Category Archives: SCADA/ICS

OT & IT Convergence: Defending the Industrial Attack Surface in 2025

Posted on by
Reply

In 2025, the boundary between IT and operational technology (OT) is more porous than ever. What once were siloed environments are now deeply intertwined—creating new opportunities for efficiency, but also a vastly expanded attack surface. For industrial, manufacturing, energy, and critical infrastructure operators, the stakes are high: disruption in OT is real-world damage, not just data loss.

PLC

This article lays out the problem space, dissecting how adversaries move, where visibility fails, and what defense strategies are maturing in this fraught environment.

The Convergence Imperative — and Its Risks

What Is IT/OT Convergence?

IT/OT convergence is the process of integrating information systems (e.g. ERP, MES, analytics, control dashboards) with OT systems (e.g. SCADA, DCS, PLCs, RTUs). The goal: unify data flows, enable predictive maintenance, real-time monitoring, control logic feedback loops, operational analytics, and better asset management.

Yet, as IT and OT merge, their worlds’ assumptions—availability, safety, patch cycles, threat models—collide. OT demands always-on control; IT is optimized for data confidentiality and dynamic architecture. Bridging the two without opening the gates to compromise is the core challenge.

Why 2025 Is Different (and Dangerous)

  • Attacks are physical now. The 2025 Waterfall Threat Report shows a dramatic rise in attacks with physical consequences—shut-downs, equipment damage, lost output. Waterfall Security Solutions

  • Ransomware and state actors converge on OT. OT environments are now a primary target for adversaries aiming for disruption, not just data theft. zeronetworks.com+2Industrial Cyber+2

  • Device proliferation, blind spots. The explosion of IIoT/OT-connected sensors and actuators means incremental exposures mount. Nexus+2IAEE+2

  • Legacy systems with little guardrails. Many OT systems were never built with security in mind; patching is difficult or impossible. SSH+2Industrial Cyber+2

  • Stronger regulation and visibility demands. Critical infrastructure sectors face growing pressure—and liability—for cyber resilience. Honeywell+2Fortinet+2

  • Maturing defenders. Some organizations are already reducing attack frequency through segmentation, threat intelligence, and leadership-driven strategies. Fortinet

Attack Flow: From IT to OT — How the Adversary Moves

Understanding attacker paths is key to defending the convergence.

  1. Initial foothold in IT. Phishing, vulnerabilities, supply chain, remote access are typical vectors.

  2. Lateral movement toward bridging zones. Jump servers, VPNs, misconfigured proxies, flat networks let attackers pivot. Industrial Cyber+2zeronetworks.com+2

  3. Transit through DMZ / industrial demilitarized zones. Poorly controlled conduits allow protocol bridging, data transfer, or command injection. iotsecurityinstitute.com+2Palo Alto Networks+2

  4. Exploit OT protocols and logic. Once in the OT zone, attackers abuse weak or proprietary protocols (Modbus, EtherNet/IP, S7, etc.), manipulate command logic, disable safety interlocks. arXiv+2iotsecurityinstitute.com+2

  5. Physical disruption or sabotage. Alter sensor thresholds, open valves, shut down systems, or destroy equipment.

Because OT environments often have weaker monitoring and fewer detection controls, malicious actions may go unnoticed until damage occurs.

The Visibility & Inventory Gap

You can’t protect what you can’t see.

  • Publicly exposed OT devices number in the tens of thousands globally—many running legacy firmware with known critical vulnerabilities. arXiv

  • Some organizations report only minimal visibility into OT activity within central security operations. Nasstar

  • Legacy or proprietary protocols (e.g. serial, Modbus, nonstandard encodings) resist detection by standard IT tools.

  • Asset inventories are often stale, manual, or incomplete.

  • Patch lifecycle data, firmware versions, configuration drift are poorly tracked in OT systems.

Bridging that visibility gap is a precondition for any robust defense in the converged world.

Architectural Controls: Segmentation, Microperimeters & Zero Trust for OT

You must treat OT not as a static, trusted zone but as a layered, zero-trust-aware domain.

