I’m scheduled to join @jimsciutto on @CNN at 10am Eastern to talk about ransomware and intrusions into our industrial infrastructure in context of the Colonial Pipeline incident. Join me if you can and thanks for tuning in.
In my opinion there’s some bad takes out there but overall it’s completely reasonable that folks are paying attention. This is the most disruptive incident we’ve seen on US energy infrastructure from cyber intrusions. Colonial Pipeline is the victim and has done a lot right.
They contacted a top tier incident response firm (FireEye/Mandiant) for the enterprise compromise (only IT impacted it seems) to lead the response. They informed the USG who had great folks from CISA/FBI/DOE supporting. They focused on safety and took operations down proactively.
Congress and others will reasonably ask: “if a criminal can do this, what more could a state adversary do?” While we should avoid hype this is a very reasonable question. The reality is our infrastructure is undergoing a rapid digital transformation.
While the ransomware was confined to IT this could have been much worse if it had hit OT and at Dragos we have handled such cases and they candidly suck. As our industries change the historical mindset of “segment and disconnect OT” just isn’t practical in most cases.
75%+ of many of the standards/regulations/frameworks/etc. push for preventive controls (segmentation, authentication, anti malware, patching, etc.) all good controls but that leaves an under investment in detection and response. As our infrastructure changes so will our threats.
What we see most commonly is that without visibility and monitoring in OT networks the preventive controls are not applied everywhere and atrophy over time, unknowingly to the defenders.
Many realize this though. The current White House administration has rightfully pushed for a 100 day action plan to encourage visibility, detection, and response enhancements in OT in the electric sector, and will likely follow suit in water and natural gas to raise awareness.
To the practitioners out there thinking about their OT networks, I would encourage engaging firms with OT/ICS incident response experience. Conduct a TTX to rehearse. Use burn down to do an Architecture Review of what you have today and its state. Then move into monitoring in OT.
For the executives out there, realize your IT and Security staff are usually already under invested in. Picking up a whole new mission set with focus (OT) requires additional resources. Elevate the conversation in your org and invest in your people to enable your business.
You can follow @RobertMLee.