Securing Operational Tech
The Battle for Critical Infrastructure – Defending Operational Technology in a New Cyber Era
In the animated world of Cyber Heroes, evil forces like “Blackout” and his team of Infrastructure Destructors — including Backdoor, Single Point of Failure, and even a rogue squirrel — launch attacks against outdated and vulnerable critical infrastructure. Their aim? To bring down essential services like power, water, and communications. Standing in their way is the Collective Defense League, a team of cybersecurity superheroes like Two-Factor, Segmentation, and Zero Trust. But even they face a new challenge: Blackout’s AI, trained on their every move.
Behind the fun visuals and characters lies a real-world message: defending operational technology (OT) — the systems that keep our physical world running — is hard, messy, and increasingly important. In this episode of Gula Tech Adventures, Ron Gula breaks down the evolving threats and approaches to securing OT, drawing on his experiences at Tenable and insights from funding cybersecurity startups.
What is Operational Technology (OT) and Why Is It So Hard to Secure?
OT encompasses the mission-critical systems that control industrial functions — power grids, water treatment facilities, HVAC systems in malls, oil refineries, and more. Unlike IT systems (Windows servers, mobile phones, cloud platforms), OT systems are designed for stability, longevity, and limited change. Some of these devices have uptimes measured in years, not days, and many are running legacy code that’s decades old.
A decade ago, OT networks might have accounted for just 1% of a company’s infrastructure. Today, in some sectors, OT devices rival or exceed the number of traditional IT endpoints. That’s a huge shift — and it’s exposed these often-overlooked systems to a wave of cyber threats.
Legacy Risks: Brittle Code and Untouchable Devices
One major issue with OT is fragility. Operators know that even a basic port scan or a ping from a vulnerability scanner like Nessus can crash older OT devices. Many of these systems weren’t designed to handle network discovery or traffic analysis.
To help, tools like Tenable’s Passive Vulnerability Scanner (now Nessus Network Monitor) were built to analyze mirrored traffic without ever sending a packet to the devices themselves. This passive approach has become a staple in OT security — and is now standard practice among vendors like Axonius, Claroty, and Dragos.
Why Patching OT is So Hard
Patching OT systems is often next to impossible:
Devices may not support modern update mechanisms.
Vendors may no longer provide updates.
Updates may require physical access across dozens or hundreds of sites.
Systems often can’t be taken offline without halting operations.
That’s why segmentation — not patching — is often the first and most effective step in OT security.
Segmentation Strategies: Keeping the Bad Guys Out
1. Physical Air Gaps
The simplest segmentation strategy is physical separation. Many OT networks are managed using “on-off” methods — literally calling a technician with a walkie-talkie to flip a switch. It’s crude but effective.
2. Captive Gateways & Zero Trust Routing
Modern alternatives include inserting routers between OT devices and the broader network, encrypting traffic and applying access control rules — a kind of “zero trust” network for systems that can’t run agents.
3. Data Diodes
Products like Fend’s one-way data diode allow data to flow out of an OT network — say, temperature readings from a power plant — but block any inbound traffic. This is ideal when remote control isn’t needed, eliminating attack paths while preserving visibility.
4. Retrofitting Existing Infrastructure
Vendors like Elisity offer solutions that use your existing switches and infrastructure to enforce access controls. Rather than installing new firewalls, they apply policies to traffic using what you already have — a cost-effective and scalable approach, especially for older environments.
Modern Tools for Monitoring and Detection
Once segmented, OT networks still need monitoring. Companies like Claroty and Dragos specialize in real-time threat detection, often using passive monitoring and threat intelligence tailored for industrial environments.
With the rise in state-sponsored threats — including backdoors planted in infrastructure by China and others — this continuous monitoring is critical. These tools can detect lateral movement, unusual protocols, and even “living off the land” attacks that mimic legitimate activity.
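To make the passive-monitoring idea concrete, here is a small added example (not code from the episode or from Tenable, Claroty, Dragos or any vendor named above). It builds an OT device inventory purely from observed flow records, so nothing is ever probed, and then flags two things the text above calls out: traffic that enters the OT zone from outside (what a one-way data diode would block) and non-industrial protocols between OT hosts that suggest lateral movement. The OT address range, the expected protocol ports and the flow records are all assumptions constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the page): the OT zone is 10.20.0.0/16 and the only
# protocols expected between OT devices are Modbus/TCP (502), DNP3 (20000)
# and EtherNet/IP (44818). These are policy choices for the example.
OT_ZONE = ip_network("10.20.0.0/16")
EXPECTED_OT_PORTS = {502: "modbus", 20000: "dnp3", 44818: "enip"}

# Constructed flow records in the shape a SPAN-port sensor would emit:
# (source, destination, destination port, transport).
FLOWS = [
    ("10.20.1.10", "10.20.1.20", 502, "tcp"),   # HMI polls a PLC: expected
    ("10.20.1.20", "10.10.5.5", 4443, "tcp"),   # PLC pushes readings out to a historian: fine under a one-way policy
    ("10.10.7.77", "10.20.1.20", 502, "tcp"),   # IT host reaches into a PLC: inbound, forbidden by the one-way policy
    ("10.20.1.10", "10.20.1.30", 3389, "tcp"),  # RDP between OT hosts: not an OT protocol, possible lateral movement
]

def in_ot(addr):
    return ip_address(addr) in OT_ZONE

def analyze(flows):
    """Return (inventory, alerts). Nothing here ever sends a packet."""
    inventory = defaultdict(set)   # OT address -> ports it was seen serving
    alerts = []
    for src, dst, dport, proto in flows:
        src_ot, dst_ot = in_ot(src), in_ot(dst)
        # Passive discovery: learn devices and services only from traffic we observe.
        if src_ot:
            inventory.setdefault(src, set())
        if dst_ot:
            inventory[dst].add(dport)
        # One-way rule: OT may talk out; nothing outside may initiate into OT.
        if dst_ot and not src_ot:
            alerts.append(("inbound_to_ot", src, dst, dport))
        # Protocol rule: OT-to-OT traffic should use only the expected industrial protocols.
        elif src_ot and dst_ot and dport not in EXPECTED_OT_PORTS:
            alerts.append(("unexpected_protocol", src, dst, dport))
    return {ip: sorted(ports) for ip, ports in inventory.items()}, alerts

if __name__ == "__main__":
    inv, found = analyze(FLOWS)
    for ip, ports in sorted(inv.items()):
        print(f"{ip}: serves {ports or 'nothing observed'}")
    for alert in found:
        print("ALERT", *alert)
```

On the constructed flows the monitor learns three OT devices and raises exactly two alerts, one for the inbound connection and one for RDP inside the zone, without a single ping or port scan that could upset a fragile controller.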
Investing in Secure by Design
A big part of defending OT also means fixing the code before it ships. That’s why Gula Tech Adventures invested in Start Left Security, which helps developers write secure code earlier in the software development lifecycle. It’s gamified, integrated into existing CI/CD pipelines, and highly relevant to embedded systems running in OT.
Gula points out that even though some devices will never be patched, a secure codebase from the beginning can dramatically reduce the risk of vulnerabilities being exploited down the road.
A Look Ahead: AI, Data Care, and the Future of OT Security
In the Cyber Heroes world, Blackout's AI is the ultimate threat — capable of learning from defenders while hiding its own weaknesses. But the final act introduces a new hope: Data Care. Unlike traditional cybersecurity, which focuses on systems and endpoints, Data Care emphasizes long-term protection, ethics, and governance of the information itself.
From Gula’s perspective, it’s not enough to patch or detect threats — we must also care for the data OT systems produce and rely on. And with increasing adoption of AI and machine learning in both offense and defense, managing how AI interacts with OT will be a crucial next frontier.
Final Thoughts
OT security has come a long way. From brittle devices too fragile to scan, to robust passive monitoring, cryptographic segmentation, and AI-driven threat detection — we’ve made serious progress. But the work is far from over.
The attack surface is growing, the threats are evolving, and our most critical infrastructure remains a top target. Whether you're a startup pitching a new OT solution or a CISO trying to harden your SCADA environment, the message is clear:
It takes more than one superhero. It takes a league.
If you found this helpful, follow Gula Tech Adventures on YouTube or connect with Ron Gula on LinkedIn. And remember: legacy code may be old, but its impact is very much alive. Stay patched. Stay segmented. Stay vigilant.