It's been a busy few weeks, and I've fallen a bit behind. Even though this ZDNet article is from mid-February, that doesn't diminish the importance of what happened here.
"a cyber threat actor used a spearphishing link to obtain initial access to the organization's information technology (IT) network before pivoting to its operational (OT) network."
Holy cow. That's absolutely terrifying. From a phishing email, malicious actors gained access to the corporate infrastructure of a compressed natural gas (CNG) facility. From there, they performed reconnaissance until they gained access to the OT environment, at which point they deployed and then triggered an easily obtained ransomware package, effectively shutting down all operations.
In theory, OT and IT should be separate. Everyone tries their best to make that happen. But all it takes is a lack of visibility into data flows that cross an intended air gap, and you're in trouble.
Visibility is everything. Knowing what's supposed to be talking and what's not is impossible without it. You can do your very best to separate OT and IT, but how do you really know unless you start from scratch on both sides?
Once you've got that visibility, how do you ensure that any potential ingress is quickly detected, remediated, and reported? Know your application infrastructure, lock it down using Zero Trust principles, and use all of your other security tools (SIEM, vulnerability scanners, etc.) to aggregate those events. Then create a response workflow that brings clarity and definition to the recognition, mitigation, and reporting of potential issues.
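Here is a small added example of the "know what's supposed to be talking" baseline described above; it is not code from the post or from any vendor. It assumes two constructed subnets (one IT, one OT), a constructed allowlist of permitted boundary crossings, and a few constructed firewall/netflow-style records, and it flags every IT/OT crossing that is not on the allowlist, which is exactly the kind of event you would feed to a SIEM.

```python
# Added example (not from the post): flag IT<->OT flows that are not on an
# explicit allowlist. Subnets, allowlist and log lines are all constructed.
import ipaddress
from typing import Iterable

IT_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed corporate IT range
OT_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed OT / control range

# Permitted boundary crossings: (src host, dst host, dst port). Anything else
# that crosses IT<->OT is an unexpected path and is reported.
ALLOWED = {
    ("10.20.5.10", "10.10.8.20", 443),   # historian -> reporting server
}

# Constructed flow records: "src dst dport proto" (e.g. from a netflow export)
SAMPLE_FLOWS = """\
10.10.3.44 10.10.8.20 443 tcp
10.20.5.10 10.10.8.20 443 tcp
10.10.3.44 10.20.7.15 445 tcp
10.10.3.44 10.20.7.15 3389 tcp
10.20.7.15 10.20.7.16 502 tcp
"""

def zone(ip: str) -> str:
    """Return which zone an address belongs to: 'IT', 'OT' or 'other'."""
    addr = ipaddress.ip_address(ip)
    if addr in IT_NET:
        return "IT"
    if addr in OT_NET:
        return "OT"
    return "other"

def find_boundary_violations(lines: Iterable[str]) -> list[dict]:
    """Return flows that cross the IT/OT boundary and are not allowlisted."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed records
        src, dst, dport, proto = parts[0], parts[1], int(parts[2]), parts[3]
        src_zone, dst_zone = zone(src), zone(dst)
        crosses = {src_zone, dst_zone} == {"IT", "OT"}
        if crosses and (src, dst, dport) not in ALLOWED:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "proto": proto, "direction": f"{src_zone}->{dst_zone}"})
    return findings

if __name__ == "__main__":
    for f in find_boundary_violations(SAMPLE_FLOWS.splitlines()):
        print("ALERT unexpected boundary crossing:", f)
```

On the constructed records this reports the two IT-to-OT flows on ports 445 and 3389 and stays silent on the allowlisted historian export and the intra-zone traffic.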
It's not infallible. They only have to get lucky once, and we have to be right every single time. But if you can be proactive rather than reactive, that's a huge advantage.
Thanks for reading!
A ransomware attack has impacted the operations of a US-based natural gas compression facility, according to a security advisory from the US government.