Network Cloaking with BlastShield

Scenario:

A transnational oil and gas company has a complete operational lifecycle, from an upstream drilling operation to the midstream transport of resources to the final downstream delivery of fuel oils and finished petroleum products. They rely on operational technology (OT) to keep their operations running smoothly. Any infrastructure disruption affects every step in their supply chain and causes financial, reputational, and human costs for the nations where they supply their products. Unfortunately, their network has thousands of legacy OT devices with known unpatchable vulnerabilities, yet they must be monitored in real-time to ensure their continuous operation. The CISO for OT is looking for a solution that doesn’t require millions of dollars of hard-to-manage Firewalls and VPNs that need to be managed by their IT staff and are looking for alternatives. They deploy BlastShield, and their OT devices are immediately shielded without disrupting their existing network architecture.

Industry Perspective:

The oil and gas industry relies on a secure network infrastructure to manage an intricate web of global energy operations. The revenue generated by the industry makes it an enticing target for cybercriminals, jeopardizing the security and safety of critical operations. In 2022, oil and gas companies were the verified target of 21 ransomware attacks and 32 cyber breaches, placing it in the top ten assaulted industry sector list. The fallout from the Colonial Pipeline attack highlights the danger to oil and gas companies and the consumer markets that depend on their product for continued operation.

The Department of Energy’s (DoE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) created the Cybersecurity for the Operational Technology initiative to highlight the expectations of the oil and gas industry in cybersecurity. It emphasized the importance of cyber visibility and the susceptibility of critical energy systems and networks to potential cyber-attacks. This requirement for continuous monitoring eliminates the option of air gap systems as a likely solution for the industry. It also makes its legacy systems a key target for highly sophisticated cyber attackers. The CESER calls on the industry to proactively secure OT systems to protect the energy infrastructure’s survivability and resilience.

BlastShield: Network Cloaking for Proactive Oil and Gas Cybersecurity

BlastShield delivers the only peer-to-peer software-defined perimeter (SDP) cybersecurity solution for the oil and gas industry through network cloaking, answering the CESER’s call for proactive OT security. It secures the network infrastructure for the entire oil and gas industry lifecycle, from upstream exploration and drilling to downstream refining and distribution. BlastShield’s SDP cloaks the legacy critical infrastructures like PLCs, IEDs, RTUs, and other IoT devices that are integral to operations but represent a security risk because they remain in service for decades without vendor support or updates. 

With BlastWave’s Network Cloaking technology, devices behind a BlastShield Gateway are invisible to remote users without an initial authentication. Users must authenticate with multi-factor authentication (MFA) and can leverage biometrics similar to Apple or Google Pay to increase protection from bad actors. Since MFA does not rely on passwords, it eliminates a significant security vulnerability common even among the leading VPN solutions on the market: phishing attacks.  BlastShield ensures continuous and secure operations, safeguarding the industry's vital infrastructures and contributing to a robust digital defense posture. Network Cloaking also addresses the limitations of perimeter-based defenses, like VPNs and firewalls, which are becoming obsolete in the face of advanced threats, edge-to-cloud applications, and the evolving workforce. With BlastShield, oil and gas companies can embrace digital transformation securely, reducing downtime and complying with industry standards and guidelines such as NIST 800-53, IEC 62443, and CFATS.

Scenario: 

A large city has a decades-old water facility that supplies millions of citizens with clean water. Their operational technology (OT) network consists of a mix of legacy and new systems that all share one major problem - they are all vulnerable to cyber-attacks and malware. Since they operate a flat OT network, an attacker could take down their entire network or hold it for ransom if a malware, phishing, or credentials attack succeeds on any of their systems. The SCADA Superintendent is seeking an alternative to their firewall and VPN-based security solution, as it has become too complicated to manage with limited resources and personnel. They deploy BlastShield to reduce the administrative challenge for their overworked administrators, and their OT network is now undiscoverable by hackers, protecting the city’s water supply.

Industry Perspective:

The digital revolution in the water and wastewater industry has delivered significant operational benefits and also introduced new vulnerabilities. Recent cyber incidents, like the ones in the San Francisco Bay Area and Oldsmar, Florida, highlight the vulnerabilities of outdated software, shared login credentials, and a lack of network segmentation. CISA reports that there are over 153,000 public drinking water systems (80% of the US population) and more than 16,000 publicly owned wastewater systems (75% of the US population) in the US and that safe drinking water is a prerequisite for protecting the public health and all human activity. Significant risks highlighted in this sector are network segmentation, secure remote access to prevent lateral movement, and ensuring that no part of the OT systems connects directly to the internet.

