Ghosts of Systems Past: Future-Proofing Industrial Control Systems

By Staff

Apple CEO Tim Cook knows how hard it is to plan for the future. While studying for his MBA at Duke University, Cook was asked to write a 25-year plan. He remarked that “it was reasonably accurate for 18-24 months, and there was not a single thing accurate since then.”

Planning for the future of industrial control systems (ICS) can be equally difficult since operational technology (OT) devices may be deployed for decades. Many of the challenges organizations face today result from decisions made 20 years ago or more. In preparing for the future, organizations need to consider the most pressing issues of the day.

As we kick off 2025, these include targeted ransomware in OT environments, the weaponization of IoT devices in critical infrastructure, the exploitation of vulnerabilities in both the supply chain and legacy OT devices, and more. While organizations navigate these unseen threats, the so-called “ghosts in the machine,” they must also contend with the ghosts of OT systems past – the latent vulnerabilities that persist in legacy OT environments. 

Latent vulnerabilities exist as a sort of technical debt inherited from a previous generation of solutions. Organizations must not ignore this debt, because unpaid debt accrues compounding interest. Planning for the future requires reflecting on the past, acknowledging the present and preparing for what may come.

The More Things Change, The More They Stay the Same 

IT and OT environments tend to have different missions. IT systems embody an ethos of “move fast and break things,” while OT systems are slow-moving and rigid. Mission-critical operations demand reliability above all else, and avoiding downtime is the highest priority. 

In fact, organizations have become so sensitive to the risk of a service outage that many even require an IT change freeze during busy retail seasons. But for OT departments, a change freeze is not just for the holidays; it is the status quo year-round.

Repairs and upgrades often require significant downtime, which many operators cannot afford. When vulnerabilities are discovered in legacy OT devices, it may not be possible to patch them. Connected devices and IT/OT convergence amplify this risk since these initiatives often prioritize productivity over security.

If organizations cannot address the risk of latent vulnerabilities head-on, they must implement solutions to monitor and identify suspicious behavior so they can mitigate threats as they arise; otherwise, these blind spots create security gaps.

Organizations must begin preparing for the future today. Future-proofing ICS begins by establishing a strong foundation of fundamentals to manage the full lifecycle of cyber threats. Pragmatically, that means first gaining a comprehensive understanding of your network architecture – both the complete visibility of all devices and the context in which they operate, such as their network traffic. 

Gaining this visibility and context enables organizations to prioritize which vulnerabilities should be remediated first as well as which critical assets need to be closely monitored for potential threats. 

Emerging technologies, particularly AI, are pivotal in bridging the gap between the past and what’s to come. Programmable logic controllers (PLCs) have previously served as a sort of rudimentary form of AI by using predictive capabilities to maintain operational efficiency. Today, AI enables sophisticated cybersecurity monitoring, such as allowing organizations to detect behavioral anomalies so they can respond to threats in real time. 

A Failure to Plan …

Tim Cook may not have been able to forecast the future, but his planning was still indispensable (after all, he did become CEO of Apple). “The journey is not predictable. The only thing you can do is prepare. You have to have a North Star,” said Cook. 

Cybersecurity is a journey, not a destination. Companies should adopt a comprehensive security strategy that sees, protects and manages critical assets across the entire attack surface. AI-driven solutions further enhance these efforts with actionable insights and automation. 

Likewise, regulatory compliance and other common security frameworks can serve as a roadmap for cybersecurity teams. Industry-specific regulations like HIPAA or NERC CIP may be mandated for certain critical infrastructure sectors. For security-conscious organizations that lack a specific compliance mandate, ISA/IEC 62443 provides an excellent framework for mitigating and remediating vulnerabilities in ICS devices. 

To future-proof the ICS, organizations must learn from the ghosts of systems past. Decisions made decades ago continue to shape the present. Understanding these decisions and their implications is crucial to charting a path forward. 

Organizations must keep an eye on the horizon as the risk of ransomware, advanced persistent threats and supply chain attacks targeting ICS and OT environments will continue to evolve. Preparing for what’s to come means embracing change, adopting new technologies and fostering collaboration between IT and OT teams. 

The reality is that it is impossible to fully future-proof any system. While organizations focus on solving yesterday's and today's problems, they must also be ready for whatever comes tomorrow.
