
Securing OT/ICS: A Call to Action


purposes but also to streamline operational diagnostics. With effective monitoring in place, organizations can detect issues early and mitigate potential consequences before significant damage occurs. As organizations deal with IT/OT convergence, this process benefits both IT and OT teams by helping ensure that systems run as securely and smoothly as business operations require, minimizing potentially costly downtime.

3. Take a Risk-Based Approach, Focusing on the Most At-Risk Areas and Critical Exploitable Vulnerabilities First

Resource limitations are a growing challenge in securing OT and IoT devices. Most organizations that operate critical infrastructure do not have enough security staff, or talent with the specialized skills and knowledge, to investigate new cyber risks and effectively manage the amount of data coming from security tools. This is why organizations need to take a risk-based approach: focusing on the most at-risk areas and exploitable vulnerabilities first, allocating resources strategically, and leveraging consolidated security platforms with automation capabilities that provide real-time insights and correlated alerts.

4. Improve Security Hygiene of OT and ICS

While this starts with increased visibility and monitoring, organizations also need to take immediate action to improve security hygiene. Among the immediate steps organizations can take to secure OT/ICS are:

  • Upgrade, replace, or isolate OT and IoT devices that use legacy operating systems with known critical vulnerabilities.
  • Change default credentials and disable unused services.
  • Deploy automated compliance verification and enforcement tools to prevent non-compliant devices from connecting to the network or to limit their access.
  • Strengthen network security measures, such as segmentation, to isolate commonly exposed devices like IP cameras and close high-risk open ports.
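
The hygiene checks above, combined with the risk-based prioritization from step 3, can be expressed as a small triage routine. This is an added example, not code from the article or from any product; the inventory records, field names, port list and score weights are constructed assumptions.

```python
# Added illustration. Field names, weights and the port list are assumptions,
# not values from the article or from any product.
HIGH_RISK_PORTS = {21, 23, 445, 3389}  # FTP, Telnet, SMB, RDP (assumed list)

# Constructed sample inventory, not real devices.
INVENTORY = [
    {"name": "hmi-01", "legacy_os": True, "critical_vulns": 2,
     "default_creds": False, "open_ports": {445, 3389}, "internet_facing": False},
    {"name": "ipcam-07", "legacy_os": False, "critical_vulns": 0,
     "default_creds": True, "open_ports": {23, 80}, "internet_facing": True},
    {"name": "plc-12", "legacy_os": False, "critical_vulns": 0,
     "default_creds": False, "open_ports": {502}, "internet_facing": False},
]

def findings(dev):
    """Map one device's posture to (finding, remediation) pairs."""
    out = []
    if dev["legacy_os"] and dev["critical_vulns"] > 0:
        out.append(("legacy_os_critical_vuln", "upgrade, replace or isolate"))
    if dev["default_creds"]:
        out.append(("default_credentials", "change credentials"))
    risky = sorted(dev["open_ports"] & HIGH_RISK_PORTS)
    if risky:
        out.append((f"high_risk_ports {risky}", "disable service or close port"))
    return out

def risk_score(dev):
    """Assumed weighting: exploitable weaknesses first, doubled if internet-facing."""
    score = 40 if dev["legacy_os"] and dev["critical_vulns"] > 0 else 0
    score += 30 if dev["default_creds"] else 0
    score += 10 * len(dev["open_ports"] & HIGH_RISK_PORTS)
    return score * 2 if dev["internet_facing"] else score

def access_decision(dev):
    """Enforcement outcome: allow, restrict (isolated segment) or deny."""
    names = [f[0] for f in findings(dev)]
    if not names:
        return "allow"
    return "deny" if "default_credentials" in names else "restrict"

def triage(inventory):
    """Non-compliant devices only, highest risk first."""
    rows = [(d["name"], risk_score(d), access_decision(d)) for d in inventory]
    return sorted((r for r in rows if r[1] > 0), key=lambda r: -r[1])

if __name__ == "__main__":
    for name, score, decision in triage(INVENTORY):
        print(f"{name:10} score={score:3} -> {decision}")
```

The internet-facing camera with default credentials outranks the legacy HMI even though the HMI has more findings, which is the ordering a risk-based queue is meant to produce.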

OT/ICS Security Global Progress

Across the world, we are seeing countries take steps to protect critical infrastructure, such as reducing the number of exposed devices with internet connectivity and critical vulnerabilities.

North America: From June 2017 to January 2024, the US and Canada significantly reduced the number of exposed devices by 47 percent and 45 percent, respectively. By contrast, Spain (82 percent), Italy (58 percent), France (26 percent), Germany (13 percent), and Russia (10 percent) saw an increase in the number of exposed devices.

This progress in the U.S. and Canada is likely the result of significant investment in cybersecurity and technological advancements in the last decade. Many organizations are following the NIST Cybersecurity Framework as they embark on their cybersecurity journey. In addition, North America has enacted numerous regulations that require critical infrastructure organizations to invest in security to maintain compliance. This includes, for example, the North American Electric Reliability Corporation (NERC)’s Critical Infrastructure Protection (CIP) standard, which applies to bulk electric power systems and is being extended with requirements for Internal Network Security Monitoring (INSM). These standards and frameworks require maintaining an asset inventory, protecting the security perimeter and systems, monitoring and detecting suspicious network activities and communications, and managing incident response.

Europe: Countries like Spain (82 percent), Italy (58 percent), and France (26 percent) saw increases in exposed devices over the same period, highlighting a slower adoption of comprehensive security measures. The NIS2 Directive, the second version of the European Union’s Network and Information Security Directive, provides additional legal measures to boost the overall level of cybersecurity in the EU. It sets a standard for organizations in essential and important sectors, such as energy, healthcare, transport, and finance, as well as digital infrastructure, to strengthen cyber resilience and incident handling and to take a risk-based approach to mitigating cyber threats effectively. It requires 24-hour incident reporting and a level of corporate accountability with management boards.

Despite progress in some regions, there remain nearly 110,000 internet-facing OT/ICS devices worldwide as of January 2024. The evolving compliance landscape emphasizes proactive risk monitoring and remediation, but more work remains to secure critical systems globally.

The Path Forward to Secure the Future of Critical Infrastructure

It’s evident that securing managed and unmanaged OT and IoT devices is a global issue. It’s not a matter of if, but when, device vulnerabilities will be exploited to attack critical infrastructure. Organizations across the world need to take proactive measures to safeguard critical infrastructure before it’s too late. By prioritizing these measures, critical infrastructure operators can not only protect their systems from emerging threats but also build a resilient foundation that ensures operational continuity and public trust in an increasingly connected world.