1. Zone & Conduit Model

Apply segmentation by functional zones (process control, supervisory, DMZ, enterprise) and use controlled conduits for traffic. This limits blast radius. iotsecurityinstitute.com+2Palo Alto Networks+2

2. Microperimeters & Microsegmentation

Within a zone, restrict east-west traffic. Only permit communications justified by policy and process. Use software-defined controls or enforcement at gateway devices.

3. Zero Trust Principles for OT

  • Least privilege access: Human, service, and device accounts should only have the rights they need to perform tasks. iotsecurityinstitute.com+1

  • Continuous verification: Authenticate and revalidate sessions, devices, and commands.

  • Context-based access: Enforce access based on time, behavior, process state, operational context.

  • Secure access overlays: Replace jump boxes and VPNs with secure, isolated access conduits that broker access rather than exposing direct paths. Industrial Cyber+1

4. Isolation & Filtering of Protocols

Deep understanding of OT protocols is required to permit or deny specific commands or fields. Use protocol-aware firewalls or DPI (deep packet inspection) for industrial protocols.

5. Redundancy & Fail-Safe Paths

Architect fallback paths and redundancy such that the failure of a security component doesn’t cascade into OT downtime.

Detection & Response in OT Environments

Because OT environments are often low-change, anomaly-based detection is especially valuable.

Anomaly & Behavioral Monitoring

Use models of normal process behavior, network traffic baselines, and device state transitions to detect deviations. This approach catches zero-days and novel attacks that signature tools miss. Nozomi Networks+2zeronetworks.com+2

Protocol-Aware Monitoring

Deep inspection of industrial protocols (Modbus, DNP3, EtherNet/IP, S7) lets you detect invalid or dangerous commands (e.g. disabling PLC logic, spoofing commands).

Hybrid IT/OT SOCs & Playbooks

Forging a unified operations center that spans IT and OT (or tightly coordinates) is vital. Incident playbooks should understand process impact, safe rollback paths, and physical fallback strategies.

Response & Containment

  • Quarantine zones or devices quickly.

  • Use “safe shutdown” logic rather than blunt kill switches.

  • Leverage automated rollback or fail-safe states.

  • Ensure forensic capture of device commands and logs for post-mortem.

Patch, Maintenance & Change in OT Environments

Patching is thorny in OT—disrupting uptime or control logic can have dire consequences. But ignoring vulnerabilities is not viable either.

Risk-Based Patch Prioritization

Prioritize based on:

  1. Criticality of the device (safety, control, reliability).

  2. Exposure (whether reachable from IT or remote networks).

  3. Known exploitability and threat context.

Scheduled Windows & Safe Rollouts

Use maintenance windows, laboratory testing, staged rollouts, and fallback plans to apply patches in controlled fashion.

Virtual Patching / Compensating Controls

Where direct patching is impractical, employ compensating controls—firewall rules, filtering, command-level controls, or wrappers that mediate traffic.

Vendor Coordination & Secure Updates

Work with vendors for safe update mechanisms, integrity verification, rollback capability, and cryptographic signing of firmware.

Configuration Lockdown & Hardening

Disable unused services, remove default accounts, enforce least privilege controls, and lock down configuration interfaces. Industrial Cyber

Operating in Hybrid Environments: Best Practices & Pitfalls

  • Journeys, not Big Bangs. Start with a pilot cell or site; mature gradually.

  • Cross-domain teams. Build integrated IT/OT guardrails teams; train OT engineers with security awareness and IT folk with process sensitivity. iotsecurityinstitute.com+2Secomea+2

  • Change management & governance. Formal processes must span both domains, with risk acceptance, escalation, and rollback capabilities.

  • Security debt awareness. Legacy systems will always exist; plan compensating controls, migration paths, or compensating wrappers.

  • Simulation & digital twins. Use testbeds or digital twins to validate security changes before deployment.

  • Supply chain & third-party access. Strong control over third-party remote access is essential—no direct device access unless brokered and constrained. Industrial Cyber+2zeronetworks.com+2

Governance, Compliance & Regulatory Alignment

  • Map your security controls to frameworks such as ISA/IEC 62443NIST SP 800‑82, and relevant national ICS/OT guidelines. iotsecurityinstitute.com+2Tenable®+2

  • Develop risk governance that includes process safety, availability, and cybersecurity in tandem.

