IT/OT Cyber Theory: Espionage vs. Sabotage
January 6, 2026
The post IT/OT Cyber Theory: Espionage vs. Sabotage appeared first on Waterfall Security Solutions.
]]>IT/OT Cyber Theory: Espionage vs. Sabotage
Andrew Ginter
The second-generation of OT security advice started to emerge in 2012-2016. At the time, the difference between the second and first gen advice was a bit confusing. In hindsight, one important difference has become clear – the difference between preventing cyber-sabotage vs. cyber-espionage. We do not prevent sabotage the same way we prevent espionage. **50** year old cybersecurity theory (wow – we’ve been at this a long time) makes the difference clear. Bell / La Padula’s theory is how we prevent espionage, while Biba’s theory is how we prevent cyber-sabotage.
Let’s look at each of these theories and at how they define one of the fundamental differences between our approach to OT vs IT security.
First Gen Security Advice
First-gen OT security advice said, loosely:
- Information is the asset we protect, so
- Assure the confidentiality, integrity and availability (CIA) of the information assets.
And of course, we muttered at the time a bit about CIA vs AIC vs IAC as priorities, but we all agreed, however hard the concept seemed at the time, that information was the asset we were protecting. This was and is, back of the envelope, exactly what we still do on IT networks. After all, when engineering teams first started looking at cybersecurity, who were the experts we could call on for help? There were no OT security experts back then, and so we called on IT experts. It is therefore no surprise that first-gen OT security advice was close to indistinguishable from IT security advice.
The theory backing up preventing theft of information was defined by Bell and La Padula. The theory had its roots in timeshared computers – 50 years ago, large organizations had only small numbers of computers with hundreds of users each. And in some organizations, like the military, it was really important that we prevent low-classification users from reading high-classification national secrets. Bell / La Padula theory mandated that, to prevent espionage:
- A “subject” or “actor” at a given security level must never be able to read information from a higher security / classification level, and
- That actor must never be able to write information to any lower security level.
Rule (1) is obvious to most people encountering the theory for the first time. (2) often seems a little strange. To make sense of (2), imagine that malware has established a foothold in a classified user’s account. If the user can write sensitive classified information into less-sensitive areas of the computer, then so can the malware. In the worst case, the information may be steganographically encoded – such as spreading the information through the low-order bits of pixels in images. To prevent all information leakage, we must forbid any information flowing from high-security to low-security users and systems, because steganographic encoding is always possible, at least in theory.
Second-Gen OT Security
Second-gen advice said, loosely, that in most OT systems, information is not the most important asset we protect, but rather:
- Safe, reliable and efficient physical operations are what we protect, and
- All cyber-sabotage is (by definition) information, so to protect physical operations, we must control the flow of attack information into high-consequence automation systems and networks from lower-consequence networks.
At the time this advice came out, (a) made a lot of sense to a lot of engineering teams. They had never been comfortable with the idea that information was the asset they were trying to protect. (b) seemed a bit strange at first to a lot of people but made sense if you thought about it for a day or two. Nobody can deny that cyber-sabotage is information – the only way an automation system can change from a normal state to a compromised state is if attack information enters the system, somehow. Controlling the flow of information therefore makes sense – and if we think about first-gen OT security advice, such as the IEC 62443-1-1 standard, a good half of that first standard was focused on network segmentation – controlling the flow of attack information.
The theory backing up this second-gen perspective was defined by Biba, not Bell and La Padula. Biba’s theory also had its roots in timeshared computers for the military, but was focused on preventing sabotage, not preventing espionage. Eg: think the difference between preventing re-targeting of nuclear weapons, vs. preventing the theft of the knowledge of how to build those same weapons. Biba’s theory mandated that, to prevent cyber-sabotage:
- A “subject” or “actor” at a given security level must never be able to read information from a lower security level, and
- That actor must never be able to write information to any higher level.
Rule (2) is easier to understand for most people encountering the theory for the first time – a malicious actor must not be able to write malware into a higher security level (eg: to change the missiles’ targets). In Biba’s theory, (1) is the strange one. To make sense of it, imagine that malware has established a foothold in a less-secured, less-sensitive network, like the Internet. If a sensitive network pulls information from the Internet, we risk pulling malware, which if activated, can wreak havoc.
Second-gen advice therefore generally forbade any online transfer of information from less-secure networks into high-consequence safety-critical or equipment-critical networks.
Data Diodes + Unidirectional Gateways
Data Diodes were the military’s answer to Bell / La Padula and Biba. Unidirectional Gateways were OT security’s answer. The difference?
- Data Diodes send information into confidential military networks and are physically unable to leak any national secrets back out.
- Unidirectional Gateways send information out of OT networks into IT, and are physically unable to leak cyber-sabotage attacks back in.
There are secondary differences as well. For example, data diodes typically transmit a very limited number of data types into military networks through custom-engineered software, while unidirectional gateways replicate OPC, historian and many other kinds of servers out to IT networks using off-the-shelf software components.
And every rule has exceptions. Many manufacturing operations use trade secrets that they cannot afford to have stolen, for example. And most industrial operations need some very small, very select data to flow back into the system from time to time.
Both Bell / La Padula and Biba’s theories provided for these exceptions, and demanded that any data flow that violated the primary principles be minimal, simple, understandable, and deeply scrutinized to ensure that the primary objective (preventing espionage, or sabotage, respectively) was not compromised by these secondary objectives and data flows.
Resilience
Third-gen OT security advice, FTR, is still emerging and is focused on resilience. The theoretical framework behind resilience is more engineering practice than mathematics, but we are working on it. The most thorough, most widely-used resilience framework today is Idaho National Laboratory’s (INL’s) Cyber-Informed Engineering (CIE). CIE is positioned as “the big umbrella.” CIE encompasses cyber-relevant parts of safety engineering, protection engineering, automation engineering, and network engineering, as well as most of the cybersecurity discipline, including all of Bell / La Padula and Biba’s theories.
Using This Knowledge
An important difference between IT and OT networks is the difference between preventing espionage and preventing sabotage. First-gen advice seemed a hard fit for OT, in part because that advice tried to apply the language and concepts of preventing espionage to the task of preventing sabotage. In hindsight, second-gen advice corrected this, though neither generation of advice used the words “espionage” nor “sabotage,” nor did they reference 50-year-old theory.
Today our terminology is maturing, and OT security’s connections to the theoretical foundations of cybersecurity are becoming clearer. Clarifying this understanding and terminology helps a lot when trying to get our engineering and enterprise security teams to work together. If we are to cooperate effectively, we need to understand foundational differences between the assets and networks we protect, and we need a terminology to express those differences as we design our joint security programs.
Digging Deeper
This is one of the topics that will be covered in Waterfall’s Jan 28 webinar Bringing Engineering on Board and Resetting IT Expectations. Please <click here> to register.
About the author
Andrew Ginter
Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.
Share
Trending posts
Stay up to date
Subscribe to our blog and receive insights straight to your inbox
The post IT/OT Cyber Theory: Espionage vs. Sabotage appeared first on Waterfall Security Solutions.
]]>The post Ships Re-Routed, Ships Run Aground appeared first on Waterfall Security Solutions.
]]>Ships Re-Routed, Ships Run Aground
Andrew Ginter
“Everyone” has heard of the 5-week shutdown of Jaguar Land Rover by a cyber attack. That attack is the obvious headline for Waterfall’s up-coming webinar “Top 10 OT Cyber Attacks of 2025” that I’m currently researching. But – is this attack the most interesting of 2025?
Here are a couple other incidents for consideration:
- Container ship MSC Antonia runs aground due to GPS spoofing
- Bulker Meghna Princess carrying 25,000 tons of fertilizer runs aground due to GPS spoofing (occurred in Dec 2024, but was disclosed only in Mar 2025),
- 15-year old teen hacks maritime route of oil tanker and other vessels
While details of the investigations into these events have not been published, on the surface the three incidents seem evidence of the importance of evaluating residual risk when we design automation and cybersecurity systems.
GPS Spoofing
A bit of background first: GPS Spoofing (as opposed to simpler GPS jamming) is when false geolocation signals are transmitted, either directionally to affect a specific target, or broadcast in a region to affect indiscriminately all nearby receivers. GPS satellite signals are comparatively weak, and it does not take a very powerful transmitter to overwhelm legitimate signals. GPS spoofing has become fairly common in kinetic conflict areas such as the Middle East (the Red Sea in particular), the North/South Korean border, the Black Sea and Baltic Sea, Northern Europe, and anywhere near Ukraine and western Russia. All of which means that anyone who cares about where they are in these and other regions really cannot rely exclusively on GPS.
Rerouting Tankers
The original report of the teenager’s hack of ship routes included graphics with the appearance of an Electronic Chart Display and Information System (ECDIS), which is a shipboard system that regulators allow as a substitute for paper charts. ECDIS display the position and heading of vessels automatically, pulling information from the ship’s GPS, other location systems, as well as Automatic Identification System (AIS) broadcasts from nearby ships detailing those ships’ location, speed, heading and other navigational data. Some (all?) these ECDIS can also steer ships by auto-pilot, once a route is entered. While the news report’s ECDIS-looking graphic was entitled “Maritime traffic in the Mediterranean” and subsequent reports claimed the teenager in fact hacked into one or more ECDIS, these reports may not be accurate. It seems more plausible, to me at least, that the individual hacked into a shore-side system that managed route planning for multiple ships, rather than hacked into multiple ships at sea and modified their shipboard systems to bring about the diversions.
Assessing Residual Risks & Consequences
Managing cyber risk to physical operations involves more than blindly deploying a bunch of OT security controls, dusting our hands off, and walking away. It’s easy to say “Hah! They should have had two factor!” or some such, but 2FA isn’t going to help with GPS spoofing is it?
