These are separate. I can't really stress that enough. Every news report I keep reading over the weekend makes it sound as if this ransomware incident has completely impacted everything that is within an OT environment.

Welcome back to CISOlife. I'm Brian Haugli, your host, brought to you by SideChannel. You can find us all around, myself too, on social media, LinkedIn, Twitter, or anything around with hashtag CISOlife.

Want to look back at a lot of discussion this weekend about a little hack going on down in the southern part of the United States. Colonial Pipeline recently made the news, and I found it really interesting, kind of the news hype that is around, you know, this incident in particular. And it feels as though there's a kind of misconception about what happens when critical infrastructure like this is attacked.

Now, what we do know, and I'm not going to speculate about anything else: all we do know is that they have stated that they were impacted, their systems had to come down. I think, believed, because they purposely took them down. People were speculating, or sources have come out and said, that it is something to do with ransomware. But it has now impacted 45% of the fuel flow through the North, up through the Northeast of the United States.

What I feel is really interesting, and a lot of people don't understand, is how IT/OT, or information technology and operational technology, systems are set up inside of plants like this, manufacturing and these kinds of spaces. There are many other smarter people than me on this topic. But I wanted to give a basic breakdown because I think there's a misconception that is happening where the OT systems are being indirectly or directly impacted to some degree. And I just don't believe that's the case, based on the nature of how ransomware and attackers are infiltrating organizations.

So let me just walk through a basic setup of what an IT/OT structure would look like for an organization such as Colonial. So you've got your traditional IT infrastructure, you know, within your corporate group, whatever you've got: sales, you've got business development, you've got accounting, you've got finance, you've got the CEO, you've got all of that. All of that is sitting, you know, structured and connected to the IT infrastructure within an organization. This ideally somehow connects up to the internet to get access to any of their SaaS solutions that they may have. Okay. Like maybe they're using Salesforce, who knows, whatever it is. Maybe they're using Office 365. Okay. That's probably true.

What's happening, right, is that malware, right, is now somehow, maybe it's delivered through email. And that email is being accessed by somebody within the IT infrastructure. And unfortunately they are now having a bad day. So ransomware impacts their system. It spreads through the other parts of the organization. And now the organization's IT infrastructure is saddled with a ransomware event. These systems are being shut down or encrypted, what have you, right? This is very straightforward stuff. Like, this is happening quite a bit. And this is how this usually unfolds, right? Email; there's, you know, a lack of blocks happening to, you know, properly vet, sandbox, detonate, check for this email. Maybe there's not even an email security solution wrapped around their email provider. Who knows what those control failures are that led to this. But chances are really high that this is how this was delivered, right? Somebody was phished, accessed, ransomware, right? Bad guys getting in, doing this.

The difference here is that this is what is probably happening, but this is what's being reported on as if this environment is also connected down to the OT environment. Okay. And the OT environment, this is where you've got, you know, your plant, your processors, all your other systems that are happening and managing to a pipeline, right? So the pipeline operations, all of that, are being controlled by engineers. You know, this is really very system-level type of work. This is traditionally, even in some of the worst organizations out there, separate from the IT organization and the IT infrastructure. All we know is that this is probably what's happening, but what's being conveyed in the news, it's as if this impacted down here. We don't know that for sure. But these organizations, these parts of infrastructure, are traditionally separated. Okay. And that separation is really key.

So the other piece to remember is that ransomware, as it's developed for IT, is purpose-built to impact certain types of systems, take advantage of certain types of vulnerabilities, use certain types of processes in operating systems. That doesn't just immediately translate to how OT systems are constructed. Sure, there are, you know, Windows and Linux boxes and systems that run and allow us, inside of here, to run things like HD [inaudible], control other systems within this. But the actual PLCs, the actual componentry that is running and making this infrastructure available, it's not based on Windows. It's not based on Linux. It's proprietary to Siemens, Rockwell, Honeywell, any of these types of manufacturers that are out there. Schweitzer has some for the electrical space. It's important to know that these are separate. I can't really stress that enough. Every news report I keep reading over the weekend makes it sound as if this ransomware incident has completely impacted everything that is within an OT environment. And I just have a hard time believing that that's the case.

So I wanted to just walk through: when you hear about these ransomware or these impacts to critical infrastructure, just keep in mind how these are separated. There's a model called the Purdue model, which is, you know, an architecture type to enforce a proper way to segment and structure OT in itself, and also away from IT. But there's just this traditional separation between these two. So keep that in mind. Don't let the hype cycle get ahead of itself and sway your thinking into what's going on. Just listen to the reports, listen to what's coming out from the government. Let's listen to things that are coming from groups like CISA and DHS about the impacts as the federal government is making their resources available, and just stay tuned to what's going on.
And watch for the speculation. If the information that you're reading is buried that far down into an article, chances are it's just speculation at this point. So anyway, thought this was an interesting idea. Definitely hear a lot of people talking about it. Hope this was helpful. I'm Brian Haugli with CISOlife, brought to you by SideChannel. Again, you can follow us, myself or any of us, around via hashtag CISOlife. I'll catch you next time. Be safe out there.
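The IT/OT separation and the Purdue model described in the episode can be turned into a check an architecture or SOC team could actually run. The following is an added example and is not part of the transcript, nor code from CISOlife or SideChannel. It assigns each host in a constructed asset inventory to a Purdue level, checks a list of allowed network flows (the shape a firewall ruleset or a flow export would give) against the rule that traffic may only cross adjacent levels and must pass through a level 3.5 DMZ between the enterprise zone and the control zone, and then walks the flows from a phished corporate workstation to show how far a self-propagating payload could spread over each ruleset. Every hostname, level, port and flow is constructed for illustration.

```python
"""Purdue-model segmentation check (added example, not the transcript's or
SideChannel's code).  Inventory, levels and flows below are constructed."""
from collections import deque

# Constructed asset inventory: hostname -> Purdue level (3.5 is the IT/OT DMZ).
INVENTORY = {
    "corp-mail-gw":    5.0,  # enterprise, internet-facing mail gateway
    "corp-ws-finance": 4.0,  # corporate workstation that opens the phishing mail
    "erp-server":      4.0,  # enterprise business system
    "historian-dmz":   3.5,  # replicated historian in the IT/OT DMZ
    "jump-host-dmz":   3.5,  # brokered remote access into the control zone
    "scada-server":    3.0,  # site operations
    "eng-ws":          2.0,  # engineering workstation
    "hmi-01":          2.0,  # supervisory control
    "plc-pump-01":     1.0,  # basic control, vendor-proprietary firmware
    "flow-sensor-01":  0.0,  # physical process
}

def levels_may_talk(a, b):
    """Purdue adjacency rule: a flow may cross at most one level step, and the
    3.5 DMZ is the only bridge between enterprise (>=4) and control (<=3)."""
    lo, hi = sorted((a, b))
    if hi >= 4.0 and lo <= 3.0:   # enterprise <-> control with no DMZ between
        return False
    return hi - lo <= 1.0

def find_violations(flows, inventory=INVENTORY):
    """Return the (src, dst, port) flows that break the adjacency rule."""
    return [(s, d, p) for s, d, p in flows
            if not levels_may_talk(inventory[s], inventory[d])]

def reachable_from(start, flows):
    """Hosts reachable from `start` by following allowed flows: the network
    blast radius a worm-style payload would have over this ruleset."""
    adj = {}
    for src, dst, _port in flows:
        adj.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        host = queue.popleft()
        for nxt in adj.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return sorted(seen)

def ot_exposure(start, flows, inventory=INVENTORY):
    """Subset of reachable hosts that sit in the control zone (level <= 3).
    Reachability is only network exposure; whether the payload can run on a
    proprietary PLC it reaches is a separate question, as the episode notes."""
    return [h for h in reachable_from(start, flows) if inventory[h] <= 3.0]

# Constructed ruleset that honours the Purdue layering.
SEGMENTED_FLOWS = [
    ("corp-mail-gw", "corp-ws-finance", 443),   # 5 -> 4
    ("corp-ws-finance", "erp-server", 443),     # 4 -> 4
    ("corp-ws-finance", "historian-dmz", 443),  # 4 -> 3.5 reports from DMZ copy
    ("scada-server", "historian-dmz", 1433),    # 3 -> 3.5 push outward only
    ("jump-host-dmz", "scada-server", 3389),    # 3.5 -> 3 brokered admin access
    ("scada-server", "hmi-01", 102),            # 3 -> 2
    ("hmi-01", "plc-pump-01", 502),             # 2 -> 1
    ("eng-ws", "plc-pump-01", 44818),           # 2 -> 1
]

# Same ruleset plus two "convenience" rules that flatten IT straight into OT.
FLAT_FLOWS = SEGMENTED_FLOWS + [
    ("corp-ws-finance", "eng-ws", 445),         # 4 -> 2, skips the DMZ
    ("erp-server", "scada-server", 1433),       # 4 -> 3, skips the DMZ
]

if __name__ == "__main__":
    for name, flows in (("segmented", SEGMENTED_FLOWS), ("flat", FLAT_FLOWS)):
        print(f"[{name}] violations: {find_violations(flows)}")
        print(f"[{name}] reachable from corp-ws-finance: "
              f"{reachable_from('corp-ws-finance', flows)}")
        print(f"[{name}] OT hosts exposed: {ot_exposure('corp-ws-finance', flows)}")
```

With the segmented ruleset a compromise of the finance workstation can reach the ERP server and the DMZ historian copy and nothing below level 3.5; with the two flattening rules added, the same compromise has a network path to the SCADA server, the HMI, the engineering workstation and the PLC. Running `find_violations` over an exported ruleset is the cheap way to find those rules before an incident rather than during one.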