Tag Archive for: Operational Technology

From Reactive to Proactive: Transforming Healthcare Cybersecurity Post-Change Healthcare Attack

Change Healthcare, a major player in the healthcare technology sector, fell victim to a ransomware attack in February and is quickly heading towards a billion dollars in loss. The breach disrupted its operations and potentially compromised sensitive patient data. The attackers, ALPHV, also known as BlackCat and Noberus, exploited vulnerabilities in the company’s IT infrastructure, likely through phishing emails or other means, to gain unauthorized access to their systems. This breach not only posed a significant threat to patient privacy but also raised concerns about the integrity of healthcare data and the reliability of essential services.

In the landscape of healthcare, where interconnected IT, operational technology (OT), and Internet of Things (IoT) networks are the norm, it’s inhumanly difficult to understand the whole attack surface.  This is why experts and regulators advise adopting a proactive approach to security with best practices including segmentation – keep separate things apart, so that an attacker cannot easily spread from one place to another.  Defenders of healthcare networks need automated assessment of their defensive posture, to uncover gaps and ensure good hygiene ahead of the next attack.

Healthcare administrators must fortify network infrastructure with stringent policies, including robust password enforcement, firewall configurations, and access controls. Vigilant monitoring and configuration of all connected devices, from medical equipment to personal devices, are imperative. Employing strong encryption further enhances data security, deterring cyber intrusions.

Another best practice is implementing a framework such as NIST and MITRE ATT&CK as part of your comprehensive cyberdefense efforts. Take for example another high-growth healthcare organization. Managing 20,000 clinicians and 150,000 medical devices, taking a proactive approach to network visibility and vulnerability prioritization is critical. As cyberattacks have become more sophisticated, healthcare organizations must be proactive and adopt best practices to, as this health system’s cybersecurity expert put it, “prepare the battle space.” In addition to having a dynamic map of their environment, the health system relies on the MITRE ATT&CK (adversarial tactics, techniques, and common knowledge) framework, a comprehensive knowledge base that gives security personnel key insights into attacker behavior and techniques, to help it prevent potential attacks and keep patient information, payment information, and other key data secure.

Click here to read the full case study

Regular attack surface scans are essential for proactive risk mitigation, providing crucial insights for informed decision-making in cybersecurity strategy development. Prioritizing rigorous testing of all software and device updates is crucial to preempt vulnerabilities.

Secure your healthcare network comprehensively with RedSeal. Our network exposure analytics platform offers dynamic visualization of network ecosystems, empowering organizations to identify and address vulnerabilities efficiently. Partnering with leading infrastructure suppliers, we deliver unparalleled network security solutions and professional services, ensuring robust protection against evolving threats.

Reach out to RedSeal or schedule a demo today.

Tales from the Trenches: Network Backdoors — Lions, and Tigers, and Bears…

Today’s tale from the trench is brought to you by Brad Schwab, Senior Security Solutions Consultant.

One of the greatest concerns for professionals in Network and Security Operations is the potential existence of a backdoor in their network—let alone the presence of numerous backdoors! Identifying backdoors can be a daunting challenge, as they might exist beyond the confines of the configured routing table or take a longer path than the optimized routing path typically followed by traffic. Consequently, conventional traffic mapping tools seldom uncover the presence of a backdoor.

RedSeal is unique in its ability to identify and display all paths through a network, regardless of routing protocols and network address translation (NAT)—therefore exposing all potential backdoors.

While working with a power generation company that managed many extremely remote renewable energy sites, I performed RedSeal data collections on network device configurations across the organization, including company headquarters. From there, I began to perform RedSeal data collections on the power generation farms networks. With this data, I was able to model their network and gain visibility into all the access across their network fabric.

Once all data was collected, we initiated an examination of access vectors into the local generating networks. While engaged in this process, one individual began discussing how the heightened global threat levels had prompted the implementation of a company policy mandating a firewall at each site. This measure aims to safeguard Operational Technology (OT) devices and SCADA Systems. SCADA (Supervisory Control and Data Acquisition) is a software application used for controlling industrial processes by gathering real-time data from remote locations to control equipment and conditions.

As we began verifying that access controls were in place, we concluded there were indeed firewalls present with Access Control Lists (ACLs) blocking and filter inbound traffic. However, because RedSeal shows ALL access vectors, we also noticed that each generation site had two available paths to the internal network—one controlled and limited by the firewall and another that was wide open through the on-site router — a backdoor!

Through RedSeal’s security methodology of “Discover, Investigate, Act” we were able to uncover the backdoors and found that though we started with a small sample of sites, we now knew what to look for and each one had backdoors into the power generation network.