Once we’ve deployed an automation or security system, we need to evaluate residual risk – what’s left over? The right way to do this is not just to produce a list of missing patches in our PLC’s. The right way is to look at a representative spectrum of credible attacks – attacks that are reasonable to believe may be leveled against us, the system, or someone much like us or the system, within our planning horizon. Evaluate these credible attacks against our defensive posture and determine what are credible consequences – what consequences are reasonable to expect when a credible attack hits us? And when those consequences are unacceptable (eg: ship runs aground, oil tanker is diverted into environmentally sensitive waters), we need to change something.
For example, given the prevalence of GPS spoofing in many regions, and the prevalence of GPS jammers in many more, it seems reasonable to me that anyone (operating a ship, an aircraft, or a locomotive) who needs to know their precise position or even the precise time needs multiple, independent sources of that information. And we need alarms to sound when those independent sources disagree materially, and we need manual or other fall-back procedures when we detect such disagreement.
Another example – given the importance of a big vessel’s route, it seems reasonable that when the route changes for any reason, the captain should be notified of the change, and the change logged in an indelible / WORM ship’s log. It also seems reasonable that captains or acting captains are trained to examine unexpected route changes to make sure they make sense – not just because of potential attacks, but because of potential errors and omissions of shipboard or on-shore personnel. Note: I’m not an expert on shipboard systems – for all I know all this happens already and is how the teenager’s hack was detected? One can hope.
Reasonable Responses to Credible Threats
When we make decisions about other people’s safety, we have ethical and often legal obligations to make reasonable decisions. For that matter, when we make decisions about other people’s money, especially large amounts of it, we have similar obligations. OT security is more than OT putting our head in the sand and saying “Ship route planning is an IT system.” It is more than IT putting their head in the sand and saying “Not running aground is the captain’s responsibility.” Every business has an obligation to make reasonable design, training and other decisions about the safety of the public and workers, and reasonable decisions about the large amounts of money invested in physical processes like large ships.
More generally, we study attacks to understand what is reasonable to defend against. And we study breaches and defensive failures to try to understand whether our own management processes would really have prevented analogous breaches and failures.
About the author
Andrew Ginter
Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.
Share
Trending posts
Bringing Engineering on Board and Resetting IT Expectations
December 25, 2025
We can’t – and shouldn’t – fix everything – Episode 147
December 17, 2025
Medical Device Cybersecurity Is Tricky – Episode 146
December 11, 2025
Stay up to date
Subscribe to our blog and receive insights straight to your inbox
The post Ships Re-Routed, Ships Run Aground appeared first on Waterfall Security Solutions.
]]>The post New CISA, CCCS et al Alert | Advice on Pro-Russian Hacktivists Targeting appeared first on Waterfall Security Solutions.
]]>New CISA, CCCS et al Alert | Advice on Pro-Russian Hacktivists Targeting
Andrew Ginter
The most recent CISA, CCCS et al alert / advice on pro-Russian hacktivists targeting critical infrastructures is a lot of good work, with one or two exceptions. The alert documents poorly resourced hacktivists connecting with ICS gear over the Internet and hacking it. That gear tends to control critical infrastructures in the smallest, poorest and weakest of critical infrastructure installations – infrastructures most in need of simple, clear advice.
To its credit, the guide documents threats and tactics, and provides advice to both owners / operators and device manufacturers. However, the guide misses the mark in the section “OT Device Manufacturers.” I find this language very misleading:
“Although critical infrastructure organizations can take steps to mitigate risks, it is ultimately the responsibility of OT device manufacturers to build products that are secure by design.”
And,
“By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing tiered security software and logs, monitoring, and making routine updates.”
When I read these words, the message I get is “If device manufacturers would only do their job better, then critical infrastructure owners and operators could ignore security and go forth to connect as much of their control systems as they wish to the Internet.”
This is of course nonsense.
We can configure “secure” products into hopelessly insecure systems, just as we routinely (with a bit of care) configure “insecure” ICS products into “secure” systems. That manufacturers should “take ownership of security outcomes” does not mean they can or should ever take sole ownership of such outcomes. A sentence or two to this effect would help readers better understand the relative responsibilities of manufacturers vs. owners & operators.
By analogy, automobile manufacturers can build all the seat belts, turn signals and rear-view mirrors they want into their vehicles, owners and operators still need to be taught to use these features to improve their driving safety. More specifically, owners and operators of the smallest, poorest and most vulnerable critical infrastructures need to hear that it is never reasonable for them to deploy safety-critical nor reliability-critical HMIs on the Internet, no matter what “secure” by design features have been built into these products.
And again, while I commend these organizations for doing the work of putting out the alert / guidance, a second feedback is that their advice to owners and operators missed the mark. It is not that the advice is wrong – it the wrong audience. The advice is appropriate for larger “medium-sized” infrastructures with a larger workforce, some of whom are knowledgeable in basic computer and cybersecurity concepts. The hacktivist attacks we’re talking about are targeting the smallest, poorest and least well-defended of critical infrastructures globally. These are organizations that uniformly suffer from STP Syndrome – Same Three People.
There is nobody no staff in these organizations who will understand the carefully phrased, completely general and abstract language of the guide’s 8 major recommendations and 17 sub-recommendations. These smallest organizations need the simplest advice possible. Eg:
- Don’t connect any of your OT systems on the Internet. Ever.
- Don’t enable remote access into any of your OT systems. Ever.
- Auto-update all of your ICS firewalls, and religiously replace these devices every 3 years, because let’s face it, some time after that the manufacturer is going to stop providing updates, and when they do, you’re not going to notice are you?
- Lock the doors to rooms containing your OT gear, and change the locks annually to control who has access to the space, because again, let’s face it, you’re going to lose track of who has those keys aren’t you?
- Make sure you have backups and spare equipment to restore those backups into when your main equipment breaks, or when that gear is hacked irrecoverably.
- Buy insurance from a reliable provider who can send someone who knows what they’re doing to your site when you have an emergency, to clean up the mess and restore your systems.
Again – I commend these organizations for making the effort. Securing the smallest, least-capable critical infrastructures is a hard problem to solve. This document is much better than nothing but would benefit from clearer and stronger guidance targeting owners and operators of the smallest critical infrastructure control systems, not just manufacturers of the control devices in those systems.
About the author
Andrew Ginter
Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.
Share
Trending posts
Hardware Hacking – Essential OT Attack Knowledge – Episode 145
November 26, 2025
Top 10 OT Cyber Attacks of 2025
November 24, 2025
Stay up to date
Subscribe to our blog and receive insights straight to your inbox
The post New CISA, CCCS et al Alert | Advice on Pro-Russian Hacktivists Targeting appeared first on Waterfall Security Solutions.
]]>The post Bringing Engineering on Board and Resetting IT Expectations appeared first on Waterfall Security Solutions.
]]>Bringing Engineering on Board and Resetting IT Expectations
Join our webinar for a revealing deep dive into the real causes behind the dysfunctional relationship between IT security and OT engineering teams—and discover actionable strategies to build trust, alignment, and true cooperation.
Join us on January 28, 2026 | 12PM New York Time
In many organizations the relationship between IT/enterprise security and OT/engineering teams is dysfunctional. These teams work in the same organization, support the same mission, and even address many of the same threats, but when they sit down together it sounds like they need relationship counseling. Much has been written about the problem. Most of that writing misses the point, focusing on symptoms, not root causes. In this webinar we dig into causes, solutions and how to ask the right questions to guide the relationship into healthy cooperation.
In this webinar you will learn:
Consequence is one root cause of OT/IT differences – we cannot restore human lives and damaged equipment from backups
Another root cause – we defeat OT sabotage with many of the same tools as we defeat IT espionage, but we must use those tools differently
Who manages OT equipment is less important than how that equipment is managed
We need to avoid common mistakes regarding inertia, criticality, credibility, and consequences
About the Speaker
Andrew Ginter
Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.
Register Now
Share
The post Bringing Engineering on Board and Resetting IT Expectations appeared first on Waterfall Security Solutions.
]]>The post We can’t – and shouldn’t – fix everything – Episode 147 appeared first on Waterfall Security Solutions.
]]>We can’t – and shouldn’t – fix everything – Episode 147
We know there are problems in our security systems, but we can't and shouldn't fix everything. What do we fix? Who decides? How do we explain what's reasonable to people who do decide? Kayne McGladrey, CISO in Residence at Hyperproof, joins us to explore risk, communication, and a surprising role for insurance.
For more episodes, follow us on:
Share this podcast:
“We have new intel. The threat has changed, the probability has changed, the impact has changed, whatever it might be. Do we still feel good about our previous judgment of this?” – Kayne McGladrey
Trending posts
Top Oil and Gas Security Challenges and Best Practices for Protection
November 11, 2025
Security by Design- The New Imperative for Rail Systems
November 4, 2025
Stay up to date
Subscribe to our blog and receive insights straight to your inbox
The post We can’t – and shouldn’t – fix everything – Episode 147 appeared first on Waterfall Security Solutions.
]]>The post Medical Device Cybersecurity Is Tricky – Episode 146 appeared first on Waterfall Security Solutions.
]]>Medical Device Cybersecurity Is Tricky – Episode 146
Yes the device has to be safe to use on patients, and yes it has to produce its results reliably, but patient / data confidentiality is also really important. Naomi Schwartz of Medcrypt joins us to explore the multi-faceted world of medical device cybersecurity - from MRI's to blood sugar testers.
For more episodes, follow us on:
Share this podcast:
“I would estimate that somewhere between 30 and 50% of medical devices that are submitted to FDA today qualify as a cyber device per the Food, Drug and Cosmetic Act.” – Naomi Schwartz
Trending posts
Managing Risk with Digital Twins – What Do We Do Next? – Episode 144
October 20, 2025
IT & OT Relationship Management
October 20, 2025
Stay up to date
Subscribe to our blog and receive insights straight to your inbox
The post Medical Device Cybersecurity Is Tricky – Episode 146 appeared first on Waterfall Security Solutions.
]]>The post Hardware Hacking – Essential OT Attack Knowledge – Episode 145 appeared first on Waterfall Security Solutions.
