There are three common mistakes building owners make: no network segmentation, unmaintained hosts within those networks, and mixed use of the OT network.
The first step, segmenting the network, is critical in reducing overall risk and limits the blast radius if something does happen. Depending on how the system is segmented, building owners can shrink what a ransomware attack is able to reach from their entire network down to only a small slice of it.
Second is maintenance of the hosts operating on OT networks. Often, a contractor will supply and install a server or workstation for their system to run on. What is rarely discussed is who is responsible for the ongoing maintenance of that machine. Building owners will assume the contractor is, and the contractor will assume the building owner is. This results in a grey area in which nobody applies updates, ensures anti-malware protection is installed, and so on. The previously referenced WannaCry attack could not affect hosts that had the most current Windows updates applied.
Finally, a common mistake is the mixture of use cases on an OT network. Not only should the network be segmented into chunks, but users should not be allowed to perform functions beyond what is necessary to operate the OT in that building. The most common entry points for infections stem from personal email use on OT networks. Users there often don't have the luxury of the email filtering that corporate IT departments install. Without any anti-malware or software updates in place, a single click on a phishing link can quickly result in a total network takeover.
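To make the first two mistakes concrete, the following added example (not code from the original article) models a building's hosts as members of network segments with an explicit inter-segment allow list, computes the blast radius reachable from one compromised host under a flat versus a segmented design, and flags hosts whose last update is older than a threshold. The host names, segments, patch dates and the allowed flow are all constructed sample data.

```python
# Added example: blast-radius and patch-age audit for a building's OT estate.
# Hosts, segments and patch dates below are constructed, not from a real site.
from collections import deque
from datetime import date

# Constructed inventory: host -> (network segment, last Windows update applied).
# None means the update history is unknown, which is treated as unmaintained.
HOSTS = {
    "bms-server": ("bms", date(2017, 2, 14)),   # contractor-supplied, never patched
    "bms-ws1":    ("bms", date(2024, 5, 1)),
    "hvac-ctrl":  ("hvac", None),               # patch history unknown
    "cctv-nvr":   ("cctv", date(2023, 11, 3)),
    "office-pc7": ("corporate", date(2024, 6, 10)),
}

# Allowed inter-segment flows (source segment -> destination segment).
# Traffic inside a single segment is always allowed. Constructed policy:
# only the BMS segment may reach the HVAC segment.
SEGMENTED_POLICY = {("bms", "hvac")}

def flat_policy(hosts):
    """A flat network: every segment can reach every other segment."""
    segs = {seg for seg, _ in hosts.values()}
    return {(a, b) for a in segs for b in segs if a != b}

def blast_radius(start, hosts, policy):
    """Hosts reachable from `start` given segment membership and allowed flows."""
    reachable, queue = {start}, deque([start])
    while queue:
        cur_seg = hosts[queue.popleft()][0]
        for host, (seg, _) in hosts.items():
            if host in reachable:
                continue
            if seg == cur_seg or (cur_seg, seg) in policy:
                reachable.add(host)
                queue.append(host)
    return reachable

def unmaintained(hosts, today, max_age_days=90):
    """Hosts whose last update is older than max_age_days or unknown."""
    return sorted(host for host, (_, last) in hosts.items()
                  if last is None or (today - last).days > max_age_days)

if __name__ == "__main__":
    print("flat:     ", sorted(blast_radius("office-pc7", HOSTS, flat_policy(HOSTS))))
    print("segmented:", sorted(blast_radius("office-pc7", HOSTS, SEGMENTED_POLICY)))
    print("unmaintained:", unmaintained(HOSTS, date(2024, 7, 1)))
```

On the flat design a phishing click on the office PC reaches every host; with the segmented policy it reaches only itself, and the audit lists the hosts nobody has been patching.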