A Risk Assessment Analysis to Enhance the Security of OT WAN with SD-WAN

Abstract

This paper introduces a comprehensive risk assessment of various wide area network (WAN) technologies as applied to Operational Technology (OT) infrastructures, thus uncovering which WAN technology is best suited for OT to mitigate the risks of Denial of View (DoV), Denial of Control (DoC), and Denial of Service (DoS). A new risk weight-based evaluation approach is proposed following NIST CSF and ISA/IEC 62443 standard risk scoring (RS). In this approach, RS was modified by introducing new risk metrics, namely, risk (Rn), mitigation (Mm), risk prioritization (WRn), and mitigation prioritization (WMm) to create a specialized probability formula to assess risks on OT WAN infrastructure. The proposed formula has been implemented to automate data analysis and risk scoring across nine WAN technologies. The obtained results demonstrated that software-defined wide area network (SD-WAN) has the best security features that even overshadow its vulnerabilities to perform not just as a WAN solution but as a security solution against DoV, DoC, and DoS. Furthermore, this paper identifies and highlights what to prioritize when designing and assessing an SD-WAN setup. In addition, this paper proposes an SD-WAN-based architecture to reduce DoV, DoC, and DoS risks.

1. Introduction

The adoption of Industry 4.0 marks a new phase of digital transformation in manufacturing companies. This change involves using new technologies and innovations to improve manufacturing processes through automation and smart technologies [1] (pp. i-412). The benefit of this industrial transformation is that it offers better performance and scalability in manufacturing industries. Small to large enterprises yield an increase in efficiency, productivity, and quality of output, which in turn directly or indirectly help in cost management for manufacturing companies [2] (pp. 1415–1420). What entices the move to adopt Industry 4.0 are the benefits of seamless integration of physical and digital components using technologies like cyber-physical systems (CPSs), the Internet of Things (IoT), and robotics. This integration provides better predictability allowing more control and easier data management. This is made possible by technologies like big data analytics, cloud computing, and cybersecurity to optimize operations and decision-making further. The adoption of this emerging technology shows how important data are and how critical it is for the industry revolution. The increasing connectivity and data exchange in Industry 4.0 systems emphasize security to data privacy being crucial [3] (pp. 2797–2810). Sensitive data can be stolen or be rendered unusable if left unprotected. While improved connectivity and real-time data exchange between operational technology (OT) and IT systems enhance the OT availability, they also expand the threat landscape, exposing these systems to new security risks [4].

OT differs in security priorities compared to IT which focuses on safety, availability, and integrity (SAI) as opposed to the CIA Triad [5]. The SAI has been derived from the security lifecycle for Industrial Automation and Control Systems (IACS) [6]. Given that it shows how critical availability is, failing it imposes risk on both the safety and integrity of the industrial control systems (ICS )and cyber physical systems (CPS) [7]. Thus, it is important to understand how denial on ICS and CPS works. There are three denial attacks on ICS and CPS based on MITRE | ATT&CK which are Denial of Control (DoC), Denial of Service (DoS), and Denial of View (DoV) [8,9,10]. DoV disrupts the monitoring of ICS and CPS environments. This attack remains unnoticeable and recovers to normal once the adversary has completed the motive [11]. DoC prevents ICS and CPS operators from interacting with the process controls, leaving it momentarily unmanageable during the said attack [12] (pp. 249). The most crucial is DoS, which disrupts expected or natural device functionality and, in the worst case, would lead to ICS and CPS Permanent Denial of Service (PDoS) since IPS/ICS devices are sensitive to environmental change and can easily be manipulated [13,14].

To achieve near 100% availability, ICS and CPS will need to implement several critical strategies and best practices developed from established standards. For example, ensure that important components have backups that can take over in case of failure through the use of redundant systems and data storage, as well as the use of redundant pathways of communication to avert a single point of failure [15]. Additionally, the design of fault-tolerant systems results in continuous operation even if some of the components fail; this makes the network resilient to unanticipated downtime [16]. Equipment downtime can be significantly minimized with regular maintenance checks, this ensures that systems are maintained with up-to-date security patches against known vulnerabilities [17,18] (pp. (437–465). Another best practice is to divide a network into segments so it can contain breaches and limit their impact [16,19,20,21,22,23,24]. Network segmentation should isolate critical systems from IT networks, thus further limiting the adversary’s entry-point to OT either on public or corporate IT networks [8,9,10,25]. Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs) deployments do provide consistent tracking of system activity and network traffic [26,27] (pp. 18–28). High system availability can be maintained by effectively responding to and mitigating incidents by utilizing a well-prepared and -maintained incident response plan, which is also frequently updated based on past incident resolutions [19]. Access to systems having critical information can also be restricted by deploying strong access controls, including role-based access controls (RBACs) [28,29] (pp. 185–233). For instance, multi-factor authentication (MFA) is what helps to limit access to any data-sensitive systems by authorizing only a few individuals who are truly required to access the device, thus enhancing security and minimizing the risk of unauthorized access and other possible disruptions [19,28,29] (pp. 185–233). Ongoing security training for employees should include policies, procedures, and incident response in relation to security. Promoting security awareness also makes sure that all staff members are aware of their responsibilities for upholding security and are knowledgeable of prominent threats [30,31] (pp. 133–144), [32] (pp. 289–296).

1.1. Existing Limitations

Manufacturing businesses operate in remote areas, which makes status visibility and data backup difficult. When exploited, these vulnerabilities may result in DoV (Technique T0815), DoC (Technique T0813), and, worse, DoS [8,9,10,11,12]. Threats include possible natural disasters and other unfavorable events in addition to cyberattacks, which could prevent the provisioning of manufacturing services. Available options at this time, such as integration with third-party networks, are reliant on the provider’s accessibility in the region and may require the private entity’s willingness to give up control over OT traffic management to a third party or vendor. Data integrity may be jeopardized by possible third-party issues [33] (pp. 47–54), [34] (pp. 4543–4572), [35] (pp. 680–693).

The research community has been actively exploring both software-defined network (SDN)-based network security and the security of the SDN architecture, as highlighted in [36]. Additionally, cybersecurity mechanisms within software-defined wide area networks (SD-WAN) architectures have been examined, comparing private and open-source solutions [37,38]. However, to the best of our knowledge, and as will be discussed in the Related Works Section, existing research primarily focuses on the CIA triad and IT infrastructure, without adequately assessing the effectiveness of SD-WAN in mitigating prevailing cybersecurity risks within OT infrastructure. Moreover, current studies rely on simulation tools to evaluate the security capabilities of SDN and SD-WAN, focusing on their functionalities rather than mapping them to OT-specific risks. Most SDN studies concentrate on LAN traffic analysis, whereas this paper emphasizes SAI and the risks associated with extending OT infrastructure using WAN technology. In other words, this paper highlights the importance of analyzing a reliable and secure OT WAN infrastructure for data management and visibility across remote manufacturing sites.