]]>Hardware Hacking – Essential OT Attack Knowledge – Episode 145
If you can touch it, you can hack it, usually. And having hacked it, you can often more easily find exploitable vulnerabilities. Marcel Rick-Cen of Foxgrid walks us through the basics of hacking industrial hardware and software systems.
For more episodes, follow us on:
Share this podcast:
“Security doesn’t stop at the network interface and also the PCB, the hardware level should be taken into consideration. And in general, I think OT security needs more curious minds that are looking under the hood.” – Marcel Rick-Cen
Hardware Hacking – Essential OT Attack Knowledge | Episode 145
Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.
Nathaniel Nelson
Welcome listeners to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions, who’s going to introduce the subject and guest of our show today. Andrew, how’s it going?
Andrew Ginter
I’m doing very well. Thank you, Nate. Our guest today is Marcel Rick-Cen. He is the founder and lead instructor at Fox Grid International. And our topic is hardware hacking, picking apart the hardware, finding the vulnerabilities, arguably essential attack knowledge. We need to understand how we’re going to be attacked if we’re going to design effective defenses. So that’s that’s the topic for today.
Nathaniel Nelson
Then without further ado, here’s your conversation with Marcel.
Andrew Ginter
Hello, Marcel, and welcome to the podcast. Before we get started, can I ask you to introduce yourself, please? Tell our listeners a little bit about your background and about the good work that you’re doing at FoxGrid.
Marcel Rick-Cen
Yeah, thank you, Andrew. Hi, everyone. My name is Marcel Rick-Cen, and if I would introduce me in one sentence, I am an automation engineer turned OT security nerd. To my background, I have a master’s in automation engineering.
I have global experience in commissioning automation systems, as well as programming, planning, industrial operations. Now, during my day job, I am an OT and IIoT security consultant and a product owner of our in-house OT remote access solution.
During my nighttime, I am a hacker, or if you want to put it more formal, I am an independent OT security researcher that looks at what makes and breaks OT devices. Coming from that, I also founded FoxGrid, where I want to teach industrial cybersecurity and safety to newcomers.
Andrew Ginter
Thank you for that. And our topic is hardware hacking. Can we start with an example? You’ve got a couple of reports out. Can you pick one? Can you tell us about, a concrete example of what what is that?
Marcel Rick-Cen
Yeah, let’s talk about hardware hacking that led to a CVE that I found last year, where I found hard-coded root credentials hidden deep in the device’s firmware memory.
Andrew Ginter
Okay, so you know can you can you go a little deeper? What was the device? How’s it supposed to work? And you know how important is what you found?
Marcel Rick-Cen
So the device is a remote access gateway that machine builders usually built into the electric cabinet, so which connects the machine to the service provider.
In case there’s an unplanned interruption or any other operational bug or coming up, the service provider can directly connect over the cloud portal to this Edge device and start troubleshooting.
Andrew Ginter
So if I may, this is something that’s used in manufacturing. When you say the manufacturer, you mean someone who’s building a robot, someone who’s building a stamping machine, someone who’s building, I don’t know, a conveyor. Is is is that the use case here?
Marcel Rick-Cen
This basically can be used in any operation, from your maybe water treatment plant to your manufacturing to your building automation. Like there are really no limits. This really a network connection from the service engineer’s laptop directly into the heart of the device or into the heart of the operation.
Andrew Ginter
Okay, so it’s not just used for for like a robot, for a manufacturer of equipment. It might also be used by a service provider, by the know the engineer who’s responsible for for you know occasionally coming in and servicing oh parts of a water treatment system. it’s It’s used to access systems as well as devices is is what I’m hearing.
Marcel Rick-Cen
Yes, correct. So this acts as the gateway tu the machine or operational network.
Andrew Ginter
Okay, and so you found the default credentials. Does that mean that any fool who wants to can connect to the cloud, connect into this thing? Or how would you use those default credentials?
Marcel Rick-Cen
Luckily, the attack vector is really narrow. These default credentials, they grant root access to the device, and you only can get root access when you are physically connected to the device. So luckily, the cloud attack surface or the cloud is not exposed to this vulnerability.
Nathaniel Nelson
Okay. Andrew, I don’t know if I just missed it, but what is the actual device that we’re talking about here?
Andrew Ginter
It is an Ixon device, I-X-O-N. I forget the exact name of it, but its it’s physically it’s a little device about you know six inches square and an inch thick. And in my understanding, it’s a remote access device. You can connect into it from the cloud. Who uses this?
The sense I have is that it’s used in manufacturing. If you’re building a a laser cutter or a stamping machine, you might build one of these into the thing so that when the customer calls you up and says, your machine isn’t working, something is worn out.
You can remote into it, do the diagnostics and say, I think it’s this part, replace this part, see if if if the problem is solved. Because, moving parts wear out. Friction is the is the enemy of moving parts.
Andrew Ginter
But, when I asked the gentleman, Rick, he said, yeah, manufacturers of physical equipment use it so they can maintain the equipment or diagnose the equipment remotely.
But It’s remote access. A service provider, an engineer who’s responsible for keeping the automation running at a dozen small water utilities in the geography, might well buy a half dozen of these and drop one of them into each water system to access the HMI and the automation and whatnot.
So it’s remote access. The sense I have is it is used frequently engineers. manufacturers of equipment that’s used in manufacturing, but it could be used by service providers as well.
Nathaniel Nelson
And I think it’s the remote access thing that has me a little bit confused here. We’re talking about hard-coded credentials as vulnerability, something I’m rather used to in the IT space, right? Like a public repository or a server that’s been incorrectly configured will leak credentials to the web that then hackers could use to get in. And we’re talking about a romantic remote access device And yet, I think he mentioned there that you can only actually exploit this vulnerability if you have local physical access to the machine. So can you help me explain that gap?
Andrew Ginter
We go into this in sort of more detail later in the interview, but let me let people know kind of what’s happening. There are basically two user interfaces to the device.
One is the remote access user interface with users configured and blah, blah, blah. That’s not where the vulnerability is. The other interface is if you touch the device and you connect to it, I don’t know, I was a little weak on the details. If you connect through the USB port or if you connect, pins, you’re to electrically to pins sitting bare on the on the on the circuit board, if you open the device up, you can get access to the operating system of the device.
And it’s the operating system credentials that were leaked. So in order to use those credentials, they don’t work on the remote user interface. They work locally when you’re when you’re able to physically touch the device and plug stuff into it.
The CVE was 2024-577990. It was given 5 or a 5.9 or something like this, not a 10. This is not a remote code execution vulnerability. You can’t do this remotely. You have to be local. It’s a local escalation of privilege for vulnerability.
Nathaniel Nelson
And that explanation makes a lot of sense to me, but why is it that Like, how can you even leak credentials to somebody who’s physically using a computer, right? Like any credentials on my computer that get leaked to me doesn’t matter because I’m the user. So what I suppose I’m asking attack scenarios, are we worried about with this vulnerability?
Andrew Ginter
Actually, we didn’t go into that, but as far as I know, the scenario is that you’re there locally touching the device. Now, normally, you look at the device, it’s got network ports, it’s got one of the ports is is connected out to to the world, you come in remotely, it does its thing.
There is no other supported user interface. But if you touch the device, you can get in there, you can tamper with the the firmware, you can tamper with stuff, you can you could presumably create credentials that you could use remotely. You’d need a little bit of skill to do that, but you could brick the device. So it’s, again, if you’re standing there with a hammer, you could also brick the device.
This is why it was given a lower priority. Yes, technically it’s a vulnerability. It’s not a really alarming one. What’s interesting is how did you find it? Because the way that he found it, the technique is what he teaches at Fox Grid. You can also use to find more interesting stuff.
Andrew Ginter
Okay, so so this is something that is is is a local vulnerability. It’s not a remotely exploitable thing, which, yeah, is is lower priority. But still,
What I wanted to ask you about is, we’ve never had someone one on the show who picks things apart like this, or maybe we did once about three years ago, but it’s been a long time.
You know, can you talk about the process? How did you find this? How does one pick these things apart? What is, what does that mean
Marcel Rick-Cen
Yes, absolutely. If I would just describe it to you maybe in a pub or over coffee, this really is like hardware and digital scavenger hunt because you have to look at so many things. You also go down a rabbit hole, see it’s the wrong way, turn around, and then keep digging.
And to find this, I just needed tools for about 30 euros. So a multimeter screwdriver, prying tools, a USB logic analyzer, and USB U-RAT interface was all I needed to find this vulnerability.
Andrew Ginter
So, I mean, can you give me a little more detail? Those are the parts I’ve never used a logic analyzer. I mean, How technical is that? Do I need to be an engineer to use a logic analyzer? How did, how did you go about this? What, can you, can you tell us a story? what did you start with? What do you do next? What does that mean? And, a blind alley went down. How did, how did it work?
Marcel Rick-Cen
Yeah, I can walk you through the all the six or seven steps that led to root access from opening up to the device until I was greeted with the root banner, okay? And before anyone gets started with hardware hacking and picking a device, or before anyone gets started with taking a device apart, here are four electrical safety rules that you should follow because your own life is more important than your curiosity.
And never ever open wall-plugged devices because if they’re directly plugged into the socket, this means that hazardous voltage is inside the PCB, inside the device, and there’s the risk that you can touch a live wire and that’s you risk well you risk an electric shock. Therefore, use devices that have external power adapters only so that the voltage conversion happens outside the area where you’re working with. Also avoid mixing power sources. This is important, for example, if you really go into firmware extraction and of course preventing short circuits because this will fry your PCB and then you have a very expensive brick.
But if you stick to these rules, you can open up the device and first start with the hardware reconnaissance where you just take a look on what chips are on there. And many industrial embedded devices, they run on a so-called system on chip and they have somewhere close to the system on chip the flash memory firmware chip.
