What happens if everything suddenly comes to a standstill? If cybercriminals take control and disrupt the production flow or shut down medical devices? OT and cyber-physical system (CPS) security is becoming increasingly important. For many reasons.
February 2025 | Text: Andreas Heer | Picture: Swisscom | 6 min.
It’s a scene we’re very familiar with in Switzerland: a production hall with machines whirring, pounding, punching and making noise. Something similar might be seen in the energy supply sector, for example in the control room of a hydropower plant. Or in a hospital. Operations often run around the clock. Outages – especially unplanned ones – are expensive because they may disrupt the whole production and logistics chain or even ruin an entire production batch in the food or chemical sector.
Uninterrupted availability is the name of the game for all related machines. Many of these machines communicate with each other. They control the production flow digitally and receive operating instructions from an ERP system. Visual systems such as computed tomography (CT) in hospitals store images online or in the cloud. In addition, many of these devices are equipped with sensors that monitor operation and production and feed this information back to control systems.
Operational technology (OT) and IoT are thus merging to form cyber-physical systems (CPS) – and inheriting IT security problems. ‘There is far too little consideration of these risks,’ is the assessment of Thomas Dummermuth, Head of Physical Security at Swisscom.
The threat of cyberattacks is genuine and has consequences in the real world, not just the digital one. Waterfall’s 2024 Threat Report lists a total of 68 attacks in 2023 on around 500 production sites and infrastructure facilities that led to production outages and, in some cases, to damage totalling hundreds of millions of US dollars. In other words: when something happens, there is usually significant physical damage. Human lives may even be at risk, for instance because vital systems stop functioning during a hospital IT outage or ambulances have to be rerouted to treatment centres located farther away. Of the attacks listed, only a quarter directly targeted CPS. More often than not, a ransomware attack encrypts production-related systems on the IT side, forcing systems and networks to be shut down and disrupting production in the process.
A poorly protected and insufficiently isolated industrial control system (ICS) may also be affected. ‘Currently, the number of attacks on CPS is lower than the number of cyber incidents in IT,’ says Dummermuth. ‘But it’s only a matter of time.’ That’s because the volatile global situation and the easy availability of attack tools, such as Ransomware as a Service, are contributing to an increase in such attacks. Hospitals and other healthcare facilities that were previously spared by ransomware gangs due to a kind of code of honour are now no longer off-limits. Heterogeneous, sometimes outdated systems and complex supply chains in which supply chain attacks can be ‘hidden’ make it easier for cybercriminals to operate.
Industrial machines, from production lines to dockside cranes, have a much longer service life than IT systems. As a result, control systems for which no more patches are being released may still be in use in production facilities. And even where there are patches, these may not be deployed. Perhaps the disruption to operations required for this is not acceptable or the updated software version is not certified for use in production. When new machines, sensors and control systems are added over time, the CPS world is characterised by heterogeneity – and confusion. There is a lack of transparency and an overall view across all the different areas of responsibility.
In addition, the focus when installing the systems is on functionality, not security. ‘Security by obscurity’ is a model that can still be found in industry: isolated (‘air-gapped’) systems are segregated from the rest of the network and are thus supposedly invulnerable. Only supposedly, because malware can still get onto machines via a service technician’s laptop.
In general, CPS system architecture is designed for availability and short response times, partly at the expense of security, for example in the case of unencrypted communication. So that service technicians can connect to CPS from anywhere, maintenance is often carried out via remote access – access that, depending on the age of the technology used, is poorly or not at all protected or has long since been ‘forgotten’.
Healthcare and energy providers, financial institutions, manufacturing companies and other organisations need to improve their cybersecurity for regulatory reasons as well. With the advancement of digitalisation and networking, demands on security are also increasing.
The EU is tightening the legal framework with the introduction of the NIS 2 Directive and the Cyber Resilience Act (CRA). The aim is to strengthen organisations’ cyber resilience. These regulations have a direct impact on Swiss companies if, for example, they work as suppliers for EU companies, serve customers in the EU or have subsidiaries in the EU. That’s why many Swiss companies also have to get to grips with these regulations and, if necessary, adapt their security strategies, processes and measures.
In Switzerland itself, the Strategy for Critical Infrastructure Protection (CIP) plays an important role and pursues similar objectives to the EU regulations. Swiss electricity suppliers are also subject to an extension of the Electricity Supply Ordinance (StromVV). Article 5a of the new version that came into force in 2024 sets out requirements for protecting against cyberthreats. In the financial sector, FINMA requirements aim to provide a high level of protection and also cover OT and IoT systems such as ATMs and access control systems.
For robust cyber resilience for CPS, there first has to be transparency about the systems, sensors, ICS, programmable logic controllers (PLCs) and access points used. ‘Lack of transparency is one of the reasons why many organisations cannot properly assess their cyber risk exposure,’ emphasises Dummermuth.
A detailed inventory of the systems and components in use should provide the basis for this, allowing organisations to identify vulnerabilities and plan targeted security measures. These measures are derived from a cyber resilience strategy that should cover all aspects of CPS security, from prevention to detection and response to cyber incidents.
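How an inventory turns into prioritised measures is easier to see in code. The following is an added example, not Swisscom’s tooling or a standard: it takes a constructed asset inventory that records the very properties the article flags (end-of-support controllers, patches released but not deployed, unencrypted protocols, remote maintenance paths nobody has used in months, machines sharing the flat IT network) and scores each asset so that the risk exposure Dummermuth describes becomes a ranked list with reasons. The weights, the 180-day ‘forgotten remote path’ threshold and the consequence multiplier for safety-relevant equipment are assumptions chosen for illustration.

```python
"""Inventory-driven risk prioritisation for a CPS estate.

Added example, not Swisscom's tooling: the asset inventory is constructed for
illustration and the weights are an assumed scoring scheme, not a standard.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    kind: str                     # "plc", "hmi", "engineering_ws", "ct_scanner", ...
    zone: str                     # "cell" = segmented OT cell, "flat" = shares the IT network
    safety_relevant: bool         # failure can endanger people or ruin a batch
    vendor_supported: bool        # vendor still releases patches for this firmware
    pending_patches: int          # patches released but not deployed (downtime, certification)
    encrypted_comms: bool         # protocol offers confidentiality and integrity
    remote_access: Optional[str] = None      # "modem", "vpn", "vendor_cloud" or None
    remote_last_used: Optional[date] = None  # None = no record of it ever being used


STALE_REMOTE_DAYS = 180          # assumption: unused this long counts as "forgotten"
TODAY = date(2025, 2, 1)         # assessment date used by the sample run below


def assess(asset: Asset, today: date) -> Tuple[int, List[str]]:
    """Score one asset and explain the score; a higher score means act sooner."""
    score, findings = 0, []
    if not asset.vendor_supported:
        score += 40
        findings.append("end-of-support: no patches available")
    elif asset.pending_patches:
        score += 5 * min(asset.pending_patches, 4)   # cap so a backlog does not dominate
        findings.append(f"{asset.pending_patches} released patch(es) not deployed")
    if not asset.encrypted_comms:
        score += 15
        findings.append("unencrypted protocol")
    if asset.remote_access:
        score += 20
        findings.append(f"remote access via {asset.remote_access}")
        unused = (asset.remote_last_used is None
                  or (today - asset.remote_last_used).days > STALE_REMOTE_DAYS)
        if unused:
            score += 25
            findings.append(f"remote path unused > {STALE_REMOTE_DAYS} days (possibly forgotten)")
    if asset.zone == "flat":
        score += 15
        findings.append("no segmentation from the IT network")
    if asset.safety_relevant:
        score = int(score * 1.5)   # consequence multiplier: physical harm outranks data loss
    return score, findings


def prioritise(inventory: List[Asset], today: date):
    """Return (asset, score, findings) triples, highest score first."""
    ranked = [(a, *assess(a, today)) for a in inventory]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed inventory for the example; none of these are real devices.
INVENTORY = [
    Asset("PLC-Line3", "plc", "cell", True, False, 0, False, "modem", date(2023, 1, 10)),
    Asset("CT-Scanner-1", "ct_scanner", "flat", True, True, 2, True, "vendor_cloud", date(2025, 1, 20)),
    Asset("HMI-Packaging", "hmi", "cell", False, True, 0, True),
    Asset("EWS-01", "engineering_ws", "cell", False, True, 6, True, "vpn", None),
]

if __name__ == "__main__":
    for asset, score, findings in prioritise(INVENTORY, TODAY):
        print(f"{score:4d}  {asset.name:<14} {'; '.join(findings) or 'no findings'}")
```

The point of returning the findings alongside the score is that each entry in the ranked list already names the measure to plan: an end-of-support controller on a legacy modem line with no segmentation calls for isolation and a replacement plan, whereas a patch backlog on an engineering workstation calls for a maintenance window. Re-running the assessment whenever the inventory changes is what makes risk management the ongoing process the article asks for.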
Regular emergency drills are an essential part of this strategy. These exercises help to test the effectiveness of the measures and prepare everyone involved for an emergency. Holistic risk management is another key component. ‘This is necessary to identify and evaluate all potential risks, which allows security measures to be prioritised,’ says Dummermuth.
Risk management is an ongoing process involving continuous evaluation and assessment of the threat situation. In a sense, this allows new measures to be taken or existing ones to be adapted ‘on demand’. Adding CPS support to Security Operations Centres (SOCs) is key to detecting incidents and responding appropriately. Such SOCs can monitor threats and respond to incidents quickly and effectively. Improving cyber resilience for CPS starts with a structured and systematic approach. A comprehensive inventory, a holistic strategy with regular emergency drills, effective risk management and an expanded SOC are the key components in protecting CPS against increasing cyberthreats. So that the machines continue whirring, pounding, punching and making noise.
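What ‘CPS support in the SOC’ means in practice is rules that understand OT traffic rather than only IT events. The block below is an added example, not Swisscom’s SOC tooling: it runs three such rules over constructed connection-log lines (the address ranges, PLC and engineering-workstation addresses, vendor jump host and maintenance window are all assumed for illustration). The rules flag a write to a PLC from a host that is not an engineering workstation, an IT-zone host reaching the production cell directly, and a remote-maintenance session started outside the announced maintenance window, which is the ‘forgotten remote access’ problem from earlier in the article seen from the monitoring side.

```python
"""Rule-based detection over OT network logs, as a CPS-aware SOC might run it.

Added example, not Swisscom's SOC tooling: the log lines, address ranges and
maintenance window below are constructed for illustration.
"""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List

OT_CELL = ip_network("10.20.1.0/24")            # assumed segmented production cell
IT_ZONE = ip_network("10.1.0.0/16")             # assumed office/IT network
PLCS = {ip_address("10.20.1.10")}               # controllers in the cell
ENGINEERING_WS = {ip_address("10.20.1.50")}     # only hosts allowed to write to PLCs
REMOTE_JUMP_HOSTS = {ip_address("172.16.9.4")}  # vendor remote-maintenance entry point
# Announced maintenance windows (UTC); remote sessions outside them are suspicious.
MAINTENANCE_WINDOWS = [
    (datetime(2025, 2, 3, 8, 0, tzinfo=timezone.utc),
     datetime(2025, 2, 3, 12, 0, tzinfo=timezone.utc)),
]

# Constructed log excerpt in a simple key=value format; not captured from a real plant.
SAMPLE_LOG = """\
2025-02-03T09:05:11Z src=10.20.1.50 dst=10.20.1.10 proto=modbus func=read_holding_registers
2025-02-03T09:06:02Z src=10.20.1.50 dst=10.20.1.10 proto=modbus func=write_single_register
2025-02-03T02:14:07Z src=10.1.5.23 dst=10.20.1.10 proto=modbus func=write_multiple_registers
2025-02-03T23:40:00Z src=172.16.9.4 dst=10.20.1.50 proto=rdp func=session_start
2025-02-03T10:15:00Z src=172.16.9.4 dst=10.20.1.50 proto=rdp func=session_start
"""


def parse_line(line: str) -> Dict[str, object]:
    """Turn 'TIMESTAMP key=value ...' into a dict with typed ts/src/dst fields."""
    ts, *fields = line.split()
    event: Dict[str, object] = {k: v for k, v in (f.split("=", 1) for f in fields)}
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    event["src"] = ip_address(str(event["src"]))
    event["dst"] = ip_address(str(event["dst"]))
    return event


def in_maintenance_window(ts: datetime) -> bool:
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)


def evaluate(event: Dict[str, object]) -> List[Dict[str, str]]:
    """Apply the OT-aware rules to one event and return zero or more alerts."""
    src, dst, func = event["src"], event["dst"], str(event["func"])
    alerts: List[Dict[str, str]] = []

    def alert(rule: str, why: str) -> None:
        alerts.append({"rule": rule, "why": why, "ts": event["ts"].isoformat(),
                       "src": str(src), "dst": str(dst)})

    # Rule 1: only engineering workstations may change controller state.
    if dst in PLCS and func.startswith("write") and src not in ENGINEERING_WS:
        alert("plc_write_from_unauthorised_host", f"{func} to PLC from non-engineering host")
    # Rule 2: the IT network must never talk to the cell directly (segmentation breach).
    if src in IT_ZONE and dst in OT_CELL:
        alert("it_to_ot_crossing", "IT-zone host reached the OT cell without a DMZ hop")
    # Rule 3: vendor remote sessions are expected only inside announced windows.
    if src in REMOTE_JUMP_HOSTS and func == "session_start" and not in_maintenance_window(event["ts"]):
        alert("remote_session_outside_window", "remote maintenance session outside announced window")
    return alerts


def detect(log_text: str) -> List[Dict[str, str]]:
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(evaluate(parse_line(line)))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']}  {a['rule']:<34} {a['src']} -> {a['dst']}: {a['why']}")
```

Note that the first two sample lines produce nothing even though one of them writes to the controller: the write comes from the allow-listed engineering workstation, which is normal operation. Rules that reason about which host may do what to which controller, and when remote access is expected, are what distinguish CPS monitoring from simply forwarding OT logs to an IT SOC.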