Colonial Pipeline changed everything for mid-stream oil and gas companies. Shortly after that devastating cyber attack that crippled the entire Eastern Seaboard for 5 days, TSA issued a regulatory mandate (SD-O2C) that was updated on July 27, 2023 that includes fines for up to $14,950 per incident per day for non-compliance. Risk and Compliance Managers need to make sure a cybersecurity implementation plan has been created and submitted to TSA for approval, an incident response plan is in place and a cybersecurity assessment program has been submitted for approval.
Network Segmentation - Implementing network segmentation policies and controls to ensure that Operational Technology (OT) systems can continue to safely operate in the event that an Information Technology (IT) system has been compromised and vice versa
Secure Remote Access - Implementing secure access control measures that prevents unauthorized access
Patch Risk Reduction - Reduce the risk of exploitation of unpatched systems by patching and updating operating systems, applications, drivers, firmware in a timely, risk-based methodology
Continuous Monitoring - Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations
Accomplishing those 4 objectives can be difficult in any environment, but in OT environments, like those that you rely on, it can be almost impossible because HMI’s, SCADA servers, Data Historians, RTU’s, etc. are simply not running up-to-date, modern operating systems. In addition, meeting these requirements can be extremely costly in terms of personnel and downtime.
The Good News Is There Is an Effective Answer With BlastShield That Specifically Addresses OT Systems:
BlastShield delivers seamless segmentation without the need for expensive firewalls.
Drag-and-drop simplicity eliminates complex rule conflicts
No ongoing downtime for installation.
One reason OT environments aren’t easily segmented is that, in most cases, HMI’s, SCADA servers, Data Historians, RTU’s, etc. are simply not running up-to-date, modern operating systems. They are typically running Windows 7, Windows 2000, Windows XP, Windows 98, 95, etc. You simply can’t load an agent on these devices, so the only viable mechanism to segment an OT network is by adding firewalls. Adding firewalls are expensive and invariably set up firewall rule conflicts that are extremely difficult to maintain as pipeline needs evolve. And, it’s not only the cost of buying and installing these firewalls, but the cost of having to hire staff to manage them on an ongoing basis. BlastShield can deliver segmentation in OT at one-third or less the cost of firewalls and eliminate the need to hire these hard to find network specialists because the solution is drag and drop simple.
Below Are a List of Alternatives for Network Segmentation:
*OT focused peer-to-peer, software defined perimeter
High Replacement Costs
BlastShield makes devices virtually undiscoverable, providing protection against unpatched system vulnerabilities.
Reduces reliance on patch availability for compliance.
Vendors, partners and employees need access to their respective devices and systems. Remote access allows all parties to manage those systems without incurring expensive travel costs. Once remote access has been enabled for some, it can be an obvious insertion point for adversaries. The requirement is to institute remote access in a way that prevents unauthorized access. There are many ways to achieve remote access, but only BlastShield gives the granular control to minimize the risk of unauthorized access.
Secure Remote Access Alternative for OT Environments
Limited Access Control
BlastShield enforces zero-trust policies for secure remote access.
Granular access control minimizes unauthorized access risks.
Another particularly challenging hurdle for risk managers to deal with is the requirement to reduce risk associated with unpatched systems. In Enterprise IT environments, this is fairly straightforward. In OT environments like midstream oil and gas, those legacy operating systems create another problem. Those operating systems are unsupported, so any vulnerabilities that get discovered can be exploited with impunity. BlastShield makes all of your devices undiscoverable to adversaries. If a hacker runs a network scan, they will see absolutely nothing. By contrast, your security teams will have perfect visibility into each attempted network request, the number of bytes of data transferred, and a log of who did what when, from where. This is asymmetric visibility. So if a patch isn’t or won’t be available, as is commonly the case, your environment is protected and in compliance.
Many companies have scanning tools that can identify critical systems and perform continuous monitoring. Using a SIEM or SOAR tool, of which there are many, can handle the continuous monitoring requirement. Claroty, Nozomi, Dragos, etc. can deliver this functionality for OT environments out of the box. Staffing the SOC or outsourcing to an MSSP can be the last remaining step to deliver incidence response on top of the monitoring which is important for reacting to the highest priority anomalies.
BlastShield provides 3 out of the 4 compliance requirements in one easy-to-deploy, easy-to-use package that eliminates the need to hire extra staff and saves you money. Finally, many compliance and risk managers report through the CFO organization which is responsible for insurance. Cyber insurance has gotten almost prohibitively expensive with premiums going up over 100% in the last year. BlastShield also checks the boxes cyber insurance carriers want to see, leading to reduced premiums or, in some cases, being able to get insurance instead of being denied. Compliance with the TSA SD02D can be challenging, given the unique OT requirements that are not addressed by the major IT solutions. Segmentation and patching in OT are particularly problematic. BlastShield can make it easy and cost effective to address three out of the four requirements (and two that really can’t be addressed in any other cost effective way). On top of the compliance, BlastShield also saves money spent on personnel, other more expensive products, and reduced insurance premiums.
Schedule a Demo: https://go.blastwave.com/schedule-a-demo
Start a Free Trial: https://www.blastwave.com/free-trial
Getting started with BlastShield is easy and free. Follow the three steps below and get up and running fast.
Create a Free Trial
Download the BlastShield Authenticator & Client
Make Your Host Invisible