched, malware can autonomously manipulate an OT infrastructure.

The Cost of Complacency and Denial

Both the 2015 and 2016 cyberattacks on Ukrainian power grids should have brought home to cybersecurity experts some of the key vulnerabilities of current OT security worldwide. However, for the most part, these attacks, and many others akin to them, were essentially shoved under the rug. There are two main reasons for this “denial”:

  1. Most leading cybersecurity experts and vendors of cybersecurity systems have no real ability to rapidly detect and respond to attacks in the OT environment.
  2. Industry and governmental leaders prefer their own comfort zone of cybersecurity theater (reliance upon security buzzwords and technobabble) rather than looking to new, truly innovative technologies, even if those new technologies might lead to real cybersecurity.

The repeated disregard for past OT cyberattacks has left critical infrastructure exposed to threats that are not just possible but inevitable. Until industry leaders move beyond security theater and embrace real, rapid detection solutions, these attacks will continue to serve as warnings unheeded. 

Why Is Detection So Challenging in OT Environments?

There is no question that malware attacks, and especially malware attacks against OT systems, will increase. As this happens, malware detection remains one of the most daunting challenges confronting the OT industry. As is true in the world of IT, “If you can’t detect, you can’t protect” ™. However, unlike in IT environments, where cybersecurity and malware detection tools have been honed for years, OT environments have fundamental limitations. Below are some of the key reasons why threat detection in OT is such a major cybersecurity challenge.

Legacy Systems

Many OT environments rely on outdated hardware and software, or “legacy systems.” Most of these are missing modern security features. Legacy systems are often incompatible with contemporary cybersecurity solutions due, in part, to size constraints, limited processing power, and outdated architectures. Since older OT systems were never designed with security in mind, some lack even basic authentication controls. All of these shortcomings make them difficult to monitor and highly susceptible to exploitation through unpatched, and often unpatchable, vulnerabilities.

Increased Connectivity

The integration of OT systems with IT networks, cloud services, and remote access tools has vastly expanded the attack surface. While this connectivity improves efficiency and remote monitoring, it also introduces new attack vectors. In the Ukrainian power grid attacks, threat actors exploited weaknesses in IT systems to gain access to OT environments and manipulate industrial systems. With increased interconnectivity and poor network segmentation, it is easier than ever for intruders to access a vast variety of systems and cause significant damage.

Inadequate Monitoring and Long Dwell Times

Typically, OT systems prioritize operational continuity over security. As a result, they lack real-time internal monitoring and intrusion detection capabilities. This enables cyberattackers to move undetected for extended periods, as seen in cases of advanced persistent threats (APTs). Without active, internal threat detection, OT environments can be compromised for months before an attack is detected — increasing the risks of data theft, system manipulation, and operational disruption.

Physical Security Risks

Physical security gaps — such as remote unprotected physical locations, unattended workstations, and unauthorized physical access to critical systems — allow malware and other threats to bypass traditional physical security defenses. Without detection at the point of injection, these attacks can go unnoticed for long periods of time and extensively compromise operations. 

Lack of Rapid Threat Detection

Traditional cybersecurity tools such as Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) systems are unable to protect OT environments. They are simply not designed for the majority of OT devices. Most OT devices have minimal processing resources, such as only 8 MB or less of memory. In short, the established IT cybersecurity systems are inherently:

  • Far too large, requiring tens, if not hundreds, of megabytes of memory
  • Far too slow, especially with the limited resources available in OT devices
  • Far too ineffective, unable to detect new, previously undocumented malware attacks

Ultimately, these deficiencies leave critical OT systems unprotected from the myriad types of new cyberattacks endangering them.

Crytica’s Rapid Detection and Alert (RDA) System

OT environments were not originally designed for cybersecurity. The rapid pace of the digital transformation now seriously threatens the industry’s ability to secure the OT-based critical infrastructure. Taking advantage of the inherent security gaps in the OT environment, cyberattackers are now actively targeting OT networks with ransomware, espionage, and disruptive attacks.

In response to these vulnerabilities, OT cybersecurity must transition from almost non-existent protection, or even reactive defenses, to real-time threat detection and alerts. The OT industry needs a new and effective solution for cybersecurity: Rapid Detection and Alert (RDA).

Top Features of RDA

  • Rapid threat detection: Traditional OT security tools struggle against new, unknown, and fast-moving threats. The Crytica RDA system detects malware the moment it enters the system, before it executes. Detection upon injection eliminates the dangers of prolonged dwell times (APTs) and prevents cyberattackers from establishing a foothold and propagating throughout OT and IT networks. Take the 2015 Ukrainian power grid attack for example. RDA would have identified BlackEnergy as soon as it was injected into its target systems, long before it could disrupt operations. By catching threats at the point of entry, Crytica’s security model stops cyberattacks before they can compromise critical infrastructure.
  • Lightweight protection for OT systems: Many OT environments operate on legacy systems that have limited processing power. They are incompatible with IT security tools that require bloated memory resources, demand constant updates, and consume significant computing resources. Crytica’s RDA is 100 KB or less and utilizes highly efficient code. It can run efficiently on resource-constrained OT devices without disrupting normal operations or requiring drastic (and often impossible) system resource upgrades.
  • Built for always-on industrial environments: OT systems are designed for continuous uptime, meaning cybersecurity solutions must integrate into them without slowing performance or requiring downtime for updates. Unlike many conventional security tools, RDA functions in the background with minimal system impact. This ensures security remains active at all times, without interfering with operational processes.
  • Resilient security that cannot be disabled: Many OT attacks target the security infrastructure itself, attempting to disable detection mechanisms before deploying malware or ransomware. Crytica RDA’s mutually monitoring mesh of components autonomously redeploys if tampered with or removed. That way, detection and protection absorb attacks and remain viable even during an attack.
  • Designed for disconnected and semi-isolated environments: Cloud-dependent security tools are often impractical for OT systems that operate in semi-isolated, remote, or bandwidth-limited environments. RDA provides the same level of rapid detection whether deployed in a semi-isolated industrial network or an IT-integrated infrastructure. 

Key Takeaways

Over time, the OT industry has evolved, but cybersecurity has not kept pace. Increased interconnectivity and digital transformations have expanded the attack surface, exposing OT systems to modern cyber threats. Here are the key takeaways for the OT industry’s cybersecurity crisis: 

  • Recent catastrophic breaches have exposed some of the many potential security gaps in OT environments, including lack of rapid threat detection, inadequate monitoring and response, and increased connectivity between the IT and OT worlds.
  • Traditional security approaches fail to protect OT environments. Many rely on signature-based detection and resource-heavy monitoring, which do not work efficiently, or at all, in resource-constrained OT devices — leaving critical systems exposed.
  • Rapid threat detection is critical to mitigating OT cybersecurity risks. Without the ability to detect threats at injection, cyberattackers will continue to exploit vulnerabilities in OT systems. 
  • The Crytica Rapid Detection and Alert (RDA) system is the solution for OT cybersecurity. Unlike traditional security tools, RDA provides continuous, lightweight protection, ensuring threats are identified before execution — without compromising system performance.

Crytica Security is driving the future of cybersecurity for OT and other industries. Reach out to our team to learn more about our revolutionary RDA system and how we can help transform your cybersecurity.