1.2. Contributions

The purpose of this paper is to investigate the risks and current mitigation (mitigation is defined as risk mitigation for OT WAN mitigating risks on DoV, DoC, DoS) efficiency of using SD-WANs, a manufacturing-owned cloud network, to increase the security and availability of OT Networks with a focus on DoV, DoC, and DoS attacks. In this paper:

• A new risk assessment approach is introduced based on NIST CSF and ISA/IEC 62443 standards. The proposed risk-scoring approach allows for predicting risk based on security standard requirements and present vulnerabilities.
• A program has been implemented to automate the scrutinization of eight different WAN technologies against SD-WAN to understand the possible gaps of an OT WAN infrastructure and highlight the security advantages of using SD-WAN to secure such infrastructure. The selected technologies are Satellite WAN, LoRaWAN, Private LTE/5G Networks, MPLS (Multiprotocol Label Switching), Leased Line, DMVPN (Dynamic Multipoint Virtual Private Network), IPSec VPN (Internet Protocol Security Virtual Private Network), and VPLS (Virtual Private LAN Service).
• The suitability of all studied WAN technologies in terms of risks and mitigations related to DoC, DoV, and DoS attacks is highlighted.
• Two designs of an OT-WAN-based network using SD-WAN and following the PURDUE model are introduced.

1.3. Paper Organization

The rest of this paper is organized as follows: Section 2 discusses the related works and highlights the gap in the literature pertaining to SD-WAN’s actual effectiveness compared to existing OT WAN, with a focus on security. Section 3 describes the background underpinning the OT risk-assessment framework and contributes to the proposed approach. Section 4 explains the methodology of how our proposed risk-scoring mechanism tests and calculations have been carried out to compare the nine selected OT WAN technologies. Section 5 illustrates the findings. Finally, Section 6 concludes the paper.

2. Related Works

SD-WAN is recognized in OT networks since it is among the major enablers of IT infrastructures [39] (pp. 1–9). SD-WAN ensures safe, uninterrupted operations while providing protection against cyber threats [40]. As a result, it enhances the availability of ICS and CPS, which is essential for advancing along the Industry 4.0 path. A key advantage of SD-WAN is its ability to provide centralized security management, enabling consistent application and real-time monitoring of security policies across all network segments. This ensures that there is no extended exposure to potential threats [40,41] (pp. 14–76). Further, SDN, a parent category of SD-WAN, eases network segmentation by isolating critical ICS/CPS components, helping contain lateral attackers’ movement in line with industry standards [42]. This includes integrating security features into SD-WAN, such as next-generation firewalls, secure web gateways, and anomaly traffic detection for comprehensive security coverage [43]. SD-WAN also offers advanced threat detection and response capabilities, including IDS, IPS, and real-time threat intelligence, enabling effective cyber-attack detection and prevention. Additionally, SD-WAN platforms provide real-time analytics and access to threat intelligence feeds, facilitating proactive threat management [23,24]. Data-in-transit are further secured with encrypted tunnels and a zero-trust model, ensuring only authenticated and authorized entities can access resources or network traffic. To safeguard against tampering, SD-WAN employs authentication certificates and mutual TLS encryption, strengthening communication security and ensuring network integrity. Furthermore, SD-WAN configurations are secured through profiles managed by a cloud controller, preventing unauthorized configuration changes on physical or edge devices. This ensures that only centrally authorized and managed configuration modifications are allowed, effectively mitigating the risk of local tampering [21,22].

2.1. SDN-Related Research

Most existing SDN papers have explored or demonstrated the capabilities of SDN in modern networks.

2.1.1. SDN Non-Security Related

A study on SDN emphasized the use of SDN programmability to achieve network traffic redundancy by connecting multiple data centers for high availability, rather than relying on numerous links from different internet service providers, and by establishing a centralized controller [44] (pp. 479–484). Another paper proposed utilizing a multipath routing technique within an SDN, which was simulated on a small network to demonstrate SDN’s faster reaction time and programmability compared to static routes, dynamically responding to network topology changes during unexpected events or disasters [45] (pp. 478–483). Additionally, the study in [46] (pp. 1–6) focused on SDN-based communication in Smart Grids, highlighting features such as global/local traffic management and application-aware routing. This research introduced the concept of intelligent electronic devices to facilitate efficient data exchange in power line communication distribution networks.

2.1.2. SDN Security Related

The study in [47] (p. 258) focused on the security features of SDN and its deployment in IT/OT-converged networks, particularly IoT environments. The authors explained how SDN responds to DDoS attacks by utilizing dynamic network routing and programmability to assist in decision-making during such incidents [47] (p. 258). Another notable paper proposed to construct an SDN backup and restoration solution to enhance the readiness of organizations to recover from cyber-attacks. The SDN solution was configured within a local area network (LAN), and the backup scheme was simulated using Ryu Controllers within local network premises, with plans to improve it for future applications in wide area and cloud networks [48] (pp. 241–246).

2.2. SD-WAN-Related Research

2.2.1. SD-WAN Non-Security Related

As SDN gained popularity, the need arose to extend the network design to cloud environments and expand its reach across wider WANs. This demand led to the development of SD-WAN, which has since become the focus of numerous studies examining its performance and compatibility with evolving networks. Through a systematic review, the authors in [36] compared the architecture of SD-WAN with that of legacy WANs, providing insights into how SD-WAN overcomes the limitations of traditional networks in response to market demands and emerging network techniques and protocols. Another paper introduced a backup and recovery mechanism utilizing SD-WAN, proposing a method for Distributed Data Backup and Recovery (DDBR). The suggested SD-WAN configuration is implemented across multiple network switches for backing up control plane data [49]. Another backup scheme examines load-balancing optimization of WAN links through OpenNetMon, an open-source dashboard, to enhance bandwidth utilization and facilitate traffic engineering. This article provides an in-depth analysis of SD-WAN features and showcases its effective data backup capabilities [50]. With the increasing demand for cloud networks, the application of SD-WAN in these environments has become widespread. Consequently, one study examined how effectively SD-WAN can enhance network connectivity through its flexibility, scalability, and improved security related to traffic-routing optimization. Another study evaluated the efficiency of SD-WAN in resource provisioning and green energy scheduling within multi-cloud environments [48,51] (pp. 5645–5656).

2.2.2. SD-WAN Security Related

The authors in [36] compared two SD-WAN solutions—Flexiwan and Fortinet—to evaluate their cybersecurity mechanisms in response to common attacks such as man-in-the-middle, DoS, and brute force. The paper concludes that commercial solutions provide superior cybersecurity mechanisms and mitigations. On the other hand, the authors in [37] compared various open-source SD-WAN solutions—Flexiwan, OPNSense, and pfSense—and found that while all three provide comprehensive security features, they also have vulnerabilities that can be addressed. The study in [52] (pp. 1981–1986) explored the applications of SD-WAN within an OT network, emphasizing the use of physical isolation, symmetric key encryption, automated data transfer, and VPNs. The authors underscore the importance of network segregation, point out that certain servers and computers contain sensitive information, and highlight the roles of symmetric key encryption and dynamic data routing in automated data transfer.

2.3. Analysis

While the above- mentioned studies offer valuable insights that contribute to today’s research, there is a significant gap in comprehensively analyzing SD-WAN and assessing its effectiveness as a security solution for OT infrastructure, rather than merely viewing it as a network device. Moreover, the existing research primarily employs simulations using various tools to analyze SD-WAN. This paper will evaluate whether SD-WAN is sufficiently efficient as a security solution for OT networks through a security risk assessment, considering the advantages and disadvantages of an extended OT infrastructure in a cloud environment. Additionally, this paper includes a systematic evaluation of selecting a risk management framework tailored to OT, which will be used to test multiple WAN security solutions and identify key variables to consider when choosing a network security solution to enhance the OT WAN infrastructure and bolster security for ICS and CPS.