So this is basically where the brains and all information are stored and once a is and once the system is powered on, the system on chip pulls the firmware information from the firmware memory chip. If you identified these, then you take a look around the board, are there any debug interfaces and on this device I found a so-called UART debugging interface.
So with these, we can move to the next steps. And first we do some electrical measurements just to prevent that our USB, USB UART and USB signal analyzers get fried because they are very sensitive to voltage. And first things first, we first confirmed the common electrical ground on the debug interface we identified. Once we identified the common ground, we know where we well connect the ground wire of our USB logic analyzer. Then UART interface usually has two more pins, RX and TX, which stands for receive and transmit.
And then we turn on the power and then measure these pins against the electrical common ground. And in most cases, we will find a voltage range between three volts and five volts, which means these devices are communicating on the so-called transistor-transistor logic level. When this is identified, we can move on with the logic analyzer. Power off the device, connect the logic analyzer, we connect the logic analyzer’s ground to the board’s ground, and then the RX and TX wire.
Although, The Rx and Tx pin are already labeled and we only could connect to the Tx. It’s always good to connect to all pins that we have a full picture of what’s going on. Because, Andrew, at this board, this was easy mode. The pins are already labeled, but that’s not always the case. Sometimes you just have a three, four, five pins sticking out, and you don’t know what they mean.
Then you also do the same procedure. You measure for the electric common ground and then start measuring the voltage levels, and this gives you at an idea if you can find logical signals going on.
Andrew Ginter
So thanks for that. I mean, that’s giving giving us some insight into the the mechanics of of dealing with a device. I mean, I’m um’m a software guy. I never have to worry about electrocuting myself if I bring up a compiler on my laptop. But let me ask, you’ve talked about two sort of devices here that that seem to ring a bell with me. There’s the UART, which – so quick question. Is the UART USB or is it RS-232?
Marcel Rick-Cen
This is an RS232 connection to USB. So this basically converts the signal, converts this logic serial signals to USB so that your machine, your computer can work with that.
Andrew Ginter
Nate, real quick here, I had a a very short sort of interaction with with Rick there asking about the difference between USB and RS-232. For anyone who didn’t quite track that, RS-232 is a very old hardware signaling protocol. I mean, I remember using RS-232 back in the day to to connect, this was 30 years ago, to connect to 300 bits per second modems, okay? Ancient, ancient technology.
Why would there be such an ancient interface on this modern device? Is roughly what I asked him. and He said there isn’t. What there is, is a USB port. It turns out that what he connected to the TX and RX he connected to were signaling USB. And when he looked at the signals, he discovered that the messages coming across the USB were RS-232 over USB.
So he looked around, he said, well, I have a a dongle that can can take USB and gives me RS-232 and he connected to it and there he can see the messages coming across. So that’s what’s going on there. It’s a USB connector on the device that connector on the device but the signaling RS-232 over USB.
Andrew Ginter
The other one that that that struck me, and again, I’m a software guy, you mentioned the flash chip. to me, if I get what’s on the flash, I can start looking at instructions, I can start running my disassembler. Is it possible to to sort of go under the nose of the device and just read the flash chip? Or do you have to go through the front door? Do you have to go through the CPU in order to get access to the flash?
Marcel Rick-Cen
No you don’t, you also can basically perform a chip off of the flash chip and then read out the contents with a programmer. This is also possible, but at but at the time of my research I didn’t have such equipment here, so I went through the front door.
Andrew Ginter
Okay, that’s fair. So please carry on. you’re You’re talking about the UART. I interrupted you finish Finish the story here. how how are we How did you get in?
Marcel Rick-Cen
Okay, the logic analyzer revealed that indeed a logical data is transmitted over the TX pin. So this means we can connect our USB UART interface and open a serial console to that.
Andrew Ginter
That’s fair. I didn’t realize that USB was, I mean, I knew USB was serial. That’s what it means, universal serial bus.
Andrew Ginter
But I guess I never put two and two together that you could just, I don’t know, connect an RS-232 to it.
Marcel Rick-Cen
Well, you always need this interface device that you plug between that you plug into your USB socket and then on the other end of the device you can connect to the target device. So once the USB UART interface is connected and I started the terminal on, and I started the serial console on my Linux machine, then I powered up the device again I and could see the boot log flashing in front of the screen.
You know, it was a basic Linux boot lock, and at the very end, there was a login prompt to log into this device. And this is really where it got interesting, and here my curiosity was really on fire because I really wanted to get into this device and I started to look at the boot lock itself first.
Here I learned that the firmware memory is partitioned into several partitions and if you look at the common IoT hardware hacker courses, then they always tell you to go for the rootfs file system because that’s where all the binaries are stored of this Linux device.
But there was another partition that was interesting for me. This was the so-called factory partition. Scrolling further up in the boot lock, there was also a brief prompt to press space bar to enter the bootloader. But Andrew, the timing for this was so narrow that it was almost impossible to hit the timing right to enter the bootloader.
You you can imagine I was jamming the, I was hammering the space bar like a lunatic. And then maybe at the fourth or fifth time I succeeded to get the timing right and then I was presented with the next option to choose the operation. And here a very interesting option was presented to me by pressing the number four, I would be able to enter the boot command line interface.
And this was something what I was interested in and wanted to go, but with this narrow timing, I turned to chat GPT asking it, it this way is there a way that I can automate the key presses and can send a space bar press and a number four press at rapid speed? The AI gave me a five-line shell script code which uses an onboard tool of Kali Linux to send spacebar and number 4’s.
And this immediately landed me into the boot shell. And the boot shell of this device is based on the uBoot bootloader. And all the hardware hackers out there that are familiar with uBoot would immediately see that this is already a very stripped down and secured restricted version of uBoot. There was almost no way of manipulating the device, but they left in the so-called SPI command, which enabled me to read the content of the factory partition.
So that’s what I did. I issued the command to read the factory partition and then its and then it printed out the content of the factory partition in the hexadecimal format. And here’s something really strange occurred to me that the data was not always represented in two hexadecimal digits. that hexadecimal data always needs to have two digits.
If not, the data gets misaligned and then gets corrupted. So the problem I was facing here is that some digits were, or some data was represented with single digits, missing the second digit. So the data was not usable for me. Then I used another script to align the data and then convert the text hexadecimal data back into binary hexadecimal data.
And then I was able to view the binary data and the ASCII interpretation of that. And here’s something really interesting stood out. There were basically three strings of data that at first made not really sense to me but somehow felt familiar. And suddenly I realized this is the information which is also printed on the device’s label on the side. Suddenly I could see that in this partition of the factory, the version number, the serial number, the device version, and the login password for the web management surface for the web management interface was stored.
But there was another string that also kept me guessing and puzzling for quite a while, but this unknown string had the same characteristics as the web login password. It had 10 characters, capital and lowercase letters, and numbers. And I tell you, this had to be another password. So I restarted the device again, and at the very end of the boot process, I was prompted for the login once more. I entered the username root and entered This data I found inside the memory and this gave me root access to the device.
Nathaniel Nelson
Andrew, it’s not that anything that Marcel said at any point there wasn’t clear, but we’ve now gone a while and he’s expressed a lot of technical steps. Can you just give me the big picture summary, what we’re talking about here, what he achieved and why it’s important?
Andrew Ginter
Absolutely. He, he real quick, managed to connect to the boot shell with the space for script constantly blasting. And he got in and discovered there was almost nothing he could do there, but he could look at this one tiny partition. And he managed to get the data, decode the data. And he looked at it and said, this looks like a serial number.
It looks like a password. And so he said, well, let’s try it. And he reboots the device again. He doesn’t do the space for this time. He lets it completely boot. And it comes up and says, OK, I’m ready. Log in. You want to log in? And he said, yeah, let’s log in as root. And it says, well, what’s the root password? And he says, well, here’s the string that I saw in the partition. He enters it, and he’s in.
And now he’s in as root.
Andrew Ginter
Cool. So it’s not like you looked at the file system and said, oh here’s files. Look, there’s a file with the name password. it It wasn’t nearly that obvious.
Marcel Rick-Cen
No it was very well hidden, but I think also on purpose because there’s nothing written in this memory area before or after this partition. You really just find the version number, the serial number, the web management password, and well, the root password. So somewhere in production when the device gets, so to speak, gets the breath of life and the data for the label, At this moment, the data must be flashed into this firmware memory chip.
Andrew Ginter
Okay, so so this is a very small partition then. We’re not talking tens of megabytes. We’re talking tens of kilobytes.
Marcel Rick-Cen
Yeah, it was very small indeed.
Andrew Ginter
Okay, cool. So you found the vulnerability. And then I assume, there’s something called a responsible disclosure process. I assume you contacted the vendor, you contacted the government.
Marcel Rick-Cen
Right
Andrew Ginter
What was the next step there?
Marcel Rick-Cen
So the next step was to contact the security contact of this company and luckily I was already in contact with him on LinkedIn. So on a Sunday morning I sent him a screenshot of, hey Mr. XYZ, I got root access to your OT gateway.
And within two hours, he replied and said, okay, this is very concerning. Please send your findings and everything you have to our security email address and we will look into this first thing Monday morning.
then I wrote a quick report attached to screenshots and the proof of concept video. And around Monday lunchtime, they replied, said, yes, this root password is uniquely generated per device and inserted here during production. But since everything is uniquely, they kind of hinted at that they are accepting the risk so that the probability of this being exploited is rather low. They also said if machine builders, integrators, operators stick to their security requirements, they do not see really a risk of this being exploited.
Andrew Ginter
Okay, so the vendor said, it’s a low priority because, people are expected to have physical security. No fool off the street can come in take one of these devices, walk away with it, pick it apart, bring it back. That’s not a realistic threat. Do you agree with that?
Marcel Rick-Cen
Yes, totally, I agree with that. From all my experience on the shop floor and in the field, you cannot just walk up to an electric cabinet, take out a device, screw it open, extract the root credentials, in and then put it back in with a backdoor you implanted, right? This would hopefully catch some attention.