During our investigation we discovered that the secondary wide open access had been set in the case of a site lockout on the firewall. I have seen networks set up like this in the past, although not quite at this scale. It is not terribly uncommon in remote locations to set up a backdoor enabling remote access – however, we learned that with this set up even a firmware upgrade would cause problems. I explained how RedSeal could help verify changes before deployment and then verify implementation with ongoing monitoring for the entire generating network to ensure all sites were always in compliance and no backdoors were in place.  I like to think of it as an always on, always up-to-date audit.  Thus, avoiding any “negative compliance drift” between yearly scheduled audits.

In summary, RedSeal was able to show all the paths through the network—not just the ones that traffic is currently traveling on.  For each path of interest, in this case the backdoors, RedSeal shows every device along the path (hops), and all the ports and protocols that are available for traffic to transit.  Finally, such access can be monitored on an ongoing basis to ensure it does not stray from company policy.

At RedSeal, we’re committed to helping you fortify your digital infrastructure, for good. We proactively help visualize your network, identify attack paths, prioritize risk, and help you stay in compliance to ensure your business and customers stay secure.

Reach out to RedSeal or schedule a demo today.

Expert Insights: Building a World-Class OT Cybersecurity Program

In an age where manufacturing companies are increasingly reliant on digital technologies and interconnected systems, the importance of robust cybersecurity programs cannot be overstated. While attending Manusec in Chicago this week, RedSeal participated on a panel of cybersecurity experts to discuss the key features, measurement of success, and proactive steps that can lead to a more mature OT (Operational Technology) cybersecurity posture for manufacturing companies. This blog provides insights and recommendations from CISOs and practitioners from Revlon, AdvanSix, Primient, Fortinet, and our own Sean Finn, Senior Global Solution Architect for RedSeal.

Key features of a world-class OT cybersecurity program

The panelists brought decades of experience encompassing a wide range of manufacturing and related vendor experience and the discussion centered around three main themes, all complemented by a set of organizational considerations:

  • Visibility
  • Automation
  • Metrics

Visibility

The importance of having an accurate understanding of the current network environment.

The panel unanimously agreed – visibility, visibility, visibility – is the most critical first step to securing the network. The quality of an organization’s “situational awareness” is a critical element towards both maximizing the availability of OT systems and minimizing the operational frictions related to incident response and change management.

Legacy Element Management Systems may not be designed to provide visibility of all the different things that are on the network. The importance of having a holistic view of their extended OT environment was identified in both proactive and reactive contexts.

The increasingly common direct connectivity between Information Technology (IT) and Operational Technology (OT) environments increases the importance of understanding the full scope of available access – both inbound and outbound.

Automation

Automation and integrations are key components for improving both visibility and operational efficiency.  

  • Proactive assessment and automated detection: Implement proactive assessment measures to detect and prevent segmentation violations, enhancing the overall security posture.
  • Automated validation: Protecting legacy technologies and ensuring control over IT-OT access portals are essential. Automated validation of security segmentation helps in protecting critical systems and data.
  • Leveraging system integration and automation: Continue to invest in system integration and automation to streamline security processes and responses.

Metrics

Measuring and monitoring OT success and the importance of a cybersecurity framework for context. 

One result of the ongoing advancement of technology is that almost anything within an OT environment can be measured.

While there are multiple “cybersecurity frameworks,” the panel was in strong agreement that it is important to leverage a cybersecurity framework to ensure that you have a cohesive view of your environment.  By doing so, organizations will be better-informed regarding cybersecurity investments and resource allocation.

It also helps organizations prioritize and focus on the most critical cybersecurity threats and vulnerabilities.

The National Institute of Standards and Technology (NIST) cybersecurity framework was most commonly identified by practioners in the panel.

Cybersecurity metric audiences and modes 

Different metrics may be different for very different roles. Some metrics are valuable for internal awareness and operational considerations, which are separate from the metrics and “KPIs” that are consumed externally, as part of  “evidencing effectiveness northbound.”

There are also different contexts for measurements and monitoring:

  • Proactive metrics/monitoring: This includes maintaining operational hygiene and continuously assessing the state of proactive analytics systems. Why would a hack want to get in? What is at risk and why does it matter to the organization? 
  • Reactive metrics/monitoring: Incident detection, response, and resolution times are crucial reactive metrics. Organizations should also regularly assess the state of reactive analytics systems. 
  • Reflective analysis: After incidents occur, conducting incident post-mortems, including low-priority incidents, can help identify systemic gaps and process optimization opportunities. This reflective analysis is crucial for learning from past mistakes and improving security. 

 Organizational Considerations 

  1. Cybersecurity risk decisions should be owned by people responsible, and accountable for cybersecurity.
  2. Collaboration with IT: OT and IT can no longer operate in isolation. Building a strong working relationship between these two departments is crucial. Cybersecurity decisions should align with broader business goals, and IT and OT teams must collaborate effectively to ensure security.
  3. Employee training and awareness: Invest in ongoing employee training and awareness programs to ensure that every member of the organization understands their role in maintaining cybersecurity.