  • Align with critical infrastructure regulation (e.g. NIS2 in Europe, SEC cyber rules, local ICS/OT mandates). Honeywell+1

  • Build executive visibility and metrics (mean time to containment, blast radius, safety impact) to support prioritization.

Roadmap: From Zero → Maturity

Here’s a rough maturation path you might use:

Phase Focus Key Activities
Pilot / Awareness Reduce risk in one zone Map asset inventory, segment pilot cell, deploy detection sensors
Hardening & Control Extend structural defenses Enforce microperimeters, apply least privilege, protocol filtering
Detection & Response Build visibility & control Anomaly detection, OT-aware monitoring, SOC integration
Patching & Maintenance Improve security hygiene Risk-based patching, vendor collaboration, configuration lockdown
Scale & Governance Expand and formalize Extend to all zones, incident playbooks, governance models, metrics, compliance
Continuous Optimization Adapt & refine Threat intelligence feedback, lessons learned, iterative improvements

Start small, show value, then scale incrementally—don’t try to boil the ocean in one leap.

Use Case Scenarios

  1. Remote Maintenance Abuse
    A vendor’s remote access via a jump host is compromised. The attacker uses that jump host to send commands to PLCs via an unfiltered conduit, shutting down a production line.

  2. Logic Tampering via Protocol Abuse
    An attacker intercepts commands over EtherNet/IP and alters setpoints on a pressure sensor—causing shock pressure and damaging equipment before operators notice.

  3. Firmware Exploit on Legacy Device
    A field RTU is running firmware with a known remote vulnerability. The attacker exploits that, gains control, and uses it as a pivot point deeper into OT.

  4. Lateral Movement from IT
    A phishing campaign generates a foothold on IT. The attacker escalates privileges, accesses the central historian, and from there reaches into OT DMZ and onward.

Each scenario highlights the need for segmentation, detection, and disciplined control at each boundary.

Checklist & Practical Guidance

  • ⚙️ Inventory & visibility: Map all OT/IIoT devices, asset data, communications, and protocols.

  • 🔒 Zone & micro‑segment: Enforce strict controls around process, supervisory, and enterprise connectivity.

  • ✅ Least privilege and zero trust: Limit access to the minimal set of rights, revalidate often.

  • 📡 Protocol filtering: Use deep packet inspection to validate or block unsafe commands.

  • 💡 Anomaly detection: Use behavioral models, baselining, and alerts on deviations.

  • 🛠 Patching strategy: Risk-based prioritization, scheduled windows, fallback planning.

  • 🧷 Hardening & configuration control: Remove unused services, lock down interfaces, enforce secure defaults.

  • 🔀 Incident playbooks: Include safe rollback, forensic capture, containment paths.

  • 👥 Cross-functional teams: Co-locate or synchronize OT, IT, security, operations staff.

  • 📈 Metrics & executive reporting: Use security KPIs contextualized to safety, availability, and damage containment.

  • 🔄 Continuous review & iteration: Ingest lessons learned, threat intelligence, and adapt.

  • 📜 Framework alignment: Use ISA/IEC 62443, NIST 800‑82, or sector-specific guidelines.

Final Thoughts

As of 2025, you can’t treat OT as a passive, hidden domain. The convergence is inevitable—and attackers know it. The good news is that mature defense strategies are emerging: segmentation, zero trust, anomaly-based detection, and governance-focused integration.

The path forward is not about plugging every hole at once. It’s about building layered defenses, prioritizing by criticality, and evolving your posture incrementally. In a world where a successful exploit can physically damage infrastructure or disrupt a grid, the resilience you build today may be your strongest asset tomorrow.

More Info and Assistance

For discussion, more information, or assistance, please contact us. (614) 351-1237 will get us on the phone, and info@microsolved.com will get us via email. Reach out to schedule a no-hassle and no-pressure discussion. Put out 30+ years of OT experience to work for you! 

 

 

* AI tools were used as a research assistant for this content, but human moderation and writing are also included. The included images are AI-generated.

Recalibrating Cyber Risk in a Geopolitical Era: A Bayesian Wake‑Up Call

Posted on by
Reply

The cyber landscape doesn’t evolve. It pivots. In recent months, shifting signals have upended our baseline assumptions around geopolitical cyber risk, OT/edge security, and the influence of AI. What we believed to be emerging threats are now pressing realities.