2.4. Existing Risk-Scoring Techniques

We summarized the different risk-scoring methods in

Table 1. Comparison of the different related risk-scoring techniques.

Technique	Advantages	Disadvantages	Application in OT	Formula Granularity and Approach	Risk Score Scaling	Includes Risk and Mitigation Scoring	Per Asset Assessment	Predictive Risk Score Analysis
Proposed Risk Scoring (OT WAN Risk Scoring)	Provides comprehensive and granular approach in identifying risk severity and mitigation effectiveness present per WAN device when used in OT.	Focus only on the OT WAN devices.	Efficiently calculate the risks in WAN technologies when used in OT.	Yes— (Detailed in the next sections).	Yes	Yes	Yes	Yes
FTA/ETA	Identifies root causes and potential failure sequences which is good for incident prediction and risk reduction.	Requires detailed knowledge of failure probabilities, which may be hard to quantify.	Applied in OT for predictive analysis of failures and to model cascading impacts on operations.	No— Probability of Top Event = Product of probabilities of all contributing events	Yes	Yes	Yes	Yes
FMEA	Structured, systematic approach; helps prioritize risks based on severity, occurrence, and detectability; useful for identifying critical failure modes.	Can be subjective; requires detailed analysis; time-consuming to implement across large systems.	Used in OT to assess potential failure modes of equipment and processes.	Yes— RPN = Severity × Occurrence × Detectability.	Yes	No	Yes	No
QRA	Provides numerical results that support cost–benefit analysis and decision-making; useful in high-risk industries for precise risk quantification.	Requires substantial data and statistical expertise; can be time-consuming and resource intensive.	Applied in safety-critical OT environments such as oil and gas, chemical, and nuclear sectors.	Yes— Probability of Occurrence × Impact; uses statistical models and probabilistic analysis.	Yes	No	No	Yes
CVE-Based Scoring (CVSS)	Widely recognized; standardized scoring; adaptable for OT with environmental modifications.	May not fully capture OT-specific risks like physical safety or operational impact without modification.	Used to evaluate vulnerabilities with environmental modifications to better reflect OT-specific impacts.	No— CVSS Score = Base Score × Temporal Score × Environmental Score	Yes	No	Yes	Yes
Threat Likelihood and Impact Matrix (Risk Matrix)	Simple visualization of risk; easily understood; allows for prioritization.	Can oversimplify risk; subjective scoring may lead to inconsistencies in results.	Commonly used in OT for its straightforward approach to evaluating and prioritizing risks.	Yes— Risk Score = Likelihood × Impact	Yes	No	No	Yes
HAZOP	Identifies potential hazards and operability issues systematically; highly detailed and structured; widely recognized in process industries.	Requires expert knowledge; can be labor-intensive; qualitative, making numerical comparisons hard.	Commonly used in chemical, oil and gas, and other process industries for hazard analysis.	No— Uses guide words to identify deviations; no direct scoring formula.	No	Yes	No	No
Bow-Tie Analysis	Provides clear visualization of threats and mitigation paths; focuses on prevention and mitigation measures.	Time-consuming to create and interpret; lacks numerical scoring, making comparisons difficult.	Useful in OT for visually mapping cause-effect relationships and mitigation measures in critical systems.	No— Scoring based on risk scenario analysis with predefined preventive and mitigative measures (No direct formula)	No.	Yes	No	No
MITRE ATT&CK for ICS Framework	Maps specific OT attack vectors; highly granular; assists in identifying targeted threats.	No standard numerical scoring; qualitative; requires expert knowledge to interpret results.	Highly specific to OT, providing detailed insights into attack vectors and security control gaps.	No— Scoring based on observed tactics, techniques, and procedures (TTPs) using a scoring rubric.	No	No	No	No

. This evaluation aims to identify the effectiveness and gaps in current risk-scoring techniques that can be adapted for extending OT WANs. The comparison focuses on different risk-assessment functionalities, including the availability of a ready-to-use formula, existing risk-score-scaling techniques, the incorporation of risk with mitigation scoring, asset-specific assessments, and predictive risk analysis.

Fault Tree Analysis (FTA) and Event Tree Analysis (ETA) method can predict failures based solely on design, without the need for physical components, by analyzing single failure paths for each asset or event [53] (pp. 83781–83793), [54].

Failure Modes and Effects Analysis (FMEA) prioritizes risks using risk priority numbers but primarily focuses on identifying failures rather than mitigating events. While it performs detailed analysis per asset, it tends to be retrospective and is not typically employed for predictive risk assessments [55] (p. 106480), [56].

Quantitative risk analysis (QRA) applies numerical scaling to assess probability and impact, concentrating on quantifying risk rather than detailing mitigation. QRA usually evaluates scenarios that encompass more than single assets while offering predictions using statistical and probabilistic models [57] (pp. 127–139).

CVE-based scoring or CVSS assigns scores ranging from 0 to 10, with higher scores indicating greater risk. This method evaluates vulnerabilities specific to each asset without considering mitigations, making it suitable for predictive analysis based on known vulnerabilities, which may be vendor-dependent [58] (pp. 353–356), [59] (pp. 4486–4495).

The Risk Matrix is a threat likelihood and impact matrix that operates on a scale from 1 to 25. It primarily assesses risks without explicit mitigation and can be applied for predictions in hypothetical scenarios [60] (pp. 29775–29818).

Hazard and Operability Study (HAZOP) is used for qualitative risk assessment, classifying risks descriptively instead of numerically. It includes safeguard ratings but is generally applied at a system-wide level rather than for individual assets and is not suited for predictive analytics without modifications [61] (pp. 266–279), [62].

Bow-Tie Analysis does not provide direct scoring; instead, it visually represents threats and mitigation measures, displaying them graphically. It broadly maps threats rather than focusing on individual assets, making it more appropriate for mapping existing systems rather than for predictive analysis [63].

The MITRE ATT&CK for ICS Framework does not offer numerical scores, but it does provide a qualitative or descriptive severity scale for various attack techniques. It does not aim to assess the vulnerability of specific assets but rather offers mitigation strategies for identified attack techniques. Designed for operational scenarios, it is not ideally suited for predictive modeling without further component analysis [64] (pp. 1–6), [65] (pp. 1–6).

In summary, current risk-scoring techniques lack a detailed approach for calculating risk while accounting for mitigation factors specific to each WAN device. Most existing methods do not offer predictive risk scoring to evaluate risks and mitigations when a WAN device is deployed in OT, which is crucial during the planning phase before acquiring such devices. This paper proposes a new risk-scoring method to address these limitations. While FTA/ETA is the closest existing technique, it does not provide guidance on how to compute probability variables or how mitigation factors influence risk scoring. This paper will also rectify these issues through the proposed risk-scoring method.

