Given the increased need for proactive, consistent testing, how do we adopt a structured approach in OT environments?
Securing Operational Technology (OT) environments is a unique challenge. These systems power critical industries like manufacturing, energy, and transportation, where operational availability is paramount. Furthermore, the evolving threat landscape demands continuous improvement in security practices. Given the increased need for proactive, consistent testing, how do we adopt a structured approach in OT environments, which are inherently more complex?
As a co-author of SANS SEC598: Security Automation for Offense, Defense, and Cloud and a senior cybersecurity expert specializing in automation, I am continually seeking new challenges. One of the most pressing challenges today is securing OT environments. These systems are integral to industries such as manufacturing, energy, and transportation, where disruption can have significant consequences. The primary concern in OT security is finding a balance between implementing robust security measures and maintaining the operational availability that these systems demand.
My experience in adversary emulation has shown me the importance of proactive security measures. However, the question remains: how can we leverage automation to conduct structured offensive testing in OT environments effectively? This blog post seeks to answer that by clarifying some common misconceptions about OT security, discussing the challenges these environments present, and outlining potential approaches for continuous security testing in OT environments by using tools such as CALDERA.
From a cybersecurity expert’s perspective, protecting OT systems is about far more than just securing networks. It’s about ensuring the continuity and safety of the physical processes that underpin critical industries.
The increasing convergence of IT and OT systems has exposed OT environments to a wave of new vulnerabilities. While IT security focuses on protecting data, OT security must safeguard physical assets and human safety, often without disrupting operations.
In general, we see that OT systems frequently lack comprehensive asset management, patch management, and vulnerability management processes. This absence can make it feel as though one is stepping back in time regarding cybersecurity practices. Many OT infrastructures rely on legacy systems that were not designed with modern security considerations in mind, complicating the implementation of effective security measures. The critical nature of these systems means that downtime for updates or security assessments is often not feasible, leaving vulnerabilities unaddressed.
From a monitoring perspective, OT environments typically watch for operational failures, ensuring that processes run smoothly and efficiently. This is not the same as security monitoring: alarms are tuned to process anomalies, not to adversary behaviour, so a breach may go undetected until it causes substantial harm. The convergence of IT and OT systems further complicates security, introducing new vulnerabilities and attack vectors, and AI-assisted tooling lowers the effort an attacker needs to target these complex environments.
OT environments often operate under long-held assumptions that can hinder the implementation of robust cybersecurity measures. These misconceptions are not only widespread but also leave critical systems vulnerable to threats. Let’s explore the key myths and why they can be dangerous.
Many believe OT networks are air-gapped, completely disconnected from IT systems and the internet. In reality, this is rarely the case. Modern OT environments increasingly integrate with IT for operational efficiency and remote access, which erodes this isolation and introduces potential vulnerabilities. Yet the belief that a breach cannot happen persists, the opposite of an "assume breach" mindset, leading to complacency and a lack of proactive measures.
Another misconception is that since OT systems are functioning smoothly, updates and testing are not required. However, many OT environments rely on legacy systems that are no longer supported or patched, leaving them susceptible to known exploits. The operational risk of downtime often outweighs the perceived need for security improvements, allowing vulnerabilities to persist unchecked.
It is often assumed that implementing robust security measures will cause disruptions to critical operations. While downtime is a valid concern, this belief discourages organizations from adopting even minimally invasive security solutions, leaving their OT systems open to attacks.
Imagine a scenario where an external contractor is called in to patch a Programmable Logic Controller (PLC). Believing the system is isolated and secure, the organization overlooks the contractor’s access methods. To complete the patch, the contractor connects a personal laptop to the PLC and uses a mobile hotspot for internet access.
This action, though seemingly harmless, creates multiple risks:
- The PLC now has an internet path through the hotspot, which silently breaks the air-gap assumption the organization relies on.
- The personal laptop sits outside the organization's controls (patching, endpoint protection, inventory), so whatever it carries is connected directly to a controller.
- The session is neither authorized through a change process nor logged or monitored, so a malicious or mistaken write to the PLC leaves no trail.
- Because the segment is assumed isolated, nothing is in place to detect the new device or its traffic.
Such scenarios are not uncommon and highlight the challenges of relying on outdated assumptions about OT security.
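The contractor scenario is detectable with very little tooling if the OT segment has an asset inventory and a sensor that logs flows. The following added example (my illustration, not code from the original post) assumes a passive sensor or OT firewall that writes one flow per line and a small inventory keyed by MAC address; the flow records, device names and addresses are constructed and hypothetical. It flags an unknown MAC on the segment, an unknown host speaking an industrial protocol to a PLC, a known MAC that has changed IP, and any OT host reaching a public address.

```python
"""Spot unmanaged devices talking to PLCs on an OT segment.

Added example, not from the original post. Assumes a sensor log with one flow
per line: <timestamp> <src MAC> <src IP> <dst IP> <dst port> <proto>.
All inventory entries and flow records below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

OT_SEGMENT = ipaddress.ip_network("10.10.5.0/24")

# Constructed asset inventory keyed by MAC address (hypothetical names/addresses).
OT_INVENTORY = {
    "00:1d:9c:aa:01:01": {"ip": "10.10.5.10", "role": "plc", "name": "PLC-PRESS-01"},
    "00:1d:9c:aa:01:02": {"ip": "10.10.5.11", "role": "plc", "name": "PLC-CONV-02"},
    "00:1d:9c:aa:02:01": {"ip": "10.10.5.50", "role": "hmi", "name": "HMI-LINE-A"},
    "00:1d:9c:aa:03:01": {"ip": "10.10.5.60", "role": "ews", "name": "EWS-01"},
}
IP_TO_ASSET = {a["ip"]: a for a in OT_INVENTORY.values()}

# Industrial protocol ports: a session to one of these from an unknown host is
# the "contractor laptop on the PLC" case.
ICS_PORTS = {102: "s7comm", 502: "modbus", 20000: "dnp3", 44818: "enip"}

# Constructed flow records (not real traffic). Lines 3-4 are the contractor's
# personal laptop, which bridges its hotspot onto the segment; line 5 is a
# known MAC appearing with a different IP than the inventory records.
SAMPLE_FLOWS = """\
2024-03-01T10:02:11Z 00:1d:9c:aa:02:01 10.10.5.50  10.10.5.10 502 tcp
2024-03-01T10:02:30Z 00:1d:9c:aa:03:01 10.10.5.60  10.10.5.11 102 tcp
2024-03-01T13:41:05Z a4:5e:60:ff:10:01 10.10.5.199 10.10.5.10 502 tcp
2024-03-01T13:42:17Z a4:5e:60:ff:10:01 10.10.5.199 8.8.8.8    53  udp
2024-03-01T13:50:00Z 00:1d:9c:aa:02:01 10.10.5.51  10.10.5.10 502 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


def parse_flow(line):
    """Parse one whitespace-separated flow record."""
    ts, src_mac, src_ip, dst_ip, port, proto = line.split()
    return Flow(ts, src_mac.lower(), src_ip, dst_ip, int(port), proto)


def analyze(text):
    """Return a list of (kind, detail) findings for the flows in `text`."""
    findings = []
    seen_unknown = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        src_asset = OT_INVENTORY.get(f.src_mac)
        dst_asset = IP_TO_ASSET.get(f.dst_ip)
        src_in_ot = ipaddress.ip_address(f.src_ip) in OT_SEGMENT
        dst_ip = ipaddress.ip_address(f.dst_ip)

        # 1. A MAC the inventory has never seen is on the segment; raise once per MAC.
        if src_asset is None and src_in_ot and f.src_mac not in seen_unknown:
            seen_unknown.add(f.src_mac)
            findings.append(("UNKNOWN_DEVICE", f"{f.src_mac} at {f.src_ip} first seen {f.ts}"))

        # 2. That unknown host is speaking an industrial protocol to a PLC. This is
        #    the finding that matters: it can change the process, not just read it.
        if src_asset is None and dst_asset and dst_asset["role"] == "plc" and f.dst_port in ICS_PORTS:
            findings.append(("UNKNOWN_TO_PLC",
                             f"{f.src_ip} -> {dst_asset['name']} over {ICS_PORTS[f.dst_port]} at {f.ts}"))

        # 3. Known MAC with a different IP than recorded: DHCP drift or spoofing;
        #    either way the inventory is wrong and must be reconciled.
        if src_asset is not None and src_asset["ip"] != f.src_ip:
            findings.append(("IP_MAC_MISMATCH",
                             f"{src_asset['name']} expected {src_asset['ip']}, saw {f.src_ip} at {f.ts}"))

        # 4. Anything on the OT segment reaching a public address breaks the air-gap
        #    assumption outright. A hotspot on the laptop's second NIC is invisible
        #    to this sensor unless bridged, which is why check 1 exists.
        if src_in_ot and dst_ip not in OT_SEGMENT and not dst_ip.is_private:
            findings.append(("OT_EGRESS_TO_INTERNET",
                             f"{f.src_ip} -> {f.dst_ip}:{f.dst_port}/{f.proto} at {f.ts}"))
    return findings


def summarize(text):
    """Count findings by kind; a first triage view."""
    return Counter(kind for kind, _ in analyze(text))


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_FLOWS):
        print(f"{kind:22} {detail}")
```

The inventory check is deliberately keyed on MAC rather than IP: a contractor laptop will often pick up a valid address from the segment's DHCP scope, so an IP allowlist alone would pass it. Check 4 only fires when the laptop bridges its hotspot into the segment; when it does not, the only observable is the unknown device itself, which is why asset management is the precondition for every other control discussed here.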
The following breakdown illustrates key differences between IT and OT environments in terms of incidents, impacts, and response. It underscores why a unified approach to monitoring and incident detection across IT and OT systems is critical for modern organizations.

Nature of Incidents
  IT: compromise of data, accounts and systems; the initial attack vector in many incidents originates here.
  OT: disruption or manipulation of physical processes, often on legacy systems that cannot be patched or taken offline.

Primary Impact
  IT: loss of confidentiality, integrity or availability of data.
  OT: loss of operational availability, damage to physical assets, and risk to human safety.

Response Focus
  IT: detecting, containing and remediating the intrusion.
  OT: keeping the process running safely; the response itself must not disrupt operations.
While IT and OT operate with distinct priorities, their interconnected nature has blurred the boundaries. The initial attack vector in many incidents often originates from IT systems, making it vital to integrate IT and OT monitoring. Such integration enables early threat detection and coordinated responses, reducing the risk of cascading impacts across both environments.
By combining IT monitoring with OT monitoring, organizations can achieve comprehensive visibility across their infrastructure. This approach ensures that threats, regardless of their entry point, are identified and addressed, minimizing potential blind spots. A coordinated response ensures both IT and OT are aligned, reducing delays and enabling faster detection, containment, and remediation.
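What "combining IT monitoring with OT monitoring" looks like in practice is a correlation rule that joins the two feeds. The following added example (my illustration, not code from the original post) assumes a constructed IT feed (identity and EDR events per host) and a constructed OT feed (control events per PLC from a protocol-aware sensor), plus a hypothetical mapping of which IT-managed hosts are allowed to program which PLCs. A control action from an unauthorized source is flagged on its own; a control action from an authorized engineering workstation that IT has just raised an alert on is escalated, which is exactly the cascading case neither feed shows by itself.

```python
"""Correlate IT alerts with OT control events into one incident list.

Added example, not from the original post. Both feeds, the host-to-PLC
authorization map, and every name and timestamp below are constructed.
"""
from datetime import datetime, timedelta

# Which IT-managed hosts may issue control commands to which PLCs.
# Constructed; in practice this comes from the engineering change process.
AUTHORISED_PROGRAMMING = {
    "ews-01": {"PLC-PRESS-01", "PLC-CONV-02"},
    "hmi-line-a": {"PLC-PRESS-01"},
}

# Constructed IT feed: "<ts> <host> <user> <event...>"
IT_EVENTS = """\
2024-03-01T08:15:00Z ews-01 j.doe LOGON_SUCCESS
2024-03-01T09:02:44Z ews-01 j.doe EDR_ALERT credential_dumping
2024-03-01T09:10:12Z hr-laptop-7 a.smith PHISH_CLICK
"""

# Constructed OT feed: "<ts> <src_host> <plc> <event...>"
OT_EVENTS = """\
2024-03-01T08:30:00Z ews-01 PLC-PRESS-01 PROGRAM_DOWNLOAD
2024-03-01T09:35:20Z ews-01 PLC-CONV-02 PROGRAM_DOWNLOAD
2024-03-01T09:36:01Z ews-01 PLC-CONV-02 MODE_CHANGE run->program
2024-03-01T11:00:00Z hmi-line-a PLC-PRESS-01 SETPOINT_WRITE
2024-03-01T13:41:05Z unknown-10.10.5.199 PLC-PRESS-01 PROGRAM_DOWNLOAD
"""

CONTROL_EVENTS = {"PROGRAM_DOWNLOAD", "MODE_CHANGE", "SETPOINT_WRITE", "FIRMWARE_UPDATE"}
IT_TRIGGERS = {"EDR_ALERT", "PHISH_CLICK", "LOGON_ANOMALY"}
WINDOW = timedelta(hours=4)  # how long after an IT alert an OT control action is suspect


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(text, fields):
    """Split each line into the named fields; the last field keeps any trailing detail."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(fields, line.split(maxsplit=len(fields) - 1)))
        rec["ts"] = _ts(rec["ts"])
        out.append(rec)
    return out


def correlate(it_text, ot_text, window=WINDOW):
    """Return incidents, each with the OT event and (if any) the IT event that preceded it."""
    it = parse_events(it_text, ["ts", "host", "user", "event"])
    ot = parse_events(ot_text, ["ts", "src_host", "plc", "event"])
    incidents = []
    for o in ot:
        if o["event"].split()[0] not in CONTROL_EVENTS:
            continue
        # Control action from a host not authorized for that PLC: an OT-only finding.
        if o["plc"] not in AUTHORISED_PROGRAMMING.get(o["src_host"], set()):
            incidents.append({"severity": "high", "reason": "unauthorised_control_source", "ot": o, "it": None})
            continue
        # Authorized host, but did IT raise a trigger on that same host within the window before?
        prior = [i for i in it
                 if i["host"] == o["src_host"]
                 and i["event"].split()[0] in IT_TRIGGERS
                 and timedelta(0) <= o["ts"] - i["ts"] <= window]
        if prior:
            incidents.append({"severity": "critical", "reason": "control_after_it_compromise",
                              "ot": o, "it": prior[-1]})
    return incidents


def as_timeline(incidents):
    """Merge the IT and OT halves of each incident into one time-ordered list of lines."""
    rows = set()
    for inc in incidents:
        if inc["it"]:
            i = inc["it"]
            rows.add((i["ts"], f"IT  {i['host']} {i['user']} {i['event']}"))
        o = inc["ot"]
        rows.add((o["ts"], f"OT  {o['src_host']} -> {o['plc']} {o['event']} [{inc['severity']}: {inc['reason']}]"))
    return [f"{ts:%Y-%m-%dT%H:%M:%SZ} {msg}" for ts, msg in sorted(rows)]


if __name__ == "__main__":
    for line in as_timeline(correlate(IT_EVENTS, OT_EVENTS)):
        print(line)
```

Note what the rule does not do: it does not alert on the 08:30 program download, because that happened before the EDR alert on the same workstation, and it does not alert on the HMI's setpoint write, because that host is authorized for that PLC and has no IT trigger. The value of the join is in the two 09:35 events, which an OT-only view would accept as routine engineering work.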
Understanding OT security challenges is just the beginning. To truly safeguard critical systems, you need hands-on expertise in automating offensive and defensive strategies. SANS SEC598: Security Automation for Offense, Defense, and Cloud equips you with the skills to proactively test, detect, and respond to threats in complex OT environments—without disrupting operations.
Join industry experts and take your cybersecurity automation skills to the next level. Register for SEC598 today!
Jeroen is the security architecture team lead and incident manager at NVISO where he specializes in security architecture, cloud security, and continuous security monitoring.
Read more about Jeroen Vandeleur