The Value of OT Endpoint Security

Strengthen OT security with endpoint protection. Gain crucial visibility, identify vulnerabilities, and reduce cyber risks.


American Water, the largest publicly traded water and wastewater utility in the United States, experienced a critical cybersecurity incident in late 2024. While the attack didn’t affect their operations or water quality, American Water temporarily shut down its customer billing platform—affecting more than 14 million people in 14 states.

This incident highlighted the critical need for strong cybersecurity measures across all aspects of critical infrastructure. With downtime, safety hazards, and financial impact at stake, OT security practitioners must think beyond network security and reevaluate their Operational Technology Security Management (OTSM) efforts.

This post dives into one of the most overlooked components of a robust OT security strategy—endpoint security. Read this post to understand endpoint security, how it fits within a holistic approach, success stories, and how to get started.

What is Endpoint Security?

Endpoint security helps protect individual devices and systems within the OT network from cyber threats. Essentially, it’s like having a security guard for every device in your plant, factory, or facility.

A few ways endpoint security protects these devices from cyberattacks include:

  • Monitoring devices for unusual behavior
  • Controlling which software can run
  • Keeping software up to date

Limitations of Perimeter-Focused Security in OT

Perimeter-focused security is like an M&M: a hard shell around a soft center. Once attackers crack the shell, they can reach a system's critical data and components unimpeded. Here are a few examples of how attacks can get past the perimeter:

  • Phishing: An employee receives an email that appears to come from a legitimate vendor and offers a critical software update for their OT equipment. If the employee acts on the email, they unintentionally install malware on their device, giving attackers a foothold in the OT network.
  • Supply chain attacks: A manufacturing plant purchases industrial control systems and programmable logic controllers from a compromised supplier. The malicious firmware shipped with that equipment then compromises the plant's systems.
  • Insider threats: An engineer at a wastewater facility accidentally downloads malware onto their work computer while browsing personal websites, inadvertently introducing it to the OT network.

Endpoint Management vs. Perimeter Security

The unfortunate reality is that many organizations have not taken a robust cybersecurity approach to managing endpoints within OT environments. Instead, they prioritize perimeter or network-based security tactics, which inspect traffic crossing the network boundary and leave endpoint configuration unaddressed, so the endpoints themselves remain vulnerable to attack.

That’s why having layered security is key. Multiple protective layers make it difficult for attackers to reach your organization’s critical data and access your critical infrastructure.

Monitoring Tools vs. Endpoint Security

Many rush to embrace passive anomaly detection tools for OT security because of their ability to monitor inside the network by listening to the day-to-day traffic between operational assets. This approach relies on observing endpoint behavior only after a risk has already materialized. By then, it’s usually too late, because something dangerous is already happening on your network. Monitoring tools do not reduce risk on the endpoints themselves, which is where security needs the most improvement.

The good news is that OT-safe endpoint management solutions significantly reduce your attack surface and help protect the very targets of malware, hackers, and other cyber-related risks. But to benefit from them, we need to change our mindset.

OT Security Management: A Holistic Approach

OT security management provides a holistic view of your organization’s OT assets, systems, and networks. A comprehensive OT security strategy requires a multi-layered approach to protect the infrastructure. Let’s dive into the other layers that make up the whole:

  • Network segmentation isolates critical systems and networks to limit the impact of potential cyberattacks through firewalls, virtual local area networks (VLANs), and air gaps.
  • Vulnerability management identifies threats through assessments like penetration testing and reduces them through patching and software updates.
  • Security policies outline OT security efforts for the organization regarding best practices, acceptable use, and access control.
  • Incident response plans guide organizations on effectively handling cyberattacks, with outlined procedures for detection and response through strategies like containment, eradication, and recovery.

Endpoint security is integral to OT security management since it helps protect industrial control systems and programmable logic controllers from malware and other cyber threats. The ways endpoint security addresses threats include antivirus software, intrusion detection systems (IDS), and firewalls.

Why Endpoint Protection is Crucial for OT Security Management

Endpoint protection is a cornerstone of OT security management. Securing individual devices within your OT environment significantly reduces the attack surface and improves overall defenses.

There are several ways endpoint protection can reduce the attack surface:

  • Regular patching: Promptly applying security updates and patches eliminates known vulnerabilities exploited by malware.
  • Application allowlisting: Restricting the execution of unauthorized software helps prevent the introduction of malicious code.
  • Device control: Controlling access to removable media (USB drives, etc.) and other external devices minimizes the risk of introducing malware.
  • Hardening system configurations: Implementing secure default configurations and turning off unnecessary services reduces the potential for exploitation.

Reducing the Attack Surface in OT Environments

Too many OT owners and operators shy away from using agents on endpoints. But here’s the thing—we can significantly reduce our risk profile by connecting directly to those endpoints to patch, tune (where patching can’t be done), and generally track and manage those endpoints.

By adopting this type of robust endpoint management solution, OT security practitioners significantly reduce risk and save considerable time and money. In fact, a recent post-project analysis showed that a large pharmaceutical corporation was on track to save over $600K in labor on their security efforts while doubling the efficacy of their security maturity.

The promise of this approach lies in the willingness to stretch our status quo to include agents and agentless profiling on the target assets. We need to embrace automation of asset inventory and creatively apply compensating controls in the absence of patching. We also need to leverage corporate HQ or even leased cloud visibility to extend scarce skilled resources to a broader scope of industrial assets. By taking this asset-centric approach, OT context is driven into our day-to-day decisions and accurately directs our risk reduction efforts to those assets that need it most.

Here are a few recommended best practices for reducing the attack surfaces in OT environments:

  • Implement a layered defense strategy: Combine endpoint protection with security measures like firewalls, intrusion detection systems, and network segmentation.
  • Conduct regular security assessments: Continuously evaluate the effectiveness of your endpoint security measures and identify areas for improvement.
  • Stay informed about the latest threats: Keep up-to-date on attack vectors and vulnerabilities to help your defenses remain effective.

By prioritizing endpoint protection and adopting a comprehensive approach to OT security, organizations can significantly reduce their cyberattack risk and maintain their operations' safety and reliability.

OT Endpoint Security in Action: Success Stories

A real-world example of endpoint security is a pharmaceutical company that significantly improved its cybersecurity posture by prioritizing endpoint management. By gaining asset-specific visibility and control, they uncovered critical vulnerabilities that could have led to a major cyberattack.

Endpoint management helped them:

  • Discover hundreds of assets not patched for critical vulnerabilities like NotPetya and WannaCry.
  • Identify over 100 PLCs with firmware revisions containing known exploits.
  • Reduce their overall cyber risk by half within two weeks.
  • Achieve a nearly two-thirds reduction in real risk (impact of critical vulnerabilities on high-impact assets).

By prioritizing endpoint management, the company identified and addressed these critical risks before they were exploited. This proactive approach significantly improved their security and helped prevent a potentially devastating cyber event.

Example: Top Energy Company

A top five oil and gas producer in North America enlisted our help securing their wide range of ICS and DCS vendor systems. Senior leadership realized how vulnerable they were, and they needed a vendor-agnostic solution to help them:

  • Gain more visibility into their OT environment
  • Manage their diverse vendor systems
  • Implement policies and procedures with limited personnel

Through a comprehensive 360-assessment and a “Think Global: Act Local” approach, the energy company significantly benefited from endpoint security by:

  • Gaining deep visibility into their OT environment
  • Identifying and mitigating vulnerabilities
  • Enabling rapid response to threats

This enhanced visibility and automated remediation capabilities improved their overall security posture, reduced operational risks, and strengthened their defenses against cyberattacks.

Getting Started With Endpoint Protection in OT Environments

The job of the OT security defender is to minimize disruptions in frequency, duration, and impact, and the only way to do that is to minimize the attack surface across all your assets.

Simply stated, you need to lock down your OT systems to least privilege, patch them as often as possible, add best-in-class cybersecurity tools like antivirus and allowlisting, and include a backup plan.

You should accompany these actions with standard security processes such as user/account management, monitoring, and detection. These five steps will guide you through initial assessment to ongoing management.

  1. Create an asset inventory and identify the vulnerabilities and security gaps.
  2. Develop a protection strategy that prioritizes critical systems.
  3. Deploy the strategy into these environments. Complete this in phases to minimize disruptions.
  4. Consistently manage these critical assets to help keep your defenses up-to-date and effective.
  5. Train your employees and personnel on best practices so they can spot suspicious activity.
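Steps 1 and 2 above (inventory the assets, then prioritize the critical systems) and the asset-centric approach described earlier both come down to scoring each endpoint by the impact it carries and the critical vulnerabilities still open on it. The following is an added example, not Rockwell Automation's code: it scores a constructed inventory, reports "real risk" in the sense the success story uses it (critical vulnerabilities on high-impact assets), and credits compensating controls where a device cannot be patched. The schema, the 1..5 impact scale and the exposure multipliers are assumptions for illustration.

```python
from dataclasses import dataclass, replace
from typing import Iterable

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str            # e.g. "PLC", "HMI", "EWS" (engineering workstation)
    impact: int          # 1..5 process impact if the asset is lost (assumed scale)
    critical_vulns: int  # known critical vulnerabilities at this firmware/OS level
    patched: bool = False       # current patch level closes those vulnerabilities
    compensating: bool = False  # controls applied where patching is not possible

# Assumed multipliers, not a standard: a patch closes the exposure; a compensating
# control (allowlisting, device control, hardening) is credited with halving it.
def exposure(a: Asset) -> float:
    if a.patched:
        return 0.0
    return 0.5 if a.compensating else 1.0

def asset_risk(a: Asset) -> float:
    return a.impact * a.critical_vulns * exposure(a)

def total_risk(inventory: Iterable[Asset]) -> float:
    return sum(asset_risk(a) for a in inventory)

def real_risk(inventory: Iterable[Asset], high_impact: int = 4) -> float:
    """Critical vulnerabilities weighted on high-impact assets only."""
    return sum(asset_risk(a) for a in inventory if a.impact >= high_impact)

def prioritize(inventory: Iterable[Asset]) -> list[str]:
    """Work list for the protection strategy: highest risk first, ties by impact."""
    return [a.name for a in sorted(inventory, key=lambda a: (-asset_risk(a), -a.impact, a.name))]

def apply_plan(inventory: Iterable[Asset], patch: set[str], compensate: set[str]) -> list[Asset]:
    """Phase of the rollout: patch what can be patched, compensate elsewhere."""
    return [replace(a, patched=a.patched or a.name in patch,
                    compensating=a.compensating or a.name in compensate) for a in inventory]

def reduction(before: float, after: float) -> float:
    return 0.0 if before == 0 else 1 - after / before

# Constructed sample inventory; names and counts are made up for the example.
INVENTORY = [
    Asset("PLC-Line1", "PLC", 5, 2),
    Asset("HMI-Line1", "HMI", 4, 3),
    Asset("EWS-01", "EWS", 3, 3),
    Asset("Historian", "Server", 4, 1, patched=True),
    Asset("PLC-Utility", "PLC", 2, 2),
]

if __name__ == "__main__":
    print(prioritize(INVENTORY))
    after = apply_plan(INVENTORY, patch={"HMI-Line1", "EWS-01"}, compensate={"PLC-Line1"})
    print(f"total risk reduced {reduction(total_risk(INVENTORY), total_risk(after)):.0%}")
```

The PLC on Line 1 stays on the work list after the plan because a compensating control only halves its exposure; that is the kind of asset the "tune where patching can't be done" advice is aimed at.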

Patching and Hardening OT Endpoints

New technology is exciting and intriguing, but we must be realistic in knowing the OT cyber world has significant technical debt from many years of failing to patch and harden endpoints.

The only way to adequately protect our assets is to address them directly. Managing endpoints directly surfaces system-level details such as installed software, running services, and account privileges, which lets you lock each device down to least privilege and remove unwanted or unnecessary software, so your weakest link gets considerably stronger. The more you protect OT assets this way, the less likely you will be to have a significant outage or impact.

Conclusion

Endpoint security is a critical element of a holistic OT Security Management plan. By securing individual devices within your OT environment, you can significantly reduce the attack surface and improve overall defenses.

Bolster your defenses by thoroughly assessing your current endpoint security posture, identifying vulnerabilities, and implementing appropriate countermeasures.

Published February 13, 2025

Topics: Build Resilience Cybersecurity