3. Background

3.1. OT Risk Management Frameworks

Critical systems have several notable risk management frameworks in the OT cybersecurity field, which are structured methodologies for securing ICS and CPS. The most popular include the NIST Cybersecurity Framework (CSF), ISO/IEC 27001, ISA/IEC 62443, and NERC CIP. Each of these frameworks has distinct strengths in terms of what aspects of cybersecurity they are designed to help with; in the case of OT environments, NIST CSF and ISA/IEC 62443 are quite popular since they are considered broad and detailed [66] (p. 101677), [67] (pp. 59–72).

The NIST Cybersecurity Framework allows for a broad and flexible approach to cybersecurity by equally covering IT and OT environments. It structures five major core components around the actions of Identify, Protect, Detect, Respond, and Recover. This ensures that risks are well understood and managed in a comprehensive manner and permits an organization to adjust the framework to suit its needs. This allows NIST CSF to be very flexible and have a very wide acceptance base in different industries. These elements also position NIST CSF as applicable in diverse and ever-evolving threats found in OT environments, where flexibility and comprehensiveness in risk management can serve well [17,68].

ISO/IEC 27001 is an internationally accepted standard that gives a rigorous, structured approach to managing information security. Its core component, the Plan–Do–Check–Act cycle, maintains a uniform process of managing and enhancing information security. While ISO/IEC 27001 is largely IT-oriented, its vast documentation depth and compliance requisites can be applied to OT through large efforts. Compliance with several global regulations makes it widely applicable for organizations seeking international compliance. However, its concentration on IT and implementation complexity make the framework less liked by OT users compared to NIST CSF and ISA/IEC 62443 [69].

ISA/IEC 62443 is specifically tailored to address the challenges associated with securing OT (ICS/CPS) systems, which come with unique requirements. The framework is divided into several parts that offer guidelines on various security aspects in ICS, including general concepts, policies and procedures, system requirements, and component requirements. This level of detailed technical guidance ensures that the security requirements for individual components and overall systems are thoroughly developed and robust. The lifecycle approach of ISA/IEC 62443 facilitates ongoing security enhancements from design through operation and maintenance, making it particularly effective for the OT environment, which necessitates specialized security controls. Another notable strength of this framework is its strong sectoral focus, making it highly valued in industries that utilize OT [70].

NERC CIP standards are applicable and mandatory for the whole North American energy sector, focusing on the security of electric utilities. The scope of the standards involves everything from identification of assets to the management of security, personnel training, electronic and physical security, system security management, and even incident reporting. While NERC CIP provides detailed and specific directives regarding its guidelines, its functionality and mandates are exclusively applicable to the energy sector. This targeted nature makes the framework less suitable for use in other OT environments. However, its prescriptive compliance guarantees high levels of security and reliability specifically within its designated sector [71].

In summary, NIST CSF and ISA/IEC 62443 are more inclined toward industrial systems, making them inclusive, flexible, and better suited in an OT environment. While it is broad in applicability and has an emphasis on betterment, NIST CSF allows itself to be tailored toward various industries. In turn, ISA/IEC 62443 elaborates on detailed technical standards, arming it with solid security protocols meant explicitly for OT. Lastly, even though ISO/IEC 27001 is globally accepted and has a structured approach, its best application is when IT environments are addressed alone. In turn, NERC CIP is more sector-specific, relating solely to the energy sector, and it lacks such broad applicability as NIST CSF and ISA/IEC 62443.

Table 2. Comparison of the different frameworks.

Feature	NIST CSF	ISO/IEC 27001	ISA/IEC 62443	NERC CIP
Focus	Broad, includes IT and OT	Primarily IT, with some OT applications	Specific to ICS and OT	Specific to the energy sector
Core Components	Five Functions: Identify, Protect, Detect, Respond, Recover	Plan-Do-Check-Act (PDCA) cycle	Various parts for different aspects of ICS security	CIP Standards
Industry Adoption	Widely adopted across multiple industries	Widely adopted, especially in IT	Increasing adoption in industrial sectors	Mandated for North American electric utilities
Flexibility	High, adaptable to various industries and organizations	Moderate, less tailored for OT	Moderate, tailored for ICS but can be complex	Low, highly specific to the energy sector
Regulatory Alignment	Aligns with various regulations and standards	Aligns with ISO standards and some regulations	Aligns with IEC standards and some regulations	Aligns with energy sector regulations
Implementation Complexity	Moderate, with clear guidelines and best practices	Moderate to high, requires significant documentation	High, detailed and technical	High, detailed and sector-specific
Support for ICS/OT	Strong, with NIST SP 800-82 providing specific guidance	Limited, more IT-focused	Strong, specifically designed for ICS/OT	Strong, but specific to the energy sector
Continuous Improvement	Emphasizes continuous improvement through core functions	Emphasizes continuous improvement through PDCA	Supports continuous improvement through lifecycle approach	Emphasizes compliance and periodic review
Documentation and Resources	Extensive, including detailed guidelines and case studies	Extensive, but often more general	Extensive, technical focus	Extensive, but very specific
Global Recognition	High, especially in the U.S. and globally	High, globally recognized	Growing, recognized in industrial sectors	High, but limited to the energy sector

summarizes the differences between the above-mentioned frameworks.

3.2. OT WAN Device Risk Identification and Mitigation

Availability risks in WAN devices with respect to OT infrastructure must be identified and mitigated. This section gives a description of the several techniques to identify and mitigate OT WAN device risks. One of the major vulnerabilities in WAN devices, according to NIST, includes firmware exploits. Under ID.RA-1 in the NIST Cybersecurity Framework, it is stated that vulnerabilities to known threats should be collected, correlated, and communicated [19]. Similarly, ISA/IEC 62443 stipulates that systems should be designed to minimize exposure to these device vulnerabilities. Another notable risk is through attack surfaces caused by unrecorded devices, nonstandard configurations, enabled unused protocols, and external access exposure. NIST CSF ID.AM-2 indicates the need for an inventory of software platforms and applications in an organization [19]. ISA/IEC 62443 3-3 SR 7.3 also emphasizes the importance of reducing attack surfaces to a minimum [6]. Zero-day vulnerabilities can also be directly attributed to the firmware or software of devices. NIST CSF DE.CM-4 emphasizes the importance of the device’s ability to detect malicious code, and ISA/IEC 62443 4-1 SR 1.4 establishes the same security management in mitigating this risk [6,19].

Additional considerations include the incident impact when a device is down. NIST CSF ID.BE-5 addresses the identification of resilience requirements to support critical services [19]. ISA/IEC 62443 2-1 SR 2.6 suggests that an analysis of the consequences of such incidents should be conducted as part of the process [6]. Third-party dependency, where an organization may depend on external software or hardware, can also be a risk. NIST CSF ID.SC-1 implies that identifying and evaluating suppliers and partners should be included in the risk assessment process [19]. A similar recommendation from ISA/IEC 62443 2-4 SR 1.1 is that dependencies on third parties should be documented or recorded [6]. Hardware failure risks must be considered, and NIST CSF PR.DS-4 proposes that there should be enough capacity to support availability in case of hardware failure [19]. Similarly, ISA/IEC 62443 3-3 SR 7.4 states that system designs should be resistant to hardware failures [6]. Physical protections against environmental risks, such as the ability of the device to withstand temperature and humidity, are addressed in NIST CSF PR.PT-5 and ISA/IEC 62443 3-3 SR 5.1, respectively [6,19].