Andrew Ginter
Okay. and can you Can you finish the the the thought? I mean, you wound up with a CVE for this. you’ve You’ve interacted with a vendor, then then what? how do you How do you finish the process?
Marcel Rick-Cen
Then I contacted Mitre to file a CVE, also reported the things I found and the implications for this and after two months the CVE was assigned.
Andrew Ginter
And at that point, you’re able to disclose publicly. Is that right?
Marcel Rick-Cen
Yes.
All that being said, there is a tiny, tiny risk that you may receive the backdoor device, but then someone really must be targeting your operations. They need to know that you are operating such device. And if you’re expecting a new shipment, they could intercept the shipment, open up the device, extract the root credentials, implant the backdoor, pack it back up and ship it forward to your operations. So for that, if you are operating something critical, or if you’re operating, or if you’re having critical infrastructure and operations, you should definitely opt for temper detection and protection. You know, some devices, they have this little sticker on there, warranty void if removed.
Andrew Ginter
So fascinating stuff, at least at least to me. I’d always wondered, how some of this this hardware hacking was done. But, as far as I know, you don’t get paid to do the hardware hacking unless, I don’t know, there’s a bounty or something. You know, how does this relate to to making a living for you?
Marcel Rick-Cen
Yeah, no, this is not my day job and I also don’t get paid to find these vulnerabilities. Let’s just say this is a very expensive hobby. I’ve been in the I’ve been in the domain of automation systems for half of my life and after my work, I’m still interested, especially in what makes and breaks these devices.
And that’s also how my trainings got born. I took all the experience I made from, well, breaking these devices and turned them into training.
Andrew Ginter
Okay, and this is what you do at FoxGrid. Can you go a little deeper? I mean, if I if I sign up for one of these courses, what are you going to lead me through?
Marcel Rick-Cen
If we stay with hardware hacking, you could sign up to Industrial Embedded Systems Hardware Penetration Testing, where you will also go through these six or seven steps from investigating the PCB to hopefully getting root access. But this course has a unique approach because if you look at the IoT hardware hacking courses, you usually hack some IoT camera or home router, but it’s almost impossible to hack an industrial device because there is an entry barrier problem.
First of all, this hardware is really expensive. You usually pay $500 or more, and it’s risky because you can brick it and then you wasted $500. To get around this, I built a custom firmware for a cheap ESP8266 microcontroller that mimics the behavior of an industrial device and introduces the student to the same challenges I faced.
Andrew Ginter
Okay, so that’s the hardware hacking. Have you got other courses?
Marcel Rick-Cen
Yes, I have my flagship course, Practical Offensive Industrial Security Essentials, which gives students from diverse backgrounds, whether they’re automation engineers, IT professionals, or total newcomers, an holistic introduction to industrial cybersecurity.
Of course, there are some gaps that needs to be filled, but anyone with so anyone with enough curiosity will get through this course. or will have success with the course and then get a holistic understanding of industrial cybersecurity.
Andrew Ginter
So if I can take you sort of on a side trip real quick here. throughout this interview, I have been surprised by you personally. I mean, I had always had a stereotype in mind for people who found vulnerabilities, who hacked stuff, hardware, software, whatever. the the The stereotype that I had in mind was sort of somebody with a big ego, somebody with an ego saying to themselves, I’m smarter than you are. I can find these problems. You, and you you the vendor, have have messed it up.
I always thought you needed a that kind of attitude to be able to go in and tackle know the vendors defenses in and incorporated the product I always thought you needed attitude but what’s coming across from you is something different can you talk about who what do you need sort of in your brain in your personality to be successful here?
Marcel Rick-Cen
Well, to make it short, you just need curiosity and persistence. I think people with a big ego, they are more successful in finding more vulnerabilities But like I said earlier, this is more an expensive hobby for me, so I do not really have the pressure to find vulnerability after vulnerability. For me, it’s more, well, being on this scavenger hunt to go away that, or find a way to operate the device it was not intended to, and then really find a way in. And to be honest, I also have a whole box of scrap electrical, scrap OT devices where I did not find a vulnerability.
So this is where we come back to the expensive hobby. So I think if someone is, understanding a bit of the domain these devices are operated in and have enough curiosity and then persistence to stick to it, they can definitely find some vulnerabilities or if not, well, they can at least learn a lot about the devices, how they operate and how they interact with other devices in the OT domain.
Nathaniel Nelson
So Andrew, we’ve been talking hardware vulnerabilities.
Nathaniel Nelson
It seems relatively serious, but bring it to a practical level for me. If I’m running industrial site and I discover ah a hard coded issue in one of my gateways, and am I running around red alarms ringing? To patch immediately or am I more focused on the systems and data flows around it that enable sort of legacy technologies to occasionally have vulnerabilities like this? How would you interpret it in the grand scheme of things?
Andrew Ginter
Well, in the grand scheme of things, there’s sort of a couple of different questions. let’s let’s Let’s pick it apart. What we’ve been talking about primarily is how to find these vulnerabilities. Once you’ve found a vulnerability, now you’ve got to ask the question, A, can I patch the system? Because if it’s a vulnerability in your safety system, well, I’m sorry, the testing cost of the new version is going to be prohibitive.
It’s just really hard to patch some things. Other things are easier to patch. So can I patch it? Second question is, do I need urgently to patch it? And that’s sort of a different skill set. It’s one skill set to find the vulnerability. It’s a different skill set to say, well, how would an attacker, so it’s an imagination thing. Imagine how would an attacker use this against me?
And, we talked about two scenarios for this vulnerability. One is physically walking up and stealing the device and taking it apart and putting it back, which seems not a very credible threat because you’re going to be discovered. The second scenario was, someone with much more resources discovers that you’ve just ordered 50 of these, intercepts the shipment, bribes the driver to go take a long coffee break, breaks into, five or 10 or 15 of these devices, inserts malware, packages them all up again. Again, is that a credible threat? It’s a credible threat for some people – very high value targets. Is it a credible threat for a small bakery? probably not. So, first step is find it. Second step is figure out, can I even patch it? Third step is how would a bad guy exploit this?
Are there credible threats? Is there a third scenario that we haven’t imagined? So it’s a, it’s a, a question of imagination and studying what people have done in the past. And then, the the the decision, part part of it is, how easy is this to exploit? So we’re talking about devices generally. We’re also talking about cloud connected devices, because a lot of the devices that Marcel is focused on, that he teaches you about is industrial internet devices. They’re connected out to the cloud.
So that’s more internet internet connected, more internet exposed. But really what he looked at here was an OT, cloud remote access device. It’s arguably the most exposed piece of technology in the OT network. It’s the technology that gives internet-based users access to the OT system. So normally you would set these things on automatic update. Why? What if they blue screen? Well, nobody cares if they blue screen. It’s inconvenient if they blue screen. If the bad guys get in, they can work whatever they want, sabotage on your OT network. So, um, normally people pay a lot of attention to defects in their, to, to vulnerabilities in their OT remote access.
This one, we just, we couldn’t imagine a credible attack scenario for mere mortals. Um, it might not be that worry that that big to worry about, but generally speaking, this is the kind of device you want people like Marcel picking apart the most thoroughly, because this is the device that has to be the most thoroughly protected.
Andrew Ginter
Well, thank you so much. I mean, I learned something this episode. Before we let you go, can I ask you to sum up for our listeners? What should we take away from this? what What’s important to to to know about this stuff and and how do we use it going forward?
Marcel Rick-Cen
Okay, looking at the vulnerability I found, this was a prime example that just one part of security was completely overlooked. When you look at the device from a network perspective, you see a very fortified device.
But security doesn’t stop at the network interface and also the PCB, the hardware level should be taken into consideration. And in general, I think OT security needs more curious minds that are looking under the hood. For example, if you’re an engineer, you already understand the industrial processes.
And here I just can recommend you to level up your cybersecurity skills. And this this is exactly what I’m doing with FoxGrid. This platform exists to teach industrial security in an affordable and practical way. The flagship course, practical offensive and Practical Offensive Industrial Security Essentials, comes with an open source lab where you not only learn about penetration testing tools, but also how you can use them on simulated industrial controllers. And that way, you also can understand how your real devices would behave under such conditions. So for the next steps, if you’re curious, check out Fox Grid for resources and connect with me on LinkedIn. And of course, keep pushing OT security forward.
Nathaniel Nelson
So that seems to just about do it for your interview, Andrew, with Marcel Richtsen. Do you have any final thoughts that you’d like to share before we leave today?
Andrew Ginter
I guess so. I mean, I had always been curious, how people do this stuff. What surprised me about the the interview here was that I actually followed what he did. I kind of understood it. I thought it’d be harder than that. And I suppose it could be if you have to, if you don’t have a small amount of information to look at, it if you got to look at the entire firmware and start, I don’t know, disassembling megabytes of firmware looking for vulnerabilities.
That would strike me as harder. This seemed really straightforward. I don’t know if I don’t know if I’m curious enough about how this stuff works that I would do the work myself, but I sure wouldn’t mind another two or three guests like this to to walk us through how they did the hard work so that we can satisfy our curiosity.
-14:48
<insert bit from the end of the commentary>
Andrew Ginter
And beyond my curiosity, I agree with Marcel, we need people tracking down vulnerabilities. That’s, it’s because that’s the good way to persuade vendors to invest more in security, to, make these devices more secure to begin with is to point out afterwards, they’ve got problems. And, the next time around, hopefully they will be more careful. The bad way is to wait for the bad guys to find the vulnerabilities and exploit them and take advantage of us. So, we need more of the good guys. we need more more technical, curious people out there fighting the fight. So, thank you to Marcel.
Nathaniel Nelson
Well, thanks to Marcel for satisfying our curiosity. And Andrew, as always, thank you for speaking with me.
Andrew Ginter
It’s always a pleasure. Thank you, Nate.
Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.