ChatGPT Image Jun 19 2025 at 11 28 16 AM

The Bayesian Recalibration

New data forces sharper estimates:

  • Geopolitical Spillover: Revised from ~40% to 70% – increasingly precise cyberattacks targeting U.S. infrastructure.
  • AI‑Driven Attack Dominance: Revised from ~50% to 85% – fueled by deepfakes, polymorphic malware, and autonomous offensive tools.
  • Hardware & Edge Exploits: Revised from ~30% to 60% – threats embedded deep in physical systems going unnoticed.

Strategic Imperatives

To align with this recalibrated threat model, organizations must:

  1. Integrate Geopolitical Intelligence: Tie cyber defenses to global conflict zones and state-level actor capabilities.
  2. Invest in Autonomous AI Defenses: Move beyond static signatures—deploy systems that learn, adapt, and respond in real time.
  3. Defend at the OT/Edge Level: Extend controls to IoT, industrial systems, medical devices, and field hardware.
  4. Fortify Supply‑Chain Resilience: Assume compromise—implement firmware scanning, provenance checks, and strong vendor assurance.
  5. Join Threat‑Sharing Communities: Engage with ISACs and sector groups—collective defense can mean early detection.

The Path Ahead

This Bayesian lens widens our aperture. We must adopt multi‑domain vigilance—digital, physical, and AI—even as adaptation becomes our constant. Organizations that decode subtle signals, recalibrate rapidly, and deploy anticipatory defense will not only survive—they’ll lead.

 

 

* AI tools were used as a research assistant for this content, but human moderation and writing are also included. The included images are AI-generated.

Regulatory Requirements and Best Practices for Third-Party Network Configuration Reviews

Posted on by
Reply

The security of an organization’s network infrastructure is paramount.
Routers, switches, and wireless configurations serve as the backbone of enterprise networks, facilitating seamless
communication and data flow. However, if not properly configured and regularly assessed, these critical components
can become vulnerable entry points for cyber threats. Engaging third-party assessors to conduct regular configuration
reviews across global networks is not only a best practice but also aligns with various regulatory requirements.

ConfigRvw

Regulatory Mandates for Configuration Reviews

Several regulatory frameworks emphasize the importance of regular network configuration assessments:

  • National Institute of Standards and Technology (NIST): The NIST Cybersecurity Framework highlights the necessity of maintaining secure configurations for network devices such as firewalls, routers, and switches. It advocates for regular assessments to ensure configurations align with security policies and standards.
  • Payment Card Industry Data Security Standard (PCI DSS): PCI DSS Requirement 2 mandates that organizations “do not use vendor-supplied defaults for system passwords and other security parameters.” This underscores the need for secure configurations and regular reviews to prevent unauthorized access.
  • Center for Internet Security Critical Security Controls (CIS CSC) Version 8: Control 11 emphasizes the importance of “secure configuration for network devices,” recommending regular audits and the use of configuration management tools to maintain security standards.
  • Service Organization Control 2 (SOC 2): SOC 2’s Trust Services Criteria require organizations to implement controls to prevent unauthorized access, which includes maintaining and reviewing secure configurations of network devices.
  • Health Insurance Portability and Accountability Act (HIPAA): HIPAA’s Security Rule mandates that covered entities implement security measures to guard against unauthorized access to electronic protected health information, which includes ensuring secure configurations of network devices.
  • Federal Financial Institutions Examination Council (FFIEC): The FFIEC IT Examination Handbook advises financial institutions to conduct regular security assessments, including reviews of network device configurations, to identify and mitigate vulnerabilities.

Benefits of Third-Party Configuration Reviews

Engaging third-party assessors for network configuration reviews offers several advantages:

  • Unbiased Evaluation: External assessors provide an impartial perspective, identifying vulnerabilities and misconfigurations that internal teams might overlook due to familiarity or cognitive biases.
  • Expertise and Experience: Third-party professionals often possess specialized knowledge and experience across various industries and technologies, enabling them to apply best practices and identify emerging threats.
  • Regulatory Compliance: Regular third-party assessments demonstrate due diligence and proactive risk management, which are critical components of regulatory compliance.

