Every time you update an OT network your cyber risk increases
Modern OT networks aren’t built and left static. Periodic updates are being constantly applied to them — and with any update comes additional cyber risk. For example, the update itself could contain a malicious payload, or malware may be delivered via an infected portable data source like a USB stick.
Unfortunately, OT network owners often don’t have the required visibility on these updates to be able to manage them effectively and restrict the way network changes can be applied. As a result, insecure file-sharing practices become commonplace in organisations, which causes a range of cybersecurity risks to emerge.
Consider the common scenario where an OT environment consists of terminals without any direct internet connection. Operators are required to transfer files, including updates, projects and software, from a remote source such as a shared server, or by copying and pasting from another device. With no direct connection to IT available, operators often resort to insecure removable media to transfer data, such as USB flash drives, which are proven to be risky as they frequently carry malware.
This issue is driving the need for more secure file transfers into OT networks, coupled with stricter organisational governance policies that dictate who can deploy these updates, and ensure that any updates are scanned for potential malware before they make their way into OT networks.
To date, many organisations have also relied on solutions like VPNs, which pose considerable cybersecurity risks as they provide direct access to the entire OT network. This is precisely the opposite of what organisations should be trying to achieve.
Best-practice cybersecurity policies are specifically designed to prevent direct communication between certain levels in the network, ensuring a layered defence. However, VPNs bypass these layers, breaking the segmentation, exposing crucial control systems, and creating potential pathways for cyber attacks. This direct, unsegmented connectivity extends the organisation’s attack surface, allowing potentially less secure or compromised devices to connect to sensitive OT systems. If an attacker were to gain access through a VPN, this could give them free rein to move laterally within the OT network and disrupt critical processes such as energy supply, water treatment and more.
On the other hand, alternative solutions like jump servers are extremely inefficient, costly to manage and time-consuming, further amplifying the challenges of secure remote access.
The best practice when deploying OT network updates is to utilise a secure access mechanism with no direct connectivity into OT network devices — whether they are pure OT devices like PLCs, or IT devices running inside OT networks, like engineering workstations.
Having a corporate-sanctioned mechanism for these file transfers allows all other less secure methods to be eliminated. Furthermore, it allows organisations to monitor who is accessing OT systems and making updates, what exactly is being uploaded into OT networks, and to scan every file uploaded to ensure it does not contain malicious code.
By deploying an OT-specific tool to upload files, OT network operators can have greater control over every file entering their network and ensure they are uploaded without any malicious code. Furthermore, operators can accurately log and monitor every connection, allowing their networks to remain up to date, with minimal complexity and great cyber safety.
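The example below is added here for illustration and is not code from the article or from any product. It shows the control the article describes for a sanctioned transfer point: check who is deploying, check the file before it enters the OT network, and log every attempt. The operator names, the approved-hash list and the sample bytes are constructed, and the hash allowlist is an assumption standing in for a real malware scanner.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed policy data (assumptions for this example).
AUTHORISED_OPERATORS = {"j.nguyen", "m.patel"}   # who may deploy updates
APPROVED_SHA256 = {                               # hashes of vetted update files
    hashlib.sha256(b"PLC firmware v2 (constructed sample)").hexdigest(),
}


def scan_file(content: bytes) -> tuple[str, bool]:
    """Stand-in for a malware scanner: pass only files whose hash was pre-approved."""
    digest = hashlib.sha256(content).hexdigest()
    return digest, digest in APPROVED_SHA256


def submit_transfer(operator: str, filename: str, content: bytes, audit_log: list) -> bool:
    """Decide whether one staged file may be released into the OT network.

    Every attempt is appended to audit_log, whether released or quarantined.
    """
    digest, clean = scan_file(content)
    if operator not in AUTHORISED_OPERATORS:
        decision, reason = "quarantine", "operator not authorised to deploy"
    elif not clean:
        decision, reason = "quarantine", "file failed scan (hash not approved)"
    else:
        decision, reason = "release", "authorised operator, file passed scan"
    audit_log.append(json.dumps({
        "time": datetime.now(timezone.utc).isoformat(),
        "operator": operator,
        "file": filename,
        "sha256": digest,
        "decision": decision,
        "reason": reason,
    }))
    return decision == "release"


if __name__ == "__main__":
    log = []
    good = b"PLC firmware v2 (constructed sample)"
    submit_transfer("j.nguyen", "fw_v2.bin", good, log)                  # released
    submit_transfer("j.nguyen", "fw_v2.bin", good + b"\x00tampered", log)  # modified file
    submit_transfer("contractor1", "fw_v2.bin", good, log)              # unknown operator
    print("\n".join(log))
```

The audit records keep the SHA-256 of quarantined files as well, so a rejected upload can later be matched against whatever was found on the removable media or source share.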