The time is now to up the federal OT security game

Threats exploiting operational technology (OT) vulnerabilities are on the rise.

Threats exploiting operational technology (OT) vulnerabilities are on the rise, and the latest language from across the federal government should grab the attention of every federal technology leader. From explicit National Security Agency warnings regarding Chinese nation-state targeting, to the ever-growing list of OT vulnerabilities reported by the Cybersecurity and Infrastructure Security Agency (CISA), the concerns are real. With the federal government’s OT and Internet of Things assets spanning every function from weapons to navigation to patient healthcare to other critical services, the sense of urgency is justified.

The government’s reliance on public utilities to power its bases and other facilities is equally concerning. The public acknowledgements of Volt Typhoon, a Chinese nation-state actor ostensibly targeting utilities and other critical infrastructure, followed on the heels of the successful campaigns against Ukraine’s electric utilities during its war with Russia. Adding to these concerns is the recent compromise of CISA’s Chemical Security Assessment Tool (CSAT), given that federal laboratories likely handle some of the substances it covers. All of these issues underline apprehension about the number of assets outside each federal security leader’s direct control.

In light of these concerns, the federal government is using many mechanisms to ensure its leadership prioritizes OT. With explicit language in this year’s National Defense Authorization Act, OT’s inclusion in the Continuous Diagnostics and Mitigation program, and most recently the OT-specific language in the 2025 Homeland Security Appropriations Bill, it appears both Defense and civilian sectors must respond.

Recent research surveying federal OT administrators underscored the urgency of heeding these warnings. Sixty-eight percent of these cyber defenders said their agency had experienced an OT security incident in the past year, and only 55% felt fully confident they could detect and mitigate a threat today. In fact, only 20% gave themselves an “A” grade.  

The research identified a perhaps obvious but important reality: The federal government has a vast and complex infrastructure of aging, unpatchable cyber-physical assets, frequently not as air-gapped as presumed or hoped. Add to that assets that are likely unaccounted for, together with undocumented remote access paths used for maintenance by first and third parties, and you start to understand why the focus is so important.

The survey respondents cited several obstacles to advancing their OT security efforts, including the unique geographic distribution of their agency networks, a lack of standardization across OT systems, and the number of internet-facing devices in their networks that have reached end-of-life. Critically, just 39% said the majority of their OT environments are air-gapped (i.e., no direct connection to the internet or other networks).

Despite these challenges, federal OT administrators have been taking meaningful steps to enhance their security posture. Ninety percent report that they’ve placed greater emphasis on OT security in the past year. Many of their agencies have significantly increased coordination between IT and OT security organizations, and some have even combined their IT and OT teams. This cross-pollination is helpful in understanding the necessarily different approaches to OT security where, for many reasons, traditional IT security controls cannot simply be re-applied.

Such an increase in focus and coordination can enable the federal government to prioritize closing gaps such as asset and network visibility, secure remote access with the right controls and ongoing monitoring, detect OT-specific threats and anomalies, and manage risk and exposure.

Federal OT leaders recommend resource investments in two key areas to accelerate progress: greater adoption of best practices – especially in visibility enhancement, access control and network segmentation – and prioritizing skill development, training and awareness among their teams.

Other focus areas for agencies aiming to accelerate OT security progress should include:

  • Implementing continuous asset discovery and mapping asset-to-asset communication patterns against it, so that real-time visibility exists and any deviation from the expected pattern stands out as an anomaly.
  • Finding the right exposure management approach to focus on the vulnerabilities most likely to be exploited, especially within agencies’ most critical and exposed assets.
  • Implementing security tools purpose-built for OT to detect anomalies, exposed vulnerabilities, suspicious activity and policy violations, and integrating these OT-specific capabilities into centralized cybersecurity operations for unified visibility and response.
  • Tightly controlling remote access by employees, contractors and maintenance personnel via strict role- and policy-based access, multi-factor authentication, continuous monitoring, and full audit trails with session recording for later replay.
  • Ensuring effective network segmentation between IT and OT environments, as well as within OT networks based on risk profiles.
  • Testing the efficacy of OT security strategies via cyber ranges and other testing mechanisms that go beyond standard tabletop exercises, and exercising incident response plans to maintain readiness and clarify responsibilities.
  • Fostering closer IT/OT collaboration via unified policies, shared tools and dashboards, joint incident response plans, and centralized reporting structures.
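The first, third and fifth bullets above (continuous asset discovery, baselining asset-to-asset communication, and IT/OT segmentation) can be illustrated with a small script. The following is an added example written for this page; it is not code from the article or from Claroty. The flow-record format, the address ranges, the zone names, the allow-list and the sample traffic are all assumptions constructed for the illustration. It learns an inventory and a set of normal conversations from a learning-period log, then checks live flows for unseen assets, conversations outside the baseline, and cross-zone traffic that violates a simple segmentation policy.

```python
"""Baseline-and-policy checks over OT flow records (added example; not code from
the article or from Claroty). The record format, address ranges, zone names and
allow-list below are assumptions made for the illustration."""
from collections import Counter
import ipaddress

# Assumed Purdue-style zones: IT, OT supervisory (HMIs, historian, jump host),
# OT control (PLCs, RTUs).
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "OT_L3": ipaddress.ip_network("192.168.10.0/24"),
    "OT_L2": ipaddress.ip_network("192.168.20.0/24"),
}

# Assumed segmentation policy: a listed zone pair is permitted, either to any
# service (None) or only to the exact (dst, port) endpoints given. IT may only
# reach the jump host over RDP; OT_L3 may poll OT_L2 freely; everything else,
# including any OT -> IT direction, is denied.
ALLOWED_CROSS_ZONE = {
    ("IT", "OT_L3"): {("192.168.10.5", 3389)},
    ("OT_L3", "OT_L2"): None,
}

def parse_flows(text):
    """Parse constructed 'ts src dst dport proto' records into tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            _ts, src, dst, dport, proto = line.split()
            flows.append((src, dst, int(dport), proto))
    return flows

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "UNKNOWN")

def build_baseline(flows):
    """Learn the asset inventory and the set of observed conversations."""
    assets = {ip for src, dst, _, _ in flows for ip in (src, dst)}
    return assets, set(flows)

def segmentation_violation(flow):
    """Return a reason if the flow crosses zones against policy, else None."""
    src, dst, dport, _ = flow
    pair = (zone_of(src), zone_of(dst))
    if pair[0] == pair[1]:
        return None
    allowed = ALLOWED_CROSS_ZONE.get(pair, "deny")
    if allowed == "deny":
        return f"{pair[0]}->{pair[1]} not permitted"
    if allowed is not None and (dst, dport) not in allowed:
        return f"{pair[0]}->{pair[1]} only permitted to {sorted(allowed)}"
    return None

def detect(baseline, flows):
    """Return (kind, detail) findings: unseen assets (reported once),
    conversations absent from the baseline, and segmentation violations."""
    known, conversations = set(baseline[0]), baseline[1]
    findings = []
    for flow in flows:
        src, dst, dport, proto = flow
        for ip in (src, dst):
            if ip not in known:
                findings.append(("new_asset", f"{ip} ({zone_of(ip)})"))
                known.add(ip)
        if flow not in conversations:
            findings.append(("new_conversation", f"{src}->{dst}:{dport}/{proto}"))
        reason = segmentation_violation(flow)
        if reason:
            findings.append(("segmentation_violation", f"{src}->{dst}:{dport} {reason}"))
    return findings

# Constructed learning-period traffic: HMIs polling PLCs over Modbus/TCP, an
# engineering workstation on EtherNet/IP, an IT admin reaching the jump host.
BASELINE_LOG = """
# ts src dst dport proto
1 192.168.10.10 192.168.20.11 502 tcp
2 192.168.10.10 192.168.20.12 502 tcp
3 192.168.10.20 192.168.20.11 44818 tcp
4 10.1.4.7 192.168.10.5 3389 tcp
"""

# Constructed live traffic: an IT host talking Modbus straight to a PLC, an
# unknown OT host, SSH instead of RDP to the jump host, a PLC reaching IT.
LIVE_LOG = """
5 192.168.10.10 192.168.20.11 502 tcp
6 10.1.4.7 192.168.20.11 502 tcp
7 192.168.10.99 192.168.20.12 502 tcp
8 10.1.4.7 192.168.10.5 22 tcp
9 192.168.20.11 10.1.9.9 443 tcp
"""

def run():
    """Learn from BASELINE_LOG, check LIVE_LOG, return findings and per-kind counts."""
    findings = detect(build_baseline(parse_flows(BASELINE_LOG)), parse_flows(LIVE_LOG))
    return findings, Counter(kind for kind, _ in findings)
```

Running `run()` on the constructed logs yields two new assets, four conversations outside the baseline and three segmentation violations. The first live flow, an HMI polling a PLC exactly as it did during learning, produces nothing, which is the point of baselining rather than alerting on every Modbus request. In practice the learning set would come from passive monitoring of span or tap traffic over a representative period, and the zone map and allow-list would be generated from the agency's segmentation design rather than hand-typed as here.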

Vigilance, deterrence and preparedness are critical to our nation’s federal infrastructure as threats and emerging technologies evolve, and it is equally vital that we follow these principles to defend OT networks across the entirety of the federal government.

Heather Young is vice president of U.S. Federal for Claroty, a leading cyber-physical systems protection company.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