How MicroSolved and MachineTruth Global Configuration Assessments Can Help

Organizations looking to enhance the security and compliance of their network configurations can leverage the expertise of
MicroSolved and the MachineTruth Global Configuration Assessment service.

  • Comprehensive Configuration Analysis: MachineTruth provides deep visibility into router, switch, and wireless configurations across global networks, identifying misconfigurations, vulnerabilities, and deviations from industry best practices.
  • Automated and Manual Review: The service combines advanced automation with expert human analysis to ensure configurations align with regulatory requirements and security standards.
  • Customized Reporting: Organizations receive detailed reports outlining security gaps, compliance risks, and actionable remediation steps to enhance network resilience.
  • Continuous Monitoring and Assessments: MachineTruth enables organizations to move beyond point-in-time reviews by establishing continuous assessment cycles, ensuring that networks remain secure over time.
  • Global Coverage: Designed for enterprises with complex, distributed networks, the solution scales to assess configurations across multiple locations, helping organizations maintain security and compliance on a global scale.

By partnering with MicroSolved and leveraging MachineTruth, organizations can proactively secure their network infrastructure,
maintain compliance, and reduce the risk of misconfigurations leading to breaches. Regular third-party configuration assessments
are not just a regulatory requirement—they are a critical component of modern cybersecurity strategy.

 

* AI tools were used as a research assistant for this content.

 

 

Why Emulate a PLC with a Raspberry Pi

Posted on by
Reply

One of the most powerful uses of emulating a PLC (Programmable Logic Controller) field device with a Raspberry Pi is that it provides an affordable and easily obtained platform for prototyping, performing ladder logic testing, and researching various industrial control systems and cybersecurity concepts.

Raspberry Pis are Affordable

Raspberry Pi models 3 and 4 are significantly more affordable than real PLCs. A typical PLC can cost hundreds or thousands of dollars.

The Raspberry Pi costs around $35-50 depending on your model choice. This makes them very accessible to hobbyists, students, researchers, developers, and anyone else who wants to work with the basics of industrial control systems. The low cost makes them ideal candidates to emulate a PLC in many scenarios.

Raspberry Pis are Easily Obtainable

PLCs can be quite difficult to come by, especially if you want one without any pre-existing software installed. Many manufacturers will not sell their products to third parties unless they have some kind of existing relationship. If you don’t already know someone at the manufacturer then you may need to pay a hefty upcharge. Additionally, purchasing the addons for power supplies, specific programming software, and such can quickly turn into a slog of paperwork and supporting tasks. The lead time and delivery times can take weeks to months.

The Raspberry Pi, on the other hand, can be purchased at many big-box electronics or computer stores, directly from many providers, or even delivered to your door from Amazon and other online sources. It uses a common USB power supply and can be configured and programmed using open source tools available online. Lead time is a couple of days to a few hours, letting you stay focused on your work.

The OpenPLC Project

The OpenPLC Project is a stable, well-documented toolkit for emulating basic PLC operations on the Pi. It has been used successfully to simulate a variety of different types of PLCs and includes support for ladder logic and other common PLC functions. You can find the programming reference and review the available capabilities here.

You can get OpenPLC up and running on a Pi in less than 30 minutes. In our testing, we were able to begin using the emulated PLC in our lab within an hour!

Going The Extra Mile With SCADABR

SCADABR is an open-source supervisory control and data acquisition software package designed to allow you to create interactive screens or human-machine interfaces (HMI) for your automation projects. It provides tools for creating graphical user interface widgets, event handlers, timers, and dialogs. With its ability to communicate with multiple controllers (including OpenPLC), ScadaBR is an ideal companion for the OpenPLC Runtime and Editor.

Using a Pi, OpenPLC, and SCADABR together, can get you a very powerful and useful PLC platform up and running for under $100 and in less than a few hours. Once implemented, you can use the platform to learn about industrial controls systems, ladder logic, PLC programming, and operations. You can also do basic ladder logic research and testing, and even prototyping for future real-world PLC deployments. Cybersecurity folks also have a very capable platform for learning about industrial control security requirements, performing vulnerability research, reverse engineering, or practicing their assessment skills in a safe environment.

