When Colonial Pipeline CEO Joseph Blount testified before the US Congress, he revealed that the attack was completely avoidable; Blount admitted that Darkside gained access through a VPN that did not require multifactor authentication.
As IT and OT networks continue to converge, organizations need to understand how these networks are connected.
Programmable Logic Controllers (PLC) monitor the communication input and output of devices connected to an organization's network. These communications can be analyzed at the packet level to detect anomalies or signatures of known attacks. Upon detection of an incident on the IT network, an organization should quarantine compromised devices and block all communication between IT and OT.
This approach requires network monitoring and enforcement tools to identify current network communications, detect threats and violations, and enforce segmentation rules.
The Oldsmar water treatment plant attack is evidence that the use of remote access has increased since the pandemic. Organizations need to ensure that only approved remote access connections are allowed by continuously monitoring communications such as VNC, SSH, RDP, and others. Oldsmar got lucky, but many other OT systems in similar treatment plants may lack the visibility security teams need to identify these attacks.
Iranian railways discovered a preventable host of vulnerabilities in their IT network last July. Train systems rely on critical OT systems that integrate with IT systems and include everything from signaling solutions to sensors and brake unit devices. These endpoints connectto the network, and include software that enables the collection of data and communication back to network operations centers.
To enable this communication, connected devices rely on the TCP/IP stack. Forescout research has revealed nearly 100 vulnerabilities across more than a dozen TCP/IP stack implementations.
When it comes to the shared responsibility of securing third-party software, organizations need to become proactive in their vendor security assessments. The industry should reward vendors that have secure software design lifecycles and exploit mitigation, but it should not stop there.
As an industry, we need to move towards Zero trust policies for least-privileged access of devices and rigorous access management processes that apply to all computing environments, be they mainframe, OT or hybrid cloud IT.
Those who act now will have less to worry about when new regulations are introduced. Organizations that have learned the lessons of network segmentation, visibility and third-party risk assessment will be better prepared to minimize the impact and likelihood of similar incidents happening to them in the future.
"Slip slidin' away. Slip slidin' away. You know the nearer your destination, the more you slip slidin' away."