Today, industrial control systems operators view real-time telemetry on the status of hundreds, if not thousands, of their devices, regardless of their geographical dispersion. A few years ago, such visibility required traveling to each factory floor or on-site location. Today, cloud-connected sensors and cloud monitoring and management systems provide operators with instant insights into everything from temperature fluctuations to production mishaps and potential security vulnerabilities.
This integration of cloud technologies into operational technology (OT) environments represents one of the most significant shifts in industrial systems management and security. The SANS 2024 ICS/OT Survey found that 26% of organizations now use cloud technologies in some part of their OT/ICS environment. That's up 15% from previous years. Still, the same survey found that 45% of OT/ICS organizations are avoiding cloud adoption due to concerns centered on reliability and security.
Practical operational demands and accelerating digital transformation are the primary drivers pushing organizations toward OT and cloud convergence. Cloud-based management tools provide more robust remote monitoring capabilities, enhanced data analytics, and centralized control that traditional OT environments cannot match. However, along with this unprecedented remote access comes a rise in security challenges.
This transformation affects nearly all aspects of OT security. However, it particularly affects vulnerability management in ways that are both beneficial and detrimental and in challenging ways that many organizations are still learning to navigate.
Many industrial control systems were engineered decades ago with reliability and uptime in mind, not security. They often run on proprietary protocols and lack the basic protections taken for granted in IT—encryption, modern authentication, or even the ability to patch without taking critical operations offline. When connecting these legacy systems to the cloud, fragile and often mission-critical systems are exposed to new threats that can traverse both the cloud and the plant floor.
Unlike traditional IT systems, where vulnerable systems can be easily replaced and upgraded, legacy systems are often here to stay in OT environments for the long haul.
"When you spend 20-plus million dollars on the equipment that you're using to run your assembly line, you're not going to update that anytime soon," explains Nicholas Carroll, cyber incident response manager at cybersecurity and intelligence provider Nightwing. "You're going to find the same with expensive medical equipment and many OT devices in most environments," Carroll says.
Still, there are benefits derived for OT management teams from incorporating cloud-based monitoring and management capabilities in their environment. By centralizing data collection and analysis, cloud platforms provide real-time visibility across distributed OT assets, enabling the quick identification of vulnerabilities, risk prioritization, and coordination of remediation efforts from a single dashboard. This centralization enhances asset discovery, vulnerability mapping, and incident response, all of which are critical for reducing the attack surface of complex industrial networks. Cloud-based systems can also scale to handle the vast amount of data generated by modern OT and IoT devices, providing actionable intelligence and historical analytics that support proactive vulnerability management and even assist in predictive maintenance efforts.
However, integrating cloud systems with legacy OT infrastructure adds notable complexity, as aging OT equipment running proprietary protocols makes integration with cloud platforms challenging and sometimes risky.
The disparity in development cycles—where cloud applications are updated frequently while OT systems are updated infrequently—can create synchronization and compatibility issues, increasing the risk of operational disruptions.
The reliance on third-party cloud infrastructure also raises concerns about data security, control, and reliability, particularly for critical functions that require high availability and minimal latency. Security teams must also navigate the intricacies of encrypted OT traffic, access controls, and compliance requirements, all while ensuring that cloud-based monitoring does not inadvertently expose sensitive systems to new attack vectors or operational risks.
Additionally, traditional vulnerability management tools aren't built for OT's unique protocols and can disrupt operations if scans to identify vulnerable devices are conducted carelessly. Many OT devices lack the necessary horsepower to run endpoint security agents, potentially leaving them vulnerable to attacks for months or years. Because cloud platforms often bridge IT and OT networks, attackers who manage to compromise cloud credentials could gain remote access to industrial controls, opening the door to sabotage or ransomware.
Patching can also cause more downtime in OT environments than in IT settings. Whereas traditional IT environments might tolerate brief downtime for patching, OT systems often cannot afford any interruption at all.
The result: persistent, hard-to-close gaps.
To effectively manage vulnerabilities in OT environments that are leveraging cloud infrastructure, organizations must adopt strategies that balance operational continuity with robust security. That includes prioritizing based on an OT-specific risk context and the integration of cloud and OT asset inventories, which ensures visibility across hybrid environments, enabling precise mapping of vulnerabilities to critical infrastructure components. Experts also advise continuous, agentless monitoring tailored for OT constraints—such as legacy systems and uptime requirements—to help detect misconfigurations or unpatched software without disrupting operations. When patching isn't feasible, experts recommend network segmentation and access controls to reduce exposure risks.
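As an added illustration of the strategy described above (joining the cloud platform's asset view with the on-site OT register, then ranking findings by OT-specific risk context rather than raw severity), here is example code written for this page; it is not a tool from the article or any vendor, and the asset names, weights and finding ids are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset_id: str
    finding_id: str
    severity: float   # 0-10 as reported by the scanner/cloud platform
    score: float      # OT-contextualised priority score
    action: str       # recommended remediation path

# Assumed exposure weights (not from the article): a device the cloud management
# plane can reach directly carries the most risk, since compromised cloud
# credentials would give remote access to it; segmentation lowers that weight.
def exposure_factor(cloud_reachable: bool, segmented: bool) -> float:
    if not cloud_reachable:
        return 1.0
    return 1.2 if segmented else 2.0

def prioritize(ot_register: dict, cloud_platform: dict) -> tuple:
    """Join both inventories on asset_id and rank findings by OT context.
    ot_register:    asset_id -> {"criticality": 1..5, "patchable_online": bool, "segmented": bool}
    cloud_platform: asset_id -> {"cloud_reachable": bool, "findings": [(finding_id, severity), ...]}
    Returns (ranked findings, asset ids seen in only one inventory = visibility gaps)."""
    gaps = sorted(set(ot_register) ^ set(cloud_platform))
    ranked = []
    for asset_id in ot_register.keys() & cloud_platform.keys():
        ot, cloud = ot_register[asset_id], cloud_platform[asset_id]
        factor = exposure_factor(cloud["cloud_reachable"], ot["segmented"])
        for finding_id, severity in cloud["findings"]:
            score = round(severity * ot["criticality"] * factor, 1)
            if ot["patchable_online"]:
                action = "patch now"
            elif ot["segmented"]:
                action = "patch at next maintenance window"
            else:  # cannot patch without downtime and no zone boundary: compensate first
                action = "segment + restrict access, then patch at maintenance window"
            ranked.append(Finding(asset_id, finding_id, severity, score, action))
    ranked.sort(key=lambda f: f.score, reverse=True)
    return ranked, gaps

# Constructed sample inventories (placeholders, not real devices or CVEs).
OT_REGISTER = {
    "plc-line1":   {"criticality": 5, "patchable_online": False, "segmented": False},
    "hmi-line1":   {"criticality": 3, "patchable_online": True,  "segmented": True},
    "sensor-gw":   {"criticality": 2, "patchable_online": False, "segmented": True},
    "chiller-ctl": {"criticality": 4, "patchable_online": False, "segmented": True},  # unknown to cloud
}
CLOUD_PLATFORM = {
    "plc-line1":  {"cloud_reachable": True,  "findings": [("VULN-A", 6.5)]},
    "hmi-line1":  {"cloud_reachable": True,  "findings": [("VULN-B", 9.8)]},
    "sensor-gw":  {"cloud_reachable": False, "findings": [("VULN-C", 7.0)]},
    "edge-vm-01": {"cloud_reachable": True,  "findings": []},  # unknown to OT register
}

if __name__ == "__main__":
    ranked, gaps = prioritize(OT_REGISTER, CLOUD_PLATFORM)
    for f in ranked:
        print(f"{f.score:6.1f} {f.asset_id:12} {f.finding_id} sev={f.severity} -> {f.action}")
    print("inventory gaps (seen in only one system):", gaps)
```

Note that the 6.5-severity finding on the unsegmented, cloud-reachable PLC outranks the 9.8-severity finding on the segmented HMI, and that assets present in only one inventory surface as visibility gaps rather than silently dropping out.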
Finally, by turning to "OT-enriched threat intelligence," security teams can better "contextualize" how attackers are attempting to exploit systems using attack patterns common against industrial systems, and they can ensure remediation efforts align with such active threats. Nigel Gibbons, director and senior adviser of global cloud security services at NCC Group, says enterprises need to ensure that the advancement of cloud systems into their OT/ICS environments aligns with their organization's risk tolerance.
"It's having a proper appreciation of what your true risks are and then driving those risks down by prioritizing the actions that will drive down that risk to within acceptable bounds," he says.
Both Gaeta and Gibbons advise organizations to ensure they have a sturdy grip on the essentials. Both recommend the SANS Five ICS Cybersecurity Critical Controls, which consist of an ICS-specific incident response plan, a defensible architecture, ICS visibility and monitoring, secure remote access, and risk-based vulnerability management.
Both also agree that many organizations have struggled with these basics for some time, but must focus on establishing the necessary vulnerability management practices that include these five controls.
Gaeta hopes that the patching processes associated with vulnerability management will eventually mature to integrate more tightly into standard OT maintenance procedures. "I think about computerized maintenance management systems—that's what helps OT in production work so well. Why isn't patching part of that annual maintenance plan?"
Great question. Still, technological improvements won't solve all of today's OT vulnerability management challenges. "It's going to be a combination of people, process, and tools to build a successful OT cybersecurity program," says Gaeta. "It's not going to happen overnight," he adds.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.