While you might not get the full power of a true PLC (there are some limitations to Pi’s capabilities), you will likely get more than you expect. If you have an interest in or a need for some basic industrial control systems capabilities, this is a great place to start.

 

 

Saved By Ransomware Presentation Now Available

Posted on by
Reply

I recently spoke at ISSA Charlotte, and had a great crowd via Zoom. 

Here is the presentation deck and MP3 of the event. In it, I shared a story about an incident I worked around the start of Covid, where a client was literally saved from significant data breach and lateral spread from a simple compromise. What saved them, you might ask? Ransomware. 

That’s right. In this case, ransomware rescued the customer organization from significant damage and a potential loss of human life. 

Check out the story. I think you’ll find it very interesting. 

Let me know if you have questions – hit me up the social networks as @lbhuston.

Thanks for reading and listening! 

Deck: https://media.microsolved.com/SavedByRansomware.pdf

MP3: https://media.microsolved.com/SavedByRansomware.mp3

PS – I miss telling you folks stories, in person, so I hope you enjoy this virtual format as much as I did creating it! 

Example of Pole Mounted Device Threats Visualized

Posted on by
Reply

As a part of our threat modeling work, which we do sometimes as a stand-alone activity or as part of an deeper assessment, we often build simple mind maps of the high level threats we identify. Here is an example of a very simple diagram we did recently while working on a threat model for pole mounted environments (PME’s) for a utility client. 

This is only part of the work plan, but I am putting it forward as a sort of guideline to help folks understand our process. In most cases, we continually expand on the diagram throughout the engagement, often adding links to photos or videos of the testing and results. 

We find this a useful way to convey much of the engagement details with clients as we progress. 

Does your current assessment or threat modeling use visual tools like this? If not, why not? If so, drop me a line on Twitter (@lbhuston) and tell me about it. 

Thanks for reading! 

Pole Mounted Environment Threats

3 Quick Thoughts for Small Utilities and Co-Ops

Posted on by
Reply

Recently I was asked to help some very small utilities and co-ops come up with some low cost/free ideas around detection. The group was very nice about explaining their issues, and here is a quick summary of some of the ideas we discussed.

1) Dump external router, firewall, AD and any remote access logs weekly to text and use simple parsers in python/perl or shell script to identify any high risk issues. Sure, this isn’t the same as having robust log monitoring tools (which none of these folks had), but even if you detect something really awful a week after it happens, you will still be ahead of the average curve of attackers having access for a month or more. You can build your scripts using some basis analytics, they will get better over time, and here are some ideas to get you started. You don’t need a lot of money to quickly handle dumped logs. Do the basics and improve.

2) Take advantage of cheap hardware, like the Raspberry Pi for easy to learn/use Linux boxes for scripting, log parsing or setting up cron jobs to automate tasks. For less than 50 bucks, you can have a powerful machine to do a lot of work for you and serve as a monitoring platform for a variety of tools. The group was all tied up in getting budget to buy server and workstation hardware – but had never taken the Pi seriously as a work platform. It’s mature enough to do a lot of non-mission critical (and some very important) work. It’s fantastic if you’re looking for a quick and dirty way to gain some Linux capabilities in confined Windows world.

3) One of the best bang for the buck services we have at MSI is device configuration reviews. For significantly less money than a penetration test, we can review your external routers, firewall and VPN for configuration issues, improper rules/ACLs and insecure settings. If you combine this with an exercise like attack surface mapping and threat modeling, you can get a significant amount of insight without resorting to (and paying for) vulnerability assessments and penetration testing. Sure, the data might not be as granular, and we still have to do some level of port scanning and service ID, but we have a variety of safe ways to do that work – and you get some great information. You can then make risk-based decisions about the data and decide what you want to act on and pay attention to. If your budget is tight – get in touch and discuss this approach with us.

I love to talk with utilities and especially smaller organizations that want to do the right thing, but might face budget constraints. If they’re willing to have an open, honest conversation, I am more than willing to get creative and engage to help them solve problems within their needs. We’d rather get creative and solve an issue to protect the infrastructure than have them get compromised by threat actors looking to do harm.

If you want to discuss this or any security or risk management issue, get in touch here.  

