{"id":70530,"date":"2022-02-25T13:37:15","date_gmt":"2022-02-25T21:37:15","guid":{"rendered":"https:\/\/forescoutstage.wpengine.com\/?p=70530"},"modified":"2022-02-25T14:03:12","modified_gmt":"2022-02-25T22:03:12","slug":"it-ot-cybersecurity-orchestration","status":"publish","type":"post","link":"https:\/\/www.forescout.com\/blog\/it-ot-cybersecurity-orchestration\/","title":{"rendered":"In High-profile OT Cyberattacks, the Culprit May Be the IT Network"},"content":{"rendered":"

Almost a year since the Colonial Pipeline ransomware attack on critical infrastructure occurred, the question still looms large: not whether such an incident could happen again, but when?<\/p>\n

Now a string of ransomware attacks<\/a> has affected at least 17 oil port terminals in Western Europe that caused tankers to be re-routed and supply chains disrupted. Hackers targeted the port terminal software used by Oiltanking (Germany), SEA-Invest (Belgium) and Evos (Netherlands), which is used to maximize throughput and minimize loading and unloading delays. It isn\u2019t clear whether the multiple incidents were a coordinated effort to disrupt the European energy sector or whether the hackers were simply able to compromise the same software used by all three companies.<\/p>\n

Two things about the recent spate of attacks underscore what is increasingly obvious about perceived operational technology (OT) attacks and how to prevent them:<\/p>\n

Without cross-visibility, OT shutdown is SOP<\/h2>\n

First, as with Colonial Pipeline, the hackers did not directly target OT and never actually touched an OT network. With critical infrastructure attacks, the belief is that threat actors will use spear phishing, default passwords or other means to gain access to the IT network before pivoting into the OT network. But rarely do they need to pivot. As soon as the threat presence is detected on the IT network, company cybersecurity policies stipulate that they shut down OT and industrial control systems (ICS) themselves rather than risk harm to people and infrastructure.<\/p>\n

In the case of Colonial Pipeline, hackers infiltrated the IT network through an exposed password for a VPN account. After they posted the ransom, company officials swiftly took the 5,500-mile pipeline offline. The oil logistics companies followed suit, reverting to manual operations as soon as the threat was detected in their software.<\/p>\n

The Colonial Pipeline shutdown lasted five days, but the impact was lasting. Large, complex infrastructure controlled by OT can\u2019t be taken off- and then back online quickly. Even after Colonial Pipeline paid the ransom (most of which they reportedly recovered), it took several more days to fully restart OT systems and for the supply chain to return to normal, at a cost to the company of tens of millions of dollars.<\/p>\n

\n

Security point solutions require orchestration<\/h2>\n

Second, we can assume the companies that were hit have mature cyber initiatives in place. Energy sector companies<\/a> are typically ahead of the curve in this regard. They have already heeded advice to gain visibility into their OT networks and to carefully segment IT and OT networks to prevent breaches from spreading laterally. So, what went wrong?<\/p>\n

Organizations that manage critical infrastructure rely on thousands of IP-connected devices to monitor and control operations that were once manual. To secure them all, companies invest heavily in point solutions from multiple vendors: asset management systems, endpoint security solutions, vulnerability assessment tools, SIEM and ticketing systems, and so on. These tools don\u2019t always work together, and each one may or may not be properly configured and updated. The complexity can be greatly reduced by automating and orchestrating security operations<\/a> across all assets with a single platform.<\/p>\n

Organizations rely on Forescout to maximize the value of the standalone tools they\u2019ve already invested in to make them work more effectively. Forescout orchestrates communication and workflows among point solutions by:<\/p>\n