Essential cybersecurity strategies for industry

Industrial facilities face unique cyber threats requiring integrated defenses, strategic tool selection and continuous testing to protect critical operations from attacks
Nov. 13, 2025
Photo by Keith Larson
Brandon Cho, Honeywell, at Honeywell Users Group 2025 in The Hague

The operational technology (OT) environment has become a prime target for cyberattacks, and industrial companies face mounting pressure to secure their critical infrastructure. According to Paul Smith, director of Honeywell's cybersecurity portfolio, the key vulnerability in industry stems from systemic challenges: the abundance of legacy equipment and software, together with the long delays in patching OT systems, leaves industry “quite vulnerable.”

And the stakes for industry have only gotten higher as ransomware gangs increasingly recognize the leverage they hold.

"It's really easy with ransomware to shut down a plant that's generating a million dollars a day," Smith explained. "And companies that find themselves locked out of their systems will usually pay the ransom."

The cybersecurity tool selection dilemma

When organizations attempt to address OT cybersecurity challenges, they often turn to IT security solutions — a logical step given that IT cybersecurity has existed two to three times longer than its OT counterpart. However, this approach can present complications.

Brandon Cho (pictured), director of OT cybersecurity at Honeywell, described the overwhelming landscape of cybersecurity tools: "The sheer volume of choices is overwhelming. So where do you get started? Where do you start looking?"

Cho recounted Honeywell's own experience modernizing their secure remote access technologies: The company identified more than 50 potential tools and evaluated them for more than a year, eventually narrowing the field to 10 on which to conduct deep dives before selecting one.

This experience underscored a critical principle for Cho: "More options doesn't necessarily mean better security. And in cybersecurity, users have to keep in mind that complexity can increase risk."

And the dangers of choosing incorrectly are substantial. Blindly deploying IT tools can lead to misconfiguration, operational disruption and even safety risks.

Many OT teams select siloed tools that fail to provide a comprehensive view of their cybersecurity posture, resulting in excessive logs with questionable value and alerts that no one validates. Smith noted that this problem is compounded by staffing realities — many plants lack dedicated cybersecurity engineers and instead rely on corporate cybersecurity personnel who may not have OT expertise.

The cyber kill chain

Delivering their cybersecurity insights at the 2025 Honeywell Users Group EMEA event, Smith and Cho presented several strategies for industrial companies to help them make more informed cybersecurity decisions.

Their recommendations began with an explanation of the “cyber kill chain.” Originally developed at Lockheed Martin, the cyber kill chain provides a framework for understanding cyberattack anatomy across seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. This insight can help narrow down tool selection because it helps determine what a cyberattack could look like at a site in order to differentiate it from normal network activities.

"Actions on objectives is always the worst thing, because this is where attackers get down into the controls to, for example, turn off a vessel,” said Smith. “You want to make sure that you stop intruders before they get anywhere near ‘actions on objectives’."

At each stage of the cyber kill chain, specific defenses apply. For example, during reconnaissance, companies should audit their exposure, which includes employee LinkedIn profiles that might advertise specific control system certifications.

To address the weaponization stage, bug bounty programs help identify vulnerabilities before attackers can exploit them, while defenses against the delivery stage center on strict controls over USB devices and third-party vendor access.

Vulnerability scanning addresses the exploitation stage. Here, Smith advised that, if you don't already have this capability in place, “this should be your first step beyond firewall implementations.” His reasoning: Scanning is key to understanding what the points of entry into your environment are.

The installation point in the kill chain involves checking your endpoint protections against malware. “You definitely need to analyze and go after the right endpoint protection for your environment to ensure you don’t have something in place that will shut down operations or lock you out,” Smith noted.

Finally, for command and control, Smith suggested looking closely at intrusion detection around remote access and control methods.

Smith pointed out that the defenses at any one of these kill chain stages should be able to catch an attack and stop it in its path.

Defense in depth and compensating controls

The longstanding principle of defense in depth remains a cornerstone strategy because it requires multiple layers of controls, redundancy and integration. A firewall alone provides only perimeter protection; that’s why companies need to layer additional controls, such as a zero-trust network architecture for remote access, on top of it.

Cho highlighted that redundancy is essential to OT cybersecurity because single controls inevitably have gaps.

"Every company has some sort of antivirus solution in their environment, but it will always have a gap,” he said. Application whitelisting (also called allowlisting: only approved applications and connections are permitted to run on the network), used as a redundant control, can catch threats that slip through antivirus blacklisting, including zero-day malware that no signature yet matches.

Smith also emphasized integration as a key factor to filling cybersecurity gaps. "When you have a bunch of cyber tools, if you can make them interrelate and develop use cases around how they work together, that will help solve a lot of your problems," he said. For example, passive monitoring systems should communicate with endpoint protection to blacklist malicious files before they execute.
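The two points above, redundancy (an allowlist behind the antivirus blocklist) and integration (passive monitoring feeding the endpoint's blocklist), are easiest to see in a small decision routine. The following is an added example written for this article, not Honeywell code or any product's API; the file contents, hash lists and the monitoring alert schema are constructed for the illustration.

```python
"""Layered endpoint decision: an antivirus-style blocklist, an application
allowlist behind it, and a passive-monitoring alert that feeds the blocklist
before a file runs. Added example; not Honeywell's code. File contents and
the alert format are constructed for the illustration."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables seen on an OT endpoint.
APPROVED_HMI = b"vendor-signed HMI runtime, build 4.2"      # on the allowlist
KNOWN_MALWARE = b"old ransomware dropper, signature known"  # on the AV blocklist
ZERO_DAY = b"never-before-seen loader"                       # on neither list


class EndpointPolicy:
    def __init__(self, allowlist, av_blocklist):
        self.allowlist = set(allowlist)        # hashes permitted to execute
        self.av_blocklist = set(av_blocklist)  # hashes AV already knows as bad

    def av_only(self, data: bytes) -> str:
        """Blacklist-only control: anything not known-bad is allowed.
        This is the gap a single antivirus layer always leaves."""
        return "block" if sha256_hex(data) in self.av_blocklist else "allow"

    def decide(self, data: bytes):
        """Layered control: AV verdict first, then the allowlist.
        Returns (verdict, reason, sha256)."""
        h = sha256_hex(data)
        if h in self.av_blocklist:
            return ("block", "av-blocklist", h)
        if h not in self.allowlist:
            return ("block", "not-allowlisted", h)
        return ("allow", "allowlisted", h)

    def ingest_monitoring_alert(self, alert: dict) -> bool:
        """Integration use case: a passive network monitor (assumed alert
        schema) saw a malicious file in transit; push its hash to the
        endpoint blocklist so the file is stopped before execution."""
        if alert.get("verdict") == "malicious" and alert.get("sha256"):
            self.av_blocklist.add(alert["sha256"])
            return True
        return False


def build_policy() -> EndpointPolicy:
    return EndpointPolicy(allowlist={sha256_hex(APPROVED_HMI)},
                          av_blocklist={sha256_hex(KNOWN_MALWARE)})


def walkthrough() -> dict:
    """Run the three samples through both controls and return the verdicts."""
    policy = build_policy()
    results = {
        "av_only_zero_day": policy.av_only(ZERO_DAY),       # allowed: the gap
        "layered_zero_day": policy.decide(ZERO_DAY)[1],     # not-allowlisted
        "layered_known_bad": policy.decide(KNOWN_MALWARE)[1],
        "layered_hmi": policy.decide(APPROVED_HMI)[0],
    }
    # Constructed alert from the passive monitor about the zero-day sample.
    policy.ingest_monitoring_alert({"verdict": "malicious",
                                    "sha256": sha256_hex(ZERO_DAY),
                                    "source": "passive-monitor"})
    results["zero_day_after_alert"] = policy.decide(ZERO_DAY)[1]
    return results


if __name__ == "__main__":
    for name, verdict in walkthrough().items():
        print(f"{name}: {verdict}")
```

The allowlist decides by hash here; production allowlisting products typically key on publisher signature or path as well, and the real work is building and maintaining the approved set for each asset, which is why Cho frames it as a redundant layer rather than a replacement for antivirus.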

OT environments also require additional considerations through compensating controls, Smith and Cho noted. When companies can only patch systems once or twice a year, virtual patching at the perimeter can protect against known vulnerabilities during the gap period.

Interdependency, meaning how security tools interact with OT systems and with one another, is another crucial factor. "Any cybersecurity tool should not negatively impact your OT critical assets," Cho warned. Tools should also share data: companies should be able to correlate physical access data with system events to identify threats, such as tracking who enters the control room to help determine who might have connected a device to a server.
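The control-room scenario just described, as an added example that is not part of the original article: a badge-reader log is replayed to work out who was inside the room that houses a server at the moment a USB device was attached to it. The host-to-room mapping, both log formats and every entry are constructed; a real deployment would read these from the access-control system and the endpoint agent.

```python
"""Correlating badge-reader (physical access) logs with endpoint events.
Added example; not Honeywell's code. The host-to-room mapping, the log
formats and all entries are constructed for the illustration."""
from datetime import datetime, timedelta

# Assumed mapping of hosts to the room whose door reader protects them.
HOST_ROOM = {"HMI-SRV-02": "CONTROL_ROOM_A", "HIST-01": "SERVER_ROOM_B"}

# Constructed badge-reader log: time, room, direction, badge ID.
BADGE_LOG = """\
2025-11-03T08:55:10 CONTROL_ROOM_A IN  E1042
2025-11-03T09:02:33 CONTROL_ROOM_A IN  E2210
2025-11-03T09:10:00 CONTROL_ROOM_A OUT E1042
2025-11-03T09:15:47 SERVER_ROOM_B  IN  E3001
2025-11-03T09:18:02 CONTROL_ROOM_A IN  E1777
"""

# Constructed endpoint events: time, host, event type, key=value fields.
SYSTEM_EVENTS = """\
2025-11-03T09:20:41 HMI-SRV-02 USB_ATTACH vid=0781 pid=5591 serial=4C530001
2025-11-03T10:05:12 HIST-01 USB_ATTACH vid=0951 pid=1666 serial=AA11
2025-11-03T10:30:00 ENG-WS-07 USB_ATTACH vid=0781 pid=5583 serial=ZZ99
2025-11-03T10:31:00 HIST-01 LOGON user=svc_backup
"""


def parse_badge(text):
    events = []
    for line in text.splitlines():
        ts, room, direction, badge = line.split()
        events.append((datetime.fromisoformat(ts), room, direction, badge))
    return sorted(events)


def parse_system(text):
    events = []
    for line in text.splitlines():
        ts, host, kind, *fields = line.split()
        attrs = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), host, kind, attrs))
    return events


def occupants(badge_events, room, at, lookback):
    """Badges inside `room` at time `at` that entered within `lookback`.
    A badge-in with no badge-out keeps the holder 'inside'; the lookback
    bounds how long a missed badge-out can keep someone on the list."""
    inside = {}
    for ts, r, direction, badge in badge_events:
        if r != room or ts > at:
            continue
        if direction == "IN":
            inside[badge] = ts
        else:
            inside.pop(badge, None)
    return sorted(b for b, t in inside.items() if at - t <= lookback)


def correlate(badge_text, system_text, lookback=timedelta(hours=2)):
    """For every USB attach, list who was in the host's room at that time.
    A host with no room mapping yields no candidates, which is itself a
    finding: no physical control covers that device."""
    badge = parse_badge(badge_text)
    findings = []
    for ts, host, kind, attrs in parse_system(system_text):
        if kind != "USB_ATTACH":
            continue
        room = HOST_ROOM.get(host)
        findings.append({
            "time": ts.isoformat(), "host": host, "room": room,
            "serial": attrs.get("serial"),
            "candidates": occupants(badge, room, ts, lookback) if room else [],
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(BADGE_LOG, SYSTEM_EVENTS):
        print(finding)
```

Two caveats a practitioner would add: badge data only narrows the list (tailgating and propped doors defeat it), and the USB event should be compared against a device allowlist by serial before anyone is questioned, since the first question is whether the device was authorized at all.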

Key cybersecurity takeaways

Beyond these key points, successfully securing OT environments requires a pragmatic approach grounded in organizational reality. In other words, companies must balance the ideal tool against total cost of ownership.

As an example, Smith said, "You can have the best tool on the market that will stop 100% of all attacks. But it takes 50 people to manage it. Can your organization hire 50 people to manage a bulletproof tool?"

That’s why, before investing in specific cybersecurity tools, industrial organizations should define the ‘crown jewels’ they want to protect most and understand their operational processes. For this reason, bottom-up approaches often work best in OT environments, starting with what key systems run operations and building protection layers around them.

Smith also highlighted the use of “tabletop” exercises to help identify vulnerabilities by walking through attack scenarios and working backward to identify access points and shared credentials. With these exercises, you can ask: What if someone accessed the cat cracker? From there you can determine that there are, for example, only three devices that are authorized to access it, and two shared credentials that 20 people know. This insight can help you begin to tighten your controls around those 20 people, two shared credentials and three devices, and to figure out a better way of controlling access.
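The working-backward step can be made mechanical once the access model is written down. The following is an added example for this article, not Honeywell's tool or method: it encodes a constructed version of the scenario (an asset, three authorized devices, two shared credentials known to 20 people), computes who actually has a path to the asset, who holds a credential without a path today, and how much each credential or device contributes, so the exercise ends with a ranked list of what to individualize or restrict first. Asset, device, credential and person names are all assumptions.

```python
"""Working backward from a critical asset: which people can reach it, through
which authorized devices and shared credentials, and which credential is the
one to individualize first. Added example; not Honeywell's code. Asset,
device, credential and person names are constructed."""

TARGET = "cat-cracker-dcs"  # constructed asset name

# Devices allowed through the network controls to reach TARGET (constructed).
AUTHORIZED_DEVICES = {"eng-ws-01", "eng-ws-02", "hmi-03"}

PEOPLE = [f"P{i:02d}" for i in range(1, 21)]  # 20 people, constructed

# Who can log on to each device (constructed). eng-ws-99 is NOT authorized.
DEVICE_USERS = {
    "eng-ws-01": set(PEOPLE[0:5]),
    "eng-ws-02": set(PEOPLE[2:6]),
    "hmi-03": set(PEOPLE[0:12]),
    "eng-ws-99": set(PEOPLE[12:20]),
}

# Shared credentials accepted by TARGET and who knows each (constructed).
CREDENTIAL_HOLDERS = {
    "ops_shared": set(PEOPLE),        # all 20 people know it
    "eng_shared": set(PEOPLE[0:5]),
}


def people_with_authorized_device(device_users=DEVICE_USERS,
                                  authorized=AUTHORIZED_DEVICES):
    return set().union(*(u for d, u in device_users.items() if d in authorized))


def reachable(credential_holders=CREDENTIAL_HOLDERS, device_users=DEVICE_USERS,
              authorized=AUTHORIZED_DEVICES):
    """People who know an accepted credential AND can use an authorized device."""
    know_a_cred = set().union(*credential_holders.values())
    return know_a_cred & people_with_authorized_device(device_users, authorized)


def latent_holders(credential_holders=CREDENTIAL_HOLDERS,
                   device_users=DEVICE_USERS, authorized=AUTHORIZED_DEVICES):
    """Know a credential but have no authorized device today: exposure that
    becomes a path the moment they borrow or are granted one."""
    know_a_cred = set().union(*credential_holders.values())
    return know_a_cred - people_with_authorized_device(device_users, authorized)


def credential_impact(credential_holders=CREDENTIAL_HOLDERS,
                      device_users=DEVICE_USERS, authorized=AUTHORIZED_DEVICES):
    """How many people lose their path to TARGET if a credential is retired.
    Zero means the credential is redundant with another shared one."""
    baseline = reachable(credential_holders, device_users, authorized)
    impact = {}
    for cred in credential_holders:
        remaining = {c: h for c, h in credential_holders.items() if c != cred}
        impact[cred] = len(baseline - reachable(remaining, device_users, authorized))
    return impact


def device_impact(credential_holders=CREDENTIAL_HOLDERS,
                  device_users=DEVICE_USERS, authorized=AUTHORIZED_DEVICES):
    """How many people lose their path if a device is de-authorized."""
    baseline = reachable(credential_holders, device_users, authorized)
    return {d: len(baseline - reachable(credential_holders, device_users,
                                        authorized - {d}))
            for d in authorized}


def tabletop_report():
    return {
        "target": TARGET,
        "reachable": sorted(reachable()),
        "latent": sorted(latent_holders()),
        "credential_impact": credential_impact(),
        "device_impact": device_impact(),
    }


if __name__ == "__main__":
    for key, value in tabletop_report().items():
        print(f"{key}: {value}")
```

In this constructed model 12 of the 20 credential holders have a live path; retiring the operations credential alone removes the path for 7 of them because the other 5 also hold the engineering credential, and the HMI is the single device whose removal changes the most, which is the ordering the exercise is meant to surface before any tool is bought.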

Cho and Smith concluded with four fundamental principles industrial companies should keep in mind as they approach cybersecurity:

  • There are no silver bullets — cybersecurity tools must work together. 
  • Understand your environment before shopping for tools, and especially before investing in and implementing them.
  • Build visibility, detection and response across layers to help separate attacks from authorized but atypical uses.
  • Simulate attacks to validate defenses. Smith emphasized the importance of investing in a laboratory for security testing here. It’s the only way to truly understand defensive boundaries in an environment where the consequences of failure extend beyond data loss to physical safety and operational continuity, he said.

About the Author

David Greenfield

Automation World

David Greenfield joined Automation World in June 2011. Bringing a wealth of industry knowledge and media experience to his position, David’s contributions can be found in AW’s print and online editions and custom projects. Earlier in his career, David was Editorial Director of Design News at UBM Electronics, and prior to joining UBM, he was Editorial Director of Control Engineering at Reed Business Information, where he also worked on Manufacturing Business Technology as Publisher.