July 13, 2022
February 17, 2026

Why Preventing OT Attacks is the Most Profitable Investment You’ll Ever Make


In the world of critical infrastructure, there is a "before" and an "after." For the U.S. energy sector, that line was drawn in February 2020. It was an event that helped influence the future of BlastWave (along with Colonial Pipeline) because it showed me that BlastWave had the answer to a problem that was about to affect critical infrastructure worldwide.

A natural gas compression facility owned by US Gas became the site of the first confirmed operational technology (OT) shutdown via ransomware in our nation’s history. It wasn’t a Hollywood-style breach of a high-security vault; it started with a single, humble phishing email. But that email was the spark that ignited a wildfire, exposing the dangerous reality of IT/OT convergence.

The Anatomy of a Shutdown: From Phishing to Policy

The attack followed a playbook that has become tragically common (one that I see in so many prospects that have been hacked):

  1. Initial Access: A spear-phishing link gave attackers a foothold in the corporate IT network.
  2. Lateral Movement: Because the IT and OT environments weren't properly segmented, the ransomware "pivoted." It didn't just stay in the office; it leaked into the control room.
  3. OT Impact: The ransomware encrypted Windows-based systems used for Human Machine Interfaces (HMIs), data historians, and polling servers.
  4. The Shutdown: While the attackers didn't control the pipeline directly, the loss of visibility and control forced a manual, two-day controlled shutdown of the entire pipeline asset.

This event, along with the subsequent Colonial Pipeline attack, was a primary driver of the TSA's 2021 Pipeline Security Directives.

Not long after this hack, COVID hit, and BlastWave faced the second existential crisis in the company’s history. I had to make the gut-wrenching decision to shut down our hardware division and lay off 70% of the company to survive. This hack played an important role in helping shape the playbook we used over the next few years. I knew that if we could “Kill this Kill Chain”, BlastWave would be able to PREVENT OT cyberattacks, something that no other company was really doing at that time. But I also wanted to make sure we could make an economic argument as well as a technical one, so I reviewed the math of the hack.

The Real Cost: Ransom vs. Resilience

When we talk about the "cost" of a hack, the industry often focuses on the ransom. But the ransom is just the tip of the iceberg. For the gas hack, you have to factor in:

  • Two days of zero productivity and revenue.
  • Massive incident response and forensic fees.
  • The cost of replacement equipment and manual restoration.
  • The regulatory scrutiny and compliance overhead that follows a major public failure.
  • The potential loss of customer trust and PR damage. 

Downtime estimates for these sectors can reach hundreds of thousands (if not millions) of dollars per hour.

Now, let’s talk about the cost of BlastWave.

When I tell CEOs that the cost of deploying our BlastShield solution is "minuscule" compared to the cost of a hack, I’m not being hyperbolic. We are talking about a fraction of the cost of a single day’s downtime.

"Investing in proactive microsegmentation isn't an expense; it's an insurance policy where the premium is lower than the cost of a single hour of a total system blackout."

Why BlastWave Stops the Pivot

Peter Alm and I designed our architecture specifically to prevent the "lateral movement" that doomed that gas facility.

  • Phishing Resistance: Our passwordless, multi-factor authentication (MFA) ensures that even if a worker clicks a malicious link, the attacker can’t use those credentials to gain access to the BlastShield network.
  • Invisible Infrastructure: We use Network Cloaking to make OT assets invisible to unauthorized users. If an attacker gets into your IT network, they can’t pivot to the OT side because they literally cannot see it. There is no IP address to ping, no port to scan.
  • True Microsegmentation: We create peer-to-peer encrypted tunnels, using our proprietary ultra-high-performance protocol. Even if a device inside the OT network is compromised, the attacker is trapped in a "cell of one." They cannot move east-west to other critical controllers.

Moving Forward

The 2020 gas hack showed us that the "old way" of doing security (relying on legacy firewalls and "hope" as a segmentation strategy) is dead. The TSA directives now mandate the very things we’ve been preaching: better incident reporting, dedicated security coordinators, and, most importantly, robust segmentation.

We can’t stop every phishing email from being sent, but we can make sure that when one lands, it doesn't take the whole pipeline down with it. The cost of prevention is a rounding error compared to the cost of a shutdown.

The question isn't whether you can afford to secure your OT; it's whether you can afford to stay visible to those who want to shut you down.

— Tom Sego, CEO, BlastWave