Trending posts
Analyzing Recent NIS2 Regulations – OT security is changing
October 5, 2025
Doing the Math – Remote Access at Wind Farms
September 22, 2025
I don’t sign s**t – Episode 143
September 10, 2025
Stay up to date
Subscribe to our blog and receive insights straight to your inbox
The post Hardware Hacking – Essential OT Attack Knowledge – Episode 145 appeared first on Waterfall Security Solutions.
]]>Top 10 OT Cyber Attacks of 2025
In this webinar Andrew Ginter takes us through the most unusual and most consequential cyber attacks thus far in 2025 targeting critical infrastructures around the globe.
Watch the webinar for a comprehensive review of the cyber incidents that shaped the industrial landscape in 2025. We will analyze the year’s most disruptive attacks, breaking down the operational downtime, financial costs, and impacts on public safety. Beyond the damage reports, we will explore the specific targeting methods used by adversaries as documented in the public record. The session concludes with a first look at the preliminary findings from Waterfall’s highly anticipated 2026 OT Threat Report.
In the fading days of 2025, we look back at cyber attacks that impaired operations in heavy industry and critical industrial infrastructures in the year thus far. We look at:
The most consequential incidents in terms of downtime and dollar cost
Incidents affecting public safety and infrastructures
What is in the public record about how these systems were targeted
About the Speaker
Andrew Ginter
Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.
Share
Trending posts
Secure Industrial Remote Access Solutions
August 28, 2025
NIS2 and the Cyber Resilience Act (CRA) – Episode 142
August 18, 2025
Stay up to date
Subscribe to our blog and receive insights straight to your inbox
The post Top 10 OT Cyber Attacks of 2025 appeared first on Waterfall Security Solutions.
]]>Digital Transformation Exposes Manufacturing to New Cyber Risks
The Fourth Industrial Revolution has fundamentally transformed manufacturing through the integration of digital technologies like Industrial IoT, artificial intelligence, cloud computing, and advanced automation. These innovations enable data-driven decision making, predictive maintenance, and flexible production capabilities that provide competitive advantages. However, this digital transformation simultaneously exposes manufacturing operations to cybersecurity risks that traditional industrial environments never had to confront.
Smart Factory Vulnerabilities: Where Digital Meets Physical
The modern smart factory contains numerous potential entry points for cyber attackers that simply didn’t exist in previous generations of manufacturing facilities. Programmable Logic Controllers (PLCs) that directly control machinery were once isolated systems but now often connect to enterprise networks for performance monitoring and remote management. These critical control devices frequently run proprietary firmware with minimal built-in security controls, creating significant vulnerabilities when exposed to network access.
Human-Machine Interfaces (HMIs),the touchscreens and operator panels that control production equipment,represent another substantial vulnerability point. Often running outdated operating systems like Windows XP or Windows 7, these interfaces typically lack endpoint protection, are rarely patched, and frequently use default passwords. Despite their critical role in production operations, HMIs have become favorite targets for attackers seeking to manipulate manufacturing processes.
Manufacturing-Specific Cyber Attack Patterns and Techniques
Cyber attacks against manufacturing targets have evolved into specialized techniques designed to exploit the unique characteristics of industrial environments. Understanding these manufacturing-specific attack patterns is essential for developing effective defense strategies.
Ransomware’s Evolution to Target Production Systems
Ransomware attacks against manufacturers have evolved dramatically from early variants that primarily targeted IT systems. Modern manufacturing-focused ransomware specifically targets operational technology, with attackers demonstrating sophisticated knowledge of industrial control systems. Recent campaigns have included specific capabilities for encrypting engineering workstations, PLC project files, and SCADA databases, elements that are unique to industrial environments.
These specialized attacks often begin with reconnaissance phases where attackers map OT networks and identify critical production chokepoints. By targeting systems like manufacturing execution systems (MES) or production scheduling databases, attackers can maximize operational disruption while encrypting a relatively small number of systems. This strategic approach increases pressure on victims to pay ransoms quickly to restore production.
Industrial Espionage: Stealing Manufacturing Secrets and Intellectual Property
Manufacturing environments contain valuable intellectual property that makes them prime targets for espionage operations. These attacks focus on exfiltrating data rather than causing disruption and often maintain persistence for extended periods to capture evolving proprietary information.
Sophisticated threat actors target manufacturing process data including machine parameters, formulations, production sequences, and quality control methodologies. This information can allow competitors to replicate manufacturing capabilities without the substantial R&D investment required to develop them. In highly competitive sectors like pharmaceutical manufacturing or advanced materials production, these trade secrets often represent the company’s most valuable assets.
Sabotage Attacks: When Adversaries Target Production Quality and Safety
Perhaps the most concerning attack pattern involves sabotage operations designed to manipulate manufacturing processes to degrade product quality, damage equipment, or create safety incidents. These attacks specifically target the integrity of production systems rather than their availability or confidentiality.
Sabotage attacks often focus on manipulating process parameters to introduce subtle defects that may go undetected until products reach customers. By changing temperature settings, timing parameters, or ingredient proportions by small amounts, attackers can cause quality issues that damage a manufacturer’s reputation and potentially create product liability concerns. These attacks are particularly dangerous because they don’t immediately announce themselves through system outages.
| Industry Segment | Attack Types | Common Entry Points | Average Recovery Time | Business Impact |
| Automotive | Ransomware, IP Theft | Supplier Connections, Remote Access | 7-10 days | $1.5M+ per day |
| Pharmaceuticals | IP Theft, Process Manipulation | Regulatory Reporting Systems, Research Networks | 14+ days | FDA Compliance Issues, Formula Theft |
| Food & Beverage | Ransomware, Sabotage | Remote Monitoring, Logistics Systems | 3-5 days | Product Recalls, Spoilage |
| Electronics | IP Theft, Supply Chain Attacks | Design Systems, Contract Manufacturers | 5-8 days | Counterfeiting, Design Theft |
| Defense | Nation-State Espionage | Contractor Networks, Email Phishing | 30+ days (classified systems) | National Security Implications |
| Chemical Manufacturing | Safety System Targeting, Sabotage | Process Control Networks, Safety Systems | 10-14 days | Environmental Incidents, Regulatory Fines |
The Real-World Consequences of Manufacturing Cybersecurity Failures
The business impact of cyber incidents in manufacturing environments extends far beyond immediate IT recovery costs. Manufacturing-specific effects can damage competitive positioning, compromise product quality, and even create physical safety risks. Understanding these real-world consequences is essential for properly evaluating security investments and prioritizing protection measures.
Production Line Cybersecurity Incidents: Analyzing Recovery Time and Costs
Manufacturing cyber incidents impose immediate financial penalties through production downtime that directly impacts revenue and customer commitments. The average manufacturing cyber incident now results in 8.2 days of production disruption, with full recovery taking significantly longer. At average downtime costs of $1.1 million per day for large manufacturers, these incidents create immediate financial damage that far exceeds typical recovery expenses.
Recovery from manufacturing cyber incidents involves unique challenges not present in other sectors. Production equipment often requires precise calibration and validation before operations can safely resume. Quality control procedures must verify that affected systems will produce conforming products once restored. These manufacturing-specific recovery requirements significantly extend the impact period beyond initial containment.
Case studies illustrate the substantial operational impact these incidents create. A 2023 ransomware attack against a major automotive parts supplier resulted in production stoppage at three manufacturing facilities for 11 days. Beyond the immediate $12 million in lost production value, the company incurred significant overtime costs during recovery and faced contractual penalties from OEM customers whose production lines were affected by component shortages.
When Cyber Attacks Become Safety Incidents in Manufacturing
The potential for cyber attacks to compromise safety systems represents a unique risk in manufacturing environments where physical processes can create hazardous conditions if improperly controlled. Unlike purely digital environments, manufacturing cyber incidents can directly threaten human safety and environmental protection.
Several documented cases illustrate this dangerous convergence. In 2019, a safety incident at a chemical manufacturing facility was linked to a cyber intrusion that had disabled certain alarm functions, preventing operators from receiving early warnings about an abnormal reaction. While no injuries occurred, the incident resulted in a product batch destruction and a regulatory investigation.
More concerning are targeted attacks against safety instrumented systems (SIS) that provide critical protection against hazardous conditions. The TRITON/TRISIS malware specifically designed to compromise Schneider Electric safety controllers, demonstrates that threat actors are actively developing capabilities to undermine these critical protections. By disabling or manipulating safety systems, attackers could create conditions for serious incidents while simultaneously removing the safeguards designed to prevent them.
Supply Chain Ripple Effects from Manufacturing Cyber Disruptions
The interconnected nature of modern manufacturing magnifies the impact of cyber incidents far beyond the initially affected organization. When a manufacturer experiences operational disruption, the effects propagate through supply chains in both directions, creating cascading impacts across multiple companies.
Downstream impacts affect customers who rely on the manufacturer’s output as inputs to their own processes. In tightly coordinated supply chains, even short disruptions can halt downstream production lines when critical components become unavailable. The 2021 ransomware attack on a major automotive supplier forced five OEM assembly plants to temporarily suspend operations due to component shortages, illustrating how manufacturing cyber incidents can create multiplier effects that far exceed the direct impact on the targeted company.
Building Manufacturing-Optimized Security Architecture
Effective manufacturing cybersecurity requires architectural approaches specifically designed for industrial environments. Generic IT security solutions often fail to address the unique operational requirements, legacy systems, and specialized protocols found in manufacturing facilities. A manufacturing-optimized security architecture acknowledges these differences while providing robust protection.
Securing Manufacturing Zones: The Industrial DMZ Approach
Zone-based security architecture provides the foundation for effective manufacturing protection by establishing clear boundaries between networks with different security requirements and operational purposes. This approach implements the Purdue Enterprise Reference Architecture’s concept of hierarchical security zones to control communication between business systems and operational technology.
