Jorge Rubio

Senior Telecommunications Engineer from the University Carlos III of Madrid. Cybersecurity specialist in industrial environments (OT/ICS) at Telefónica Tech. Passionate about new technologies that help us improve people's daily lives.

Cyber Security
From paper to practice: how to build an effective OT cybersecurity roadmap
This article is part of the series "Evolving OT Cyber Security: from diagnostics to risk anticipation", where we explore how to turn assessments and evaluations into concrete actions. In the previous article, we discussed the importance of a thorough assessment of the current OT cyber security landscape before defining a strategic roadmap aligned with the organisation's actual business risks. In this new article, we focus on how to turn recommendations and findings into a realistic and effective action plan, outlining the steps to design and deploy an OT cyber security roadmap that addresses the real-world challenges of industrial environments.

______

Industrial environments are becoming increasingly connected to external networks, making OT (Operational Technology) cyber security a strategic priority. As systems become more interconnected, threats evolve and risks multiply. This is why organisations must tackle the challenge of moving from paper to practice, translating recommendations from reports, diagnostics and evaluations into actionable plans.

Through Telefónica Tech's services, we help clients define a cyber security roadmap for industrial environments that aligns with frameworks such as ISA/IEC 62443 and NIST CSF, while remaining realistic about the time and cost required to implement each action.

Why build a roadmap?

A roadmap should not be seen as a simple to-do list, but as a strategic tool with actionable plans aligned with the organisation's actual business risks. Based on our experience with dozens of clients, a well-structured roadmap serves as the bridge between technical analysis and real transformation, leading to a stronger OT cyber security posture.

Before creating the roadmap, a cyber security assessment of the industrial environment is required, covering at least the following key areas:

- Inventory of industrial assets, including detailed information (firmware, patches, EoL/EoS).
- OT traffic analysis to identify vulnerabilities, insecure protocols, attack vectors and connectivity issues.
- Assessment of existing controls, including authentication, usage control, system integrity, communication flows and availability.

Based on this data, a draft roadmap can be created, prioritising corrective and preventive actions according to criteria such as impact, cost, implementation time and cost-benefit ratio. This enables measurable milestones to be set and solutions to be adapted to the specific operational context of each facility.

Ultimately, a roadmap must not be a generic document, but one that is clear, measurable and tailored to the needs of each industrial environment. That is key to improving OT cyber security.

Key phases for designing an OT roadmap

Step 1: Technical assessment as a starting point

It all starts with a rigorous evaluation of the current situation at the facility. This involves:

- reviewing all available documentation on network architecture (Purdue model), inventories of network equipment and OT devices, physical layouts, policies and operational procedures;
- conducting meetings and technical interviews with the teams operating industrial systems to understand processes and specific configurations; and
- assessing the security controls already in place.

It is also highly recommended to capture network traffic at multiple points across the industrial environment to identify critical assets and existing gaps.

Step 2: Using regulatory frameworks as guidance

To build a meaningful OT roadmap, it must be based on regulatory frameworks that act as a compass. We rely on the following, which complement each other:

- ISA/IEC 62443 helps define security levels (SL), network segmentation, protection of industrial devices like PLCs, and specific controls by zone and asset type.
- NIST CSF structures the entire risk management lifecycle (identify, protect, detect, respond and recover), supporting the creation of policies, procedures, exercises and continuity plans.
- NIS2 adds the EU legal layer for incident reporting, executive involvement, supplier security control and governance.

Step 3: Risk-based action prioritisation

Actions must be prioritised based on the business risk associated with each industrial asset. Not all vulnerabilities carry the same impact: it depends on the function of the affected asset. In addition, quick wins are identified: quick and easy actions that deliver a high return on investment in OT cyber security.

Step 4: Building the roadmap

The roadmap can be structured into two major categories, each with examples of potential actions:

- Technical initiatives: network segmentation, deployment of industrial firewalls, OT probes for monitoring, industrial endpoint protection, vulnerability management, regular scanning, remote access control, backup and restoration processes, etc.
- Organisational initiatives: policy and procedure development, training and awareness programmes, role and responsibility definition, incident response exercises, internal audits, and more.

Each initiative must be assigned an owner, a deadline, a related regulatory framework (ISA/IEC 62443, NIST or NIS2) and, of course, KPIs to track progress.

Ideally, collaborative tools should be used to build the roadmap and facilitate coordination across all involved departments. It should be a joint effort between OT, IT, security, operations, maintenance and management. Without alignment, the plan will remain just another document.

Step 5: Validation and ongoing monitoring

A roadmap should not be static. It must be dynamic and subject to periodic validation to reflect newly identified risks, implemented corrective actions, or changes to industrial systems. Progress should be monitored through metrics that clearly show how each action is evolving. This allows for the early detection of deviations and helps reprioritise actions in response to changes in the industrial environment and emerging cyber threats.

From PowerPoint to execution

We've supported clients across sectors like paper manufacturing, food production and transportation in designing and executing OT roadmaps, significantly improving their industrial cyber security posture. This ranges from defining secure network architectures and deploying advanced monitoring solutions to training technical and operational teams, implementing OT network segmentation, ensuring secure remote access and protecting industrial endpoints.

It is possible to build a robust and realistic OT cyber security roadmap, but doing so requires a shared methodology, regulatory expertise, business insight and strong commitment from those responsible for implementation. ■

Are you ready to move from paper to practice?
November 5, 2025
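As an added illustration of Steps 3 and 4 of the roadmap above (this is not Telefónica Tech's methodology or code), the following Python scores a constructed set of initiatives by impact, cost and implementation time, singles out quick wins, and checks that every initiative carries the owner, deadline, framework reference and KPI the text requires. The scoring weights, quick-win thresholds, initiative names, dates and framework references are all assumptions made for the example.

```python
"""Risk-based prioritisation of OT roadmap initiatives.

Added example, not Telefónica Tech's methodology. Scoring weights, thresholds,
initiatives, owners, dates and framework references are constructed assumptions.
"""
from dataclasses import dataclass

# Step 4: every initiative needs these four attributes before it goes on the roadmap
REQUIRED_FIELDS = ("owner", "deadline", "framework", "kpi")


@dataclass
class Initiative:
    name: str
    category: str        # "technical" or "organisational"
    impact: int          # 1..5, business-risk reduction for the affected assets
    cost: int            # 1..5, relative cost
    effort_weeks: int    # implementation time
    owner: str = ""
    deadline: str = ""   # ISO date
    framework: str = ""  # ISA/IEC 62443, NIST CSF or NIS2 reference
    kpi: str = ""


def cost_benefit(i: Initiative) -> float:
    """Risk reduction per unit of cost and calendar time (weights are assumptions)."""
    return round(10 * i.impact / (i.cost + i.effort_weeks / 4), 2)


def is_quick_win(i: Initiative, max_cost: int = 2, max_weeks: int = 4, min_impact: int = 3) -> bool:
    """Cheap, fast and still impactful (thresholds are assumptions)."""
    return i.cost <= max_cost and i.effort_weeks <= max_weeks and i.impact >= min_impact


def missing_fields(i: Initiative) -> list[str]:
    """Step 4 completeness check: which required attributes are still empty."""
    return [f for f in REQUIRED_FIELDS if not getattr(i, f)]


def prioritise(initiatives: list[Initiative]) -> list[Initiative]:
    """Quick wins first, then descending cost-benefit score."""
    return sorted(initiatives, key=lambda i: (not is_quick_win(i), -cost_benefit(i)))


def roadmap_report(initiatives: list[Initiative]) -> list[dict]:
    """One row per initiative in execution order, with score, quick-win flag and gaps."""
    return [
        {"rank": rank, "name": i.name, "category": i.category, "score": cost_benefit(i),
         "quick_win": is_quick_win(i), "missing": missing_fields(i)}
        for rank, i in enumerate(prioritise(initiatives), start=1)
    ]


# Constructed initiatives; the monitoring probe deliberately has no owner yet.
SAMPLE = [
    Initiative("IT/OT segmentation with industrial firewall", "technical", 5, 4, 16,
               owner="OT network lead", deadline="2026-06-30",
               framework="ISA/IEC 62443 zones and conduits", kpi="% of control-zone flows passing a conduit"),
    Initiative("Replace default PLC and HMI credentials", "technical", 4, 1, 2,
               owner="Maintenance lead", deadline="2025-12-15",
               framework="ISA/IEC 62443 (authenticator management)", kpi="assets still using vendor defaults"),
    Initiative("Deploy OT monitoring probe", "technical", 4, 3, 8,
               deadline="2026-03-31", framework="NIST CSF Detect", kpi="% of OT segments monitored"),
    Initiative("Incident response tabletop exercise", "organisational", 3, 1, 3,
               owner="CISO office", deadline="2026-01-31",
               framework="NIS2 incident reporting", kpi="exercises held per year"),
    Initiative("OT backup and restore procedure", "organisational", 4, 2, 6,
               owner="Operations", deadline="2026-02-28",
               framework="NIST CSF Recover", kpi="% of PLC projects with a tested restore"),
]

if __name__ == "__main__":
    for row in roadmap_report(SAMPLE):
        flag = "quick win" if row["quick_win"] else ""
        gap = f"MISSING {row['missing']}" if row["missing"] else ""
        print(f"{row['rank']}. {row['name']:<45} score={row['score']:>6} {flag:<9} {gap}")
```

The score is deliberately simple: impact divided by cost plus effort in months. What matters for a real roadmap is that the criteria are explicit and agreed across OT, IT and management, so the ranking can be challenged and revisited at each Step 5 review rather than left implicit in a slide deck.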
Cyber Security
The current state of Industrial Cyber Security: where do we really stand?
We often assume that factories or industrial environments don't require as much cyber security as office settings. Nothing could be further from the truth... A single production line can be shut down for days. The impact? Millions in losses... and even risks to people's physical safety.

That's why we've spent years reviewing and analysing cyber security across industrial environments in all sectors: from energy and transportation to manufacturing, the chemical industry, healthcare and retail. Over this time, we've helped various companies achieve better protection of their OT (Operational Technology) environments through numerous assessments, diagnostics, designs and service deployments. This allows us to offer a clear snapshot of the current state of industrial cyber security.

What are we seeing on the ground?

Thanks to the various Industrial Cyber Security Assessments (ICSA) we conduct (diagnostics, analysis and architecture evaluations) and the services we provide, we've been able to build an accurate picture of the state of OT cyber security.

Over time, we've observed that most organisations are still in the early or intermediate stages of maturity when it comes to industrial cyber security. That said, we're also seeing a growing awareness and recognition of the importance of protecting OT environments. Even so, we continue to find major gaps that recur across different sectors:

- Incomplete inventories of OT assets.
- Flat networks with no proper segmentation or IT/OT separation.
- Use of default passwords, shared credentials, or no password rotation policies.

One of the most critical issues we detect is the lack of real-time visibility into what's happening in OT networks. This is despite the fact that specialised technologies in this area are gaining traction, although their deployment is still limited in many companies. This type of OT monitoring is essential for strengthening cyber security posture. In fact, during our lab demonstrations for clients, we've shown how active monitoring enables early detection of real-time attacks, behavioural anomalies and insecure configurations in industrial devices, before they become incidents. This, in turn, enables a rapid response to any threat.

The data speaks for itself

In recent years, we've come across various scenarios:

- Assuming the OT network is isolated; for example, we recently found a control PC directly connected to the Internet.
- Not knowing how many industrial devices are connected or what firmware they're running. In one case, a client believed they had 50 OT devices; it turned out to be over 100.
- Finding shared passwords between several people, or written on post-its stuck to monitors or control cabinets, posing a serious risk to critical systems.

From this, we've gathered the following statistics:

- Default credentials were found in over 80% of cases.
- More than 70% of OT networks lack proper segmentation between operations and supervisory zones.
- Over 60% of environments analysed had devices running outdated firmware or without security patches.

This data paints a worrying picture, but also points to a huge opportunity for improvement. It can serve as a starting point for building a roadmap of corrective measures and technology proposals to help strengthen industrial cyber security.

The human factor

While technology solutions are important, they're only one part of the equation. Staff training and awareness are key to preventing cyber security incidents. Initiatives such as workshops, training courses and incident response simulations are helping to close this gap.

In short, industrial cyber security is no longer optional. The threats are real, but so are the opportunities: every assessment, every training session and every project helps us to learn, improve and build a more resilient ecosystem. You don't have to implement every change overnight, but you do need an action plan, which can be carried out internally or through professional services. ■
October 15, 2025
Cyber Security
Connectivity & IoT
AI & Data
Artificial Intelligence applied to industrial Cyber Security (OT)
Cyber Security in industrial or OT (Operational Technology) environments is crucial to protect critical infrastructures such as energy, transport and communications, and has become a growing concern as these environments become more interconnected and dependent on IT (Information Technology).

Over the years, companies and organisations in a range of industrial environments have suffered both technical and social engineering attacks, which have become increasingly sophisticated and more numerous. Artificial Intelligence (AI) could therefore be the key to improving organisations' ability to detect and prevent cyber-attacks in this type of industry, i.e. to make a qualitative leap in the Cyber Security of OT systems.

How can Artificial Intelligence help improve industrial Cyber Security?

These new AI technologies may be able to detect and respond to security threats more effectively than traditional Cyber Security methods. The following are some of the applications that Artificial Intelligence can have in the present and future of industrial systems:

- Machine learning that can analyse large volumes of data (millions of security events) and detect patterns (behavioural analysis) to prevent cyber-attacks and improve response times compared to current Cyber Security solutions.
- Monitoring and optimisation of industrial processes to predict maintenance needs and avoid future equipment problems, which would otherwise lead to unscheduled production downtime and, in turn, large losses for companies.
- Automation of security tasks, such as network monitoring, security patching, and creating and updating firewall rules, helping security analysts to focus on more complex tasks.

Industrial Cyber Security event monitoring tools already have capabilities for learning the behaviour of network communications, and it is foreseeable that these capabilities will be integrated with those provided by Artificial Intelligence. Staff workloads also mean that analysts are unable to comprehensively examine all incidents reported over time. It is therefore difficult to envisage a future in which Artificial Intelligence does not play a key role in responding to industrial cyber-attacks and improving operational efficiency.

The challenges of applying Artificial Intelligence in OT Cyber Security

One of the biggest challenges today is to create safe, sustainable and responsible Artificial Intelligence for all, but it is not the only challenge. The following are some of the challenges that the application of AI in industrial Cyber Security solutions can create:

- The quality of the training data needed by Artificial Intelligence (e.g. network traffic files or PCAPs), given the need for privacy and security of each company's internal information.
- The difficulty of interpreting Artificial Intelligence models and integrating them into Cyber Security applications.
- The possible overload of alerts, or missed threats, caused by large numbers of false positives or false negatives when Artificial Intelligence is misapplied.
- Difficulty in identifying changes in industrial processes without the intervention of the people in charge (operators).
- The possibility that algorithms can be fooled or manipulated by attackers.
- The high market cost of AI-driven tools.

Concerns about the possible misuse of Artificial Intelligence and machine learning in industrial Cyber Security would also require appropriate regulation.

On the other hand, attempts could be made to use AI to defeat industrial Cyber Security defences by complementing the current knowledge of hackers. There is a well-known example from a Zero Day Initiative hackathon in which two researchers won by disrupting and taking control of industrial systems through the use of ChatGPT. In this case, the researchers found several weaknesses in these systems and used this Artificial Intelligence to help them write the code to chain the vulnerabilities found, which saved them hours of development time. While it is true that OpenAI and other companies with AI bots are adding controls and filters to prevent such malicious use, there is still some way to go before these technologies are considered completely safe from malicious actors.

The relevance of AI in industrial Cyber Security

As information and communication technologies continue to evolve and become even more integrated into critical infrastructures, the risk of cyber-attacks will continue to increase, and the solutions currently in use in the OT world therefore need to be improved. The future of Artificial Intelligence applied to industrial Cyber Security could be very promising, as these solutions could significantly improve the ability of organisations to detect patterns of abnormal behaviour and alert operators to potential threats. In addition, Artificial Intelligence could also be used to predict the risk of an attack and provide recommendations to mitigate it before it occurs. AI can also strengthen authentication and authorisation of access to critical systems, as well as identify vulnerabilities in OT systems before they are exploited by attackers.

In conclusion, the use of Artificial Intelligence in industrial Cyber Security may be the key to protecting our critical infrastructures in an increasingly connected world.

Published 04.25.2023 Updated 03.25.2024
March 25, 2024
Cyber Security
Consequences of a cyber-attack in industrial environments
Industrial environments can be found in any sector we can imagine: water treatment, transport, pharmaceuticals, machinery manufacturing, electricity, food or automotive companies, among others.

The difference between an industrial environment and the typical corporate or IT (Information Technology) environment is that industrial communication networks, or OT (Operational Technology), are designed for a specific task and use equipment and systems that do not change over time: the same communications between the same devices take place continuously and cyclically. In the corporate world, by contrast, a multitude of different equipment, such as laptops or corporate mobiles, connects at different times.

Another major difference is that these industrial devices are more likely to have vulnerabilities in their firmware or software, because they are outdated equipment that is not usually updated or patched, either because it is not compatible with the latest operating systems on the market or because replacing it could be very costly for the company. In addition, it is common to use unencrypted network communications or insecure protocols that allow vulnerabilities to be exploited or passwords to be obtained in clear text.

This state of industrial environments, coupled with the increasingly pressing need to connect industrial processes and factories to the corporate world, the cloud or the internet, increases the risk of a cyber-attack on such facilities. The most serious implications of an industrial system being breached are the impact on the physical safety of people, as well as economic losses or damage to the company's image, which is why it is vitally important to protect this equipment against any cyber-attack.

Cyber-attacks that have occurred in the past in industrial environments

Over the years, various companies and organisations in all types of industrial environments have been attacked, both through technical and social engineering attacks and through carelessness, laziness or lack of employee awareness, such as the use of USB keys between OT equipment and IT systems. The following are some examples of the different types of cyber-attacks used against companies in a variety of sectors with industrial environments:

- Malware in industrial or field devices.
- Communication hijacking and man-in-the-middle attacks.
- Denial of service.
- Spear phishing.
- Database espionage.
- Supply chain attacks.
- Improper or malicious device updates.

And these are not isolated cases: attacks on industrial infrastructures are in the news all the time! Some of the most relevant are the following:

- Worcester Airport in the United States (1997): A hacker broke into the communications of the air traffic control system and caused a system failure that rendered the telephone system completely useless, affecting the control tower and different areas of the airport (fire brigade, meteorology, etc.), which had a major economic impact.
- Saudi Aramco (2012): An attacker gained access to the industrial network through one of the employees and deleted the content of all computers. As a result, the management of supplies, oil transportation, and contracts with governments and business partners had to be done on paper. If it had been a smaller company, this attack would probably have bankrupted it.
- Maersk (2017): A cyber-attack using the "NotPetya" malware caused outages in all of the shipping company's business units, bringing its container shipping operations around the world to a standstill for weeks. The losses generated by this attack are estimated to be as high as $300 million.
- Oldsmar water treatment plant (2021): A group of attackers gained access to the SCADA (Supervisory Control and Data Acquisition) systems used to control the chemical treatment of Florida's water and altered the levels of caustic soda in the drinking water. Thanks to an operator who identified the unauthorised access and was able to detect the manipulation, this did not have serious adverse effects on the population.

These are just some of the examples that have been reported in the media, but there are many others that we will never know about.

How to avoid or mitigate the consequences of an industrial cyber-attack

To minimise the risk of suffering a cyber-attack in an industrial environment, the network's exposure must be minimised to reduce the attack surface, staff training must be increased to avoid social engineering attacks, new cyber security procedures and policies must be created, and technologies appropriate to the environment must be deployed to prevent or mitigate the effects that could occur.

One of the key aspects is the monitoring of industrial networks using dedicated tools specialised in OT communications protocols, which analyse anomalous behaviour once they have learned the normal or baseline behaviour of the network, such as Nozomi Networks' probes.

Visualisation of the network through an industrial monitoring tool. Source: Nozomi Networks.

As well as generating alerts when malicious action is found, these tools also provide great visibility into the industrial network by providing an inventory of connected devices, which can help companies discover unidentified equipment that could be a gateway for future cybercriminals.

But what should be done with all the information obtained by these industrial monitoring probes? One option is to integrate them with a SIEM (Security Information and Event Management) system, so that all alerts are aggregated in the same place and can be correlated with each other. In addition, it is necessary to establish an incident response procedure that determines what actions to take according to the type, severity and location of each alert. But none of this can be done without dedicated personnel specialised in these monitoring and industrial incident response tasks.

The importance of cyber security in industrial environments

Industrial cyber security risks continue to grow over time as industrial networks become increasingly connected and exposed to IT networks or even the internet, and the number of threats grows exponentially. Cyber threats can have a major impact on personal and corporate reputation (loss of customer confidence), financial operations (fines for non-compliance) and business (unscheduled production downtime), as well as potential legal liabilities (legal consequences for non-compliance with laws and physical and environmental security standards). This is why it is crucial to implement, manage and improve cyber security measures in industrial environments in order to maintain and increase their effectiveness against any cyber attack.
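The learn-then-detect behaviour described above for OT monitoring probes, the device inventory they produce (the "50 devices that turned out to be over 100" situation from the article on the current state of industrial cyber security), and the type/severity/location response procedure fed from a SIEM, as one added Python example. It is not Nozomi Networks', Telefónica Tech's or any vendor's code: the flow records, addressing plan, zone names, insecure-protocol list and response actions are all constructed assumptions.

```python
"""OT baseline learning, inventory reconciliation and alert triage.

Added example, not a vendor's or Telefónica Tech's code. The flow export format,
addressing plan, zones, insecure-protocol list and response matrix are constructed.
"""
from dataclasses import dataclass

# Purdue-style zones assigned by address prefix (constructed addressing plan).
ZONE_PREFIXES = {"10.0.1.": "control", "10.0.2.": "supervisory", "10.1.": "enterprise"}
# Protocols an assessor would flag as cleartext or unauthenticated (assumed list).
INSECURE_PROTOCOLS = {"modbus", "telnet", "ftp", "http"}
# Incident-response matrix keyed by severity (assumed procedure, not a standard).
RESPONSE_MATRIX = {
    "critical": "isolate the destination segment at the OT firewall and page the OT on-call",
    "high": "open a ticket and confirm the asset with the plant operator within one hour",
    "medium": "review in the daily OT/IT triage meeting",
    "low": "record as a finding in the vulnerability backlog",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'unknown'."""
    for prefix, zone in ZONE_PREFIXES.items():
        if ip.startswith(prefix):
            return zone
    return "unknown"


def parse_flows(text: str) -> list[Flow]:
    """Parse 'src dst proto port' lines (constructed probe export format)."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            src, dst, proto, port = line.split()
            flows.append(Flow(src, dst, proto.lower(), int(port)))
    return flows


def learn_baseline(flows: list[Flow]) -> tuple[set[Flow], set[str]]:
    """Learning phase: the conversations and the devices observed on the wire."""
    return set(flows), {f.src for f in flows} | {f.dst for f in flows}


def reconcile_inventory(declared: set[str], observed: set[str]) -> tuple[list[str], list[str]]:
    """Devices on the wire missing from the declared inventory, and declared devices never seen."""
    return sorted(observed - declared), sorted(declared - observed)


def insecure_protocol_findings(conversations: set[Flow]) -> list[tuple[str, str, int]]:
    """Assessment finding: destinations that accept insecure protocols in normal traffic."""
    return sorted({(f.dst, f.proto, f.port) for f in conversations if f.proto in INSECURE_PROTOCOLS})


def detect(baseline: tuple[set[Flow], set[str]], declared: set[str], flows: list[Flow]) -> list[dict]:
    """Detection phase: alert on devices and conversations absent from the baseline."""
    conversations, known = baseline
    known = set(known) | set(declared)  # copy, so the learned baseline is not mutated
    alerts = []
    for f in flows:
        for dev in (f.src, f.dst):
            if dev not in known:
                known.add(dev)  # one alert per new device
                zone = zone_of(dev)
                alerts.append({"type": "unknown-device", "asset": dev, "zone": zone,
                               "severity": "high" if zone == "control" else "medium"})
        if f not in conversations:
            # Traffic entering the control zone from another zone is the worst case
            crosses = zone_of(f.src) != zone_of(f.dst)
            severity = "critical" if crosses and zone_of(f.dst) == "control" else "medium"
            alerts.append({"type": "new-conversation", "asset": f.dst, "zone": zone_of(f.dst),
                           "severity": severity, "detail": f"{f.src} -> {f.dst} {f.proto}/{f.port}"})
    return alerts


def response_action(alert: dict) -> str:
    """Action prescribed by the response matrix for the alert's severity."""
    return RESPONSE_MATRIX[alert["severity"]]


# Constructed learning window: an HMI polls two PLCs; an undocumented engineering
# workstation reaches the HMI and one PLC.
LEARNING_WINDOW = """
10.0.2.10 10.0.1.5 modbus 502
10.0.2.10 10.0.1.6 modbus 502
10.0.2.20 10.0.2.10 rdp 3389
10.0.2.20 10.0.1.5 s7comm 102
"""
DECLARED_INVENTORY = {"10.0.1.5", "10.0.1.6", "10.0.2.10"}  # what the client believes it has
# Constructed detection window: normal polling, an enterprise host speaking Modbus
# to a PLC, and a never-seen device appearing in the control zone.
DETECTION_WINDOW = """
10.0.2.10 10.0.1.5 modbus 502
10.0.2.10 10.0.1.6 modbus 502
10.1.5.40 10.0.1.6 modbus 502
10.0.1.7 10.0.2.10 modbus 502
10.0.2.20 10.0.2.10 rdp 3389
"""


def run_demo() -> list[dict]:
    baseline = learn_baseline(parse_flows(LEARNING_WINDOW))
    print("inventory gap (on wire, undeclared / declared, unseen):",
          reconcile_inventory(DECLARED_INVENTORY, baseline[1]))
    print("insecure protocols in baseline:", insecure_protocol_findings(baseline[0]))
    alerts = detect(baseline, DECLARED_INVENTORY, parse_flows(DETECTION_WINDOW))
    for a in alerts:
        print(f"[{a['severity']:>8}] {a['type']:<16} {a.get('detail', a['asset'])} -> {response_action(a)}")
    return alerts


if __name__ == "__main__":
    run_demo()
```

Two points the example makes that the prose only implies: the learning window must itself be reviewed before it is trusted (here it already contains an undocumented workstation and unauthenticated Modbus polling, both legitimate findings for the roadmap), and the severity assigned to a new conversation depends on the zone it enters, which is why the inventory and the Purdue zoning have to exist before the probe's alerts can be routed meaningfully.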
January 17, 2023