When IT Becomes the Threat: 58% of All ICS/OT Breaches Tied to IT Compromise

A recent survey by the SANS Research Program showed that 58% of respondents identified IT compromises as a leading initial attack vector for ICS/OT incidents. This reflects the increasingly interconnected nature of IT and OT environments and highlights the risks that come with this convergence. But while the environments are intertwined, security practices may not be, and that is a serious problem.

Vulnerabilities in IT/OT security practices

The SANS survey highlights several areas where the integration of IT and OT networks has created exploitable gaps in critical infrastructure; identifying those gaps is a first step toward closing them. That IT compromises were the most common initial attack vector for ICS/OT environments indicates that attackers have learned to abuse IT vulnerabilities and then pivot into inadequately protected OT environments.

Traditional IT security practitioners often don’t understand the legacy systems in OT, which use proprietary protocols (such as Modbus and DNP3) that lack encryption and authentication. IT security tools (such as active scanners and antivirus tools) often crash these systems or generate false positives, making the direct application of IT controls impossible. Instead, organizations must adopt OT-specific security strategies and prioritize ICS-specific controls. Collaboration between IT security and engineering teams lets them put safety first and align their practices with engineering-led incident response protocols, which favor safety-first rollback procedures over standard IT patching.

The next two most common attack vectors were internet accessible devices (33%) and transient devices (27%). The reality is that legacy OT systems were designed for isolation, and thus now face new risks from cloud integrations and remote access tools, which may be misconfigured or unmonitored. At the same time, vendor laptops, USB drives, and maintenance tools can easily bypass air-gapped safeguards, introducing malware or unauthorized access points into OT networks. The more interconnected IT and OT become, the more important it is to put the right security controls in place to protect these environments.

Top 4 cybersecurity controls

The SANS survey identified multiple controls to improve ICS/OT defense, highlighting the first four as essential (and cost-effective) ways to address the most common vulnerabilities.

  1. Control system ICS/OT defensible network architecture is a structured security framework that establishes strict segmentation between IT and OT networks (using demilitarized zones or unidirectional data diodes to block the lateral movement of threats), implements secure remote access (such as zero-trust architectures and virtual private networks), reduces attack surfaces, and ensures operational continuity in industrial environments.
  2. ICS-specific incident response focuses on engineering-driven recovery within the ICS network, ensuring response plans cover both standard ICS assets and engineering devices.
  3. Architectures that support visibility, such as passive monitoring and protocol-aware sensors, allow organizations to enable real-time network visibility and prioritize situational awareness within operational technology networks.
  4. Removable media and transient device security refer to the strategies, tools and practices used to protect critical systems from threats introduced by such devices, which are often used for ICS maintenance and ICS network operations.
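The third control above, passive and protocol-aware monitoring, can be illustrated with a small detector. This is an added example, not code from the survey or the article: it decodes captured Modbus/TCP request frames (never sending anything to the controller) and alerts on write function codes from any source outside a hypothetical engineering-workstation allowlist, the kind of signal you would expect when an attacker pivots from a compromised IT host into the OT network. The IP addresses, the allowlist and the sample frames are all constructed.

```python
import struct
from typing import NamedTuple, Optional

# Modbus function codes that change controller state; the protocol has no authentication.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
# Hypothetical allowlist: only the OT engineering workstation may issue writes.
APPROVED_WRITERS = {"10.20.1.5"}

class ModbusRequest(NamedTuple):
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Decode the 7-byte MBAP header plus PDU; return None for malformed frames."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0; the length field counts the unit id plus the PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    return ModbusRequest(tid, unit, payload[7], payload[8:])

def find_unauthorized_writes(captured):
    """Return alert strings for write requests whose source is not allowlisted.

    `captured` is an iterable of (src_ip, dst_ip, payload) tuples as delivered
    by a passive sensor on a SPAN port or tap; nothing is sent to the PLC.
    """
    alerts = []
    for src, dst, payload in captured:
        req = parse_modbus_tcp(payload)
        if req is None or req.function not in WRITE_FUNCTIONS or src in APPROVED_WRITERS:
            continue
        alerts.append(f"{src} -> {dst} unit {req.unit_id}: "
                      f"{WRITE_FUNCTIONS[req.function]} (fc 0x{req.function:02X})")
    return alerts

# Constructed sample traffic: an HMI read, an approved engineering write, and a
# write from an IT-subnet host that should never speak Modbus to the PLC.
SAMPLE_CAPTURE = [
    ("10.20.1.10", "10.20.2.50", bytes.fromhex("0001000000060103000A0002")),  # fc 03 read
    ("10.20.1.5", "10.20.2.50", bytes.fromhex("000200000006010600100001")),  # fc 06, approved
    ("192.168.50.23", "10.20.2.50", bytes.fromhex("00030000000601050001FF00")),  # fc 05 from IT
]

if __name__ == "__main__":
    print("\n".join(find_unauthorized_writes(SAMPLE_CAPTURE)) or "no unauthorized writes")
```

In a real deployment the allowlist would come from the asset inventory, and the same passive parser could feed baselines of which hosts normally read or write each unit.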

Operationalizing controls

Currently, the survey shows that ICS/OT cybersecurity budgets broadly align with the importance of network security and secure remote access, while investment in incident response and visibility varies by region. Despite rising attacks on unsecured connections, however, protecting removable media and transient devices continues to lag. Most organizations (91%) do not have a dedicated, full-time OT cybersecurity resource, which raises the question: how can they effectively defend against malicious attacks?

Build a strong ICS/OT defense

To minimize the risks introduced by the convergence of IT and OT environments, it is essential to prioritize collaboration between IT security and engineering teams and to adopt controls based on current cybersecurity risks, adapted to each organization’s specific risk model. It also requires a hard look at budget allocation: critical infrastructure organizations must find cost-effective ways to implement defensible network architecture, ICS-specific incident response playbooks, architectures that support visibility, and strong security for transient devices. Cross-training programs, such as having IT staff shadow OT engineers to understand safety-critical processes and having OT teams learn threat-hunting basics across IT and OT environments, also help to build better defenses. It’s time for collaboration, which will both minimize disruption and build a culture of mutual respect.

The path forward

Today, only 9% of the surveyed cybersecurity and automation professionals dedicate full-time efforts to ICS/OT cybersecurity, despite the critical role these systems play in supporting critical infrastructure. Attackers are weaponizing IT weaknesses to disrupt physical operations, increasing the urgency for organizations to treat ICS/OT security as essential to business continuity. By focusing on implementing key controls and encouraging collaboration, security leaders can turn IT/OT convergence into an opportunity to better protect the infrastructure that powers, moves, and sustains modern life.