The industrial demilitarized zone (DMZ) serves as a critical security boundary between IT and OT environments. This intermediary network segment hosts systems that need to communicate with both business and manufacturing networks while preventing direct connections between these environments. Properly implemented industrial DMZs include data historians, OPC servers, and middleware applications that facilitate necessary data flows while limiting potential attack paths.
Within manufacturing environments, further segmentation creates protection zones based on operational function and criticality. Critical safety systems receive the highest protection levels, while monitoring systems may operate in less restricted zones. This functional segmentation prevents an attack that compromises one manufacturing area from spreading throughout the entire operational environment
OT Visibility: You Can’t Secure Manufacturing Systems You Can’t See
Comprehensive asset visibility represents a fundamental challenge in manufacturing environments where diverse equipment from multiple vendors often operates with minimal network monitoring. Many manufacturing organizations lack complete inventories of their operational technology assets, creating significant security blind spots.
Effective manufacturing security requires specialized OT asset discovery tools that can safely identify industrial control systems without disrupting their operation. Unlike IT scanning tools that might crash sensitive OT systems, these solutions use passive monitoring and protocol analysis to build comprehensive asset inventories without sending potentially disruptive active probes.
Beyond basic inventory, manufacturing security requires visibility into system configurations, connections, and communications patterns. Baseline documentation should include PLC programming, HMI configurations, and control system parameters to enable effective change detection. Deviations from these documented baselines often provide the first indication of potential compromise.
Continuous monitoring of industrial network traffic enables early threat detection while providing operational benefits through improved troubleshooting capabilities. Modern OT monitoring solutions use protocol-specific decoders to analyze industrial communications, identifying both security and operational anomalies. These systems can detect unauthorized command sequences, unusual data transfers, or configuration changes that might indicate compromise while helping identify operational issues before they impact production.
The visibility challenge extends to understanding the complex interdependencies between manufacturing systems. Documentation should capture which systems depend on others for normal operation, which safety systems protect specific processes, and what communication paths are necessary for production. This mapping of dependencies enables both more effective security controls and more resilient recovery plans.
Authentication and Access Control in Shared Manufacturing Environments
Manufacturing environments present unique identity and access management challenges due to shift operations, shared workstations, and the frequent need for vendor access to specialized equipment. Traditional IT access controls often fail to address these operational realities, leading to either security compromises or workflow disruptions.
Effective manufacturing access control begins with role-based approaches that align permissions with operational responsibilities. Rather than managing access for individual users, this approach defines permission sets for roles like machine operator, maintenance technician, or process engineer. This simplifies administration in environments with rotating staff while ensuring consistent security controls.
Shared workstation environments require authentication solutions that balance security with operational efficiency. Manufacturing-optimized approaches include badge-based authentication systems that allow quick user switching without disrupting operations. Some facilities implement proximity-based authentication that automatically locks HMI screens when operators move away and grants access when authorized personnel approach with appropriate credentials.
Manufacturing Cybersecurity Without Disrupting Production
The imperative to maintain continuous operations creates unique constraints for security implementation in manufacturing environments. Effective manufacturing security strategies must work within these constraints, enhancing protection without compromising production excellence.
Testing Manufacturing Security Without Risking Operational Disruption
Validating security effectiveness poses particular challenges in manufacturing environments where testing on production systems risks operational disruption. However, leaving security controls unverified creates risks of either inadequate protection or unexpected operational impacts when security systems respond to actual threats.
Digital twin approaches provide a sophisticated testing methodology for manufacturing security. By creating virtual replicas of production environments, organizations can conduct realistic security testing without risking impact to operational systems. These environments allow red team exercises, vulnerability assessments, and security control validation using the same configurations present in production.
Test labs with physical equipment matching production systems provide another validation path, particularly for testing security controls on older equipment that might not be accurately represented in virtualized environments. These test environments should replicate network configurations, control system versions, and communication patterns found in production to ensure realistic testing results.
When direct testing on production systems becomes necessary, careful test scoping and scheduling minimizes risks. Tests should be limited to specific network segments, conducted during periods of lower production criticality, and include explicit backout plans to quickly restore normal operations if unexpected impacts occur. Manufacturing security testing should always include operations personnel who understand production requirements and can immediately identify potential production impacts.
Security Patches and Updates: Managing Risk in Production Environments
Patch management represents one of the most challenging aspects of manufacturing cybersecurity. Critical security updates often cannot be applied immediately due to production continuity requirements, vendor qualification processes, or concerns about potential compatibility issues with specialized equipment.
Effective manufacturing patch management begins with comprehensive risk assessment processes that evaluate both the security risk of delaying patches and the operational risk of applying them. This balanced approach acknowledges that both actions and inactions carry potential consequences in manufacturing environments. Critical vulnerabilities with active exploitation in similar environments typically justify expedited patching, while less severe vulnerabilities might be addressed during scheduled maintenance periods.
When patching must be delayed, compensating controls provide interim protection. These might include enhanced network monitoring around vulnerable systems, implementing additional access restrictions, or deploying virtual patching through intrusion prevention systems that can block exploitation attempts without modifying vulnerable systems.
Vendor management plays a critical role in effective manufacturing patch processes. Organizations should establish clear security expectations with equipment vendors, including response timeframes for critical vulnerabilities and testing processes for security updates. Leading manufacturers implement vendor security requirements during procurement processes, ensuring that new equipment includes appropriate update capabilities and security support commitments.
For legacy systems that cannot be patched, lifecycle management becomes an essential security strategy. Organizations must develop clear criteria for when security risks justify equipment replacement, incorporating security considerations into capital planning processes. This approach acknowledges that some systems simply cannot be adequately secured through updates alone and must eventually be replaced to maintain appropriate security postures.
| Security Control Type | Implementation Impact | Production Downtime Required | Effectiveness Rating | Best For |
| Network Segmentation | Medium | Minimal (phased implementation) | High | Isolating critical systems |
| Unidirectional Gateways | Low | None (parallel deployment) | Very High | Critical system protection |
| Endpoint Protection | High | Moderate (requires testing) | Medium | Engineering workstations |
| ICS Monitoring | Low | None (passive monitoring) | Medium-High | Anomaly detection |
| Access Controls | Medium | Low (staged implementation) | High | Limiting privileged access |
How Waterfall Security Solutions Safeguards Manufacturing Excellence
Manufacturing organizations face the dual imperative of enhancing cybersecurity while maintaining the operational reliability that enables production excellence. Waterfall Security Solutions has developed specialized technology that addresses this challenge, enabling robust protection without compromising the performance, availability, and reliability requirements of industrial environments.
Unidirectional Security Technology: Protecting Manufacturing Without Performance Penalties
Waterfall’s unidirectional security gateway technology provides a fundamentally different approach to manufacturing protection compared to traditional IT security solutions. Rather than relying on software-based controls that can be misconfigured or compromised, these gateways use hardware-enforced security to physically prevent attacks from reaching sensitive manufacturing systems.
Conclusion
As manufacturing evolves toward increasingly connected and data-driven operations, cybersecurity becomes an essential element of production excellence rather than a separate consideration. The threats targeting manufacturing environments continue to grow in both frequency and sophistication, requiring specialized protection approaches that address the unique characteristics of industrial operations.
The post Cyber Threats to the Manufacturing Industry: Risks, Impact, and Protection Strategies appeared first on Waterfall Security Solutions.
]]>The Evolving Threat Landscape in Oil and Gas Operations
The widespread digitalization of oil and gas operations has given rise to a sophisticated security environment where cyber threats increasingly zero in on critical infrastructure systems. Modern drilling platforms, refineries, and extensive pipeline networks now depend on advanced automation systems, Industrial Internet of Things devices, and cloud computing technologies to optimize their operations. While these technological advances have dramatically improved efficiency, they have also expanded the potential attack surface exponentially.
Recent Security Incidents in the Oil and Gas Sector
The industry has experienced several devastating high-profile security incidents that underscore just how severe these threats have become. The 2021 Colonial Pipeline ransomware attack stands as perhaps the most prominent example, forcing the complete shutdown of a massive 5,500-mile pipeline system that typically supplies 45% of the East Coast’s fuel supply. This single incident caused widespread disruption and fuel shortages across multiple states, demonstrating how vulnerable these critical systems can be to determined attackers.
Saudi Aramco has also faced numerous cyberattacks over the years, including the notorious 2012 Shamoon malware incident that destroyed over 30,000 computers throughout its network. More recently, the company has dealt with cloud-based attacks specifically targeting their valuable operational data, showing how threat actors continue to adapt their tactics to exploit new vulnerabilities.
The problem extends well beyond major corporations and affects smaller operators too. Throughout 2022, several midsize oil and gas operators reported ransomware attacks that specifically targeted their industrial control systems, with attackers displaying remarkably sophisticated knowledge of operational technology environments. These incidents resulted in production shutdowns lasting several days and, in some particularly concerning cases, compromised safety systems that could have led to catastrophic accidents.
Key Threat Actors Targeting Oil and Gas Infrastructure
Oil and gas facilities face threats from a diverse range of adversaries, each with its own distinct motivations and capabilities. Nation-state actors frequently target these facilities to gain geopolitical advantage, conduct economic espionage, or establish persistent access to critical infrastructure that could potentially be weaponized during future conflicts. Several countries with advanced cyber capabilities have been linked to extensive reconnaissance operations designed to map vulnerabilities in energy infrastructure worldwide.
Criminal organizations have increasingly recognized the significant profit potential in targeting oil and gas companies, particularly because these organizations face tremendous pressure to restore operations quickly during any outage. This business reality has led to the emergence of specialized ransomware operations that explicitly target industrial control systems, with ransom demands frequently exceeding $10 million for larger operations.
