Waterfall Security Solutions (https://waterfall-security.com)
Unbreachable OT security, unlimited OT connectivity
Thu, 25 Dec 2025 06:57:02 +0000

Bringing Engineering on Board and Resetting IT Expectations
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/bringing-engineering-on-board-and-resetting-it-expectations/
Thu, 25 Dec 2025 06:55:37 +0000


Join our webinar for a revealing deep dive into the real causes behind the dysfunctional relationship between IT security and OT engineering teams—and discover actionable strategies to build trust, alignment, and true cooperation.

Join us on January 28, 2026 | 12PM New York Time


In many organizations the relationship between IT/enterprise security and OT/engineering teams is dysfunctional. These teams work in the same organization, support the same mission, and even address many of the same threats, but when they sit down together it sounds like they need relationship counseling. Much has been written about the problem. Most of that writing misses the point, focusing on symptoms, not root causes. In this webinar we dig into causes, solutions and how to ask the right questions to guide the relationship into healthy cooperation.

In this webinar you will learn:

Consequence is one root cause of OT/IT differences – we cannot restore human lives and damaged equipment from backups

Another root cause – we defeat OT sabotage with many of the same tools as we defeat IT espionage, but we must use those tools differently

Who manages OT equipment is less important than how that equipment is managed

We need to avoid common mistakes regarding inertia, criticality, credibility, and consequences

About the Speaker


Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

We can’t – and shouldn’t – fix everything – Episode 147
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/we-cant-and-shouldnt-fix-everything-episode-147/
Wed, 17 Dec 2025 14:47:15 +0000

We know there are problems in our security systems, but we can't and shouldn't fix everything. What do we fix? Who decides? How do we explain what's reasonable to people who do decide? Kayne McGladrey, CEO In Residence at Hyperproof, joins us to explore risk, communication, and a surprising role for insurance.


We know there are problems in our security systems, but we can't and shouldn't fix everything. What do we fix? Who decides? How do we explain what's reasonable to people who do decide? Kayne McGladrey, CISO in Residence at Hyperproof, joins us to explore risk, communication, and a surprising role for insurance.


“We have new intel. The threat has changed, the probability has changed, the impact has changed, whatever it might be. Do we still feel good about our previous judgment of this?” – Kayne McGladrey

Medical Device Cybersecurity Is Tricky – Episode 146
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/medical-device-cybersecurity-is-tricky-episode-146/
Thu, 11 Dec 2025 14:21:50 +0000


Yes the device has to be safe to use on patients, and yes it has to produce its results reliably, but patient / data confidentiality is also really important. Naomi Schwartz of Medcrypt joins us to explore the multi-faceted world of medical device cybersecurity - from MRI's to blood sugar testers.


“I would estimate that somewhere between 30 and 50% of medical devices that are submitted to FDA today qualify as a cyber device per the Food, Drug and Cosmetic Act.” – Naomi Schwartz

Hardware Hacking – Essential OT Attack Knowledge – Episode 145
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/hardware-hacking-essential-ot-attack-knowledge-episode-145/
Wed, 26 Nov 2025 01:46:31 +0000


If you can touch it, you can hack it, usually. And having hacked it, you can often more easily find exploitable vulnerabilities. Marcel Rick-Cen of Foxgrid walks us through the basics of hacking industrial hardware and software systems.


“Security doesn’t stop at the network interface and also the PCB, the hardware level should be taken into consideration. And in general, I think OT security needs more curious minds that are looking under the hood.” – Marcel Rick-Cen

Hardware Hacking – Essential OT Attack Knowledge | Episode 145

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome listeners to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who’s going to introduce the subject and guest of our show today. Andrew, how’s it going?

Andrew Ginter
I’m doing very well. Thank you, Nate. Our guest today is Marcel Rick-Cen. He is the founder and lead instructor at Fox Grid International. And our topic is hardware hacking, picking apart the hardware, finding the vulnerabilities, arguably essential attack knowledge. We need to understand how we’re going to be attacked if we’re going to design effective defenses. So that’s the topic for today.

Nathaniel Nelson
Then without further ado, here’s your conversation with Marcel.

Andrew Ginter
Hello, Marcel, and welcome to the podcast. Before we get started, can I ask you to introduce yourself, please? Tell our listeners a little bit about your background and about the good work that you’re doing at FoxGrid.

Marcel Rick-Cen
Yeah, thank you, Andrew. Hi, everyone. My name is Marcel Rick-Cen, and if I would introduce me in one sentence, I am an automation engineer turned OT security nerd. To my background, I have a master’s in automation engineering.

I have global experience in commissioning automation systems, as well as programming, planning, industrial operations. Now, during my day job, I am an OT and IIoT security consultant and a product owner of our in-house OT remote access solution.

During my nighttime, I am a hacker, or if you want to put it more formal, I am an independent OT security researcher that looks at what makes and breaks OT devices. Coming from that, I also founded FoxGrid, where I want to teach industrial cybersecurity and safety to newcomers.

Andrew Ginter
Thank you for that. And our topic is hardware hacking. Can we start with an example? You’ve got a couple of reports out. Can you pick one? Can you tell us about a concrete example of what that is?

Marcel Rick-Cen
Yeah, let’s talk about hardware hacking that led to a CVE that I found last year, where I found hard-coded root credentials hidden deep in the device’s firmware memory.

Andrew Ginter
Okay, so can you go a little deeper? What was the device? How’s it supposed to work? And how important is what you found?

Marcel Rick-Cen
So the device is a remote access gateway that machine builders usually build into the electric cabinet, which connects the machine to the service provider.

In case there’s an unplanned interruption or any other operational bug or coming up, the service provider can directly connect over the cloud portal to this Edge device and start troubleshooting.

Andrew Ginter
So if I may, this is something that’s used in manufacturing. When you say the manufacturer, you mean someone who’s building a robot, someone who’s building a stamping machine, someone who’s building, I don’t know, a conveyor. Is that the use case here?

Marcel Rick-Cen
This basically can be used in any operation, from your maybe water treatment plant to your manufacturing to your building automation. Like there are really no limits. This really is a network connection from the service engineer’s laptop directly into the heart of the device or into the heart of the operation.

Andrew Ginter
Okay, so it’s not just used for, like, a robot, for a manufacturer of equipment. It might also be used by a service provider, by the engineer who’s responsible for occasionally coming in and servicing parts of a water treatment system. It’s used to access systems as well as devices, is what I’m hearing.

Marcel Rick-Cen
Yes, correct. So this acts as the gateway to the machine or operational network.

Andrew Ginter
Okay, and so you found the default credentials. Does that mean that any fool who wants to can connect to the cloud, connect into this thing? Or how would you use those default credentials?

Marcel Rick-Cen
Luckily, the attack vector is really narrow. These default credentials, they grant root access to the device, and you only can get root access when you are physically connected to the device. So luckily, the cloud attack surface or the cloud is not exposed to this vulnerability.

Nathaniel Nelson
Okay. Andrew, I don’t know if I just missed it, but what is the actual device that we’re talking about here?

Andrew Ginter
It is an Ixon device, I-X-O-N. I forget the exact name of it, but physically it’s a little device about six inches square and an inch thick. And in my understanding, it’s a remote access device. You can connect into it from the cloud. Who uses this?

The sense I have is that it’s used in manufacturing. If you’re building a laser cutter or a stamping machine, you might build one of these into the thing so that when the customer calls you up and says, your machine isn’t working, something is worn out.

You can remote into it, do the diagnostics and say, I think it’s this part, replace this part, see if the problem is solved. Because moving parts wear out. Friction is the enemy of moving parts.

Andrew Ginter
But, when I asked the gentleman, Rick, he said, yeah, manufacturers of physical equipment use it so they can maintain the equipment or diagnose the equipment remotely.

But it’s remote access. A service provider, an engineer who’s responsible for keeping the automation running at a dozen small water utilities in the geography, might well buy a half dozen of these and drop one of them into each water system to access the HMI and the automation and whatnot.

So it’s remote access. The sense I have is it is used frequently engineers. manufacturers of equipment that’s used in manufacturing, but it could be used by service providers as well.

Nathaniel Nelson
And I think it’s the remote access thing that has me a little bit confused here. We’re talking about hard-coded credentials as a vulnerability, something I’m rather used to in the IT space, right? Like a public repository or a server that’s been incorrectly configured will leak credentials to the web that then hackers could use to get in. And we’re talking about a remote access device. And yet, I think he mentioned there that you can only actually exploit this vulnerability if you have local physical access to the machine. So can you help me explain that gap?

Andrew Ginter
We go into this in sort of more detail later in the interview, but let me let people know kind of what’s happening. There are basically two user interfaces to the device.

One is the remote access user interface with users configured and blah, blah, blah. That’s not where the vulnerability is. The other interface is if you touch the device and you connect to it, I don’t know, I was a little weak on the details. If you connect through the USB port or if you connect electrically to pins sitting bare on the circuit board, if you open the device up, you can get access to the operating system of the device.

And it’s the operating system credentials that were leaked. So in order to use those credentials, they don’t work on the remote user interface. They work locally when you’re able to physically touch the device and plug stuff into it.

The CVE was 2024-577990. It was given 5 or a 5.9 or something like this, not a 10. This is not a remote code execution vulnerability. You can’t do this remotely. You have to be local. It’s a local escalation of privilege vulnerability.

Nathaniel Nelson
And that explanation makes a lot of sense to me, but why is it that, like, how can you even leak credentials to somebody who’s physically using a computer, right? Like any credentials on my computer that get leaked to me doesn’t matter because I’m the user. So I suppose I’m asking what attack scenarios are we worried about with this vulnerability?

Andrew Ginter
Actually, we didn’t go into that, but as far as I know, the scenario is that you’re there locally touching the device. Now, normally, you look at the device, it’s got network ports, one of the ports is connected out to the world, you come in remotely, it does its thing.

There is no other supported user interface. But if you touch the device, you can get in there, you can tamper with the firmware, you can tamper with stuff, you could presumably create credentials that you could use remotely. You’d need a little bit of skill to do that, but you could brick the device. So it’s, again, if you’re standing there with a hammer, you could also brick the device.

This is why it was given a lower priority. Yes, technically it’s a vulnerability. It’s not a really alarming one. What’s interesting is how did you find it? Because the way that he found it, the technique is what he teaches at Fox Grid. You can also use it to find more interesting stuff.

Andrew Ginter
Okay, so this is something that is a local vulnerability. It’s not a remotely exploitable thing, which, yeah, is lower priority. But still,

What I wanted to ask you about is, we’ve never had someone on the show who picks things apart like this, or maybe we did once about three years ago, but it’s been a long time.

You know, can you talk about the process? How did you find this? How does one pick these things apart? What does that mean?

Marcel Rick-Cen
Yes, absolutely. If I would just describe it to you maybe in a pub or over coffee, this really is like hardware and digital scavenger hunt because you have to look at so many things. You also go down a rabbit hole, see it’s the wrong way, turn around, and then keep digging.

And to find this, I just needed tools for about 30 euros. So a multimeter, screwdriver, prying tools, a USB logic analyzer, and USB UART interface was all I needed to find this vulnerability.

Andrew Ginter
So, I mean, can you give me a little more detail? Those are the parts. I’ve never used a logic analyzer. I mean, how technical is that? Do I need to be an engineer to use a logic analyzer? How did you go about this? Can you tell us a story? What did you start with? What do you do next? What does that mean? And, a blind alley went down. How did it work?

Marcel Rick-Cen
Yeah, I can walk you through the all the six or seven steps that led to root access from opening up to the device until I was greeted with the root banner, okay? And before anyone gets started with hardware hacking and picking a device, or before anyone gets started with taking a device apart, here are four electrical safety rules that you should follow because your own life is more important than your curiosity.

And never ever open wall-plugged devices because if they’re directly plugged into the socket, this means that hazardous voltage is inside the PCB, inside the device, and there’s the risk that you can touch a live wire and you risk an electric shock. Therefore, use devices that have external power adapters only so that the voltage conversion happens outside the area where you’re working with. Also avoid mixing power sources. This is important, for example, if you really go into firmware extraction and of course preventing short circuits because this will fry your PCB and then you have a very expensive brick.

But if you stick to these rules, you can open up the device and first start with the hardware reconnaissance where you just take a look on what chips are on there. And many industrial embedded devices, they run on a so-called system on chip and they have somewhere close to the system on chip the flash memory firmware chip.

So this is basically where the brains and all information are stored and once the system is powered on, the system on chip pulls the firmware information from the firmware memory chip. If you identified these, then you take a look around the board, are there any debug interfaces and on this device I found a so-called UART debugging interface.

So with these, we can move to the next steps. And first we do some electrical measurements just to prevent that our USB UART and USB signal analyzers get fried because they are very sensitive to voltage. And first things first, we first confirmed the common electrical ground on the debug interface we identified. Once we identified the common ground, we know where we will connect the ground wire of our USB logic analyzer. Then the UART interface usually has two more pins, RX and TX, which stands for receive and transmit.

And then we turn on the power and then measure these pins against the electrical common ground. And in most cases, we will find a voltage range between three volts and five volts, which means these devices are communicating on the so-called transistor-transistor logic level. When this is identified, we can move on with the logic analyzer. Power off the device, connect the logic analyzer, we connect the logic analyzer’s ground to the board’s ground, and then the RX and TX wire.

Although the RX and TX pins are already labeled and we only could connect to the TX, it’s always good to connect to all pins so that we have a full picture of what’s going on. Because, Andrew, at this board, this was easy mode. The pins are already labeled, but that’s not always the case. Sometimes you just have three, four, five pins sticking out, and you don’t know what they mean.

Then you also do the same procedure. You measure for the electric common ground and then start measuring the voltage levels, and this gives you an idea if you can find logical signals going on.

Andrew Ginter
So thanks for that. I mean, that’s giving us some insight into the mechanics of dealing with a device. I mean, I’m a software guy. I never have to worry about electrocuting myself if I bring up a compiler on my laptop. But let me ask, you’ve talked about two sort of devices here that seem to ring a bell with me. There’s the UART, which – so quick question. Is the UART USB or is it RS-232?

Marcel Rick-Cen
This is an RS232 connection to USB. So this basically converts the signal, converts these logic serial signals to USB so that your machine, your computer can work with that.

Andrew Ginter
Nate, real quick here, I had a very short sort of interaction with Rick there asking about the difference between USB and RS-232. For anyone who didn’t quite track that, RS-232 is a very old hardware signaling protocol. I mean, I remember using RS-232 back in the day to connect, this was 30 years ago, to connect to 300 bits per second modems, okay? Ancient, ancient technology.

Why would there be such an ancient interface on this modern device, is roughly what I asked him. And he said there isn’t. What there is, is a USB port. It turns out that what he connected to the TX and RX he connected to were signaling USB. And when he looked at the signals, he discovered that the messages coming across the USB were RS-232 over USB.

So he looked around, he said, well, I have a dongle that can take USB and gives me RS-232 and he connected to it and there he can see the messages coming across. So that’s what’s going on there. It’s a USB connector on the device, but the signaling is RS-232 over USB.

Andrew Ginter
The other one that struck me, and again, I’m a software guy, you mentioned the flash chip. To me, if I get what’s on the flash, I can start looking at instructions, I can start running my disassembler. Is it possible to sort of go under the nose of the device and just read the flash chip? Or do you have to go through the front door? Do you have to go through the CPU in order to get access to the flash?

Marcel Rick-Cen
No, you don’t. You also can basically perform a chip off of the flash chip and then read out the contents with a programmer. This is also possible, but at the time of my research I didn’t have such equipment here, so I went through the front door.

Andrew Ginter
Okay, that’s fair. So please carry on. You’re talking about the UART. I interrupted you. Finish the story here. How did you get in?

Marcel Rick-Cen
Okay, the logic analyzer revealed that indeed logical data is transmitted over the TX pin. So this means we can connect our USB UART interface and open a serial console to that.

Andrew Ginter
That’s fair. I didn’t realize that USB was, I mean, I knew USB was serial. That’s what it means, universal serial bus.

Andrew Ginter
But I guess I never put two and two together that you could just, I don’t know, connect an RS-232 to it.

Marcel Rick-Cen
Well, you always need this interface device that you plug into your USB socket and then on the other end of the device you can connect to the target device. So once the USB UART interface is connected and I started the serial console on my Linux machine, then I powered up the device again and I could see the boot log flashing in front of the screen.

You know, it was a basic Linux boot log, and at the very end, there was a login prompt to log into this device. And this is really where it got interesting, and here my curiosity was really on fire because I really wanted to get into this device and I started to look at the boot log itself first.

Here I learned that the firmware memory is partitioned into several partitions and if you look at the common IoT hardware hacker courses, then they always tell you to go for the rootfs file system because that’s where all the binaries are stored of this Linux device.

But there was another partition that was interesting for me. This was the so-called factory partition. Scrolling further up in the boot log, there was also a brief prompt to press space bar to enter the bootloader. But Andrew, the timing for this was so narrow that it was almost impossible to hit the timing right to enter the bootloader.

You can imagine I was hammering the space bar like a lunatic. And then maybe at the fourth or fifth time I succeeded to get the timing right and then I was presented with the next option to choose the operation. And here a very interesting option was presented to me: by pressing the number four, I would be able to enter the boot command line interface.

And this was something that I was interested in and wanted to go, but with this narrow timing, I turned to ChatGPT, asking it: is there a way that I can automate the key presses and can send a space bar press and a number four press at rapid speed? The AI gave me a five-line shell script code which uses an onboard tool of Kali Linux to send spacebar and number 4’s.

And this immediately landed me into the boot shell. And the boot shell of this device is based on the U-Boot bootloader. And all the hardware hackers out there that are familiar with U-Boot would immediately see that this is already a very stripped down and secured restricted version of U-Boot. There was almost no way of manipulating the device, but they left in the so-called SPI command, which enabled me to read the content of the factory partition.

So that’s what I did. I issued the command to read the factory partition and then it printed out the content of the factory partition in the hexadecimal format. And here something really strange occurred to me, that the data was not always represented in two hexadecimal digits. Hexadecimal data always needs to have two digits.

If not, the data gets misaligned and then gets corrupted. So the problem I was facing here is that some data was represented with single digits, missing the second digit. So the data was not usable for me. Then I used another script to align the data and then convert the text hexadecimal data back into binary hexadecimal data.

And then I was able to view the binary data and the ASCII interpretation of that. And here something really interesting stood out. There were basically three strings of data that at first did not really make sense to me but somehow felt familiar. And suddenly I realized this is the information which is also printed on the device’s label on the side. Suddenly I could see that in this partition of the factory, the version number, the serial number, the device version, and the login password for the web management interface was stored.

But there was another string that also kept me guessing and puzzling for quite a while, but this unknown string had the same characteristics as the web login password. It had 10 characters, capital and lowercase letters, and numbers. And I tell you, this had to be another password. So I restarted the device again, and at the very end of the boot process, I was prompted for the login once more. I entered the username root and entered this data I found inside the memory and this gave me root access to the device.

Nathaniel Nelson
Andrew, it’s not that anything that Marcel said at any point there wasn’t clear, but we’ve now gone a while and he’s expressed a lot of technical steps. Can you just give me the big picture summary, what we’re talking about here, what he achieved and why it’s important?

Andrew Ginter
Absolutely. He, real quick, managed to connect to the boot shell with the space-four script constantly blasting. And he got in and discovered there was almost nothing he could do there, but he could look at this one tiny partition. And he managed to get the data, decode the data. And he looked at it and said, this looks like a serial number.

It looks like a password. And so he said, well, let’s try it. And he reboots the device again. He doesn’t do the space-four this time. He lets it completely boot. And it comes up and says, OK, I’m ready. Log in. You want to log in? And he said, yeah, let’s log in as root. And it says, well, what’s the root password? And he says, well, here’s the string that I saw in the partition. He enters it, and he’s in.

And now he’s in as root.

Andrew Ginter
Cool. So it’s not like you looked at the file system and said, oh here’s files. Look, there’s a file with the name password. It wasn’t nearly that obvious.

Marcel Rick-Cen
No, it was very well hidden, but I think also on purpose because there’s nothing written in this memory area before or after this partition. You really just find the version number, the serial number, the web management password, and well, the root password. So somewhere in production when the device, so to speak, gets the breath of life and the data for the label, at this moment, the data must be flashed into this firmware memory chip.

Andrew Ginter
Okay, so this is a very small partition then. We’re not talking tens of megabytes. We’re talking tens of kilobytes.

Marcel Rick-Cen
Yeah, it was very small indeed.

Andrew Ginter
Okay, cool. So you found the vulnerability. And then I assume, there’s something called a responsible disclosure process. I assume you contacted the vendor, you contacted the government.

Marcel Rick-Cen
Right

Andrew Ginter
What was the next step there?

Marcel Rick-Cen
So the next step was to contact the security contact of this company and luckily I was already in contact with him on LinkedIn. So on a Sunday morning I sent him a screenshot of, hey Mr. XYZ, I got root access to your OT gateway.

And within two hours, he replied and said, okay, this is very concerning. Please send your findings and everything you have to our security email address and we will look into this first thing Monday morning.

Then I wrote a quick report attached to screenshots and the proof of concept video. And around Monday lunchtime, they replied, said, yes, this root password is uniquely generated per device and inserted here during production. But since everything is unique, they kind of hinted at that they are accepting the risk so that the probability of this being exploited is rather low. They also said if machine builders, integrators, operators stick to their security requirements, they do not see really a risk of this being exploited.

Andrew Ginter
Okay, so the vendor said, it’s a low priority because, people are expected to have physical security. No fool off the street can come in take one of these devices, walk away with it, pick it apart, bring it back. That’s not a realistic threat. Do you agree with that?

Marcel Rick-Cen
Yes, totally, I agree with that. From all my experience on the shop floor and in the field, you cannot just walk up to an electric cabinet, take out a device, screw it open, extract the root credentials, and then put it back in with a backdoor you implanted, right? This would hopefully catch some attention.

Andrew Ginter
Okay. And can you finish the thought? I mean, you wound up with a CVE for this. You’ve interacted with a vendor, then what? How do you finish the process?

Marcel Rick-Cen
Then I contacted MITRE to file a CVE, also reported the things I found and the implications for this, and after two months the CVE was assigned.

Andrew Ginter
And at that point, you’re able to disclose publicly. Is that right?

Marcel Rick-Cen
Yes.

All that being said, there is a tiny, tiny risk that you may receive the backdoor device, but then someone really must be targeting your operations. They need to know that you are operating such a device. And if you’re expecting a new shipment, they could intercept the shipment, open up the device, extract the root credentials, implant the backdoor, pack it back up and ship it forward to your operations. So for that, if you are operating something critical, or if you’re having critical infrastructure and operations, you should definitely opt for tamper detection and protection. You know, some devices, they have this little sticker on there, warranty void if removed.

Andrew Ginter
So fascinating stuff, at least to me. I’d always wondered how some of this hardware hacking was done. But, as far as I know, you don’t get paid to do the hardware hacking unless, I don’t know, there’s a bounty or something. You know, how does this relate to making a living for you?

Marcel Rick-Cen
Yeah, no, this is not my day job and I also don’t get paid to find these vulnerabilities. Let’s just say this is a very expensive hobby. I’ve been in the domain of automation systems for half of my life and after my work, I’m still interested, especially in what makes and breaks these devices.

And that’s also how my trainings got born. I took all the experience I made from, well, breaking these devices and turned them into training.

Andrew Ginter
Okay, and this is what you do at FoxGrid. Can you go a little deeper? I mean, if I sign up for one of these courses, what are you going to lead me through?

Marcel Rick-Cen
If we stay with hardware hacking, you could sign up to Industrial Embedded Systems Hardware Penetration Testing, where you will also go through these six or seven steps from investigating the PCB to hopefully getting root access. But this course has a unique approach because if you look at the IoT hardware hacking courses, you usually hack some IoT camera or home router, but it’s almost impossible to hack an industrial device because there is an entry barrier problem.

First of all, this hardware is really expensive. You usually pay $500 or more, and it’s risky because you can brick it and then you wasted $500. To get around this, I built a custom firmware for a cheap ESP8266 microcontroller that mimics the behavior of an industrial device and introduces the student to the same challenges I faced.

Andrew Ginter
Okay, so that’s the hardware hacking. Have you got other courses?

Marcel Rick-Cen
Yes, I have my flagship course, Practical Offensive Industrial Security Essentials, which gives students from diverse backgrounds, whether they’re automation engineers, IT professionals, or total newcomers, a holistic introduction to industrial cybersecurity.

Of course, there are some gaps that need to be filled, but anyone with enough curiosity will get through this course, or will have success with the course, and then get a holistic understanding of industrial cybersecurity.

Andrew Ginter
So if I can take you sort of on a side trip real quick here. Throughout this interview, I have been surprised by you personally. I mean, I had always had a stereotype in mind for people who found vulnerabilities, who hacked stuff, hardware, software, whatever. The stereotype that I had in mind was sort of somebody with a big ego, somebody with an ego saying to themselves, I’m smarter than you are. I can find these problems. You, the vendor, have messed it up.

I always thought you needed that kind of attitude to be able to go in and tackle, you know, the vendor’s defenses incorporated in the product. I always thought you needed attitude, but what’s coming across from you is something different. Can you talk about what you need, sort of in your brain, in your personality, to be successful here?

Marcel Rick-Cen
Well, to make it short, you just need curiosity and persistence. I think people with a big ego, they are more successful in finding more vulnerabilities. But like I said earlier, this is more an expensive hobby for me, so I do not really have the pressure to find vulnerability after vulnerability. For me, it’s more, well, being on this scavenger hunt to find a way to operate the device in a way it was not intended to, and then really find a way in. And to be honest, I also have a whole box of scrap electrical, scrap OT devices where I did not find a vulnerability.

So this is where we come back to the expensive hobby. So I think if someone understands a bit of the domain these devices are operated in and has enough curiosity and then persistence to stick to it, they can definitely find some vulnerabilities, or if not, well, they can at least learn a lot about the devices, how they operate and how they interact with other devices in the OT domain.

Nathaniel Nelson
So Andrew, we’ve been talking hardware vulnerabilities. It seems relatively serious, but bring it to a practical level for me. If I’m running an industrial site and I discover a hard-coded issue in one of my gateways, am I running around, red alarms ringing, to patch immediately, or am I more focused on the systems and data flows around it that enable sort of legacy technologies to occasionally have vulnerabilities like this? How would you interpret it in the grand scheme of things?

Andrew Ginter
Well, in the grand scheme of things, there’s sort of a couple of different questions. Let’s pick it apart. What we’ve been talking about primarily is how to find these vulnerabilities. Once you’ve found a vulnerability, now you’ve got to ask the question, A, can I patch the system? Because if it’s a vulnerability in your safety system, well, I’m sorry, the testing cost of the new version is going to be prohibitive.

It’s just really hard to patch some things. Other things are easier to patch. So can I patch it? Second question is, do I need urgently to patch it? And that’s sort of a different skill set. It’s one skill set to find the vulnerability. It’s a different skill set to say, well, how would an attacker, so it’s an imagination thing. Imagine how would an attacker use this against me?

And we talked about two scenarios for this vulnerability. One is physically walking up and stealing the device and taking it apart and putting it back, which seems not a very credible threat because you’re going to be discovered. The second scenario was, someone with much more resources discovers that you’ve just ordered 50 of these, intercepts the shipment, bribes the driver to go take a long coffee break, breaks into five or 10 or 15 of these devices, inserts malware, packages them all up again. Again, is that a credible threat? It’s a credible threat for some people – very high value targets. Is it a credible threat for a small bakery? Probably not. So, first step is find it. Second step is figure out, can I even patch it? Third step is how would a bad guy exploit this?

Are there credible threats? Is there a third scenario that we haven’t imagined? So it’s a question of imagination and studying what people have done in the past. And then the decision, part of it is, how easy is this to exploit? So we’re talking about devices generally. We’re also talking about cloud connected devices, because a lot of the devices that Marcel is focused on, that he teaches you about, are industrial internet devices. They’re connected out to the cloud.

So that’s more internet connected, more internet exposed. But really what he looked at here was an OT cloud remote access device. It’s arguably the most exposed piece of technology in the OT network. It’s the technology that gives internet-based users access to the OT system. So normally you would set these things on automatic update. Why? What if they blue screen? Well, nobody cares if they blue screen. It’s inconvenient if they blue screen. If the bad guys get in, they can work whatever they want, sabotage on your OT network. So normally people pay a lot of attention to vulnerabilities in their OT remote access.

This one, we just couldn’t imagine a credible attack scenario for mere mortals. It might not be that big to worry about, but generally speaking, this is the kind of device you want people like Marcel picking apart the most thoroughly, because this is the device that has to be the most thoroughly protected.

Andrew Ginter
Well, thank you so much. I mean, I learned something this episode. Before we let you go, can I ask you to sum up for our listeners? What should we take away from this? What’s important to know about this stuff and how do we use it going forward?

Marcel Rick-Cen
Okay, looking at the vulnerability I found, this was a prime example that just one part of security was completely overlooked. When you look at the device from a network perspective, you see a very fortified device.

But security doesn’t stop at the network interface and also the PCB, the hardware level should be taken into consideration. And in general, I think OT security needs more curious minds that are looking under the hood. For example, if you’re an engineer, you already understand the industrial processes.

And here I just can recommend you to level up your cybersecurity skills. And this is exactly what I’m doing with FoxGrid. This platform exists to teach industrial security in an affordable and practical way. The flagship course, Practical Offensive Industrial Security Essentials, comes with an open source lab where you not only learn about penetration testing tools, but also how you can use them on simulated industrial controllers. And that way, you also can understand how your real devices would behave under such conditions. So for the next steps, if you’re curious, check out FoxGrid for resources and connect with me on LinkedIn. And of course, keep pushing OT security forward.

Nathaniel Nelson
So that seems to just about do it for your interview, Andrew, with Marcel Rick-Cen. Do you have any final thoughts that you’d like to share before we leave today?

Andrew Ginter
I guess so. I mean, I had always been curious how people do this stuff. What surprised me about the interview here was that I actually followed what he did. I kind of understood it. I thought it’d be harder than that. And I suppose it could be, if you don’t have a small amount of information to look at, if you’ve got to look at the entire firmware and start, I don’t know, disassembling megabytes of firmware looking for vulnerabilities.

That would strike me as harder. This seemed really straightforward. I don’t know if I’m curious enough about how this stuff works that I would do the work myself, but I sure wouldn’t mind another two or three guests like this to walk us through how they did the hard work so that we can satisfy our curiosity.

Andrew Ginter
And beyond my curiosity, I agree with Marcel, we need people tracking down vulnerabilities. It’s because the good way to persuade vendors to invest more in security, to make these devices more secure to begin with, is to point out afterwards that they’ve got problems. And the next time around, hopefully they will be more careful. The bad way is to wait for the bad guys to find the vulnerabilities and exploit them and take advantage of us. So, we need more of the good guys. We need more technical, curious people out there fighting the fight. So, thank you to Marcel.

Nathaniel Nelson
Well, thanks to Marcel for satisfying our curiosity. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.


The post Hardware Hacking – Essential OT Attack Knowledge – Episode 145 appeared first on Waterfall Security Solutions.

]]>
Top 10 OT Cyber Attacks of 2025 https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/top-10-ot-cyber-attacks-of-2025/ Mon, 24 Nov 2025 12:40:42 +0000 https://waterfall-security.com/?p=37447 The post Top 10 OT Cyber Attacks of 2025 appeared first on Waterfall Security Solutions.

]]>

Top 10 OT Cyber Attacks of 2025

In this webinar Andrew Ginter takes us through the most unusual and most consequential cyber attacks thus far in 2025 targeting critical infrastructures around the globe.

Watch the webinar for a comprehensive review of the cyber incidents that shaped the industrial landscape in 2025. We will analyze the year’s most disruptive attacks, breaking down the operational downtime, financial costs, and impacts on public safety. Beyond the damage reports, we will explore the specific targeting methods used by adversaries as documented in the public record. The session concludes with a first look at the preliminary findings from Waterfall’s highly anticipated 2026 OT Threat Report.

In the fading days of 2025, we look back at cyber attacks that impaired operations in heavy industry and critical industrial infrastructures in the year thus far. We look at:

- The most consequential incidents in terms of downtime and dollar cost
- Incidents affecting public safety and infrastructures
- What is in the public record about how these systems were targeted

About the Speaker

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

]]>
Cyber Threats to the Manufacturing Industry: Risks, Impact, and Protection Strategies https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/cyber-threats-to-the-manufacturing-industry-risks-impact-and-protection-strategies/ Tue, 11 Nov 2025 12:34:11 +0000 https://waterfall-security.com/?p=37134 The post Cyber Threats to the Manufacturing Industry: Risks, Impact, and Protection Strategies appeared first on Waterfall Security Solutions.

]]>
The manufacturing sector stands at a critical inflection point as digital transformation reshapes production environments worldwide. While smart manufacturing technologies promise unprecedented efficiency gains, they also introduce significant cybersecurity vulnerabilities that threat actors are increasingly eager to exploit. Modern manufacturing facilities have evolved from isolated production environments into interconnected digital ecosystems where operational technology (OT) systems now interface with enterprise IT networks, cloud platforms, and supply chain partners. This convergence creates an expanded attack surface that requires specialized security approaches tailored to manufacturing’s unique operational requirements. 

 Digital Transformation Exposes Manufacturing to New Cyber Risks

The Fourth Industrial Revolution has fundamentally transformed manufacturing through the integration of digital technologies like Industrial IoT, artificial intelligence, cloud computing, and advanced automation. These innovations enable data-driven decision making, predictive maintenance, and flexible production capabilities that provide competitive advantages. However, this digital transformation simultaneously exposes manufacturing operations to cybersecurity risks that traditional industrial environments never had to confront.

Smart Factory Vulnerabilities: Where Digital Meets Physical

The modern smart factory contains numerous potential entry points for cyber attackers that simply didn’t exist in previous generations of manufacturing facilities. Programmable Logic Controllers (PLCs) that directly control machinery were once isolated systems but now often connect to enterprise networks for performance monitoring and remote management. These critical control devices frequently run proprietary firmware with minimal built-in security controls, creating significant vulnerabilities when exposed to network access.
Human-Machine Interfaces (HMIs), the touchscreens and operator panels that control production equipment, represent another substantial vulnerability point. Often running outdated operating systems like Windows XP or Windows 7, these interfaces typically lack endpoint protection, are rarely patched, and frequently use default passwords. Despite their critical role in production operations, HMIs have become favorite targets for attackers seeking to manipulate manufacturing processes.

 Manufacturing-Specific Cyber Attack Patterns and Techniques

Cyber attacks against manufacturing targets have evolved into specialized techniques designed to exploit the unique characteristics of industrial environments. Understanding these manufacturing-specific attack patterns is essential for developing effective defense strategies.

Ransomware’s Evolution to Target Production Systems

Ransomware attacks against manufacturers have evolved dramatically from early variants that primarily targeted IT systems. Modern manufacturing-focused ransomware specifically targets operational technology, with attackers demonstrating sophisticated knowledge of industrial control systems. Recent campaigns have included specific capabilities for encrypting engineering workstations, PLC project files, and SCADA databases, elements that are unique to industrial environments.
These specialized attacks often begin with reconnaissance phases where attackers map OT networks and identify critical production chokepoints. By targeting systems like manufacturing execution systems (MES) or production scheduling databases, attackers can maximize operational disruption while encrypting a relatively small number of systems. This strategic approach increases pressure on victims to pay ransoms quickly to restore production.

Industrial Espionage: Stealing Manufacturing Secrets and Intellectual Property

Manufacturing environments contain valuable intellectual property that makes them prime targets for espionage operations. These attacks focus on exfiltrating data rather than causing disruption and often maintain persistence for extended periods to capture evolving proprietary information.
Sophisticated threat actors target manufacturing process data including machine parameters, formulations, production sequences, and quality control methodologies. This information can allow competitors to replicate manufacturing capabilities without the substantial R&D investment required to develop them. In highly competitive sectors like pharmaceutical manufacturing or advanced materials production, these trade secrets often represent the company’s most valuable assets.

Sabotage Attacks: When Adversaries Target Production Quality and Safety

Perhaps the most concerning attack pattern involves sabotage operations designed to manipulate manufacturing processes to degrade product quality, damage equipment, or create safety incidents. These attacks specifically target the integrity of production systems rather than their availability or confidentiality.
Sabotage attacks often focus on manipulating process parameters to introduce subtle defects that may go undetected until products reach customers. By changing temperature settings, timing parameters, or ingredient proportions by small amounts, attackers can cause quality issues that damage a manufacturer’s reputation and potentially create product liability concerns. These attacks are particularly dangerous because they don’t immediately announce themselves through system outages.
 

 

| Industry Segment | Attack Types | Common Entry Points | Average Recovery Time | Business Impact |
|---|---|---|---|---|
| Automotive | Ransomware, IP Theft | Supplier Connections, Remote Access | 7-10 days | $1.5M+ per day |
| Pharmaceuticals | IP Theft, Process Manipulation | Regulatory Reporting Systems, Research Networks | 14+ days | FDA Compliance Issues, Formula Theft |
| Food & Beverage | Ransomware, Sabotage | Remote Monitoring, Logistics Systems | 3-5 days | Product Recalls, Spoilage |
| Electronics | IP Theft, Supply Chain Attacks | Design Systems, Contract Manufacturers | 5-8 days | Counterfeiting, Design Theft |
| Defense | Nation-State Espionage | Contractor Networks, Email Phishing | 30+ days (classified systems) | National Security Implications |
| Chemical Manufacturing | Safety System Targeting, Sabotage | Process Control Networks, Safety Systems | 10-14 days | Environmental Incidents, Regulatory Fines |

 

The Real-World Consequences of Manufacturing Cybersecurity Failures

The business impact of cyber incidents in manufacturing environments extends far beyond immediate IT recovery costs. Manufacturing-specific effects can damage competitive positioning, compromise product quality, and even create physical safety risks. Understanding these real-world consequences is essential for properly evaluating security investments and prioritizing protection measures.

Production Line Cybersecurity Incidents: Analyzing Recovery Time and Costs

Manufacturing cyber incidents impose immediate financial penalties through production downtime that directly impacts revenue and customer commitments. The average manufacturing cyber incident now results in 8.2 days of production disruption, with full recovery taking significantly longer. At average downtime costs of $1.1 million per day for large manufacturers, these incidents create immediate financial damage that far exceeds typical recovery expenses.
Recovery from manufacturing cyber incidents involves unique challenges not present in other sectors. Production equipment often requires precise calibration and validation before operations can safely resume. Quality control procedures must verify that affected systems will produce conforming products once restored. These manufacturing-specific recovery requirements significantly extend the impact period beyond initial containment.
Case studies illustrate the substantial operational impact these incidents create. A 2023 ransomware attack against a major automotive parts supplier resulted in production stoppage at three manufacturing facilities for 11 days. Beyond the immediate $12 million in lost production value, the company incurred significant overtime costs during recovery and faced contractual penalties from OEM customers whose production lines were affected by component shortages. 

When Cyber Attacks Become Safety Incidents in Manufacturing

The potential for cyber attacks to compromise safety systems represents a unique risk in manufacturing environments where physical processes can create hazardous conditions if improperly controlled. Unlike purely digital environments, manufacturing cyber incidents can directly threaten human safety and environmental protection.
Several documented cases illustrate this dangerous convergence. In 2019, a safety incident at a chemical manufacturing facility was linked to a cyber intrusion that had disabled certain alarm functions, preventing operators from receiving early warnings about an abnormal reaction. While no injuries occurred, the incident resulted in a product batch destruction and a regulatory investigation.
More concerning are targeted attacks against safety instrumented systems (SIS) that provide critical protection against hazardous conditions. The TRITON/TRISIS malware, specifically designed to compromise Schneider Electric safety controllers, demonstrates that threat actors are actively developing capabilities to undermine these critical protections. By disabling or manipulating safety systems, attackers could create conditions for serious incidents while simultaneously removing the safeguards designed to prevent them.

Supply Chain Ripple Effects from Manufacturing Cyber Disruptions

The interconnected nature of modern manufacturing magnifies the impact of cyber incidents far beyond the initially affected organization. When a manufacturer experiences operational disruption, the effects propagate through supply chains in both directions, creating cascading impacts across multiple companies.
Downstream impacts affect customers who rely on the manufacturer’s output as inputs to their own processes. In tightly coordinated supply chains, even short disruptions can halt downstream production lines when critical components become unavailable. The 2021 ransomware attack on a major automotive supplier forced five OEM assembly plants to temporarily suspend operations due to component shortages, illustrating how manufacturing cyber incidents can create multiplier effects that far exceed the direct impact on the targeted company.

 

Building Manufacturing-Optimized Security Architecture

Effective manufacturing cybersecurity requires architectural approaches specifically designed for industrial environments. Generic IT security solutions often fail to address the unique operational requirements, legacy systems, and specialized protocols found in manufacturing facilities. A manufacturing-optimized security architecture acknowledges these differences while providing robust protection.

Securing Manufacturing Zones: The Industrial DMZ Approach

Zone-based security architecture provides the foundation for effective manufacturing protection by establishing clear boundaries between networks with different security requirements and operational purposes. This approach implements the Purdue Enterprise Reference Architecture’s concept of hierarchical security zones to control communication between business systems and operational technology.
The industrial demilitarized zone (DMZ) serves as a critical security boundary between IT and OT environments. This intermediary network segment hosts systems that need to communicate with both business and manufacturing networks while preventing direct connections between these environments. Properly implemented industrial DMZs include data historians, OPC servers, and middleware applications that facilitate necessary data flows while limiting potential attack paths.
Within manufacturing environments, further segmentation creates protection zones based on operational function and criticality. Critical safety systems receive the highest protection levels, while monitoring systems may operate in less restricted zones. This functional segmentation prevents an attack that compromises one manufacturing area from spreading throughout the entire operational environment.

OT Visibility: You Can’t Secure Manufacturing Systems You Can’t See

Comprehensive asset visibility represents a fundamental challenge in manufacturing environments where diverse equipment from multiple vendors often operates with minimal network monitoring. Many manufacturing organizations lack complete inventories of their operational technology assets, creating significant security blind spots.
Effective manufacturing security requires specialized OT asset discovery tools that can safely identify industrial control systems without disrupting their operation. Unlike IT scanning tools that might crash sensitive OT systems, these solutions use passive monitoring and protocol analysis to build comprehensive asset inventories without sending potentially disruptive active probes.
Beyond basic inventory, manufacturing security requires visibility into system configurations, connections, and communications patterns. Baseline documentation should include PLC programming, HMI configurations, and control system parameters to enable effective change detection. Deviations from these documented baselines often provide the first indication of potential compromise.
Continuous monitoring of industrial network traffic enables early threat detection while providing operational benefits through improved troubleshooting capabilities. Modern OT monitoring solutions use protocol-specific decoders to analyze industrial communications, identifying both security and operational anomalies. These systems can detect unauthorized command sequences, unusual data transfers, or configuration changes that might indicate compromise while helping identify operational issues before they impact production.
The visibility challenge extends to understanding the complex interdependencies between manufacturing systems. Documentation should capture which systems depend on others for normal operation, which safety systems protect specific processes, and what communication paths are necessary for production. This mapping of dependencies enables both more effective security controls and more resilient recovery plans.
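The baseline-and-deviation idea in this section can be made concrete with a small comparison routine. The following is an added example, not code from Waterfall or from any monitoring product: it assumes artifacts (PLC program, HMI configuration, parameter dump) have already been exported and network flows already captured passively, and every asset name, artifact and flow in it is constructed for illustration.

```python
"""Compare passively collected OT observations against a documented baseline."""
import hashlib
from dataclasses import dataclass


def fingerprint(content: bytes) -> str:
    """SHA-256 of an exported artifact (PLC project, HMI config, parameter dump)."""
    return hashlib.sha256(content).hexdigest()


@dataclass(frozen=True)
class Flow:
    """One communication path: who talks to whom, over which industrial protocol."""
    src: str
    dst: str
    protocol: str


@dataclass
class Baseline:
    hashes: dict       # asset -> {artifact name -> sha256 hex of known-good content}
    flows: frozenset   # Flow objects documented as necessary for production


def build_baseline(known_good, flows):
    """Hash every known-good artifact and record the documented flows."""
    hashes = {asset: {name: fingerprint(data) for name, data in arts.items()}
              for asset, arts in known_good.items()}
    return Baseline(hashes=hashes, flows=frozenset(flows))


def compare(baseline, observed, observed_flows):
    """Return a sorted list of (kind, subject, detail) deviations from the baseline."""
    findings = set()
    for asset, arts in observed.items():
        documented = baseline.hashes.get(asset)
        if documented is None:
            # Inventory blind spot: a device nobody documented.
            findings.add(("unknown_asset", asset, ""))
            continue
        for name, data in arts.items():
            if name not in documented:
                findings.add(("undocumented_artifact", asset, name))
            elif fingerprint(data) != documented[name]:
                # Content differs from the known-good copy: review the change.
                findings.add(("artifact_changed", asset, name))
        for name in documented.keys() - arts.keys():
            findings.add(("artifact_missing", asset, name))
    for asset in baseline.hashes.keys() - observed.keys():
        # Documented but silent: possibly offline, possibly replaced.
        findings.add(("asset_not_seen", asset, ""))
    for flow in set(observed_flows) - baseline.flows:
        findings.add(("unexpected_flow", f"{flow.src}->{flow.dst}", flow.protocol))
    return sorted(findings)


# Constructed sample data: all names, contents and flows below are invented.
PROGRAM = b"RUNG1: XIC start OTE motor"
KNOWN_GOOD = {
    "plc-mixer-01": {"program": PROGRAM,
                     "parameters": b"temp_setpoint=72.0;mix_time=300"},
    "hmi-line-2": {"screen_config": b"screens=3;operator_role=line2"},
}
DOCUMENTED_FLOWS = [
    Flow("hmi-line-2", "plc-mixer-01", "modbus"),
    Flow("plc-mixer-01", "historian-dmz", "opcua"),
]
OBSERVED = {
    # Setpoint differs slightly from the documented value.
    "plc-mixer-01": {"program": PROGRAM,
                     "parameters": b"temp_setpoint=74.5;mix_time=300"},
    # A device that is not in the inventory at all.
    "eng-laptop-7": {},
}
OBSERVED_FLOWS = [
    Flow("hmi-line-2", "plc-mixer-01", "modbus"),
    Flow("eng-laptop-7", "plc-mixer-01", "modbus"),
]


def run_demo():
    """Run the comparison on the constructed sample data."""
    return compare(build_baseline(KNOWN_GOOD, DOCUMENTED_FLOWS),
                   OBSERVED, OBSERVED_FLOWS)


if __name__ == "__main__":
    for kind, subject, detail in run_demo():
        print(f"{kind:22} {subject:28} {detail}")
```

A small parameter change, an undocumented device and a flow outside the documented dependency map each surface as a separate finding, which is the kind of change that produces no outage and would otherwise go unnoticed.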

Authentication and Access Control in Shared Manufacturing Environments

Manufacturing environments present unique identity and access management challenges due to shift operations, shared workstations, and the frequent need for vendor access to specialized equipment. Traditional IT access controls often fail to address these operational realities, leading to either security compromises or workflow disruptions.
Effective manufacturing access control begins with role-based approaches that align permissions with operational responsibilities. Rather than managing access for individual users, this approach defines permission sets for roles like machine operator, maintenance technician, or process engineer. This simplifies administration in environments with rotating staff while ensuring consistent security controls.
Shared workstation environments require authentication solutions that balance security with operational efficiency. Manufacturing-optimized approaches include badge-based authentication systems that allow quick user switching without disrupting operations. Some facilities implement proximity-based authentication that automatically locks HMI screens when operators move away and grants access when authorized personnel approach with appropriate credentials.

Manufacturing Cybersecurity Without Disrupting Production

The imperative to maintain continuous operations creates unique constraints for security implementation in manufacturing environments. Effective manufacturing security strategies must work within these constraints, enhancing protection without compromising production excellence.

Testing Manufacturing Security Without Risking Operational Disruption

Validating security effectiveness poses particular challenges in manufacturing environments where testing on production systems risks operational disruption. However, leaving security controls unverified creates risks of either inadequate protection or unexpected operational impacts when security systems respond to actual threats.
Digital twin approaches provide a sophisticated testing methodology for manufacturing security. By creating virtual replicas of production environments, organizations can conduct realistic security testing without risking impact to operational systems. These environments allow red team exercises, vulnerability assessments, and security control validation using the same configurations present in production.
Test labs with physical equipment matching production systems provide another validation path, particularly for testing security controls on older equipment that might not be accurately represented in virtualized environments. These test environments should replicate network configurations, control system versions, and communication patterns found in production to ensure realistic testing results.
When direct testing on production systems becomes necessary, careful test scoping and scheduling minimizes risks. Tests should be limited to specific network segments, conducted during periods of lower production criticality, and include explicit backout plans to quickly restore normal operations if unexpected impacts occur. Manufacturing security testing should always include operations personnel who understand production requirements and can immediately identify potential production impacts.

 

Security Patches and Updates: Managing Risk in Production Environments

Patch management represents one of the most challenging aspects of manufacturing cybersecurity. Critical security updates often cannot be applied immediately due to production continuity requirements, vendor qualification processes, or concerns about potential compatibility issues with specialized equipment.
Effective manufacturing patch management begins with comprehensive risk assessment processes that evaluate both the security risk of delaying patches and the operational risk of applying them. This balanced approach acknowledges that both actions and inactions carry potential consequences in manufacturing environments. Critical vulnerabilities with active exploitation in similar environments typically justify expedited patching, while less severe vulnerabilities might be addressed during scheduled maintenance periods.
When patching must be delayed, compensating controls provide interim protection. These might include enhanced network monitoring around vulnerable systems, implementing additional access restrictions, or deploying virtual patching through intrusion prevention systems that can block exploitation attempts without modifying vulnerable systems.
Vendor management plays a critical role in effective manufacturing patch processes. Organizations should establish clear security expectations with equipment vendors, including response timeframes for critical vulnerabilities and testing processes for security updates. Leading manufacturers implement vendor security requirements during procurement processes, ensuring that new equipment includes appropriate update capabilities and security support commitments.
For legacy systems that cannot be patched, lifecycle management becomes an essential security strategy. Organizations must develop clear criteria for when security risks justify equipment replacement, incorporating security considerations into capital planning processes. This approach acknowledges that some systems simply cannot be adequately secured through updates alone and must eventually be replaced to maintain appropriate security postures.

 

| Security Control Type | Implementation Impact | Production Downtime Required | Effectiveness Rating | Best For |
|---|---|---|---|---|
| Network Segmentation | Medium | Minimal (phased implementation) | High | Isolating critical systems |
| Unidirectional Gateways | Low | None (parallel deployment) | Very High | Critical system protection |
| Endpoint Protection | High | Moderate (requires testing) | Medium | Engineering workstations |
| ICS Monitoring | Low | None (passive monitoring) | Medium-High | Anomaly detection |
| Access Controls | Medium | Low (staged implementation) | High | Limiting privileged access |

How Waterfall Security Solutions Safeguards Manufacturing Excellence

Manufacturing organizations face the dual imperative of enhancing cybersecurity while maintaining the operational reliability that enables production excellence. Waterfall Security Solutions has developed specialized technology that addresses this challenge, enabling robust protection without compromising the performance, availability, and reliability requirements of industrial environments.

Unidirectional Security Technology: Protecting Manufacturing Without Performance Penalties

Waterfall’s unidirectional security gateway technology provides a fundamentally different approach to manufacturing protection compared to traditional IT security solutions. Rather than relying on software-based controls that can be misconfigured or compromised, these gateways use hardware-enforced security to physically prevent attacks from reaching sensitive manufacturing systems.

 

Conclusion

 

As manufacturing evolves toward increasingly connected and data-driven operations, cybersecurity becomes an essential element of production excellence rather than a separate consideration. The threats targeting manufacturing environments continue to grow in both frequency and sophistication, requiring specialized protection approaches that address the unique characteristics of industrial operations.

 

The post Cyber Threats to the Manufacturing Industry: Risks, Impact, and Protection Strategies appeared first on Waterfall Security Solutions.

Top Oil and Gas Security Challenges and Best Practices for Protection
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/top-oil-and-gas-security-challenges-and-best-practices-for-protection/
Tue, 11 Nov 2025 12:16:46 +0000

The oil and gas industry faces a complex maze of cybersecurity challenges as digital transformation continues to reshape operations throughout the entire value chain. From upstream exploration activities to downstream distribution networks, critical infrastructure now depends heavily on interconnected operational technology systems that could spell disaster if compromised, potentially triggering catastrophic consequences for safety protocols, environmental protection, and overall energy security. This comprehensive examination of the sector explores the constantly evolving threat landscape, analyzes the key security challenges organizations face, and provides practical best practices to strengthen the protection of these essential assets.

The Evolving Threat Landscape in Oil and Gas Operations

The widespread digitalization of oil and gas operations has given rise to a sophisticated security environment where cyber threats increasingly zero in on critical infrastructure systems. Modern drilling platforms, refineries, and extensive pipeline networks now depend on advanced automation systems, Industrial Internet of Things devices, and cloud computing technologies to optimize their operations. While these technological advances have dramatically improved efficiency, they have also greatly expanded the potential attack surface.

Recent Security Incidents in the Oil and Gas Sector

The industry has experienced several devastating high-profile security incidents that underscore just how severe these threats have become. The 2021 Colonial Pipeline ransomware attack stands as perhaps the most prominent example, forcing the complete shutdown of a massive 5,500-mile pipeline system that typically supplies 45% of the East Coast’s fuel. This single incident caused widespread disruption and fuel shortages across multiple states, demonstrating how vulnerable these critical systems can be to determined attackers.

Saudi Aramco has also faced numerous cyberattacks over the years, including the notorious 2012 Shamoon malware incident that destroyed over 30,000 computers throughout its network. More recently, the company has dealt with cloud-based attacks specifically targeting its valuable operational data, showing how threat actors continue to adapt their tactics to exploit new vulnerabilities.

The problem extends well beyond major corporations and affects smaller operators too. Throughout 2022, several midsize oil and gas operators reported ransomware attacks that specifically targeted their industrial control systems, with attackers displaying remarkably sophisticated knowledge of operational technology environments. These incidents resulted in production shutdowns lasting several days and, in some particularly concerning cases, compromised safety systems that could have led to catastrophic accidents.

Key Threat Actors Targeting Oil and Gas Infrastructure

Oil and gas facilities face threats from a diverse range of adversaries, each with its own distinct motivations and capabilities. Nation-state actors frequently target these facilities to gain geopolitical advantage, conduct economic espionage, or establish persistent access to critical infrastructure that could potentially be weaponized during future conflicts. Several countries with advanced cyber capabilities have been linked to extensive reconnaissance operations designed to map vulnerabilities in energy infrastructure worldwide.

Criminal organizations have increasingly recognized the significant profit potential in targeting oil and gas companies, particularly because these organizations face tremendous pressure to restore operations quickly during any outage. This business reality has led to the emergence of specialized ransomware operations that explicitly target industrial control systems, with ransom demands frequently exceeding $10 million for larger operations.

Additionally, hacktivists and environmental extremists represent a growing and unpredictable threat vector, with some groups motivated primarily by ideological opposition to fossil fuel operations. These actors typically focus on service disruption or data theft to embarrass companies and generate negative publicity rather than seeking direct financial gain, making their attack patterns significantly less predictable than profit-motivated criminals.

 

| Year | Attack Type | Target System | Impact | Financial Loss |
|---|---|---|---|---|
| 2021 | Ransomware | Colonial Pipeline IT systems | 6-day pipeline shutdown | $4.4 million ransom |
| 2022 | Malware | European oil terminal OT systems | Disrupted loading operations at multiple ports | Undisclosed |
| 2023 | Supply chain | Pipeline monitoring software | Backdoor access to SCADA systems | $30+ million (estimated) |
| 2024 | Zero-day exploit | Offshore platform control systems | Production shutdown for safety concerns | $75+ million (estimated) |
| 2025 | Insider threat | Refinery control systems | Near-miss safety incident | $15 million (remediation) |

Critical Security Challenges Facing Oil and Gas Companies

The oil and gas industry confronts several unique security challenges that significantly complicate protection efforts across its operations. Understanding these specific challenges becomes crucial for developing effective security strategies that are properly tailored to address the sector’s particular operational requirements and constraints.

Convergence of IT and OT Security

Perhaps the most significant challenge facing the industry today involves the rapidly accelerating convergence of information technology and operational technology systems. Traditionally, industrial control systems operated in complete isolation from corporate networks, but ongoing digital transformation initiatives have increasingly connected these previously separate environments to enhance operational efficiency, enable remote monitoring and operations, and facilitate advanced data analytics capabilities.

This convergence creates dangerous security gaps where traditional information technology security approaches prove completely inadequate for operational technology environments. Operational technology systems prioritize availability and safety above all other considerations, making common IT security practices like regular patching schedules and frequent system updates highly problematic for continuous operations. Many security teams currently lack personnel with the specialized expertise spanning both domains, which inevitably leads to significant protection gaps in the critical interfaces between IT and OT networks.

The risks become even more magnified by the expanding use of Industrial Internet of Things devices that frequently lack built-in security controls yet connect directly to critical operational systems throughout the facility. Each new smart sensor or networked controller potentially introduces fresh vulnerabilities that could provide determined attackers with valuable access to essential production systems and processes.

Legacy System Vulnerabilities

The oil and gas industry operates extensive legacy infrastructure that was originally designed and deployed decades before cybersecurity became a significant operational concern. Many production facilities continue to use industrial control systems and SCADA equipment that have been in continuous operation for twenty years or more, running outdated operating systems that vendors no longer actively support with security updates.

These aging legacy systems present substantial and ongoing security challenges throughout the industry. They often cannot be patched with security updates, rely on obsolete communication protocols that completely lack modern authentication mechanisms, and were originally designed with the fundamental assumption of complete air-gapping rather than any network connectivity whatsoever. Replacing these systems involves prohibitive costs that can reach millions of dollars per facility, along with potential production disruptions that could last weeks or months, forcing companies to develop creative compensating security controls instead.

The challenge extends beyond just the technical aspects to include significant documentation gaps, with many organizations lacking complete and accurate network diagrams or comprehensive asset inventories for their older systems. This makes it extremely difficult to identify potential vulnerabilities or detect unauthorized changes to these critical environments during routine security assessments.

Remote Site Security Management

The vast geographical dispersion of oil and gas assets creates substantial security management challenges that are unique to the industry. Remote facilities such as offshore drilling platforms, pipeline compressor stations, and isolated production sites often operate with extremely limited on-site IT support, making comprehensive security implementation and continuous monitoring exceptionally difficult to maintain.

These remote sites frequently depend on satellite or cellular connections that come with significant bandwidth constraints, severely limiting the effectiveness of traditional security monitoring capabilities. Physical security at these remote locations may also be considerably less robust than at major facilities, substantially increasing the risk of both insider threats and physical tampering with critical control systems.

Secure remote access remains one of the most critical challenges for the industry, as maintenance personnel, third-party vendors, and operations teams require reliable access to these systems for ongoing monitoring, troubleshooting, and maintenance activities. Each remote access pathway represents a potential attack vector that must be properly secured and continuously monitored, yet operational requirements often conflict with strict security controls.

Essential Oil and Gas Cybersecurity Best Practices

Protecting oil and gas infrastructure effectively requires a comprehensive approach that incorporates advanced technical controls, well-defined organizational policies, and proven industry best practices. The following strategies provide a solid foundation for enhancing security posture across all types of operations, from small independent operators to major integrated companies.

Implementing Defense-in-Depth Security Architecture

Defense-in-depth architecture continues to serve as the fundamental cornerstone of effective protection for oil and gas infrastructure operations. This proven approach implements multiple layers of complementary security controls throughout the organization, ensuring that if one protective layer fails or is bypassed, additional layers remain in place to protect the most critical assets and operations.

For oil and gas operations specifically, effective defense-in-depth implementation begins with conducting a comprehensive asset inventory and detailed risk assessment to properly identify the critical systems that require the highest levels of protection. Security zones should be carefully established based on operational function and criticality levels, with appropriate controls implemented at each zone boundary to manage and monitor all communications between different areas.

The architecture should incorporate robust physical security measures protecting control hardware and infrastructure, comprehensive network security controls managing all data flows between different zones, application security measures ensuring system integrity at the software level, and detailed procedural controls governing human interactions with all systems throughout the facility.

Advanced monitoring capabilities spanning both IT and OT environments enable early detection of potential threats and suspicious activities, with security information and event management solutions providing correlation across all environments to identify anomalous behavior patterns that might indicate system compromise. Increasingly, artificial intelligence and machine learning technologies enhance these capabilities by automatically establishing normal operational baselines and flagging significant deviations that warrant investigation.

Regular tabletop exercises and comprehensive incident response drills help organizations thoroughly test their defense-in-depth implementation, ensuring security teams understand how layered controls work together effectively during an actual attack scenario and identify potential gaps before they can be exploited by malicious actors.

OT Network Segmentation Strategies

Network segmentation represents one of the most effective security controls available for oil and gas environments, significantly limiting an attacker’s ability to move laterally throughout the network after gaining initial access to any system. However, effective segmentation strategies for OT environments differ significantly from traditional IT approaches and require specialized knowledge of industrial systems and protocols.

The Purdue Enterprise Reference Architecture provides an excellent framework for industrial network segmentation, logically dividing systems into distinct levels ranging from field devices at Level 0, through various control systems at Levels 1 and 2, operations management systems at Level 3, and business systems at Levels 4 and 5. Each boundary between these levels represents a valuable opportunity to implement security controls that carefully restrict and monitor communications between different zones.

Implementing properly configured demilitarized zones at the critical IT/OT boundary allows necessary data exchange for business operations while minimizing direct connections between environments that could be exploited. Within the OT environment itself, micro-segmentation based on operational function, process area, or safety criticality further limits potential attack propagation and contains any successful intrusions.

Unidirectional security gateways provide particularly strong protection at the most critical boundaries, physically enforcing one-way information flow from OT networks to IT networks while completely preventing any control signals or potential malware from traveling in the reverse direction. This hardware-enforced protection effectively eliminates entire classes of network-based attacks while still enabling essential operational data to flow to business systems for analysis and reporting.
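
The segmentation rules described in this section can be checked against observed traffic. The following is an added example, not code from the original article or from Waterfall. The asset names, ports, sample flows, and the "3.5" label for the IT/OT DMZ are constructed, and the policy it encodes is an assumption: a flow may cross at most one zone boundary, and nothing may travel back down across the boundary protected by a unidirectional gateway.

```python
from dataclasses import dataclass

# Constructed asset inventory: asset name -> Purdue level.
# 3.5 is an assumed label for the DMZ at the IT/OT boundary.
ASSET_LEVEL = {
    "flow-sensor-17": 0,
    "plc-compressor-1": 1,
    "hmi-station-a": 2,
    "historian-ot": 3,
    "historian-replica": 3.5,
    "patch-relay": 3.5,
    "erp-app": 4,
    "eng-laptop": 4,
}

# Zones in order, so "adjacent" means neighbouring entries in this list.
ZONES = [0, 1, 2, 3, 3.5, 4, 5]

# Boundaries protected by a unidirectional gateway, written (ot_side, it_side):
# traffic may cross from ot_side up to it_side, never back down.
ONE_WAY = [(3, 3.5)]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def audit_flow(flow):
    """Return the policy violations for one observed flow (empty list = allowed)."""
    for name in (flow.src, flow.dst):
        if name not in ASSET_LEVEL:
            return [f"unknown asset '{name}': not in the inventory"]
    src_level, dst_level = ASSET_LEVEL[flow.src], ASSET_LEVEL[flow.dst]
    findings = []
    # Rule 1: a flow may stay in its zone or cross one boundary, not skip a zone.
    if abs(ZONES.index(src_level) - ZONES.index(dst_level)) > 1:
        findings.append(f"skips a zone: level {src_level} -> level {dst_level}")
    # Rule 2: nothing may travel down across a one-way boundary.
    for ot_side, it_side in ONE_WAY:
        if src_level >= it_side and dst_level <= ot_side:
            findings.append(
                f"inbound across one-way boundary {ot_side}/{it_side}")
    return findings


def audit(flows):
    """Map each violating flow to its findings; compliant flows are omitted."""
    report = {}
    for flow in flows:
        findings = audit_flow(flow)
        if findings:
            report[flow] = findings
    return report


# Constructed sample of observed flows (e.g. summarised from passive monitoring).
SAMPLE_FLOWS = [
    Flow("flow-sensor-17", "plc-compressor-1", 502),
    Flow("hmi-station-a", "plc-compressor-1", 502),
    Flow("historian-ot", "historian-replica", 5450),
    Flow("erp-app", "historian-replica", 443),
    Flow("erp-app", "historian-ot", 1433),
    Flow("patch-relay", "hmi-station-a", 445),
    Flow("eng-laptop", "plc-compressor-1", 44818),
    Flow("vendor-modem", "plc-compressor-1", 502),
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst}:{flow.port}")
        for finding in findings:
            print(f"  VIOLATION: {finding}")
```

A flow from an unknown asset is reported rather than silently allowed, which also surfaces the inventory gaps discussed under legacy systems.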

 

Regulatory Compliance in Oil and Gas Security

The oil and gas industry operates within a complex and continuously evolving regulatory landscape that increasingly addresses specific cybersecurity requirements for critical infrastructure protection. Understanding and maintaining compliance with these various requirements has become essential for operational continuity and legal protection.

International Standards and Industry Guidelines

Several key frameworks provide comprehensive guidance for cybersecurity practices specifically tailored to oil and gas operations. IEC 62443 offers detailed standards for industrial automation and control systems security, providing guidance that is specifically designed to address the unique needs and constraints of operational technology environments. This framework addresses technical security requirements, organizational processes, and complete system lifecycle security considerations.

The NIST Cybersecurity Framework provides a proven risk-based approach that applies across all industries but has become increasingly referenced in energy sector regulations worldwide. For pipeline operators specifically, the American Petroleum Institute’s Standard 1164 provides detailed and practical guidance on SCADA security practices, including recent updates that address modern threat landscapes and attack vectors.

Regional regulations increasingly impact even global operators who must comply with local requirements in each jurisdiction where they operate. The European Union’s comprehensive NIS2 Directive imposes strict security requirements on essential service providers, including all energy companies, while the U.S. Transportation Security Administration has implemented mandatory security directives for pipeline operators following lessons learned from the Colonial Pipeline incident.

Building a Compliance-Oriented Security Program

Rather than treating compliance as merely a checkbox exercise to be completed annually, leading oil and gas companies successfully integrate regulatory requirements into comprehensive security programs that genuinely enhance overall protection levels. This strategic approach begins with carefully mapping regulatory controls across different frameworks to identify common requirements and streamline implementation efforts across the organization.

Successful compliance programs place emphasis on ongoing risk management activities rather than relying solely on point-in-time assessments that may quickly become outdated. They incorporate regular evaluation of security controls against evolving threat landscapes and changing operational requirements. Documentation and evidence collection become integrated into standard operational processes rather than being conducted as separate, burdensome activities that interfere with daily operations.

Third-party risk management has become an absolutely essential element of compliance programs as regulations increasingly hold operators directly responsible for maintaining security throughout their entire supply chain ecosystem. Leading organizations implement comprehensive vendor security assessment programs and detailed contractual security requirements for all partners with any level of access to operational systems.

| Framework / Standard | Region/Scope | Key Requirements | Implementation Timeline |
|---|---|---|---|
| IEC 62443 | International | Secure development lifecycle, zone/conduit models | Phased implementation |
| NIST CSF | United States/Global | Risk assessment, protection, detection, response | Continuous improvement |
| API 1164 | Pipeline operators | SCADA security controls, authentication requirements | Updated every 5 years |
| NIS2 Directive | European Union | Mandatory incident reporting, security measures | Full compliance by 2026 |
| TSA Security Directives | U.S. pipeline operators | Vulnerability management, incident response plans | Immediate implementation |

How Waterfall Security Solutions Protects Critical Oil and Gas Infrastructure

 

As threats to oil and gas infrastructure continue to grow in sophistication and frequency, traditional security approaches based solely on firewalls and software-based controls have proven inadequate for protecting critical operational systems. Waterfall Security Solutions addresses these complex challenges through innovative technology specifically designed to meet the unique protection needs of industrial environments where safety and availability cannot be compromised.

Unidirectional Security Gateway Technology for OT Protection

Waterfall’s flagship Unidirectional Security Gateway technology represents a fundamental paradigm shift in operational technology security, physically enforcing strict one-way information flow to protect critical infrastructure from external cyber threats. Unlike traditional firewalls that can be misconfigured, bypassed, or compromised through software vulnerabilities, Waterfall’s hardware-based approach creates an absolutely impassable barrier against any inbound attacks or unauthorized commands.

The technology utilizes a unique and innovative architecture featuring a transmitter component on the operational technology side connected to a receiver component on the information technology side through dedicated optical fiber connections. This physical configuration enables essential operational data to flow seamlessly to business systems for monitoring, analysis, and reporting purposes while making it physically impossible for malware, attack commands, or any unauthorized communications to travel in the reverse direction. This effectively creates a modern, highly functional implementation of traditional air gap protection while maintaining complete operational visibility and business intelligence capabilities.

For oil and gas operators, this approach successfully resolves the fundamental tension that has long existed between operational connectivity requirements and security imperatives. Critical production data, equipment status information, and performance metrics can flow freely to corporate networks for essential business intelligence purposes while critical control systems remain completely protected from any network-based attacks. The technology provides comprehensive support for all standard industrial protocols, including Modbus, OPC, and OSIsoft PI systems, enabling seamless integration with existing infrastructure investments without requiring costly system replacements.

 

Beyond the core gateway technology, Waterfall’s comprehensive solution suite includes specialized secure remote access options designed specifically for industrial environments, allowing authorized vendors and remote workers to access necessary systems when required without compromising overall security posture. The company’s industrial security monitoring solutions provide detailed visibility into operational technology network activity to detect potential insider threats or anomalous behavior patterns that might indicate compromise.

Conclusion

 

The security challenges facing the oil and gas industry will undoubtedly continue to evolve and become more complex as digital transformation initiatives reshape operations and threat actors develop increasingly sophisticated attack capabilities and techniques. Organizations that proactively implement comprehensive security strategies combining advanced technology, robust processes, and well-trained personnel will be best positioned to protect their critical infrastructure while still enabling the significant operational benefits that modernization can provide.

By carefully applying the proven best practices outlined throughout this article and leveraging specialized security technologies like those provided by Waterfall Security Solutions, oil and gas operators can substantially enhance their overall security posture while ensuring the reliable and safe delivery of essential energy resources to communities and industries worldwide. The investment in robust cybersecurity measures today will prove essential for maintaining operational continuity and protecting both business assets and public safety in an increasingly connected and threatened world.

The post Top Oil and Gas Security Challenges and Best Practices for Protection appeared first on Waterfall Security Solutions.

Data Diode vs Firewall: Understanding the Key Differences in OT Security
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/data-diode-vs-firewall-understanding-the-key-differences-in-ot-security/
Tue, 04 Nov 2025 09:20:06 +0000

When you’re protecting operational technology infrastructure, the security solution you pick could mean the difference between weathering a cyberattack and making headlines for all the wrong reasons. It’s not really about whether you need protection anymore; that ship sailed when hackers started going after power grids and water systems. What matters now is figuring out which technology will actually work when attackers come knocking.

OT security isn’t your typical IT problem. We’re talking about systems that run power plants, manage water treatment facilities, control manufacturing lines, and keep transportation networks moving. When these systems fail, you’re not dealing with stolen passwords or leaked documents. You’re looking at potential physical damage, environmental disasters, or genuine public safety threats. Understanding your security options has never been more critical.

Two technologies dominate the conversation when it comes to creating secure boundaries between OT networks and external threats: data diodes and firewalls. Both handle security, but their approaches are worlds apart. This choice shapes everything: immediate protection, operational flexibility, compliance posture, and how well you’ll handle whatever new threats emerge.

TL;DR: Data Diode vs Firewall key differences:

| Aspect | Data Diode | Firewall |
|---|---|---|
| Security Model | Hardware, one-way | Software, two-way |
| Attack Surface | Minimal, immune to 0-day | Larger, exploitable |
| Maintenance | Low, set-and-forget | High, ongoing updates |
| Flexibility | Limited, no remote | High, supports remote |
| Performance | Low latency, scalable | Higher latency may slow |
| Compliance | Simple, physical proof | Complex, ongoing checks |
| Use Cases | Critical infrastructure | General OT with access |

What is a Data Diode? Core Technology and Functionality Explained

A data diode is a cybersecurity device that enforces one-way data transfer between two networks. It allows information to flow out of a secure system without allowing external data to flow back in. Organizations use data diodes to protect critical infrastructure, defense systems, and industrial control networks from cyberattacks.

The technology works by physically severing the return path that network communications typically need. Regular network connections require two-way communication for protocols like TCP/IP to work properly. Data diodes break this requirement at the hardware level, making it physically impossible for external systems to establish connections or push data back into protected networks.

What Is the Technical Architecture of Data Diodes?

The hardware creates what’s essentially an air gap with controlled, one-way data transmission. Inside these devices, fiber optic connections carry data from OT networks to external monitoring systems, but the physical design prevents signals from traveling backward. The transmit fiber literally can’t receive signals, and the receive side can’t transmit anything. This isn’t a software setting that could accidentally get changed; it’s baked into the hardware design.

Your OT systems still provide all the data needed for monitoring, reporting, and analytics. Historians keep collecting process data, SCADA systems continue displaying real-time information, and operators maintain full operational visibility. The key difference? This visibility never creates a pathway for attackers to reach critical systems.

Data diodes also eliminate concerns about network protocols being exploited. Since there’s no return communication path, traditional network-based attacks simply can’t function. Malware that depends on command and control communications finds itself cut off from its handlers. Remote access trojans lose their ability to communicate back to attackers.

Security Guarantees Provided by Hardware Enforcement

Hardware enforcement gives you security guarantees that software simply can’t match. With a data diode, protection doesn’t depend on perfect configuration, timely updates, or hoping that nobody’s found an undiscovered vulnerability. The security model is binary: data goes out, nothing comes back.

This approach eliminates entire categories of cyberattacks that need two-way communication to succeed. Advanced persistent threats, remote access trojans, and command-and-control communications all need bidirectional connectivity. By physically preventing this connectivity, data diodes create an impenetrable barrier.

The reliability extends beyond just cybersecurity threats. Data diodes also protect against insider threats who might attempt to establish unauthorized network connections. Even with administrative access to systems, an insider can’t override the physical limitations of the hardware.

Firewall Technology in OT Security Contexts

Firewalls have evolved considerably since their early days, particularly for operational technology environments. Modern OT firewalls include deep packet inspection, protocol-aware filtering, and specialized capabilities for industrial communication protocols. They act as intelligent gatekeepers, examining traffic and deciding what gets through based on predefined rules and policies.

Unlike data diodes, firewalls keep bidirectional connectivity alive while trying to filter out malicious traffic. They analyze packet contents, addresses, protocol types, and application behaviors to determine whether communications should pass or get blocked.

Evolution of Firewall Technology for Industrial Networks

Firewalls were originally built for IT networks, where the main job was to keep malicious traffic out of corporate systems while still allowing employees, servers, and applications to connect to the internet. These early firewalls were not designed with operational technology (OT) in mind. Industrial networks have very different requirements: 24/7 uptime, specialized communication protocols, and devices that often remain in service for decades. Applying traditional IT firewalls directly to OT environments often caused disruptions, latency, or outright failures because the firewalls simply didn’t “understand” how industrial equipment communicated.

To meet these unique demands, firewalls for industrial use evolved in several key ways.

First, they became protocol-aware. Industrial control systems rely on communication protocols such as Modbus, DNP3, IEC 61850, OPC, and PROFINET. Unlike typical IT protocols, these are highly specialized and often lack built-in security features. Modern OT firewalls now include deep packet inspection (DPI) for these protocols, meaning they can read and interpret the actual commands and values being exchanged between devices. This allows the firewall not only to block generic suspicious traffic, but also to detect anomalies such as unauthorized control commands or malformed data packets that could indicate tampering.

Second, OT firewalls added segmentation capabilities tailored to industrial environments. In IT, segmentation often means dividing a corporate network into different security zones. In OT, segmentation is even more critical because it can stop a compromise in one part of a plant or facility from spreading to safety-critical or production-critical systems. Modern industrial firewalls enable very granular control, ensuring that only specific devices or applications can talk to each other, and only in very specific ways.

Third, these firewalls evolved to perform application-layer filtering. Instead of just looking at IP addresses and ports, they can analyze the actual applications running on top of communication protocols. This provides deeper security by distinguishing between normal operational commands and malicious activity that might be hidden inside legitimate-looking traffic. For example, a command to “read data” might be allowed, while a command to “change setpoint” from an unauthorized source would be blocked immediately.

Finally, OT firewalls now support high availability and redundancy features designed for industrial use. In environments like power grids, oil refineries, or manufacturing lines, even a momentary network disruption can have costly or dangerous consequences. Industrial firewalls are engineered to handle continuous uptime, support redundant hardware configurations, and tolerate the challenging physical conditions of plant environments, such as electrical noise, temperature extremes, or vibration.

In short, firewalls for industrial networks have matured far beyond their IT ancestors. They are now specialized security devices that combine traditional packet filtering with deep industrial protocol awareness, network segmentation, and resilience features. This evolution reflects the growing recognition that OT environments face distinct threats, and that protecting them requires tools specifically designed for the realities of industrial operations.
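The read-versus-write distinction described above, as an added example (not Waterfall's or any firewall vendor's code): a minimal Modbus/TCP filter that parses the MBAP header, drops malformed frames, allows read function codes, and allows write function codes only from an allow-listed source. The IP addresses and sample frames are constructed for illustration.

```python
import struct

READ_CODES = {0x01, 0x02, 0x03, 0x04}    # read coils / discrete inputs / holding / input registers
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}   # write single/multiple coils and registers

# ASSUMPTION: constructed address of the one engineering workstation allowed to write.
WRITE_ALLOWED_SOURCES = {"10.10.1.20"}


def inspect_frame(src_ip, frame):
    """Return (verdict, reason) for one Modbus/TCP request frame."""
    if len(frame) < 8:                       # 7-byte MBAP header + function code
        return "DROP", "truncated frame"
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:                        # Modbus always uses protocol id 0
        return "DROP", "protocol id is not Modbus"
    if length != len(frame) - 6:             # length field counts unit id + PDU
        return "DROP", "length field does not match frame size"
    function_code = frame[7]
    if function_code in READ_CODES:
        return "ALLOW", "read request"
    if function_code in WRITE_CODES:
        if src_ip in WRITE_ALLOWED_SOURCES:
            return "ALLOW", "write from authorized source"
        return "DROP", "write from unauthorized source"
    return "DROP", "function code not on allow list"   # default deny


def build_frame(pdu, tid=1, unit=1):
    """Wrap a PDU in an MBAP header (used only to construct the samples below)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample frames.
READ_HOLDING = build_frame(struct.pack(">BHH", 0x03, 0, 10))       # read 10 registers at address 0
WRITE_SETPOINT = build_frame(struct.pack(">BHH", 0x06, 100, 750))  # write 750 to register 100
BAD_LENGTH = READ_HOLDING[:4] + b"\x00\xff" + READ_HOLDING[6:]     # length field tampered

if __name__ == "__main__":
    for src, frame in [("10.10.2.50", READ_HOLDING), ("10.10.2.50", WRITE_SETPOINT),
                       ("10.10.1.20", WRITE_SETPOINT), ("10.10.2.50", BAD_LENGTH)]:
        print(src, frame.hex(), *inspect_frame(src, frame))
```

The final `return` is a default deny: any function code that is not explicitly listed is dropped, which is the behaviour the rule-set complexity discussed in the next section makes easy to get wrong.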

Configuration and Management Challenges in OT Environments

Managing firewalls in OT environments creates challenges. Industrial systems often need 24/7 availability, which means maintenance windows are scarce. Configuration changes require careful planning and testing. Firewall rule sets can become incredibly complex, and mistakes can block legitimate traffic or allow malicious activity through.

Another challenge involves keeping up with security updates and threat intelligence. Firewall effectiveness depends heavily on current threat signatures and properly configured rules. This ongoing maintenance requirement can strain resources.

Key Differences: Data Diode vs Firewall Security Capabilities

Data diodes operate on a deterministic security model where the hardware design makes certain attacks physically impossible. Firewalls implement rule-based protection requiring constant management.

The deterministic nature of data diodes means your security posture doesn’t deteriorate over time. Firewalls, on the other hand, rely on constant vigilance, updates, and adjustments.

Maintenance and Operational Requirements

Firewalls need regular updates, rule changes, and monitoring. Data diodes need minimal maintenance once deployed. Firewall management requires cybersecurity expertise; data diodes require more upfront network design work.

Performance and Operational Considerations

Data diodes excel in high-throughput scenarios and handle any IP-based protocol without modification. Firewalls introduce latency due to inspection and require protocol-specific support.

Operationally, firewalls enable remote access while data diodes eliminate it. Organizations must balance between absolute security and operational flexibility.

Data Diodes Regulatory Compliance

Data diodes align closely with critical infrastructure protection standards, offering simple, verifiable compliance. Firewalls can support compliance, too, but require continuous updates and detailed documentation.

Implementation Scenarios

Use data diodes for critical systems that can’t tolerate compromise, such as power generation or chemical processing. Use firewalls when bidirectional communication and remote access are essential, such as in manufacturing. A layered approach using both often makes the most sense.

Waterfall Security’s Unidirectional Security Gateway

Waterfall Security Solutions pioneered hardware-enforced unidirectional protection. Their Unidirectional Security Gateway advances data diode concepts with support for industrial protocols, secure file transfers, and solutions like HERA (Hardware-Enforced Remote Access).

Waterfall Security’s technology provides deterministic security guarantees while addressing practical deployment challenges in industrial networks. With proven deployments in power, oil and gas, water treatment, transportation, and more, Waterfall offers a reliable approach to OT cybersecurity.

Conclusion

When it comes to protecting critical infrastructure, your choice between data diodes and firewalls does not have to be an either/or decision. While data diodes provide absolute protection through unidirectional communication and firewalls offer flexible, bidirectional connectivity with rule-based security, the most robust OT security strategies often combine both.

By adding hardware-enforced protection to segment critical networks, organizations can dramatically strengthen their security posture. This layered approach ensures that even if a firewall is compromised, the physical barrier provided by a data diode prevents threats from reaching your most sensitive systems. As cyber threats against OT continue to evolve, combining these technologies delivers resilience and safety for the future.

As cyber threats against OT continue to evolve, understanding these differences ensures resilience and safety for the future.

 

The post Data Diode vs Firewall: Understanding the Key Differences in OT Security appeared first on Waterfall Security Solutions.

Security by Design- The New Imperative for Rail Systems https://waterfall-security.com/ot-insights-center/transportation/security-by-design-the-new-imperative-for-rail-systems/ Tue, 04 Nov 2025 07:00:36 +0000 https://waterfall-security.com/?p=36880 The post Security by Design- The New Imperative for Rail Systems appeared first on Waterfall Security Solutions.


Security by Design- The New Imperative for Rail Systems

An introduction to the UITP Report & Real-World Applications

Watch the webinar for an in-depth exploration of the UITP “Design for Security of Safety-Critical Systems” report — a groundbreaking framework for integrating cybersecurity into rail Safety Instrumented Systems (SIL 1–SIL 4) across their entire lifecycle. Aligned with the soon-to-be-published IEC 63452 and other key safety standards, this session will provide rail operators, suppliers, and cybersecurity professionals with practical insights on applying security-by-design principles to real-world challenges. Discover how industry leaders are addressing the intersection of safety and cybersecurity, the growing impact of AI-driven threats, and the new engineering principles shaping the future of secure rail systems.

In the webinar, attendees will come away understanding:

  • Key findings from the UITP report and their impact on rail safety and cybersecurity
  • Real-world insights from Waterfall Security, MTA and Alstom on implementing recommendations
  • Open discussion on challenges, solutions, and best practices for embedding cybersecurity in safety-critical systems

About the Speakers

Serge Van Themsche

Senior Consultant for Waterfall Security,
Co-Leader of the UITP Report

Eddy Thésée

Vice President Digital & Cyber Platform at Alstom

Shea McKinney

Deputy Chief Information Security Officer OT at MTA,
Contributor to the UITP Report

Michael J. Wong

Cybersecurity Director at MTA,
Contributor to the UITP Report

Cybersecurity Risk Assessment for Public Transport OT Environments: A Practical Guide https://waterfall-security.com/ot-insights-center/transportation/cybersecurity-risk-assessment-for-public-transport-ot-environments-a-practical-guide/ Thu, 30 Oct 2025 14:40:06 +0000 https://waterfall-security.com/?p=36894 The post Cybersecurity Risk Assessment for Public Transport OT Environments: A Practical Guide appeared first on Waterfall Security Solutions.


Cybersecurity Risk Assessment for Public Transport OT Environments: A Practical Guide

Discover how rail operators can strengthen cybersecurity in OT environments. This blog explores the UITP framework, helping transport leaders assess risks, set protection goals, and build resilience across critical rail systems. A must-read for anyone securing modern public transport.

Serge Van Themsche

Waterfall team

Why OT Cybersecurity Requires a Specialized Approach

Unlike IT systems, OT environments prioritize safety, reliability, and real-time operations. A cyber incident in an OT system, such as a signaling failure or a train control breach, can have immediate physical consequences, including service disruptions or safety hazards. 

The UITP framework outlines two models: Track A for small PTOs and Track B for mid- to large-sized operators. In addition to offering corporate and IT risk assessment guidelines, the report introduces a comprehensive model specifically tailored for OT environments, where customized protections are essential to address unique risks. 

Key Insights: Risk Assessment for OT Environments

The Role of Track B in OT Cybersecurity 

Track B is designed for larger operators with intermediate to advanced cybersecurity maturity. It provides detailed risk and vulnerability assessment, aligning with international standards such as IEC 62443, ISO 27005, and TS 50701/IEC 63452. 

Practical Steps: From Risk Scoring to Security Level Targets 

Step 1: Identify the System under Consideration (SuC) 

Define the scope of the OT system to be assessed by identifying the SuC’s boundaries and documenting the system’s architecture.

Step 2: Identify Assets 

Create an inventory of OT assets within the SuC by listing the physical and logical assets and grouping these assets into zones, based on their criticality and function.

Step 3: Define Risk Criteria 

Establish scales for impact and likelihood to evaluate risks. Assess consequences in terms of safety, operational availability, and financial impact. Evaluate the likelihood of a cyber incident based on threat actor capability (e.g., skill level, resources) and vulnerability exposure.

Step 4: Identify Threats and Vulnerabilities 

Define the threat landscape for the OT system by identifying threat actors (e.g., hacktivists, nation-states, insiders) and documenting vulnerabilities in the SuC.

Step 5: Conduct an Initial Risk Assessment 

| Security Level | Level of protection |
|---|---|
| SL1 | Protection against casual violations |
| SL2 | Protection against intentional violations |
| SL3 | Protection against sophisticated attacks |
| SL4 | Protection against high-resource attacks |

Evaluate the inherent risks in the SuC by assigning risk scores based on impact and likelihood. To determine the risk level (Low: 1, Medium: 2, High: 3, Critical: 4), use UITP’s risk matrix.

Step 6: Translate Risk Scores into Security Level Target (SL-T) 

The SL-T is transformed into a 7-dimension matrix based on the 7 Foundational Requirements (FRs) defined in IEC 62443 / EN 50701.

| FR | Description | Details |
|---|---|---|
| FR1 | Identification and Authentication Control | Ensure only authorized personnel and devices access OT systems. |
| FR2 | Use Control | Restrict system access based on roles (e.g., operators vs. maintenance). |
| FR3 | System Integrity | Protect OT systems from unauthorized modifications or malware. |
| FR4 | Data Confidentiality | Secure sensitive operational data within OT networks. |
| FR5 | Restricted Data Flow | Segment OT networks to limit unnecessary communication. |
| FR6 | Timely Response to Events | Implement real-time monitoring and incident response. |
| FR7 | Resource Availability | Ensure OT systems remain operational during cyber incidents. |

Step 7: Perform Zoning and Define Zone Criticality 

Group assets into security zones that should reflect common security requirements (e.g., safety-critical vs. business-critical) and assign Zone Criticality Levels (ZC-L) based on the worst-case impact of a breach. 

 

Step 8: Implement Mitigation Strategies 

Apply controls to meet SL targets, for each of the 7 Foundational Requirements. In order to do so, each defined Security Requirement must be addressed.   

For example, if a signaling system is assessed with a risk score of 3 translated into a SL-T3, the Security Requirements in red in the following table must be met for FR5 (Restricted data flow). The same process applies to the 6 additional Foundational Requirements. 

This is where cyber technologies play an active part in the process. For example, a network architecture based on firewalls could achieve SL1 for FR5 but would require additional means to meet SL2 (SR 5.1.(1): physical network segmentation), whereas a unidirectional gateway would inherently meet SL1, SL2, and SL3 for FR5. 

 

Step 9: Address Tail Risks 

Modern risk management introduces the concept of “tail risk”. The notion that some risks could bring down organizations or even entire industries has now entered the sphere of cybersecurity best practice. Even with robust risk mitigation, tail risks (low-probability, high-impact events) pose a real challenge. For instance, abusing a fail-safe mechanism to cause the derailment of a passenger train or of a freight convoy carrying dangerous goods could be considered a tail risk. Mitigation strategies may include increasing the Security Level target (e.g., from SL-T3 to SL-T4), or strengthening resilience planning (by implementing backup systems and manual overrides) and incident response plans by preparing for worst-case scenarios.
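Steps 5 to 9 carried through for the signaling example above, as an added sketch that is not part of the UITP report or its tools. The 4x4 risk matrix and the zone data are constructed for illustration, and applying the same SL-T to all seven FRs is a simplification; the FR5 levels for a firewall and a unidirectional gateway are the ones stated in Step 8.

```python
from dataclasses import dataclass, field

FRS = ("FR1", "FR2", "FR3", "FR4", "FR5", "FR6", "FR7")

# ASSUMPTION: constructed 4x4 matrix (rows = impact 1-4, columns = likelihood 1-4).
# It stands in for UITP's risk matrix, which the article does not reproduce.
RISK_MATRIX = (
    (1, 1, 2, 2),
    (1, 2, 2, 3),
    (2, 2, 3, 4),
    (2, 3, 4, 4),
)

# FR5 levels per boundary control, as stated in the article:
# firewalls reach SL1, a unidirectional gateway meets SL1 through SL3.
FR5_ACHIEVED = {"firewall": 1, "unidirectional_gateway": 3}


@dataclass
class Zone:
    name: str
    impact: int               # Step 3 scale, 1-4
    likelihood: int           # Step 3 scale, 1-4
    boundary_control: str     # key into FR5_ACHIEVED
    tail_risk: bool = False   # Step 9 flag
    achieved: dict = field(default_factory=dict)  # SL achieved for the other FRs


def risk_score(zone):
    """Step 5: risk level 1 (Low) to 4 (Critical) from impact and likelihood."""
    return RISK_MATRIX[zone.impact - 1][zone.likelihood - 1]


def sl_target(zone):
    """Step 6: risk score n becomes SL-Tn for each FR (uniform vector, a simplification).
    Step 9: a tail-risk zone is raised one level, capped at SL4."""
    level = risk_score(zone)
    if zone.tail_risk:
        level = min(4, level + 1)
    return {fr: level for fr in FRS}


def gaps(zone):
    """Step 8: FRs where the achieved level is below target, as {FR: (achieved, target)}."""
    achieved = dict(zone.achieved)
    achieved["FR5"] = FR5_ACHIEVED[zone.boundary_control]
    target = sl_target(zone)
    return {fr: (achieved.get(fr, 0), target[fr])
            for fr in FRS if achieved.get(fr, 0) < target[fr]}


# Constructed sample: a signaling zone whose other six FRs already sit at SL3.
OTHER_FRS_AT_SL3 = {fr: 3 for fr in FRS if fr != "FR5"}
SIGNALING_FW = Zone("signaling", 3, 3, "firewall", achieved=OTHER_FRS_AT_SL3)
SIGNALING_UGW = Zone("signaling", 3, 3, "unidirectional_gateway", achieved=OTHER_FRS_AT_SL3)
SIGNALING_TAIL = Zone("signaling", 3, 3, "unidirectional_gateway", tail_risk=True,
                      achieved=OTHER_FRS_AT_SL3)

if __name__ == "__main__":
    for zone in (SIGNALING_FW, SIGNALING_UGW, SIGNALING_TAIL):
        print(zone.name, zone.boundary_control, "SL-T", sl_target(zone)["FR5"], gaps(zone))
```

Raising the target for a tail-risk zone reopens gaps on every FR, including FR5 behind the gateway, which is why Step 9 pairs a higher SL-T with resilience and incident response planning.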

Applying UITP’s Risk Assessment Tools for OT

Tool 2 is specifically designed for OT systems, helping operators:  

  • Assess risks based on SL targets. 
  • Implement mitigation strategies aligned with the 7 Foundational Requirements. 
  • Address tail risks through resilience and contingency planning. 

 

Next Steps: 

  • Apply Tool 2 to assess and mitigate risks in your OT environment. 
  • Consult OT cybersecurity experts to tailor protections to your specific needs. 

 

Conclusion: Proactive OT Cybersecurity 

Cybersecurity in OT environments is not a one-time effort—it’s an ongoing process. By adopting UITP’s Track B methodology, operators can: 

  • Proactively protect their OT systems against evolving threats. 
  • Ensure safety, reliability, and resilience in public transport operations. 
  • Start the compliance process with standard EN 50701/IEC 63452. 

Final Thought: OT cybersecurity requires a specialized approach that balances safety, reliability, and security. Which methodology, if any, does your company use?