BlastShield: Network Cloaking for Water / Wastewater to Shield the Lifeblood of a City

Network cloaking technology mitigates two of the water industry's most significant risks: network segmentation and direct internet connectivity for water-based industrial control systems (ICS). BlastShield also addresses the third major issue by limiting a user's ability to move laterally within the network and removing stolen credentials as a security vulnerability. 

BlastShield's Gateway ensures that critical yet outdated legacy infrastructure such as PLCs, sensors, and pumps—becomes invisible to external threats. Rather than just obfuscating these systems, they do not appear in any scans or probes from a hacker. Due to BlastShield’s secure network segmentation, they also lack the credentials to execute lateral movements to wreak havoc in water OT systems. With BlastShield, water systems operators ensure security and compliance with industry standards and guidance like NIST 800-53, 800-207 (Zero Trust), and IEC 62443.

Scenario: 

A bustling manufacturing plant producing a high-value product grinds to a halt as all of its systems go offline. Cybercriminals have penetrated the facility's systems, shutting down the production line and demanding a ransom from the manufacturer. With ransoms in the manufacturing industry rising to over $2M per incident, the CISOs for IT and OT are looking for a new solution to protect them from the widespread hack that turned off their operational technology (OT) systems. Their existing firewall and VPN systems could not prevent the stolen credentials and unpatched OT systems that led to the hack, and a new approach is needed going forward. They deploy BlastShield, and their OT network is no longer vulnerable to credential theft or lateral movement.

Industry Perspective:

The rapid digitization of the manufacturing sector, with Industry 4.0 technologies like IoT and AI at the helm, has drastically improved productivity. However, Verizon's 2022 Data Breach Investigations Report throws a spotlight on the grim reality - a majority of cyber incidents in manufacturing are driven by motives of financial gain and facilitated through tactics like social engineering, system intrusion, and web application attacks. High-profile breaches, such as those suffered by OXO International, Hanesbrands, and DuPont, underline the multifaceted threat. With the potential financial implications of an attack and 61% of manufacturing and production businesses reporting increased cyberattacks, finding the right solution for top-notch cybersecurity to provide a software-defined perimeter is paramount for manufacturing businesses.

BlastShield: Network Cloaking as a Digital Shield for Manufacturers

In a manufacturing environment, if you can’t see an OT system, you can’t hack or attack it. Network cloaking is the industry’s best opportunity to prevent hacks. IT/OT administrators cannot patch legacy systems; zero-day vulnerabilities are even in VPN products. BlastShield cloaks the manufacturing supply chain with a software-defined perimeter (SDP) that is invisible to hackers, providing a layer of defense that is impossible with firewall or VPN solutions today. BlastShield protects against inbound attacks, lateral movements, and diverse cyber threats, including stolen credentials and malware delivery, enhancing operational integrity. With BlastShield, crucial manufacturing components like workstations and building management systems remain uninterrupted and secure from outside threats.

Scenario:

An electrical power station provides power to millions of consumers in a metro area but has thousands of legacy systems and connected components used to monitor the health of the power grid. The power station cannot patch these systems and cannot go offline without affecting power in the local area.  Some monitoring and control systems use operating systems that no longer have official support from their vendors but cannot be replaced because of their unique capabilities and lack of available upgrades. The Plant Manager struggles to keep their existing firewall system policies current as more segmentation is done to minimize network risk. Their VPN solution has had many zero-day defects, and they experienced a minor breach when a user fell victim to a spear phishing attack and their password was compromised. Fortunately, they were able to prevent any damage from that attack, but they are now looking for a better solution. BlastShield is deployed, and they no longer have to worry about their VPN solution being compromised since they have strong multifactor authentication to enhance their security. Their network is fully cloaked, and their known vulnerabilities cannot be discovered, much less exploited.

Industry Perspective:

Since 2017, cyber attackers have rapidly increased their attacks on the energy industry, with 2022 reaching an all-time high for the number of attacks in a single year. With the growing dependence on digital systems to manage operations in the sector, CISA has published a Sector-Specific Plan for Energy, which guides energy providers in reducing risk and vulnerability to cyberattacks through several investment priorities. The reliance of virtually all industries on electric power and fuels means that all sectors have some dependence on the energy industry. The cybersecurity landscape for energy and utility companies has become increasingly complex, not just due to escalating geopolitical issues. New cyber threats highlight the inherent vulnerabilities of this critical infrastructure, which was never designed with digital transformation in mind. Some power transmission systems are so sensitive that even a ping sweep could take them offline, so they must be protected from external traffic while maintaining internal monitoring connectivity.

