As the curtain closes on 2024, the critical infrastructure and OT (operational technology) sectors reflect on a year of relentless cyber challenges. The intensifying threats have tested industrial organizations’ resilience and have shaped the cyber strategies they carry into 2025.
In the last twelve months, industries have seen rampant, increasingly advanced ransomware attacks and vulnerabilities in their supply chains. The lesson of the past year is to focus more on proactive threat intelligence and robust incident response plans, and to adopt zero trust as the essential strategy for safeguarding sensitive industrial and operational environments.
As 2025 draws near, organizations need to tighten up their cybersecurity. This means not just technology and infrastructure upgrades but also building awareness among employees of how to safeguard and protect their installations. AI-driven defenses and advanced monitoring tools will be essential in identifying emerging threats.
Industrial IoT continues to change the cybersecurity landscape, offering new opportunities and challenges. The answer must strike a balance that allows innovation to proceed while upholding robust security measures that strengthen, rather than hinder, that innovation. 2024 underlined the importance of adaptability and resilience in the face of cyber adversity. The lessons learned will be a stepping stone toward a fortified defense against tomorrow’s unknown threats.
2024’s top industrial cybersecurity challenges and solutions
Industrial Cyber consulted with cybersecurity experts to identify the most significant industrial cybersecurity challenges faced by organizations in 2024 and to explore how these challenges were addressed.
“Threats from People’s Republic of China (PRC)-affiliated actors such as Volt Typhoon challenged organizations to consider the security of network edge devices and the impact of living-off-the-land in industrial environments,” Matt Rogers, CISA Industrial Control Systems (ICS) Cybersecurity Expert, told Industrial Cyber. “CISA’s ‘Identifying and Mitigating Living Off the Land Techniques’ guidance helps organizations protect against this threat before they reach the industrial network. Going forward the question is where organizations can add resilience into their industrial environments.”
Hamish Hansford, deputy secretary for cyber and infrastructure security in Australia’s Department of Home Affairs, told Industrial Cyber that this year there have been a number of mandatory cyber incident reports for critical infrastructure that included, for example, compromised credentials, malware infections, and DDoS attacks. “These occurred alongside other threats to Australian critical infrastructure such as sabotage, physical impacts from natural hazards, and increasing supply chain issues.”
Some of the cybersecurity challenges include risks from legacy systems, the convergence of IT and OT networks, and the rapid evolution of AI-driven cyberattacks, John Lee, managing director of the OT-ISAC (Operational Technology Information Sharing Analysis Centre), assessed. “Legacy systems, with outdated equipment and minimal security features, remained vulnerable to exploitation. AI-enabled threats, such as generative AI phishing and deepfake scams, further complicated the landscape. Additionally, human error and insufficient cybersecurity training exacerbated vulnerabilities. Added to the above is a shortage of cybersecurity resources and talent.”
He added that some measures to tackle these issues include enhanced network segmentation, adopting AI-driven monitoring tools, and integrating threat intelligence frameworks like MITRE ATT&CK for incident response and proactive defense.
Anton Shipulin, an industrial cybersecurity evangelist at Nozomi Networks, stated that in his view, one of the most significant cybersecurity challenges industrial organizations faced in 2024 was the increase in cyber threats associated with global military conflicts. Nation-state actors and hacktivist groups transitioned from espionage to sabotage, directly targeting industrial systems.
“Ransomware attacks were another serious problem, with manufacturing remaining a key target,” Shipulin told Industrial Cyber. “Attackers became more aggressive, we started seeing cases with double extortion to demand payments not only for decryption but also to keep stolen data private.”
Lastly, he pointed to the growing number of cybersecurity regulations, such as the EU’s Cyber Resilience Act and NIS 2 Directive, which added significant pressure. These rules, while necessary, created challenges for organizations by requiring them to meet strict new requirements.
“The Crowdstrike faulty update was a wakeup call that supply chain incidents represent a significant threat to our security defenses and that the products we trust to secure our systems can actually represent significant common-cause vulnerabilities,” John Cusimano, vice president for OT cybersecurity at Armexa, told Industrial Cyber. “In the case of Crowdstrike, the faulty update was accidental, but the consequences were widespread and extremely disruptive to users’ operations. Numerous industrial critical infrastructure operations were impacted including oil and gas pipelines, terminals, airlines, manufacturing, and transportation.”
Cusimano added that the response to this incident in the OT community has varied. Many dismissed it as purely an IT incident and were less alarmed because it was the result of human error and not a malicious attack. However, particularly those that had Crowdstrike deployed in their OT environments viewed it as a significant incident or an alarming near miss.
He recommends conducting OT cyber design reviews and risk assessments to study all security update practices and, in particular, to take a critical look at any applications that depend on frequent updates and persistent communications with suppliers’ services.
Evolving cybersecurity strategies in critical infrastructure
The experts analyze how critical infrastructure sectors have adapted their cybersecurity strategies to combat increasingly sophisticated cyberattacks.
Rogers identified that the primary strategy, segmentation, is the same. “The sophisticated threat actors raise the problem of where to invest in defense-in-depth. With limited resources, you may invest in password rotation, continuous monitoring, and other Cross-Sector Cybersecurity Performance Goals. The correct approach will depend on the limitations of the legacy environment and how much the security team can push the envelope for usable security solutions in an operational environment,” he added.
Throughout 2024, Hansford said that relevant owners and operators of critical infrastructure have worked in partnership with the government to implement risk management programs to uplift security practices to prevent, withstand, and recover. “Pleasingly, the most recent advice that the Department has received in trial audits has demonstrated high levels of compliance for critical infrastructure owners and operators implementing cyber protections. The Government also works closely with Systems of National Significance to prioritize cyber incident response, planning, and exercising.”
Lee detailed that governments have introduced stringent cybersecurity regulations mandating that critical infrastructure entities adhere to specific security standards and report cyber incidents promptly. For instance, the UK’s proposed Cyber Security and Resilience Bill aims to strengthen national cyber defenses and ensure the protection of essential services. Singapore has the Cybersecurity Code of Practice (CCOP) version 2.
“Organizations have adopted zero trust models, which require continuous verification of user identities and device integrity, thereby minimizing the risk of unauthorized access,” according to Lee. “The integration of artificial intelligence and machine learning has improved the ability to detect and respond to cyber threats in real time, enabling quicker mitigation of potential attacks.”
He added that there is a heightened emphasis on information sharing and collaboration among government agencies, private sector entities, and international partners to collectively address cyber threats and develop unified defense strategies. “The Operational Technology Information Analysis Centre (OT-ISAC) set up in Singapore in 2019 is an example. It has been part of the Singapore OT Cybersecurity Masterplan since 2019. The second revision of the masterplan was launched in 2024 and OT-ISAC is still part of the plan under key thrust 2.”
Shipulin said that a lot of critical infrastructure companies have taken some important steps to improve their security posture. “One of the key shifts has been the increased focus on network security monitoring. This has become almost mandatory in industrial networks as organizations face more advanced threats. I’ve also noticed a growing interest in cyber insurance as a way to manage risk. While this is a helpful strategy for addressing financial impacts, it sometimes creates a false sense of security if not paired with strong preventative measures.”
He also noted that regulators have stepped in, requiring sectors to report serious cyber incidents. “This has been a positive development, encouraging transparency and accountability, though, as I said earlier, it adds pressure on organizations with already limited resources. Despite these efforts, many industrial companies and sectors still struggle with low cybersecurity maturity.”
Cusimano said that the persistent threat of ransomware, particularly in critical infrastructure sectors, has forced organizations to rethink how they protect and recover critical OT systems.
He detailed that organizations are adopting 3-2-1 backup strategies in OT (i.e., 3 copies of data, 2 types of media, 1 offsite copy) to protect against hardware failures, accidents, cyberattacks, and local disasters, ensuring data recovery in most situations. Also, regular testing of backups for integrity and reliability is no longer optional—it’s essential for a strong defense, while simulated ransomware attacks and regular drills have become critical in ensuring teams are prepared for rapid response.
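The backup-testing point above is easy to state and easy to skip. The script below is an added illustration (not code from the article, Armexa, or any vendor) of the minimum a 3-2-1 programme needs: a SHA-256 manifest written alongside the primary backup set, and a verifier that checks any copy (offsite, second media, or a test restore) against it, reporting missing, corrupted and unexpected files rather than a bare pass/fail. The manifest file name, directory layout and file contents are constructed for the demo.

```python
"""Backup integrity manifest + verifier (added illustration, constructed data).
Builds a SHA-256 manifest of a backup tree and verifies a copy against it."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"  # assumed name for the demo, not a standard


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large PLC/historian images fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> {size, sha256} for every regular file under root."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(root).as_posix()
            entries[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return entries


def write_manifest(root: Path) -> Path:
    """Write the manifest next to the backup set (sorted keys for stable diffs)."""
    out = root / MANIFEST_NAME
    out.write_text(json.dumps(build_manifest(root), indent=2, sort_keys=True))
    return out


def verify_copy(manifest: dict, copy_root: Path) -> dict:
    """Compare a copy (offsite, second media, or test restore) to the manifest.
    Size is checked first (cheap); the hash catches same-size bit-rot."""
    result = {"ok": [], "missing": [], "corrupt": [], "extra": []}
    for rel, meta in manifest.items():
        p = copy_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    for p in copy_root.rglob("*"):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(copy_root).as_posix()
            if rel not in manifest:
                result["extra"].append(rel)  # file the manifest never recorded
    return result


def demo() -> dict:
    """Constructed scenario: a primary set, a faithful copy, and a copy where one
    file was corrupted without changing size and another file was lost."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        primary = base / "primary"
        (primary / "plc").mkdir(parents=True)
        (primary / "plc" / "line1.project").write_bytes(b"PLC project image (constructed)")
        (primary / "hmi.cfg").write_bytes(b"hmi config (constructed)")
        manifest = json.loads(write_manifest(primary).read_text())

        good = base / "offsite_good"
        shutil.copytree(primary, good)
        bad = base / "offsite_bad"
        shutil.copytree(primary, bad)
        (bad / "hmi.cfg").write_bytes(b"hmi config (CONSTRUCTED)")  # same length, different bytes
        (bad / "plc" / "line1.project").unlink()
        return {"good": verify_copy(manifest, good), "bad": verify_copy(manifest, bad)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest should be stored with the offline/offsite copy and signed or hashed separately, so that an attacker who can alter the backup cannot also rewrite the manifest; a verification that only ever reports "ok" has not been tested either, which is why the demo includes a deliberately damaged copy.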
Industrial cyber resilience: Lessons from 2024’s top threats
The experts now turn their focus on the key lessons from 2024’s cybersecurity incidents that can help improve resilience in industrial environments.
The willingness of threat actors to go after OT assets along with the increased attack surface from changes in the vendor ecosystem means that operators cannot rely solely on segmentation for resilience from a cyber attack, according to Rogers. “If operators assume a threat actor is in their industrial environment, then they must restrict the threat actor’s ability to create an impact through a mix of physical resilience (backup equipment, alternative communication paths), recovery mechanisms (business continuity plans, training, minimum viable systems), and cyber resilience (limiting lateral movement, modifying networked devices to reduce the impact of misuse).”
He added that another consideration for cyber resilience is understanding which components have the authority to control the industrial environment (primary controllers, Modbus clients, safety instrumented systems) and working with vendors to reduce the risk of impersonation or compromise.
Hansford said that the key message for industry is to adopt, as its core posture, the assumption that an incident is not a matter of if but when. “Whilst not a malicious cybersecurity incident, the Crowdstrike outage in July demonstrated what a future cybersecurity incident might look like for Australia. The widespread impacts across the Australian economy and society highlighted the vulnerability that exists within our interconnected systems, noting that this software update issue was relatively small in comparison to what a larger-scale incident could look like. The outage provides Australians with an example to draw on when examining the effectiveness of their business continuity plans and the security of their supply chains.”
“Threat actors like Russia’s Sandworm and Iran-affiliated CyberAv3ngers launched targeted attacks on critical infrastructure, such as energy facilities and water systems,” Lee said. “Cybercriminals used AI to enhance phishing, malware development, and impersonation attacks, complicating detection and response. Outdated software components and vulnerabilities in supply chains allowed attackers to exploit systemic weaknesses.”
He added that this highlights the importance of implementing cybersecurity programs and frameworks. “Regular security assessments and audits are required to test the controls. Crown jewels need to be identified and their protection prioritized. Incident response plans need to be developed, and tabletop exercises conducted regularly to test the readiness of the organization to respond to an attack.”
Shipulin identified a couple of key areas for improvement based on the results of this year. These include ransomware, which remains a significant threat, emphasizing the importance of investing in effective prevention and recovery measures while avoiding paying ransoms, a practice that can perpetuate the issue. Supply chain vulnerabilities have also emerged as critical factors in modern cyberattacks. This trend emphasizes the need for more robust risk management strategies to secure supply chain channels.
Additionally, he listed the rise of AI/ML-enabled cyberattacks, which reflects the evolving sophistication of adversaries. The widespread adoption of AI/ML technologies has demonstrated the need for organizations to stay vigilant and adapt to new, advanced attack techniques.
In the wake of high-profile incidents like the Crowdstrike faulty update, organizations are re-evaluating their security update and patch management strategies, Cusimano noted. “While this incident is unlikely to hinder cloud adoption, it has raised flags about cloud connectivity and dependence on OT and highlighted some of the vulnerabilities in many security update processes. Focusing on testing updates in isolated, low-risk OT environments is becoming a best practice, especially in industries reliant on Operational Technology where downtime can have catastrophic consequences.”
He added that tools providing greater transparency and customization in the update process will empower organizations to better control security update risks while staying compliant with cybersecurity mandates. “Inspired by Microsoft’s staged deployment strategy, OT vendors may implement similar methods, starting with low-risk environments before scaling to critical systems.”
Tech trends transforming industrial cybersecurity
The executives look into how technological advancements have impacted both the challenges and solutions in industrial cybersecurity this year.
Rogers assessed that the solutions remain similar in industrial environments – primarily continuous network monitoring and secure remote access and segmentation solutions. “However, with increased threats to the industrial environment, we may see more endpoint solutions designed to provide evidence of intrusion or improve the resilience of the endpoint itself.”
“Advancements in technologies, including artificial intelligence (AI), may introduce new or exacerbate existing national security challenges,” Hansford observed. “As AI-enabled data processing accelerates in scale and complexity, it presents benefits to Australian innovation, business, and individuals. However, it can also exacerbate vulnerabilities such as identity theft and foreign interference and lift the capability of cyber threat actors to conduct attacks at greater speed, scale, and effectiveness.”
Hansford added that through the 2023-2030 Australian Cyber Security Strategy, the Australian Government is exploring practical steps it can take to support the safe development and diffusion of AI technologies across the Australian economy.
Lee pointed out that the rapid adoption of Internet of Things (IoT) devices and increased digitalization have broadened the attack surface, making industrial systems more susceptible to cyber threats. “There will be more digitalization in industrial organization as the economy and industries move towards a converged and interconnected business platform to reap the benefits of technology and increase productivity and efficiency.”
He noted that microservices provided by industry and supply chains are vulnerable to attacks. The economy is moving towards a decentralized model as organizations do not produce all their products and services. Third-party risks are significant as the information security posture of the suppliers is not within the contracting organization’s control.
Shipulin identified two key areas. The first is that the application of AI/ML is expanding into nearly every area imaginable. While the AI/ML-enabled cyberattacks mentioned earlier are on the rise, industrial automation vendors are also leveraging AI/ML to enhance automation capabilities. However, these systems may themselves become targets of AI/ML-driven cyberattacks. Fortunately, cybersecurity solutions are also adopting AI/ML technologies to process large volumes of data, enabling more effective detection and prevention of advanced cyber threats.
Secondly, Shipulin mentioned that the adoption of cloud platforms in industrial environments is part of the broader trend of OT/IT convergence. “This shift provides industrial businesses with enhanced capabilities, including access to vast computational resources and simplified management. However, it also increases the sensitivity of OT systems to vulnerabilities, requiring greater attention to cybersecurity.”
Cusimano observed that AI technology is currently being applied to ICS anomaly detection, backup validation, and scenario generation for tabletop exercises, and that its broader role in OT cybersecurity will undoubtedly expand, albeit at a slower pace than in the general IT space.
Regulatory shifts reshape industrial cybersecurity
The executives focus on how regulatory changes and government initiatives have influenced industrial cybersecurity practices in 2024.
“CISA put more of a focus on urging critical infrastructure to remove control systems from the public internet in 2024. CISA is collaborating with vendors to find control systems and reduce exposure as well as providing free external vulnerability scanning services to 9,000+ critical infrastructure entities,” Rogers said. “More than three thousand private infrastructure entities signed on to the vulnerability scanning service over the past 18 months, a 53 percent growth for this service. Additionally, CISA’s regional cybersecurity advisors conducted hundreds of Cyber Performance Goal assessments to help critical infrastructure organizations achieve a baseline of security.”
Hansford commented that the Department engages with more than 2,100 members via the Trusted Information Sharing Network to work together with owners and operators of critical infrastructure to enhance the security and resilience of their assets.
“In regards to regulatory change, on 25 November 2024, the Parliament passed Australia’s first Cyber Security Act 2024 and reforms under the Security of Critical Infrastructure Act 2018,” according to Hansford. “These complementary measures continue to enhance Australia’s collective cybersecurity and our resilience to emerging cyber threats.”
Hansford added that the Cyber Security Legislative Package will implement seven initiatives under the 2023-2030 Australian Cyber Security Strategy, addressing legislative gaps to bring Australia in line with international best practices and take the next step to ensure Australia is on track to become a global leader in cybersecurity. These measures will address gaps in current legislation to:
- mandate minimum cyber security standards for smart devices;
- introduce mandatory ransomware reporting for certain businesses to report ransom payments;
- introduce a ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate (ASD); and
- establish a Cyber Incident Review Board.
Lee said that regulations have become important due to the increasing sophistication and frequency of cyber-attacks. Ransomware is a form of attack that is popular among nation-states and cybercriminals, and its volume remained high in 2024 according to the GRF Ransomware Report. The Global Resilience Federation (GRF) is a non-profit based in the USA that supports Information Sharing and Analysis Centres (ISACs).
“There is a spillover impact on non-critical infrastructure organizations, often indirectly enhancing their cybersecurity posture. Supply Chain Security is improved as Critical Infrastructure organizations often require their suppliers and partners, which include non-critical infrastructure companies, to comply with stringent cybersecurity standards,” according to Lee. “Non-CI organizations improve their cybersecurity to remain competitive, especially when dealing with CI sectors that demand compliance with regulations like secure-by-design principles or robust incident response capabilities.”
He added that the tools, techniques, and frameworks developed under CI regulations—such as vulnerability disclosure processes, threat intelligence sharing platforms, and secure supply chain protocols—are often made accessible to other sectors. “Non-CI entities increasingly adopt frameworks like ISO 27001, IEC 62443, NIST CSF, etc., influenced by the need to align with partners or CI clients.”
“One key trend has been the focus on supply chain risk management, particularly through SBOM (Software Bill of Materials) initiatives,” Shipulin said. “The EU’s Cyber Resilience Act (CRA) stands out as a strong example, emphasizing better vulnerability management and increased transparency across supply chains. Incident reporting requirements have also been reshaping practices for critical infrastructure. The NIS2 Directive stands out as a leading framework, setting an example for reporting processes.”
He highlighted a growing emphasis on Security Operations Centers (SOCs) for threat detection and response. Saudi Arabia’s new framework for managed SOCs demonstrates how governments are driving more centralized and effective security operations. Lastly, the ongoing evolution of ISA/IEC 62443 standards has been incredibly helpful. Updates, new certification schemes, and wider national adoption of these standards provide a stronger, more consistent foundation for securing industrial systems worldwide.
Cusimano noted that several new cybersecurity regulations were ratified or expanded in 2024, reflecting growing concerns about protecting critical infrastructure, data, and businesses from cyber threats. Many of them apply to both IT and OT cybersecurity, such as SEC Cybersecurity Disclosure Rules (U.S.); NIS2 and DORA (EU); and CRA (EU).
“Looking forward, the U.S. regulatory environment may relax,” Cusimano expects. “However, other regions (i.e., EU) and nations will likely continue to strengthen cybersecurity regulations with specific requirements for OT security. Additionally, sector-specific security directives will likely expand beyond energy and transportation to other industrial sectors such as water, food, and pharmaceuticals.”
2025 and beyond: Emerging threats in industrial cybersecurity
As 2025 approaches, the executives identify the emerging threats that industrial organizations should prioritize, along with measures to enhance their cybersecurity posture.
Rogers urges industrial organizations to prioritize the threat from PRC actors going into 2025, and specifically to understand that defense-in-depth is necessary in the industrial environment because threat actors are compromising network edge devices (gateways, firewalls), stealing credentials that rarely change in industrial settings, and using living-off-the-land techniques to disguise themselves as normal operators.
He also called upon industrial organizations to strongly consider using a jump-host architecture to segment their network and require MFA access through the jump-host for any remote access. “This mitigates the risk of lateral movement and the common challenges of shared or default passwords in industrial settings. As operators procure new equipment, they should explore moving off legacy protocols and EOL software where possible to establish a more secure foundation that supports identity and access management, continuous monitoring, and logging.”
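A jump-host architecture only reduces lateral movement if it is actually the sole path in, so the policy is worth checking against the access logs rather than assumed. The script below is an added illustration (not code from the article or CISA) that audits accepted-login records against two rules drawn from the recommendation above: a session on an OT host must originate from the jump host, and a session on the jump host must have completed a second factor. The host names, addresses and log lines are constructed in an sshd-like format for the demo and are not real data.

```python
"""Jump-host access policy audit over constructed sshd-style log lines.
Added illustration; network layout and log records are assumptions for the demo."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed layout: one jump host fronting a small set of OT hosts.
JUMP_HOST = "ot-jump"
JUMP_HOST_IP = "10.20.0.10"
OT_HOSTS = {"eng-ws-01", "hmi-02", "historian"}

# Matches the final "Accepted <method>" record of a successful login.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    ip: str
    reason: str


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding if the accepted login violates the jump-host policy."""
    m = LINE_RE.match(line)
    if not m:
        return None  # failed logins and unrelated records are out of scope here
    host, user, ip, method = m["host"], m["user"], m["ip"], m["method"]
    # Rule 1: OT hosts accept sessions only from the jump host address.
    if host in OT_HOSTS and ip != JUMP_HOST_IP:
        return Finding(m["ts"], host, user, ip, "OT login not via jump host")
    # Rule 2: on the jump host the completing method must be the second factor
    # (keyboard-interactive); a bare publickey/password acceptance means MFA
    # was not enforced for that session.
    if host == JUMP_HOST and not method.startswith("keyboard-interactive"):
        return Finding(m["ts"], host, user, ip, "jump-host login without second factor")
    return None


def audit(lines: Iterable[str]) -> List[Finding]:
    return [f for f in (check_line(l) for l in lines) if f is not None]


# Constructed sample: one compliant path (alice), one OT host reached directly
# with a password (operator), one jump-host login with only a key (bob), and
# a failed attempt that the audit ignores.
SAMPLE_LOG = """\
2024-11-03T02:14:07Z ot-jump sshd[4101]: Accepted keyboard-interactive/pam for alice from 10.1.5.22 port 51834 ssh2
2024-11-03T02:14:31Z eng-ws-01 sshd[612]: Accepted publickey for alice from 10.20.0.10 port 40122 ssh2: ED25519 SHA256:constructed
2024-11-03T03:02:55Z hmi-02 sshd[733]: Accepted password for operator from 10.1.7.9 port 61002 ssh2
2024-11-03T03:40:12Z ot-jump sshd[4188]: Accepted publickey for bob from 10.1.5.40 port 52210 ssh2: RSA SHA256:constructed
2024-11-03T03:41:00Z historian sshd[902]: Failed password for root from 10.1.7.9 port 61010 ssh2
"""


def demo() -> List[Finding]:
    return audit(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in demo():
        print(f"{f.ts} {f.host} user={f.user} from={f.ip}: {f.reason}")
```

The audit is a compensating check, not the control itself: the firewall rules that make the jump host the only route to the OT segment, and the sshd configuration that requires two authentication methods, are what enforce the policy. Running a check like this over the logs on a schedule is how a defender finds out when a legacy host or a "temporary" direct route has quietly undone that design.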
Hansford noted that the Department of Home Affairs has released the second edition of the Critical Infrastructure Annual Risk Review. The review addresses current and emerging risks to Australia’s critical infrastructure including cyber and information security risks.
The emerging risks he pointed to include the convergence and interconnectivity of OT, IoT, and information technology systems; the incorporation of business AI tools and a rapid increase in automation within workflows; and shortages of skilled cyber professionals and of cyber literacy, alongside the need to upskill existing cyber security personnel to meet these new technology challenges.
Lee said that emerging cybersecurity threats pose significant challenges to industrial organizations. The complexity of the threat landscape will increase as new technologies such as AI, IoT, and quantum computing expand the attack surface, making it harder for organizations to secure their systems. “The sophistication of threat adversaries has become more advanced as they have adopted advanced tactics, techniques, and procedures (TTPs), often leveraging automation and artificial intelligence to conduct precise and large-scale attacks. Malware like ‘Fuxnet’ and ‘FrostyGoop/BUSTLEBERM’ targeted ICS and OT systems, posing threats to essential services like energy, water, and heating.”
He added that emerging threats challenge organizations to rethink their cybersecurity strategies, emphasizing proactive measures such as adopting zero trust architectures, enhancing employee training, investing in advanced threat detection tools, and ensuring supply chain security. By staying informed about these threats and implementing robust defenses, organizations can significantly reduce their risk exposure in an evolving cyber landscape.
Shipulin called for keeping an eye on the expansion of AI/ML technologies: understanding their vulnerabilities and how attackers might use them, while also exploring how they can enhance security capabilities, since staying ahead in this area is essential to dealing with the risks effectively. He also suggests not overlooking the increasing volume and sophistication of attacks; improving comprehensive OT security monitoring that covers host activities, network communications, and emerging wireless technologies in industrial applications; and automating OT security incident analysis and integrating it into SOC processes to handle threats faster and more efficiently.
Lastly, Shipulin said never stop learning. “Stay updated with the changing threat landscape and the latest technologies. Continuous improvement and awareness are key to staying prepared for what’s coming!”
Cusimano identified that digital transformation programs are driving a surge in IP-connected devices in OT and are redefining the attack surface in these environments. “The ongoing deployment of connected sensors, devices, and advanced analytics into industrial processes with connectivity to cloud-based analytics necessitates revisiting risk assessments. Technologies enabling IP (e.g., Ethernet-APL) over traditional 4–20 mA circuits offer exciting possibilities but introduce new vulnerabilities at Level 0 of the Purdue Model that must be accounted for,” he concluded.