NotPetya demonstrated that malware designed for IT systems can cause severe collateral damage in OT networks. Although NotPetya was not designed to attack control systems, its worm-like propagation brought industrial facilities to a standstill. Eight years later, the risk remains largely unmitigated. OT networks connected to IT networks will be affected by IT malware, even if control systems are not direct targets.
Commodity malware—including ransomware, worms, and information stealers—can impact OT networks through several mechanisms. Network-based worms propagate indiscriminately across any network segments they can reach. Shared authentication mechanisms allow malware to pivot from IT to OT. Supply chain compromises deliver malware to both IT and OT systems simultaneously.
Propagation Mechanisms in Mixed Environments
When IT and OT networks are insufficiently segmented, IT-targeted malware reaches OT systems through shared subnets, compromised jump hosts, or integrated management systems. Engineering workstations running commodity antivirus can become vectors if the antivirus itself is compromised or misconfigured.
Some commodity malware includes worm capabilities that exploit known vulnerabilities in SMB, RDP, or other protocols common across both IT and OT networks. Air-gapping and network segmentation are the primary defenses, but most facilities have intentionally blurred these boundaries for operational convenience.
Detection and Isolation Measures
- Network segmentation: Enforce physical and logical separation between IT and OT networks. Use unidirectional gateways and DMZs for the communications that must cross the boundary.
- Shared account isolation: Do not use the same credentials for IT and OT systems, so that a credential stolen on the IT side cannot be reused to move into OT.
- Malware detection on engineering workstations: Maintain endpoint detection and response on systems that bridge IT and OT networks.
- Behavioral isolation: Alert when commodity malware signatures or behaviors are detected, even if they are not OT-specific. Immediate isolation of the affected host limits lateral movement.
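As an added illustration of two of the checks above (worm-like SMB/RDP fan-out from an IT host into the OT zone, as described under propagation mechanisms, and a single account authenticating on both sides of the boundary), the following Python is example code written for this article, not a tool from the Cascadia practice. It assumes a constructed zone layout (10.10.0.0/16 as IT, 10.20.0.0/16 as OT), a constructed key=value log format for connection and authentication records, and a fan-out threshold of five distinct OT hosts within 60 seconds; all of these are assumptions, not values from the article.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed zone layout (constructed for this example, not from the article).
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")
# Protocols the article names as common worm propagation paths.
WORM_PORTS = {445: "SMB", 3389: "RDP"}
FANOUT_THRESHOLD = 5            # distinct OT hosts touched by one IT host ...
WINDOW = timedelta(seconds=60)  # ... within this window (assumed tuning values)


def zone_of(ip: str) -> str:
    """Map an address to the IT or OT zone it belongs to."""
    addr = ipaddress.ip_address(ip)
    if addr in IT_ZONE:
        return "IT"
    if addr in OT_ZONE:
        return "OT"
    return "OTHER"


def _parse_kv(line: str) -> dict:
    """Parse '<iso-timestamp> k=v k=v ...' (a constructed log format)."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect_cross_zone_fanout(conn_lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Flag IT hosts that reach many distinct OT hosts on SMB/RDP in a short window.

    Legitimate engineering access touches a few OT hosts; a worm sweeps a range.
    """
    by_src = defaultdict(list)
    for rec in map(_parse_kv, conn_lines):
        port = int(rec["dport"])
        if port in WORM_PORTS and zone_of(rec["src"]) == "IT" and zone_of(rec["dst"]) == "OT":
            by_src[rec["src"]].append((rec["ts"], rec["dst"], port))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            # Sliding window: every OT target this source touched within `window` of `start`.
            targets = {dst for ts, dst, _ in events[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts.append({"src": src, "start": start, "targets": sorted(targets)})
                break  # one alert per source is enough to trigger isolation
    return alerts


def detect_cross_zone_accounts(auth_lines):
    """Return accounts that successfully authenticated on both IT and OT hosts."""
    zones_seen = defaultdict(set)
    for rec in map(_parse_kv, auth_lines):
        if rec["result"] == "success":
            zones_seen[rec["user"]].add(zone_of(rec["host"]))
    return sorted(user for user, zones in zones_seen.items() if {"IT", "OT"} <= zones)


# Constructed sample logs: one IT host sweeping OT on SMB/RDP, one legitimate
# two-host helpdesk RDP session, OT-internal Modbus traffic, and a non-worm port.
CONN_LOG = [
    "2025-01-15T10:00:01 src=10.10.5.7 dst=10.20.1.1 dport=445",
    "2025-01-15T10:00:03 src=10.10.5.7 dst=10.20.1.2 dport=445",
    "2025-01-15T10:00:04 src=10.10.5.7 dst=10.20.1.3 dport=445",
    "2025-01-15T10:00:06 src=10.10.5.7 dst=10.20.1.4 dport=445",
    "2025-01-15T10:00:09 src=10.10.5.7 dst=10.20.1.5 dport=445",
    "2025-01-15T10:00:12 src=10.10.5.7 dst=10.20.1.6 dport=3389",
    "2025-01-15T10:00:15 src=10.10.9.2 dst=10.20.4.1 dport=3389",  # helpdesk, below threshold
    "2025-01-15T10:00:20 src=10.10.9.2 dst=10.20.4.2 dport=3389",
    "2025-01-15T10:00:22 src=10.20.7.7 dst=10.20.1.9 dport=502",   # OT-internal, ignored
    "2025-01-15T10:00:25 src=10.10.5.7 dst=10.20.1.10 dport=502",  # not a worm port
]
AUTH_LOG = [
    "2025-01-15T09:58:00 user=svc_backup host=10.10.5.7 result=success",
    "2025-01-15T10:00:02 user=svc_backup host=10.20.1.3 result=success",
    "2025-01-15T10:01:00 user=opr_line1 host=10.20.1.4 result=success",
    "2025-01-15T10:02:00 user=jdoe host=10.10.9.2 result=success",
    "2025-01-15T10:02:30 user=jdoe host=10.20.4.1 result=failure",
]

if __name__ == "__main__":
    for a in detect_cross_zone_fanout(CONN_LOG):
        print(f"ALERT fan-out: {a['src']} reached {len(a['targets'])} OT hosts from {a['start']}")
    for user in detect_cross_zone_accounts(AUTH_LOG):
        print(f"ALERT shared account: {user} authenticates in both IT and OT")
```

Run on the constructed logs, the fan-out check raises one alert for 10.10.5.7 (six OT hosts on SMB/RDP in twelve seconds) while the two-host helpdesk session stays quiet, and the account check names svc_backup as the only account with successful logons on both sides of the boundary. Both outputs are the kind of signal the article argues for: not OT-specific, but early enough that isolating the IT host or disabling the shared account can stop the spread before it reaches control systems.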
Strategic Redundancy
Commodity malware impact on OT systems is often unavoidable if networks are integrated. The defense strategy shifts to detection speed and isolation capability. If you'd like to discuss network segmentation, credential isolation, or integration security for your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.