Another notable risk is human error, such as misconfigurations, which can be mitigated through response and recovery plan testing guided by NIST CSF PR.IP-9 and ISA/IEC 62443 2-4 SR 3.1, and effective training [6,19]. Software-related risks must be patched to prevent firmware complications. According to both NIST CSF PR.IP-12 and ISA/IEC 62443 3-3 SR 7.5, this requires support for vulnerability and update management [6,19]. Access control risks are associated with the management of user access and permissions. NIST CSF PR.AC-1 involves the identity and credential management process [19], while ISA/IEC 62443 3-3 SR 1.1 ensures capabilities for user authentication are in place [6]. Communication network risks, which depend on both the availability and integrity of information, can be mitigated through NIST CSF PR.PT-3 and ISA/IEC 62443 3-3 SR 3.2 to protect system access and communications [6,19]. These mitigation strategies involve deploying security devices and solutions, including firewalls and encryption, which are addressed in NIST CSF PR.IP-3 and ISA/IEC 62443 3-3 SR 3.1 [6,19]. Implementing redundancy and failover capabilities as stated in NIST CSF PR.DS-4 and ISA/IEC 62443 3-3 SR 5.2 [6,19] are crucial to OT infrastructure. The effectiveness of policy and configuration management is observed in NIST CSF PR.IP-1, along with ISA/IEC 62443 3-3 SR 1.8, providing guidelines for maintaining baseline configurations [6,19]. Staying up to date with current threat intelligence is essential, as implied by both NIST CSF DE.DP-4 and ISA/IEC 62443 4-1 SR 1.8, which is necessary for effective threat management. Security awareness training, guided by NIST CSF PR.AT-1 and ISA/IEC 62443 2-4 SR 3.1, aim to reduce human errors [6,19]. This is further supported by various NIST CSF and ISA/IEC 62443 guidelines in implementing resource budget management, compliance with regulations, business continuity, and backup solutions.

In summary, assessing risks and mitigating risks for WAN devices in OT infrastructure involves a comprehensive approach guided by frameworks like NIST CSF 2.0 and ISA/IEC 62443. These frameworks provide detailed guidelines to identify vulnerabilities, minimize risks, and ensure robust security measures, contributing to the overall resilience and reliability of OT systems. Those frameworks provide clear guidelines about the identification of weaknesses, risk reduction, and ways to assure strong security levels among other resiliency features and dependability of OT systems.

Table 3. OT WAN device risks identification and mitigations per framework.

Category	Risks/Mitigations	NIST CSF	ISA/IEC 62443
OT WAN Device Risk	Vulnerability Risks	ID.RA-1	3-3 SR 7.7
	Attack Surface Risks	ID.AM-2	3-3 SR 7.3
	Zero Day Existing Risks	DE.CM-4	4-1 SR 1.4
	Incident Risk Impact when Down	ID.BE-5	2-1 SR 2.6
	Third-Party Dependencies	ID.SC-1	2-4 SR 1.1
	Hardware Failure Risks	PR.DS-4	3-3 SR 7.4
	Environmental Risks	PR.PT-5	3-3 SR 5.1
	Human Error Risks	PR.IP-9	2-4 SR 3.1
	Software Update Risks	PR.IP-12	3-3 SR 7.5
	Access Control Risks	PR.AC-1	3-3 SR 1.1
	Communication Network Risks	PR.PT-3	3-3 SR 3.2
OT WAN Risk Mitigation	Security Measures within the Device	PR.IP-3	3-3 SR 3.1
	Network Configuration Fault Tolerance	PR.DS-4	3-3 SR 5.2
	Policy Management and Configuration Management	PR.IP-1	3-3 SR 1.8
	Capability for Threat Intelligence and Updates	DE.DP-4	4-1 SR 1.8
	Security Awareness	PR.AT-1	2-4 SR 3.1
	Resource Budget	ID.GV-2	2-1 SR 2.3
	Regulatory Environment Compliance	ID.GV-3	4-2 SR 1.1
	Business Continuity	PR.IP-4	3-3 SR 5.3
	Detection of Attack Attempts	DE.CM-1	4-2 SR 2.7
	Backup and Recovery Solutions	PR.IP-4	3-3 SR 5.5
	Access Control Policies	PR.AC-3	3-3 SR 1.6
	Encryption and Data Protection Measures	PR.DS-1	3-3 SR 4.3
	Patch Management Processes	PR.IP-12	3-3 SR 7.5
	Compatibility with SIEM Systems	DE.DP-4	4-2 SR 2.7
	Network Segmentation	PR.AC-5	3-3 SR 3.1
	Redundancy and Failover Mechanisms	PR.DS-4	3-3 SR 5.2
	Third-Party Vendor Risk Management	ID.SC-1	2-4 SR 1.1

summarizes OT WAN device risks identification and mitigations per framework. The identified risks and mitigations serve as the factors used in the proposed risk scoring calculation.

4. Proposed Risk-Assessment Approach

The first aim of this paper is to raise the availability of OT infrastructure and secure it against DoV, DoC, and DoS attacks by extending it to a WAN technology. The second aim is to evaluate the risks associated with the proposed extension and highlight which WAN technology is more appropriate in terms of security. The proposed risk-scoring (RS) method is based on a military risk management called Composite Risk Management (CRM), which identifies hazards from assets and develops controls prioritization to be supervised and reviewed in a cycle process [72]. NIST is the main framework to be used in the proposed RS method, which independently calculates WAN technology risk score instead of assessing the infrastructure as a whole (details are in Section 4.3). The proposed methodology is intended to complement, rather than replace, the existing risk metric calculation standards by specifically focusing on OT WAN risk assessment. The proposed risk scoring (RS) calculation method incorporates both qualitative and quantitative values. Qualitative values are derived from risk variables, as each OT infrastructure will experience different occurrences of risk, which also applies to mitigation variables [60] (see Section 4.2 for more details). The quantitative aspect of the calculation represents the actual risk score, which is the total value of risk determined based on the qualitative variable assumptions. Equation (1) represents the proposed RS calculation approach, where RS is the average sum of the total weighted risks (WRt) and the total weighted mitigations (WMt).

$$RS={\displaystyle \frac{WRt+WMt}{2}}$$

(1)

WRt is calculated as the sum of the weight assigned to a risk factor multiplied by the risk factor value, as depicted in Equation (2). On the other hand, WMt is calculated as the sum of weight assigned to a mitigation factor multiplied by the mitigation factor value, as depicted in Equation (3). Details about Rn and Mn variables are in Section 4.2. After substitution, RS is calculated according to Equation (4), where n and m represent the risk and mitigation factors, respectively. n and m variables track the number of existing risks in the given WAN solution and their corresponding mitigation features designed to counteract those risks.

$$WRt={\sum }_{n=1}^x\left(WRn\left)\right(Rn\right)$$

(2)

$$WMt={\sum }_{m=1}^y\left(WMm\left)\right(1-Mm\right)$$

(3)

$$RS={\displaystyle \frac{1}{2}}\left[{\sum }_{n=1}^x\left(WRn\left)\right(Rn\right)+{\sum }_{m=1}^x\left(WMm\left)\right(1-Mm\right)\right]$$

(4)

In the following sections, we will present details for every component in Equation (4).