BlastShield: Network Cloaking to Reduce Attack Surfaces for Energy

BlastShield’s Network Cloaking is ideal for energy companies to reduce the attack surface. It makes the OT infrastructure undiscoverable by hackers by positioning all assets behind an MFA-protected gateway. Devices behind a BlastShield Gateway are invisible to remote users without an initial multi-factor authentication (MFA) and can leverage biometrics similar to Apple or Google Pay to increase protection from bad actors. Since MFA does not rely on passwords, it eliminates a significant security vulnerability that is common even among the leading VPN solutions on the market: phishing attacks. BlastShield also prevents lateral movement within the network, as users can only see and connect to their authorized systems after their passwordless, phishing-resistant MFA succeeds.

Scenario:

A large data center CISO struggles to maintain an internal cybersecurity posture as cyber threat complexities increase daily. Every paying customer represents a potential threat vector when accessing their systems for management. He needs thousands of IOT and automation devices in addition to his servers fully operational to keep his business running smoothly, and any system failure could cascade throughout his entire company. He has seen stolen credentials and compromised VPN systems affect the operations of his competition and does not want to expose his operation to those same threats. He wants to market to his customers that he has complete control of his infrastructure and to offer the most secure access for system management as a differentiation in the marketplace. By deploying BlastShield, he differentiates his offering by giving users a user experience like Apple Pay for access and administration and removes the risk of lateral threats if a single system is compromised.

Industry Perspective:

Data centers are a rising target of cyber attacks, with multiple data centers reporting hacks of the credentials used by those managing the data centers and customer credentials as recently as 2023. Cybercriminals know that accessing the management network in a data center can grant lateral access to the customer data of potentially millions of consumers. The proliferation of insecure IoT devices further exacerbates the risks for the physical plant of the data center since the operating environment is critical to keep the servers running smoothly. 

BlastShield: Network Cloaking To Enhance Data Center Cybersecurity

BlastShield revolutionizes data center cybersecurity, integrating traditional software-defined perimeter (SDP) with sophisticated network cloaking. This innovative approach ensures unparalleled defense against cyber threats like stolen credentials, phishing, and man-in-the-middle attacks. BlastShield creates a secure, vendor-agnostic network environment, empowering data center managers to regain control over their security protocols. By employing network cloaking, BlastShield renders critical components such as building automation, HVAC, and power management systems invisible to cyber adversaries, ensuring the integrity and continuity of core operations. This enhances the security posture of data centers and significantly reduces downtime and operational costs, eliminating the need for conventional security measures like VPNs, firewalls, and data diodes. With BlastShield, data centers proactively prevent attacks while ensuring compliance with industry standards like NIST 800-53.

Scenario:

A building management office runs multiple office buildings in a large metropolitan area. Each building has deployed a Building Automation System (BAS) that adds significant value for tenants. However, this system introduces a larger attack surface and cybersecurity risk for the building management company, as a hack could open their business and all of their tenants to significant losses. Vulnerabilities in Building Automation Systems (BAS), a profusion of interconnected IoT devices, and the dangers of human error are risks the CISO needs to mitigate. Their current VPN and firewall systems are becoming unmanageable as tenants, and the number of IOT devices has skyrocketed, and a new approach is required. They deploy BlastShield, and all remote access to each tenant’s enclave can be managed through a simple, intuitive user interface. 

Industry Perspective:

Smart Building’s potential to enhance productivity, optimize energy usage, and streamline processes has positioned it as a growth market for the future. Reports and Data forecast the global Smart Building market will surge to $189 billion by 2030 from $72.6 billion in 2021. This boom significantly increases the attack surface for this industry, and rapid growth often multiplies risks for overtaxed IT staff. For instance, the notorious Target hack of 2013 demonstrated the potential of a single HVAC contractor’s vulnerability to compromise critical customer data through lateral movement. With IoT devices, API integrations, and frequent use of contractors, the attack landscape for hackers is vast. Each building may have thousands of unpatched devices and vulnerable systems that malicious operators can easily hack. 

BlastShield: Network Cloaking to Secure Smart Buildings

The entry point to most BAS is the Building Management Systems (BMS). The BMS connects to the outside world for remote access and bridges to every automated system inside the building. BlastShield cloaks these systems from the outside world, introducing a software-defined perimeter incorporating a zero-trust architecture and network cloaking to fortify defenses and simplify system management. BlastShield’s network cloaking capabilities protect building automation, HVAC, fire and safety, surveillance, and access control systems from digital threats. With BlastShield, IT organizations gain secure remote access, network segmentation, and device cloaking, rendering critical systems undiscoverable to attackers and mitigating the risk of unauthorized access. This architecture also ensures compliance with industry standards such as NIST 800-53. As a result, building managers can maintain optimal security posture, reduce downtime, and ensure the safety of their systems, all while streamlining operational costs by up to 90%, eliminating the dependency on outdated solutions like VPNs and firewalls. With BlastShield, building management enters a new era of cybersecurity, ensuring robust protection and simplified management in the face of evolving cyber threats.