Utility Tabletop Cybersecurity Exercises

Posted on by
Reply

Recently, a group of federal partners, comprised of the Federal Energy Regulatory Commission (FERC), North American Reliability Corporation (NERC) and it’s regional entities released their Cyber Planning for Response and Recovery Study (CYPRES). The report was based on a review and analysis of the incident response and recovery capabilities of a set of their member’s cyber security units, and is a great example of some of the information sharing that is increasing in the industry. The report included reviews of eight utility companies’ incident response plans for critical infrastructure environments, and the programs reviewed varied in their size, complexity and maturity, though all were public utilities.

Though the specific tactics suggested in the report’s findings have come under fire and criticism, a few items emerged that were of broad agreement. The first is that most successful programs are based on NIST 800-61, which is a fantastic framework for incident response plans. Secondly, the report discusses how useful tabletop exercises are for practicing responses to cybersecurity threats and re-enforcing the lessons learned feedback loop to improve capabilities. As a result, each public utility should strongly consider implementing periodic tabletop exercises as a part of their cyber security and risk management programs.

Tabletop Exercises from MSI

At MicroSolved, we have been running cyber security tabletop exercises for our clients for more than a decade. We have a proprietary methodology for building out the role playing scenarios and using real-world threat intelligence and results from the client’s vulnerability management tools in the simulation. Our scenarios are developed into simulation modules, pre-approved by the client, and also include a variety of randomized events and nuances to more precisely simulate real life. During the tabletop exercise, we also leverage a custom written gaming management system to handle all event details, track game time and handle the randomization nuances.

Our tabletop exercise process is performed by two MSI team members. The first acts as the simulation moderator and “game master”, presenting the scenarios and tracking the various open threads as the simulation progresses. The second team member is an “observer” and they are skilled risk management team members who pre-review your incident response policies, procedures and documentation so that they can then prepare a gap analysis after the simulation. The gap analysis compares your performance during the game to the process and procedure requirements described and notes any differences, weaknesses or suggestions for improvement.

Target scenarios can be created to test any division of the organization, wide scale attacks or deeply nuanced compromises of specific lines of business. Various utility systems can be impacted in the simulation, including business networks, payment processing, EDI/supply chain, metering/AMI/smart grid, ICS/SCADA or other mission critical systems.Combination and cascading failures, disaster recovery and business continuity can also be modeled. In short, just about any cyber risks can be a part of the exercise.

Tabletop Exercise Outcomes and Deliverables

Our tabletop exercises result in a variety of detailed reports and a knowledge transfer session, if desired. The reports include the results of the policy/procedure review and gap analysis, a description of the simulated incident and an action plan for future improvements. If desired, a board level executive summary can also be included, suitable for presentation to boards, management teams, direct oversight groups, Public Utility Commission and Homeland Security auditors as well.

These reports will discuss the security measures tested, and provide advice on proactive controls that can be implemented, enhanced, matured or practiced in order to display capabilities in future incidents that reflect the ability to perform more rapid and efficient recovery.

The knowledge transfer session is your team’s chance to ask questions about the process, learn more about the gaps observed in their performance and discuss the lessons learned, suggestions and controls that call for improvement. Of course the session can include discussions of related initiatives and provide for contact information exchange with our team members, in the event that they can assist your team in the future. The knowledge transfer session can also be performed after your team has a chance to perform a major review of the reports and findings.

How to Get Started on Tabletop Exercises from MSI

Tabletop exercises are available from our team for cyber security incidents, disaster preparedness and response or business continuity functions. Exercises are available on an ad-hoc, 1 year, 2 year or 3 year subscription packages with frequencies ranging from quarterly to twice per year or yearly. Our team’s experience is applicable to all utility cyber programs and can include any required government partners, government agencies or regulators as appropriate.

Our team can help develop the scope of threats, cyber attacks or emergency events to be simulated. Common current examples include ransomware, phishing-based account compromises, cyber attacks that coincide with catastrophic events or service disruptions, physical attacks against substations or natural gas pipelines, data breach and compromise of various parts of the ICS/SCADA infrastructure. Our team will work with you to ensure that the scenario meets all of your important points and concerns.