4.1. OT Risks and Mitigations Prioritization and Priority Weighting

Prioritizing the risks to implement the mitigation process chronologically based on severity is essential. This is needed to properly scale implementation progress and to measure effectively the efficiency of the deployed solution. It is best to align it with the recommendations in NIST SP 800-82 Rev. 3, which provides guidance on securing OT systems while addressing unique performance, reliability, and safety requirements. It also incorporates the principles from ISA/IEC 62443, which focuses on securing industrial automation and control systems by managing risks associated with these environments [19,73].

Table 4. OT WAN risks prioritization and weight values.

Priority Level	Risks	${\mathit{S}}_{\mathit{D}\mathit{o}\mathit{V}}$	${\mathit{S}}_{\mathit{D}\mathit{o}\mathit{C}}$	${\mathit{S}}_{\mathit{D}\mathit{o}\mathit{S}}$	Combined Score	Weight (WRn)	Description
High Priority	Access Control Risks	5	5	4	100	0.1484	Crucial in preventing the unauthorized access to systems and devices, which can make way for serious security breaches.
High Priority	Communication Network Risks	5	5	5	125	0.1855	It is necessary to provide safe and reliable paths for communication in OT settings.
High Priority	Vulnerability Risks	5	4	5	100	0.1484	The top responsibility is the identification and addressing of known vulnerabilities that attackers can exploit.
High Priority	Zero Day Existing Risks	4	4	4	64	0.095	There could be unknown vulnerabilities that may be exploited by new attacks, which are unexpected; this unverified vulnerability is in urgent need of fixing.
High Priority	Incident Risk Impact when Down	4	4	5	80	0.1187	Ensuring minimal disruption and quick recovery during incidents to maintain operational continuity.
Medium Priority	Software Update Risks	4	5	2	40	0.0593	This is important for the management of risks associated with applying software updates, which can add new vulnerabilities or incompatibility issues.
Medium Priority	Hardware Failure Risks	2	5	5	50	0.0742	Addressing potential failures in hardware that could disrupt operations or compromise security.
Medium Priority	Attack Surface Risks	4	4	3	48	0.0712	Reducing the number of potential entries points that attackers can exploit.
Medium Priority	Third-Party Dependencies	3	3	3	27	0.0401	Managing risks associated with reliance on external vendors and service providers.
Medium Priority	Human Error Risks	4	4	2	32	0.0475	Mitigating risks arising from human mistakes that can lead to security incidents.
Low Priority	Environmental Risks	2	2	2	8	0.0119	Consideration to environmental factors that may affect the physical and operational integrity of OT systems.
					674	1

and

Table 5. OT WAN mitigations prioritization and weight values.

Priority Level	Mitigations	${\mathit{S}}_{\mathit{D}\mathit{o}\mathit{V}}$	${\mathit{S}}_{\mathit{D}\mathit{o}\mathit{C}}$	${\mathit{S}}_{\mathit{D}\mathit{o}\mathit{S}}$	Combined Score	Weight (WMm)	Description
High Priority	Business Continuity	5	5	5	125	0.1394	Capability to support continuity plans of the business during and after security-related incidents.
High Priority	Access Control Policies	5	5	4	100	0.1115	It is critical for preventing unauthorized access to critical systems.
High Priority	Network Segmentation	4	4	5	80	0.0892	It helps contain breaches, hence limiting the spread of cyber incidents within the network.
High Priority	Security Measures within the Device	4	4	5	80	0.0892	It ensures the integrity of devices operating within the OT environment.
High Priority	Patch Management Processes	4	4	4	64	0.0713	Ensures that systems are up to date and able to validate the latest security patches to mitigate vulnerabilities.
High Priority	Encryption and Data Protection Measures	5	5	4	100	0.1115	Critical for maintaining the confidentiality and integrity of data in transit and at rest.
Medium Priority	Detection of Attack Attempts	3	3	4	64	0.0713	Implementing mechanisms to detect and respond to security incidents.
Medium Priority	Backup and Recovery Solutions	3	4	5	60	0.0669	This ensure that data and system states can be restored in the case of an event.
Medium Priority	Network Configuration Fault Tolerance	3	3	5	45	0.0502	It enhances the network’s fault tolerance, therefore enabling it to sustain and recover from faults quickly.
Medium Priority	Redundancy and Failover Mechanisms	3	4	5	60	0.0669	Ensures continuity of operations in the event of system failures.
Medium Priority	Capability for Threat Intelligence and Updates	4	4	3	48	0.0535	Keeping the system updated with the newest threat intelligence to help prevent an attack.
Low Priority	Policy Management and Configuration Management	3	4	1	12	0.0134	Manages the security policies and configuration enforcement.
Low Priority	Security Awareness	4	4	1	16	0.0178	Training difficulty (adaptability) to employees to identify and respond to potential security threats.
Low Priority	Third-Party Vendor Risk Management	3	3	2	18	0.0201	Manages the risk positioned by third-party vendors; escalates so that they do not turn into a weak link in the process.
Low Priority	Regulatory Environment Compliance	2	2	2	8	0.0089	Ensuring that operations are operating in accordance with relevant regulations and standards.
Low Priority	Compatibility with SIEM Systems	3	3	1	9	0.01	Ensures integration with Security Information and Event Management (SIEM) tools for better monitoring and analysis.
Low Priority	Resource Budget	2	2	2	8	0.0089	Cost allocation of appropriate budget to support the security measures.
					897	1

provide OT risks and mitigations prioritization, respectively, which are based on NIST SP 800-82 and ISA/IEC 62443. This will be used in the RS computation defining both risk and mitigation variables based on their priority level, and showing how OT WAN devices or solutions will be assessed before they can be deployed in the OT Infrastructure. The prioritized risks and mitigations are the ones identified in Table 3 mapping the NIST and ISA/IEC standards considered for OT WAN.

Table 4 and Table 5 illustrate the distribution of priority weights for risks and mitigations, respectively, which will be utilized in Equations (2) and (3) for calculating the risk score (RS) as shown in Equation (4). The weights range from 0 to 1, with a total sum of 1 for the overall weight, signifying that a higher weight value indicates greater priority in risk and mitigation calculations. Both risk and mitigation weights are based on qualitative and quantitative assumptions informed by NIST CSF and ISA/IEC 62443. They are qualitative because each OT infrastructure will prioritize risks differently, but since the proposed method is based on the OT risk-assessment standard framework, it is also quantitative in nature. The scoring is influenced by the priorities outlined by NIST and ISA/IEC 62443. However, the weight values may vary in actual OT environments based on expert assumptions and real occurrences.

A risk/mitigation value is attributed to every attack ($S_{DoV}$, $S_{Doc },$ and $S_{Dos}$). The values are associated with a priority level (1 to 5) that can be high (4 or 5), medium (3) or low (1 or 2) (see Table 4 and Table 5). The values assigned to DoV, DoC, and DoS are based on how the risk affects its occurrence. The same is expressed in mitigation but to emphasize how effective it can prevent DoV, DoC, and DoS. A combined score multiplying the 3 values is then calculated following Equation (5). The weight for every risk (i.e., WRn)/mitigation (i.e., WMm) is then calculated by dividing the combined score for a given risk/mitigation factor by the sum of all combined scores as depicted in Equations (6) and (7), respectively.