Establishing a world-class OT cybersecurity program for manufacturing companies is an evolving process that requires collaboration, automation, proactive measures, and continuous improvement. By focusing on visibility, collaboration, and a commitment to learning from incidents, organizations can build a strong foundation for cybersecurity in an increasingly interconnected world.

Contact RedSeal today to discuss your organizational needs and discover how RedSeal can provide unparalleled visibility into your OT / IT environments.

IT/OT Convergence

Operational Technology (OT) systems have decades of planning and experience to combat threats like natural disasters – forces of nature that can overwhelm the under-prepared, but which can be countered in advance using well thought out contingency plans. Converging IT with OT brings great efficiencies, but it also sets up a collision between the OT world and the ever-changing threats that are commonplace in the world of Information Technology. 

A Changing Threat Landscape 

The security, reliability, and integrity of the OT systems face a very different kind of threat now – not necessarily more devastating than, say, a flood along the Mississippi, or a hurricane along the coast – but more intelligent and malicious. Bad actors connected over IT infrastructure can start with moves like disabling your backup systems – something a natural disaster wouldn’t set out to do. Bad actors are not more powerful than Mother Nature, but they certainly are more cunning, and constantly create new attack techniques to get around all carefully planned defenses. This is why the traditional strategies have to change; the threat model is different, and the definition of what makes a system “reliable” has changed. 

In the OT world, you used to get the highest reliability using the oldest, most mature equipment that could stay the same, year after year, decade after decade. In the IT world, this is the worst possible situation – out of date electronics are the easiest targets to attack, with the most known vulnerabilities accumulated over time. In the IT world of the device where you are reading this, we have built up an impressive and agile security stack in response to these rapidly evolving threats, but it all depends on being able to install and patch whatever software changes we need as new Tactics, Techniques and Procedures (TTP’s) are invented. That is, in the IT world, rapid change and flexible software is essential to the security paradigm. 

Does this security paradigm translate well to the OT world?

Not really. It creates a perfect storm for those concerned with defending manufacturing, energy, chemical and related OT infrastructure. On the one hand, the OT machinery is built for stability and cannot deliver the “five nines” reliability it was designed for if components are constantly being changed. On the other hand, we have IT threats which can now reach into OT fabric as all the networks blend, but our defense mechanisms against such threats require exactly this rapid pace of updating to block the latest TTP’s! It’s a Catch-22 situation. 

The old answer to this was the air gap – keep OT networks away from IT, and you can evade much of the problem. (Stuxnet showed even this isn’t perfect protection – humans can still propagate a threat across an air gap if you trick them, and it turns out that this isn’t all that hard to do.) Today, the air gap is gone, due to the great economic efficiencies that come from adding modern digital communication pathways to everything we might need to manage remotely – the Internet of Things (IoT).

How do we solve this Catch-22 situation?

So, what can replace the old air gap? In a word, segmentation – it’s possible, even in complex, blended, IT/OT networks to keep data pathways separate, just as it’s essential for the same reason that we keep water pipes and sewer pipes separate when we build houses. The goal is to separate vulnerable and critical OT systems so that they can talk to each other and be managed remotely, but to open only these pathways, and not fall back to “open everything so that we can get the critical traffic through”. Thankfully, this goal is achievable, but the bad news is it’s error prone. Human operators are not good at maintaining complex firewall rules. When mistakes inevitably happen, they fall into two groups:

  1. errors that block something that is needed
  2. errors that leave something open

The first kind of error is immediately noticed, but sadly, the second kind is silent, and, unless you are doing something to automatically detect these errors and gaps, they will accumulate, making your critical OT fabric more and more fragile over time. 

One way to combat this problem is to have a second set of humans – the auditors – review the segmentation regularly. Experience shows, though, that this just propagates the problem – no human beings are good at understanding network interactions and reasoning about complex systems. This is, however, a great job for computers – given stated goals, computers can check all the interactions and complex rules in a converged, multi-vendor, multi-language infrastructure, and make sure only intended communication is allowed, no more and no less.

In summary, IT/OT convergence is inevitable, given the economic benefits, but it creates an ugly Catch-22 scenario for those responsible for security and reliability – it’s not possible to be both super-stable and agile at the same time. The answer is network segmentation, not the old air gapped approach. The trouble with segmentation is it’s hard for humans to manage, maintain and audit without gaps creeping in. Finally, the solution to resolve this Catch-22 is to apply automation – using software such as from RedSeal to automatically verify your segmentation and prevent the inevitable drift, so that OT networks are as prepared for a hacker assault as they are for a natural disaster.