Fortinet

Why the Unseen Risks in Operational Technology Are No Longer Theoretical

Operational technology (OT) environments are under growing pressure. As critical infrastructure modernizes, organizations are connecting legacy systems, adopting cloud services, and integrating new platforms to improve efficiency and resilience. This shift is necessary; however, it also exposes a new class of risks that many organizations still cannot fully manage.

Michael Murphy, Director of Operational Technology, APAC, Fortinet, said, “Critical infrastructure organizations often focus on software vulnerabilities and network threats; however, some of the most critical risks now sit much earlier in the lifecycle before a device is even powered on. Supply chain compromise, hardware tampering, and counterfeit components are becoming more relevant as environments become more connected.”

Michael Murphy at Fortinet

However, these risks are not limited to a single deployment model. Whether infrastructure is on-premises, converged across IT and OT, or delivered through cloud services, the same questions apply: where did the technology come from, who built it, and can you trust it?

Supply Chain Compromise: Risk at the Source

Modern OT environments rely on highly interconnected supply chains. Vendors and intermediaries source hardware, software, and services globally, and as a result, this creates risk. If any part of that chain becomes compromised, the impact can cascade across operations.

Murphy said, “As organizations adopt cloud and platform-based services, they gain efficiency yet lose visibility. They no longer inspect what arrives on-site. They trust that the provider has done the right checks across their supply chain.”

This risk is now real, not theoretical. Organizations increasingly encounter substituted, modified, or unverified components entering their supply chains. As a result, even a minor compromise in critical infrastructure can affect operations and safety.

This aligns with broader industry concerns about interconnected supply chains amplifying disruption, where a single compromised node can affect entire production and distribution networks.

Hardware Tampering: Trust Cannot Stop at the Perimeter

Traditional security models assume hardware remains trustworthy once deployed. However, that assumption no longer holds. Tampering can occur during manufacturing, transit, or installation. In some cases, actors may modify devices to introduce hidden functionality or vulnerabilities before the devices ever reach the customer.

Murphy said, “There are controls like tamper-evident seals for physical equipment; however, they don’t exist for cloud or service-based environments in the same way. As soon as organizations move away from physical ownership, they lose another layer of assurance.”

Because of this, organizations face a visibility gap. Organizations may have strong network monitoring and detection capabilities, yet still lack confidence in the integrity of the underlying infrastructure. The challenge compounds in OT, where manufacturers often build systems for longevity, not for easy replacement or updates. As a result, a compromised device can remain embedded in operations for years.

Counterfeit Components: A Growing and Underestimated Threat

Counterfeit or unauthorized components present another layer of risk. These parts may look identical to legitimate ones, but they behave differently under certain conditions or fail to meet security and performance standards.

Murphy said, “There are real-world cases where equipment appears genuine on the outside yet internally contains different components. This creates uncertainty about performance, reliability, and security.”

In OT environments, where uptime and safety are critical, this risk carries a significant impact. Counterfeit components can introduce instability, reduce resilience, and create hidden entry points for threat actors.

At a broader level, this reflects a shift in how organizations need to think about cybersecurity. Protection no longer extends only to software and networks; in addition, it extends to the integrity of every component within the environment.

Why This Matters Now

The convergence of IT and OT, combined with increased reliance on cloud and third-party providers, therefore changes the risk profile for critical infrastructure.

At the same time, threat actors are scaling their capabilities and leveraging AI. Automated scanning and exploitation increase both the speed and volume of attacks, so organizations face greater pressure to identify and address weaknesses across their environments.

Murphy said, “These risks apply regardless of where critical infrastructure organizations are on their transformation journey. Whether they run air-gapped systems or move to full cloud integration, they still need to ask the same questions about trust, integrity, and verification.”

Addressing these risks requires a shift in mindset. Critical infrastructure organizations therefore need to extend their security focus beyond deployment and into procurement, vendor selection, and lifecycle management.

Building Resilience Into the Lifecycle

Key areas to focus on include:

  • Supplier transparency: understand where components originate and how vendors validate them
  • Software bill of materials (SBOM): gain visibility into the components within hardware and software, while balancing disclosure risks
  • Vendor due diligence: ask providers how they manage supply chain integrity, hardware assurance, and component validation
  • Continuous verification: treat trust as an ongoing process, not a one-time assumption

Industry initiatives such as the Secure by Design pledge reinforce the need for greater accountability and transparency across the technology lifecycle. In turn, the pledge encourages manufacturers to take ownership of security outcomes and demonstrate measurable progress in strengthening product security.

For organizations operating critical infrastructure, this marks an important shift. Security therefore, no longer focuses only on defending systems after deployment. Instead, it starts with how vendors design, build, and deliver technology.

Murphy said, “Resilience in OT goes beyond detecting and responding to threats. It comes down to confidence in the technology itself. Organizations that build security into every stage of the lifecycle, from supply chain to deployment, will be better positioned to manage risk and maintain operations in an increasingly complex environment.”

Stay Informed With Cyber News Live

Cyber threats are constantly evolving, and staying informed is critical to protecting your organization. Follow Cyber News Live for the latest cybersecurity news, threat intelligence, expert analysis, and practical guidance to help strengthen your cyber defenses.

Shopping Cart0

Cart

Login