Once the scenario is approved, we will schedule the simulation (which can be easily performed via web-conference to reduce travel costs and facilitate easy team attendance) and build the nuances to create the effects of a real event. Once completed, the reporting and knowledge transfer sessions can follow each instance.

Tabletop exercises can go a long way to increasing cybersecurity preparedness and re-enforcing the cybersecurity mindset of your team. It can also be a great opportunity for increasing IT/OT cooperation and strengthening relationships between those team members.

To get started, simply contact us via this web form or give us a call at (614) 351-1237. We would love to discuss tabletop exercises with you and help you leverage them to increase your security posture.

 

WARNING: Migrate Windows Server 2003 Immediately

Posted on by
Reply

Believe it or not, we still get queries from a few utility companies that have operational processes locked on Windows Server 2003 as a platform. Most of the time, these are legacy applications associated with some form of ICS device or data management system that they have not been able to afford to replace.

Windows 2003 Server end-of-life searches are still among the most popular searches on our StateOfSecurity.com blog, receiving more than 200 queries most months. Keep in mind, this is an operating system that patches haven’t been released for since 2015. According to Spiceworks, an online community for IT professionals, the Windows 2003 Server operating system still enjoys a market share of 17.9%, though we could not validate the time frames of their claim.

But, just in the last year or so, we have seen it alive and well in natural gas, energy and the communications infrastructures, both foreign and domestic. So, we know it is still out there, and still being used in seemingly essential roles.

I’m not going to lecture you about using a system that is unmatched for 5 years. That’s just common sense. Instead, what I am going to do is make three quick suggestions for those of you who can’t get rid of this zombie OS. Here they are:

1. Install a firewall or other filtering device between the legacy system and the rest of your environment. This firewall should reduce the network traffic allowed to the system down to only specifically required ports and source addresses. It should also restrict all unneeded outbound traffic from the device to anything else in the network or the world. The device should be monitored for anomalies and security IOCs.

2. If the hardware is becoming an issue, as well, consider virtualizing the system using a modern virtualization solution. Then apply the firewalling above. Server 2003 seems to be easily virtualized and most modern solutions can handle it trivially.Hardware failure of many of these aging systems is their largest risk in terms of availability.

3. Eliminate the need AS SOON AS POSSIBLE. Even with the firewalling and filtering, these systems have high risk. You might also consider if you can migrate portions of the services from Windows 2003 to a more recent system or platform. This isn’t always possible, but everything you can move from Windows 2003 to a supported OS is likely to let you crank down your filtering even more.

Lastly, if you’re still trapped on Windows 2003, make sure you review this every quarter with the application owners and management. Keep it on their mind and on the front burner. The sooner you can resolve it, the better. 

If you need more help or advice on risk mitigation or minimization, get in touch. We’d love to help! Just email us at info@microsolved.com and we can connect.

EDI – The Often Overlooked Critical Process in Utilities

Posted on by
Reply

EDI (Electronic Data Interchange) is an often forgotten underpinning of many utility companies, even though many of its functions are likely to be critical to the operation. In many states, EDI is a mandated operation for commercial bill pay and meter reading data exchange with third party services. In fact, between the Gas Industry (GISB) and North American Energy (NAESB) Standards Boards, a substantial set of requirements exist for industry use of EDI.

Data

While EDI exists as a specific set of functions for exchanging digital data, it is often managed through third party applications and networks. These operations carry several different threat models, from disruption of service and outages that impact the data availability, to tampering and compromise of the data in transit. As such, it is essential that utilities have performed business function and application specific risk assessment on EDI implementations.

Additionally, many of our clients have performed EDI-focused penetration testing and technical application assessments of their EDI translators and network interconnects. Some clients still utilize a Value Added Network (VAN) or other service provider for EDI transmissions, and MSI can work with your VAN to review their security program and the configuration of your interconnections to ensure maximum security and regulatory compliance.

Lastly, our team has been very successful doing tabletop incident response and disaster recovery/business continuity exercises involving modeling EDI outages, failures and data corruption. Impacts identified in these role playing exercises have ranged from critical outages to loss of revenue.

If you’d like to learn more about our EDI services and capabilities, give us a call at 614-351-1237 or drop us a line at info@microsolved.com. We’d love to talk with you about our nearly 30 years of experience in EDI, information security and critical infrastructure.