Is Threat Modeling the Answer to OT Security?

  • 4 September 2023
  • 4 replies
  • Anonymous

Threat modeling, from its very inception, was envisioned as a solution to information technology (IT) threats. After all, IT is where the data is, and data is nominally the fastest and surest path to a ransom for bad actors.

Sometimes, though, bad actors want something other than money. They want to disrupt (at best) or bring down (at worst) an organization. That can certainly be done by attacking a company's data, but for some companies it can also be done by attacking their operations.


The OT Security Problem


What is OT? From RedHat, “OT, or operational technology, is the practice of using hardware and software to control industrial equipment, and it primarily interacts with the physical world. OT includes industrial control systems (ICSs) like programmable logic controllers (PLCs), distributed control systems (DCSs), and supervisory control and data acquisition (SCADA) systems.”


What is the OT security problem? Legacy OT hardware and software were never designed to defend themselves against threats once thought to affect only IT, and that leaves the OT world extremely vulnerable. How vulnerable?


OT security company Waterfall Security Solutions counted 57 cyberattacks in 2022 that caused physical consequences at industrial sites, out of 218 incidents it reviewed. That is a 140 percent increase over the previous year, with more than 150 industrial operations affected. According to the company's projections, if this growth rate continues there could be up to 15,000 industrial sites shut down by cyberattacks within the next five years. That's how vulnerable.


And not just any operations, but the operations of critical infrastructure: dams, power generation stations, water treatment plants. If you think losing data is bad, try going without water and electricity for a while. And since the cost of prior breaches has ranged from $10 million to $300 million, no expense should be spared to harden OT. What are the options?


The OT Security Solution?


Where do we look for solutions to the OT security problem? Best practices. There are plenty out there, but the set that seems most representative comes from SCADAfence:


  1. Automatic discovery and full visibility and management of OT asset inventory

  2. Proactive actionable warnings regarding risks and vulnerabilities in the OT network

  3. Network mapping and connectivity analysis

  4. Detection of suspicious activities, exposures, and malware attacks

  5. Full, deep-packet analysis of the network & industrial equipment activities


If you’re at all familiar with threat modeling, you’ll recognize that the first three items in the list above are essentially the three main pillars of modern threat modeling: discover assets automatically, map their connectivity, and proactively mitigate the vulnerabilities that the map exposes.
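Those three pillars, written out as code: the following is an added example, not code from the original post or from any vendor's product. It takes a constructed asset inventory and a constructed list of observed network flows (device names, zones, ports and protocols are all invented sample data), reports endpoints seen on the wire that the inventory does not know, builds a connectivity graph, enumerates every path from the corporate zone to a controller, and for each finding names the hop into the control zone that should be restricted. A legacy controller that cannot be patched is rated high, because restricting the conduit is then the only mitigation left.

```python
"""Added example: a minimal OT threat model as code (inventory -> connectivity
map -> exposure findings). All assets, zones and flows are constructed sample
data for a hypothetical plant, not a real network."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Asset:
    name: str
    zone: str             # "corporate", "dmz" or "control"
    kind: str             # "workstation", "historian", "hmi", "plc"
    legacy: bool = False  # vendor-unsupported firmware: cannot be patched

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str            # application protocol observed on the wire

# Constructed inventory (hypothetical device names).
ASSETS: Dict[str, Asset] = {a.name: a for a in [
    Asset("corp-laptop-17", "corporate", "workstation"),
    Asset("historian-01", "dmz", "historian"),
    Asset("eng-ws-02", "control", "workstation"),
    Asset("hmi-line1", "control", "hmi"),
    Asset("plc-line1", "control", "plc", legacy=True),
    Asset("plc-line2", "control", "plc"),
]}

# Constructed flows, as a firewall log or passive sensor might export them.
# The last entry is a device polling a PLC that the inventory does not know.
FLOWS: List[Flow] = [
    Flow("corp-laptop-17", "historian-01", 443, "https"),
    Flow("corp-laptop-17", "eng-ws-02", 3389, "rdp"),
    Flow("historian-01", "plc-line1", 502, "modbus"),
    Flow("eng-ws-02", "plc-line1", 502, "modbus"),
    Flow("eng-ws-02", "plc-line2", 502, "modbus"),
    Flow("hmi-line1", "plc-line1", 502, "modbus"),
    Flow("hmi-line1", "plc-line2", 502, "modbus"),
    Flow("10.20.1.77", "plc-line2", 502, "modbus"),
]

def inventory_gaps(assets, flows) -> List[str]:
    """Pillar 1 (discovery): endpoints seen on the wire but absent from the inventory."""
    seen = {f.src for f in flows} | {f.dst for f in flows}
    return sorted(seen - set(assets))

def build_graph(flows) -> Dict[str, List[Flow]]:
    """Pillar 2 (connectivity): directed graph, src -> flows leaving it."""
    graph: Dict[str, List[Flow]] = {}
    for f in flows:
        graph.setdefault(f.src, []).append(f)
    return graph

def simple_paths(graph, src, dst) -> List[List[Flow]]:
    """Every loop-free path from src to dst as a list of Flow hops (depth-first)."""
    found: List[List[Flow]] = []
    def walk(node, visited, path):
        if node == dst:
            found.append(list(path))
            return
        for f in graph.get(node, []):
            if f.dst not in visited:
                visited.add(f.dst)
                path.append(f)
                walk(f.dst, visited, path)
                path.pop()
                visited.discard(f.dst)
    walk(src, {src}, [])
    return found

def exposures(assets, flows) -> List[dict]:
    """Pillar 3 (mitigation): controllers the corporate zone can reach, by which
    paths, and which hop into the control zone to restrict. A legacy controller
    cannot be patched, so cutting the conduit is the only fix: rated high."""
    graph = build_graph(flows)
    zone = lambda n: assets[n].zone if n in assets else "unknown"
    findings = []
    for plc in [a for a in assets.values() if a.kind == "plc"]:
        for origin in [a for a in assets.values() if a.zone == "corporate"]:
            paths = simple_paths(graph, origin.name, plc.name)
            if not paths:
                continue
            conduits = {(f.src, f.dst, f.port) for p in paths for f in p
                        if zone(f.src) != "control" and zone(f.dst) == "control"}
            findings.append({
                "asset": plc.name, "from": origin.name,
                "severity": "high" if plc.legacy else "medium",
                "paths": [" -> ".join([p[0].src] + [f.dst for f in p]) for p in paths],
                "mitigate": sorted(conduits),
            })
    return findings

if __name__ == "__main__":
    print("undiscovered assets:", inventory_gaps(ASSETS, FLOWS))
    for fnd in exposures(ASSETS, FLOWS):
        print(fnd["severity"].upper(), fnd["asset"], "via", fnd["paths"])
        print("   restrict:", fnd["mitigate"])
```

On the sample data the model flags the legacy PLC as reachable from a corporate laptop by two routes (through the DMZ historian's Modbus polling and through RDP to the engineering workstation), and names both crossings into the control zone as the conduits to restrict. Two caveats a practitioner should keep in mind: the model is only as good as the flow data feeding it, which is why items 4 and 5 in the list (passive detection and deep-packet inspection) matter to the first three; and a flow export from one firewall will not see serial links, dual-homed hosts or vendor remote-access tunnels, so those have to be added to the inventory by hand.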


So, the answer to the question posed in the title is yes. At least part of the solution to OT security, especially for legacy systems, is threat modeling.


If you are intimidated by the thought of threat modeling your OT infrastructure, or think it requires some hard-to-find security expertise, think again. ThreatModeler was designed from the beginning to be a self-service tool which does not require any special security experience. It is true one-click threat modeling for many use cases, including locking down your operations.


4 replies

Userlevel 4
Badge +2

Threat modeling should be added to the list of best practices to protect OT security. 

Userlevel 4
Badge +2


You know, keeping our digital stuff safe is a big deal, but nowadays, it's not just about data. It's about protecting the machines and systems that run the physical world too. And guess what? Bad actors are targeting those too. So, we've got this thing called threat modeling, which helps us figure out how to stay safe. It's not just about protecting data; it's about safeguarding the stuff that makes our world run, like power plants and water treatment plants. So, if you're wondering if threat modeling can help with this OT (operational technology) security problem, the answer is a definite yes. It's like the bridge between our digital and real worlds to keep things running smoothly and safely.

Threat modeling MUST be a necessary practice, not just for OT security, but from the first step of SDLC to the last product of an organization. 

Userlevel 2
Badge +3

As attacks on OT infrastructure become more prevalent, I imagine that Threat Modeling for regulatory compliance will become obligatory. Just a matter of time before a critical piece of infrastructure is compromised causing untold damage. I just hope that enough mitigations are in place to minimize the impact of such an attack.