The calculation concept is inspired from NIST (see Section 4.3), but the scaling is based on the proposed approach.

$${Combined Score=S}_{DoV} \ast S_{Doc} \ast S_{DoS}$$

(5)

$$WRn={\displaystyle \frac{{Risk}_{Combined Score}}{\sum {Risk}_{Combined Score}}}$$

(6)

$$WMm={\displaystyle \frac{{|Mitigation}_{Combined Score}}{\sum {Mitigation}_{Combined Score}}}$$

(7)

4.2. Risk and Mitigation Values per Selected Technology

Table 6. Risks when using WAN technology to extend OT.

Technology	Access Control Risks	Communication Network Risks	Vulnerability Risks	Zero Day Existing Risks	Incident Risk Impact when Down	Software Update Risks	Hardware Failure Risks	Attack Surface Risks	Third-Party Dependencies	Human Error Risks	Environmental Risks	References
SD-WAN	2	2	3	3	3	3	3	3	3	2	2	Proposed work
Satellite WAN	3	4	3	3	5	3	4	4	5	3	5	[74,75]
LoRaWAN	3	4	4	3	4	3	3	4	4	3	4	[76,77]
Private LTE/5G Networks	3	4	3	3	5	3	3	5	3	3	5	[78,79]
MPLS	2	2	2	2	4	2	3	2	3	2	2	[80,81,82,83]
Leased Line	2	2	2	2	5	1	3	2	3	2	2
DMVPN	3	2	3	3	4	3	3	3	3	4	2	[84,85]
IPSec VPN	3	2	3	3	4	3	4	3	3	4	2	[86,87,88]
VPLS	3	3	3	2	4	2	3	2	4	3	2	[89,90]

and

Table 7. Risks mitigations when using wan technology to extend OT.

Technology	Access Control Policies	Network Segmentation	Security Measures within the Device	Patch Management Processes	Encryption and Data Protection Measures	Detection of Attack Attempts	Backup and Recovery Solutions	Network Configuration Fault Tolerance	Redundancy and Failover Mechanisms	Capability for Threat Intelligence and Updates	Policy Management and Configuration Management	Security Awareness	Third-Party Vendor Risk Management	Regulatory Environment Compliance	Business Continuity	Compatibility with SIEM Systems	Resource Budget	References
SD-WAN	4	4	4	4	5	4	4	4	4	4	4	3	4	4	4	4	3	Proposed work
Satellite WAN	3	3	3	2	3	3	2	2	3	3	3	2	3	3	3	3	2	[74,75]
LoRaWAN	3	3	3	2	4	3	2	2	2	2	3	2	3	3	2	2	2	[76,77]
Private LTE/5G Networks	3	4	3	3	2	3	3	3	3	3	3	3	3	3	3	3	2	[78,79]
MPLS	4	5	4	4	3	3	3	4	4	3	3	3	4	4	4	3	2	[80,81,82,83]
Leased Line	4	5	4	4	3	3	3	4	4	3	3	3	4	4	4	3	2
DMVPN	4	4	3	3	5	2	3	3	3	2	3	3	4	4	4	3	4	[84,85]
IPSec VPN	4	4	3	3	5	2	2	2	2	2	3	3	4	4	2	4	5	[86,87,88]
VPLS	4	5	4	3	4	2	3	3	4	2	3	3	4	4	4	3	3	[89,90]

represent the qualitative risks and mitigations assumptions based on the current OT infrastructure setup (i.e., related to WAN technology extension). The values are based on the metric scaling shown in

Table 8. Metric scaling and RS.

Metric Scaling		Mm/5 and Rn/5 Values
1	Very Low	RS < 0.2	Very Low
2	Low	RS < 0.4	Low
3	Moderate	RS < 0.6	Moderate
4	High	RS < 0.8	High
5	Very High	RS ≥ 0.8	Very High

, which is meant to follow NIST scoring. The values will be used in Equations (8) and (9) to calculate Rn and Mm, respectively. As Rn and Mm are probabilities that take values between 0 and 1, risk and mitigation are normalized. Weighted risk and weighted mitigation will then be calculated using Equations (2) and (3), respectively. The scores in Table 6 and Table 7 are not standard or fixed values; for clarity and simplicity, they were assigned based on research insights into WAN technology and were guided by NIST and ISA/IEC frameworks. In a real scenario, this will be based on experts’ assumptions or most effectively based on the existing risk assessment framework. The values were decided based on OT WAN environments considering their location, technology setup, and availability of the said technology.

The proposed method will help estimate the risks during the decision phase, before procuring and installing a WAN solution. The computation is designed to be compatible with the manufacturing existing risk scoring.

$$Rn={\displaystyle \frac{Risk}{5}}$$

(8)

$$Mm={\displaystyle \frac{Mitigation}{5}}$$

(9)

4.3. RS Derivation from NIST

The concept for RS (Risk Score) computation is based on the NIST model, which defines risk as the product of Threat, Vulnerability, and Impact as illustrated in Equation (10), where:

• Threats considered are DoV, DoC, and DoS—known attacks that are consistently exploited along the OT ICS/CPS kill chain [8,9,10,11,12].
• Vulnerability refers to the risks associated with using a WAN device to extend OT infrastructure and the likelihood of its mitigation features successfully addressing DoV, DoC, and DoS. In other words, it is equal to the probability of risk and probability of mitigation to succeed
• Impact is represented by a weight that prioritizes the OT infrastructure, ranking the risks and mitigations based on their current relevance to the specific OT environment. Precisely, the impact equals the weight of risk and the weight of mitigation.

$$R_{NIST}=Threat \ast Vulnerability \ast Impact$$

(10)

By substituting the relevant values, Equation (1) will be formulated, representing the average risk from both the risk associated with each device used in the OT WAN and the probability of mitigation failure.

5. Implementation, Results, and Analysis

5.1. Automation

The proposed risk evaluation has been implemented using Python, as depicted in Figure 1. A program was developed to automate the graphical presentation and calculation of the nine WAN technologies which have 56 variables: 11 risk variables (Table 6), 17 mitigation variables (Table 7), and 28 priority weight values (Table 4 and Table 5). The automation was made possible by declaring the risk values and mitigation values in a CSV file. The priority weights are hardcoded in the Python code since of the said variables, it is the least likely to change because it will be the standard prioritization of the said OT infrastructure. All variables are not fixed; the program is flexible enough to be modified whenever adjustment is needed or if changes in design are made. The flowchart in Figure 1 is straightforward, explaining the code in layman’s terms thus directly representing the whole code.

5.2. Testing and Discussion

The comparison results of the implemented RS approach indicate that SD-WAN has the lowest risk score based on mitigation to risk averaging (as highlighted in Equation (1)), which is presented in Figure 2, and this is supported by Figure 3 (OT WAN-weighted risk) and Figure 4 (OT WAN-weighted mitigation). The results also indicate that the weighted mitigation score (complimentary percentage, the lower the better) of SD-WAN outweighs its risks. SD-WAN score has a marginal gap compared to its predecessors which are MPLS, leased line, and VPLS because of the security features SD-WAN innately has.

