This is an issue because many OT networks and devices are rarely, if ever, updated or patched; security is an afterthought, if it is a consideration at all. Patching is a big concern for a few reasons. As noted above, patches are often not available because the systems are either custom-built or too difficult to patch. Manufacturing plants cannot be taken offline for administrators or security engineers to resolve security concerns. In many cases these systems run 24/7, and going offline would cost too much money in lost production time and reduced processing throughput.
As the two networks blur together, the problem will not go away anytime soon. This means we need to give due consideration to all access requests and approvals from any external source, minimise the attack surface as best we can, and remove unnecessary traffic flows or access to the OT network from the IT network. This flow control and access control will make it harder for any party to gain unauthorised access to the OT network. It won’t stop it completely, but it will help slow lateral movement through your systems.
To resolve these issues long term, OT systems will need to be better designed, with security and patching as part of the product design and development process. In the short term, it is important to do what we can to get back to security basics and secure your networks for both inbound and outbound traffic flows. We need to know what data is flowing both ways so that we can detect any anomalies quickly.
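
One way to check flows across the IT/OT boundary against an approved list and see how much data moves in each direction, as an added example that is not part of the original article. The address ranges, hosts, allowlist entries and flow records are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed address plan, constructed for this example.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.50.0.0/16")

# Approved flows that touch the OT network: (direction, src, dst, proto, dst_port).
ALLOWED = {
    ("IT->OT", "10.10.5.20", "10.50.1.10", "tcp", 443),   # jump host -> historian
    ("OT->IT", "10.50.1.10", "10.10.8.15", "tcp", 1433),  # historian -> reporting DB
}

# Constructed flow records: (src, dst, proto, dst_port, bytes).
FLOWS = [
    ("10.10.5.20", "10.50.1.10", "tcp", 443, 18200),
    ("10.50.1.10", "10.10.8.15", "tcp", 1433, 920000),
    ("10.10.7.33", "10.50.2.40", "tcp", 502, 4100),   # workstation straight to a controller
    ("10.50.2.40", "203.0.113.9", "tcp", 443, 650),   # controller reaching an external host
    ("10.10.7.33", "10.10.8.15", "tcp", 445, 300),    # IT-internal, ignored
    ("10.50.2.40", "10.50.1.10", "tcp", 502, 1200),   # OT-internal, ignored
]

def zone(ip):
    """Map an address to IT, OT or EXT (anything outside both ranges)."""
    addr = ipaddress.ip_address(ip)
    if addr in IT_NET:
        return "IT"
    if addr in OT_NET:
        return "OT"
    return "EXT"

def review(flows, allowed):
    """Return (unapproved boundary flows, bytes per direction) for flows touching OT."""
    findings, volume = [], Counter()
    for src, dst, proto, port, nbytes in flows:
        sz, dz = zone(src), zone(dst)
        if sz == dz or "OT" not in (sz, dz):
            continue  # only flows crossing the OT boundary are of interest
        direction = f"{sz}->{dz}"
        volume[direction] += nbytes
        if (direction, src, dst, proto, port) not in allowed:
            findings.append((direction, src, dst, proto, port, nbytes))
    return findings, dict(volume)

if __name__ == "__main__":
    findings, volume = review(FLOWS, ALLOWED)
    for f in findings:
        print("UNAPPROVED", *f)
    print("bytes by direction:", volume)
```

Each unapproved entry is a candidate either for a firewall rule to remove the flow or for a documented approval; the per-direction byte counts give a baseline to compare later captures against.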