Article Details

How strong password policies secure OT systems against cyber threats. Operational technology (OT) interacts with crucial real-world infrastructure, empowering everything from energy plants to manufacturing facilities. Such environments are obvious targets for cyberattacks, but OT security often leaves much to be desired. OT is a broader concept than IT, describing the systems, both software and hardware, that underpin industrial environments. This means OT works directly with the physical world: things like Supervisory Control and Data Acquisition (SCADA) systems or Industrial Control Systems (ICS). While there’s significant overlap with IT, the priorities are very different. As the UK’s National Cyber Security Centre (NCSC) notes: “Where cybersecurity for IT has traditionally been concerned with information confidentiality, integrity and availability, OT priorities are often safety, reliability and availability, as there are clearly physical dangers associated with OT failure or malfunction.” Key password challenges in OT security OT environments aren’t just tempting targets for criminals, they are also uniquely vulnerable. For instance, the hardware and software in these environments is often outdated and resource-constrained, notes the World Economic Forum. And things are growing more complex. IT and OT are increasingly intermingled, creating the potential for a criminal to exploit user credentials or reused passwords and to expand their attacks. The Internet of Things (IoT) introduces a new layer of connected systems that naturally increases the surface area for attack. There are also unique challenges when it comes to passwords. As in the IT space, passwords remain a core function of security, even when users deploy multi-factor authentication (MFA) and other complementary approaches. However, the OT sector faces exacerbated risks and even unique dangers when compared with IT. Interested to know how many of your users have weak or breached passwords? Run a read-only scan of your Active Directory today with our free tool: Specops Password Auditor. Shared accounts and workstations Sometimes, credential-sharing can enable bad actors to expand their threat, even moving from IT systems to OT, physical infrastructure. Likewise, the nature of OT work, for example, in remote infrastructure, could see people sharing workstations, boosting overall vulnerabilities. Risks from remote access Often, vendors and other third parties will need to access the OT environment remotely: this could involve specialists working on support or maintenance contracts, for instance. Such remote access pathways could introduce new vulnerabilities that need to be protected. Outdated OT systems Big infrastructure investments in areas like energy or manufacturing are often made with long-term operations in mind, not necessarily the demands of cybersecurity; indeed, some of the systems used in the OT environment may have been put in place years or even decades ago. This could introduce opportunities for sophisticated, modern cybercriminals. Secure your Active Directory passwords with Specops Password Policy Verizon’s Data Breach Investigation Report found stolen credentials are involved in 44.7% of breaches.    Effortlessly secure Active Directory with compliant password policies, blocking 4+ billion compromised passwords, boosting security, and slashing support hassles! Strengthening OT password security So how can operators of OT environments mitigate the risk? It’s vital to build robust foundations by adopting best practices for password policies. Password security is just as important in OT environments as in IT, and in some instances may be even more vital, given the potentially life-threatening consequences that could stem from a shutdown or outage. Core password best practices for OT There are some basic, but vital, priorities to keep in mind: Building a resilient OT security architecture While passwords remain the linchpin of cybersecurity, they should be used in tandem with other security approaches to build a truly robust OT environment. For example, MFA is often viewed as the gold standard in security. This boosts the security of OT environments by adding several other layers of security on top of passwords: this could include message-based methods, challenge-based authenticator apps, or FIDO2 authentication. Some OT environments may also make use of Privileged Access Workstations (PAWs), which essentially separate the infrastructure used for high-risk activities from potentially compromising functions, such as web browsing or email access. However, it’s important to balance security with useability. Likewise, segmentation and network access controls are important, ensuring that only the right devices (and people) can access designated areas, and that any damage is limited should the worst-case scenario become a reality. Continuous password protection in OT Although such security approaches have clear benefits, one thing is clear, poor password security will hugely increase your vulnerability to cyberattack, with potentially serious consequences. This means it is vital to develop a clear picture of the password security landscape across an OT environment. Specops Password Policy provides this capability. The simple-to-use tool continuously scans for over 4.5 billion compromised passwords in Active Directory, while also blocking users from creating weak passwords in the first place. Book a free trial today. OT systems interact with some of the most important infrastructure in industry and society, with serious consequences if things go wrong. Robust password security is the cornerstone of resilient OT environments, protecting people and assets for the long term. Sponsored and written by Specops Software.