RS presented in Figure 2 shows that SD-WAN, MPLS, and leased line have the lowest risk scores, meaning these technologies will provide a better and secure OT WAN connectivity avoiding DoV, DoC, and DoS attacks and ensuring more availability. On the other hand, VPLS, DMVPN, IPSec VPN, LTE/5G, Satellite, and LoraWAN technologies fall behind in terms of their mitigation capabilities, like network visibility, network management, and threat intelligence, which in turn makes the OT infrastructure more susceptible to risk, which can be seen in both Figure 3 and Figure 4, yielding to a higher risk score as presented in Figure 2.

The weighted risks which can contribute to DoV, DoC, and DoS attacks as presented in Figure 3 show that MPLS, leased line and SDWAN have the lowest risk. The risk heat map graph in Figure 5 highlights the risk breakdown, showing what risk variables contributed the most to Figure 3 values. For example, from Figure 5, we see that SD-WAN has multiple moderate risk scores, which are zero-day, incident impact when down, software, hardware, attack surface, recorded vulnerabilities, and, lastly, third-party dependencies. These risk variables show what can be improved in SD-WAN and can be mapped on its mitigation features if this has been remediated. Although SD-WAN has multiple moderate risks, it is visible in Figure 5 that other WAN technologies, other than MPLS and leased line, have higher risks which is also highlighted in Figure 3.

The weighted mitigations which will help on preventing DoV, DoC, and DoS attacks as presented in Figure 4 show what technologies have the best mitigation features. SD-WAN, MPLS, and leased line have the top-three best mitigation features. This is supported by the mitigation heat map, in Figure 6, which can also be used in assessing a specific technology against a predefined feature requirement to have in each OT infrastructure. Figure 6 also shows that, among all nine OT WAN technologies, SD-WAN has the best mitigation features, which only falls behind on security awareness, which means engineers will need further training to adapt to this technology and resource budget, meaning it is moderately costly to implement.

If future changes are made to the OT infrastructure, the severity of risks and the effectiveness of mitigations may fluctuate based on the cybersecurity posture of the OT WAN. This could lead to either higher mitigation weights and lower risk weights if the security has been enhanced through continuous improvement, or higher risk weights and lower mitigation weights if an unforeseen vulnerability has been introduced due to the WAN modification. It is important to note that this paper focuses solely on the WAN aspect of the OT infrastructure, meaning any changes beyond the WAN (such as internal traffic) are outside the scope, as the weights are specifically assigned to WAN devices managing inbound and outbound external traffic.

5.3. SD-WAN Design Based on the Proposed OT WAN Risk Assessment

In this section, we propose an SD-WAN based design to secure OT infrastructure following our proposed RS approach. Aligning to the obtained results, SD-WAN has been selected to be deployed on the IT side of the network where it is part of the layered security design. SD-WAN is integrated into the OT Purdue model (The Purdue Enterprise Reference Architecture (PERA) model is a hierarchical framework for designing and securing industrial control systems by organizing operations from physical processes to business planning [91] (pp. 12–44)) as depicted in Figure 7 and Figure 8. The design is based on NIST CSF and ISA/IEC 62443 standards, which incorporate a zero-trust architecture to segregate the IT network from the OT network. In the proposed design, the zero-trust next-generation firewall is implemented with IPS/IDS modules installed and perimeter DMZ firewalls to isolate OT from IT network. Traditionally, OT environments are designed as air-gapped facilities which necessitates a robust segregation method on the extended OT network to replicate it. Based on the proposed setup (see Figure 7), policies must be implemented on both SD-WAN and firewalls ensuring that proper logging and threat intelligence are available both locally and remotely. This setup enhances security by monitoring and responding to potential threats in real time. It is important to note that traffic management is one of the key features of SD-WAN, which allows it to monitor and apply policing in either inbound or outbound traffic, allowing only one-way traffic, which is OT to IT and not bidirectional and should also be imposed on the firewalls.

Figure 8 illustrates how SD-WAN can be configured as a medium for out-of-band connectivity, a management connection utilized in both IT and OT network designs. Focusing on OT, the design shows that SD-WAN can be placed in the DMZ, dedicated to managing traffic, which enhances security for remote patching of OT servers, out-of-band maintenance connections, and hardens third-party remote access for ICS and CPS. This setup is also applicable to smaller OT infrastructures, where IT networks are connected remotely over WAN.

To prevent loss of availability in ICS and CPS, data backups (i.e., M0953 as outlined in MITRE | ATT&CK) can be secured over the WAN via SD-WAN, which also enables logging and monitoring of OT infrastructure. This can be achieved through a management connection or out-of-band communication (i.e., M0810 in MITRE | ATT&CK) using SD-WAN’s ability to encrypt and segregate network segments with multi-VPNs. Another mitigation for availability loss is service redundancy (i.e., M0811 as presented in MITRE | ATT&CK), which can be implemented over WAN for ICS and CPS. SD-WAN’s compatibility with various WAN technologies allows for secure and redundant options.

6. Conclusions and Future Directions

The key conclusion of this paper is that SD-WAN is the most effective WAN technology for enhancing the availability of OT infrastructure, particularly in ICS and CPS environments. This conclusion is supported by the proposed risk assessment approach, where SD-WAN achieved the lowest risk score of 0.3522, outperforming MPLS at 0.3625 and Leased Line at 0.3685, both widely recognized WAN connectivity options. Other WAN technologies exhibited moderate to high-risk values, ranging from 0.4321 to 0.5950, indicating that SD-WAN provides the best risk-to-mitigation ratio. The findings emphasize SD-WAN’s superior mitigation capabilities. It can prevent vulnerabilities such as Denial of View (Technique T0815), Denial of Control (Technique T0813), and Denial of Service (DoS) in OT WAN environments by selecting the WAN technology with the lowest risk score, thus minimizing exposure to threats.

This paper demonstrated that by assessing potential SD-WAN risks alongside its integrated mitigation features, a risk score can be calculated. This scoring aligns with NIST and ISA/IEC risk and mitigation prioritization frameworks, offering an evaluation of how effectively SD-WAN can prevent OT WAN vulnerabilities. Additionally, this paper conducted a comprehensive OT risk analysis of various WAN technologies, including Satellite WAN, LoRaWAN, LTE/5G, MPLS, leased line, DMVPN, IPSec VPN, and VPLS, providing a detailed approach to assessing WAN technology risks.

By calculating the risk score for each WAN technology, considering their inherent risks and mitigation capabilities, the exploitable vulnerabilities of these technologies when applied in OT infrastructure are clearly identified. As a result, the probabilities of Denial of View (DoV), Denial of Control (DoC), and Denial of Service (DoS) can be estimated and minimized.

A limitation of this paper is the absence of a comprehensive network simulation for the proposed designs in Figure 7 and Figure 8. Therefore, it would be beneficial for future studies to test the proposed design by implementing it within an actual OT infrastructure. This would allow for the fine-tuning of IPS/IDS anomaly detection settings, as well as monitoring and tagging network traffic over SD-WAN. Simulations should specifically involve actual OT devices, particularly focusing on unidirectional traffic from OT to IT, and examine the behavior of SD-WAN multi-VPN during secure remote monitoring (such as ICS and CPS status updates) and redundancy backup drills for ICS and CPS data (including historical logs and configuration backups).