Additionally, hacktivists and environmental extremists represent a growing and unpredictable threat vector, with some groups motivated primarily by ideological opposition to fossil fuel operations. These actors typically focus on service disruption or data theft to embarrass companies and generate negative publicity rather than seeking direct financial gain, making their attack patterns significantly less predictable than profit-motivated criminals.
| Year | Attack Type | Target System | Impact | Financial Loss |
| 2021 | Ransomware | Colonial Pipeline IT systems | 6-day pipeline shutdown | $4.4 million ransom |
| 2022 | Malware | European oil terminal OT systems | Disrupted loading operations at multiple ports | Undisclosed |
| 2023 | Supply chain | Pipeline monitoring software | Backdoor access to SCADA systems | $30+ million (estimated) |
| 2024 | Zero-day exploit | Offshore platform control systems | Production shutdown for safety concerns | $75+ million (estimated) |
| 2025 | Insider threat | Refinery control systems | Near-miss safety incident | $15 million (remediation) |
Critical Security Challenges Facing Oil and Gas Companies
The oil and gas industry confronts several unique security challenges that significantly complicate protection efforts across its operations. Understanding these specific challenges becomes crucial for developing effective security strategies that are properly tailored to address the sector’s particular operational requirements and constraints.
Convergence of IT and OT Security
Perhaps the most significant challenge facing the industry today involves the rapidly accelerating convergence of information technology and operational technology systems. Traditionally, industrial control systems operated in complete isolation from corporate networks, but ongoing digital transformation initiatives have increasingly connected these previously separate environments to enhance operational efficiency, enable remote monitoring and operations, and facilitate advanced data analytics capabilities.
This convergence creates dangerous security gaps where traditional information technology security approaches prove completely inadequate for operational technology environments. Operational technology systems prioritize availability and safety above all other considerations, making common IT security practices like regular patching schedules and frequent system updates highly problematic for continuous operations. Many security teams currently lack personnel with the specialized expertise spanning both domains, which inevitably leads to significant protection gaps in the critical interfaces between IT and OT networks.
The risks become even more magnified by the expanding use of Industrial Internet of Things devices that frequently lack built-in security controls yet connect directly to critical operational systems throughout the facility. Each new smart sensor or networked controller potentially introduces fresh vulnerabilities that could provide determined attackers with valuable access to essential production systems and processes.
Legacy System Vulnerabilities
The oil and gas industry operates extensive legacy infrastructure that was originally designed and deployed decades before cybersecurity became a significant operational concern. Many production facilities continue to use industrial control systems and SCADA equipment that have been in continuous operation for twenty years or more, running outdated operating systems that vendors no longer actively support with security updates.
These aging legacy systems present substantial and ongoing security challenges throughout the industry. They often cannot be patched with security updates, rely on obsolete communication protocols that completely lack modern authentication mechanisms, and were originally designed with the fundamental assumption of complete air-gapping rather than any network connectivity whatsoever. Replacing these systems involves prohibitive costs that can reach millions of dollars per facility, along with potential production disruptions that could last weeks or months, forcing companies to develop creative compensating security controls instead.
The challenge extends beyond just the technical aspects to include significant documentation gaps, with many organizations lacking complete and accurate network diagrams or comprehensive asset inventories for their older systems. This makes it extremely difficult to identify potential vulnerabilities or detect unauthorized changes to these critical environments during routine security assessments.
Remote Site Security Management
The vast geographical dispersion of oil and gas assets creates substantial security management challenges that are unique to the industry. Remote facilities such as offshore drilling platforms, pipeline compressor stations, and isolated production sites often operate with extremely limited on-site IT support, making comprehensive security implementation and continuous monitoring exceptionally difficult to maintain.
These remote sites frequently depend on satellite or cellular connections that come with significant bandwidth constraints, severely limiting the effectiveness of traditional security monitoring capabilities. Physical security at these remote locations may also be considerably less robust than at major facilities, substantially increasing the risk of both insider threats and physical tampering with critical control systems.
Secure remote access remains one of the most critical challenges for the industry, as maintenance personnel, third-party vendors, and operations teams require reliable access to these systems for ongoing monitoring, troubleshooting, and maintenance activities. Each remote access pathway represents a potential attack vector that must be properly secured and continuously monitored, yet operational requirements often conflict with strict security controls.
Essential Oil and Gas Cybersecurity Best Practices
Protecting oil and gas infrastructure effectively requires a comprehensive approach that incorporates advanced technical controls, well-defined organizational policies, and proven industry best practices. The following strategies provide a solid foundation for enhancing security posture across all types of operations, from small independent operators to major integrated companies.
Implementing Defense-in-Depth Security Architecture
Defense-in-depth architecture continues to serve as the fundamental cornerstone of effective protection for oil and gas infrastructure operations. This proven approach implements multiple layers of complementary security controls throughout the organization, ensuring that if one protective layer fails or is bypassed, additional layers remain in place to protect the most critical assets and operations.
For oil and gas operations specifically, effective defense-in-depth implementation begins with conducting a comprehensive asset inventory and detailed risk assessment to properly identify the critical systems that require the highest levels of protection. Security zones should be carefully established based on operational function and criticality levels, with appropriate controls implemented at each zone boundary to manage and monitor all communications between different areas.
The architecture should incorporate robust physical security measures protecting control hardware and infrastructure, comprehensive network security controls managing all data flows between different zones, application security measures ensuring system integrity at the software level, and detailed procedural controls governing human interactions with all systems throughout the facility.
Advanced monitoring capabilities spanning both IT and OT environments enable early detection of potential threats and suspicious activities, with security information and event management solutions providing correlation across all environments to identify anomalous behavior patterns that might indicate system compromise. Increasingly, artificial intelligence and machine learning technologies enhance these capabilities by automatically establishing normal operational baselines and flagging significant deviations that warrant investigation.
Regular tabletop exercises and comprehensive incident response drills help organizations thoroughly test their defense-in-depth implementation, ensuring security teams understand how layered controls work together effectively during an actual attack scenario and identify potential gaps before they can be exploited by malicious actors.
OT Network Segmentation Strategies
Network segmentation represents one of the most effective security controls available for oil and gas environments, significantly limiting an attacker’s ability to move laterally throughout the network after gaining initial access to any system. However, effective segmentation strategies for OT environments differ significantly from traditional IT approaches and require specialized knowledge of industrial systems and protocols.
The Purdue Enterprise Reference Architecture provides an excellent framework for industrial network segmentation, logically dividing systems into distinct levels ranging from field devices at Level 0, through various control systems at Levels 1 and 2, operations management systems at Level 3, and business systems at Levels 4 and 5. Each boundary between these levels represents a valuable opportunity to implement security controls that carefully restrict and monitor communications between different zones.
Implementing properly configured demilitarized zones at the critical IT/OT boundary allows necessary data exchange for business operations while minimizing direct connections between environments that could be exploited. Within the OT environment itself, micro-segmentation based on operational function, process area, or safety criticality further limits potential attack propagation and contains any successful intrusions.
Unidirectional security gateways provide particularly strong protection at the most critical boundaries, physically enforcing one-way information flow from OT networks to IT networks while completely preventing any control signals or potential malware from traveling in the reverse direction. This hardware-enforced protection effectively eliminates entire classes of network-based attacks while still enabling essential operational data to flow to business systems for analysis and reporting.
Regulatory Compliance in Oil and Gas Security
The oil and gas industry operates within a complex and continuously evolving regulatory landscape that increasingly addresses specific cybersecurity requirements for critical infrastructure protection. Understanding and maintaining compliance with these various requirements has become essential for operational continuity and legal protection.
International Standards and Industry Guidelines
Several key frameworks provide comprehensive guidance for cybersecurity practices specifically tailored to oil and gas operations. IEC 62443 offers detailed standards for industrial automation and control systems security, providing guidance that is specifically designed to address the unique needs and constraints of operational technology environments. This framework addresses technical security requirements, organizational processes, and complete system lifecycle security considerations.
The NIST Cybersecurity Framework provides a proven risk-based approach that applies across all industries but has become increasingly referenced in energy sector regulations worldwide. For pipeline operators specifically, the American Petroleum Institute’s Standard 1164 provides detailed and practical guidance on SCADA security practices, including recent updates that address modern threat landscapes and attack vectors.
Regional regulations increasingly impact even global operators who must comply with local requirements in each jurisdiction where they operate. The European Union’s comprehensive NIS2 Directive imposes strict security requirements on essential service providers, including all energy companies, while the U.S. Transportation Security Administration has implemented mandatory security directives for pipeline operators following lessons learned from the Colonial Pipeline incident.
Building a Compliance-Oriented Security Program
Rather than treating compliance as merely a checkbox exercise to be completed annually, leading oil and gas companies successfully integrate regulatory requirements into comprehensive security programs that genuinely enhance overall protection levels. This strategic approach begins with carefully mapping regulatory controls across different frameworks to identify common requirements and streamline implementation efforts across the organization.
Successful compliance programs place emphasis on ongoing risk management activities rather than relying solely on point-in-time assessments that may quickly become outdated. They incorporate regular evaluation of security controls against evolving threat landscapes and changing operational requirements. Documentation and evidence collection become integrated into standard operational processes rather than being conducted as separate, burdensome activities that interfere with daily operations.
Third-party risk management has become an absolutely essential element of compliance programs as regulations increasingly hold operators directly responsible for maintaining security throughout their entire supply chain ecosystem. Leading organizations implement comprehensive vendor security assessment programs and detailed contractual security requirements for all partners with any level of access to operational systems.
| Framework /
Standard |
Region/Scope | Key Requirements | Implementation Timeline |
| IEC 62443 | International | Secure development lifecycle, zone/conduit models | Phased implementation |
| NIST CSF | United States/Global | Risk assessment, protection, detection, response | Continuous improvement |
| API 1164 | Pipeline operators | SCADA security controls, authentication requirements | Updated every 5 years |
| NIS2 Directive | European Union | Mandatory incident reporting, security measures | Full compliance by 2026 |
| TSA Security Directives | U.S. pipeline operators | Vulnerability management, incident response plans | Immediate implementation |
How Waterfall Security Solutions Protects Critical Oil and Gas Infrastructure
As threats to oil and gas infrastructure continue to grow in sophistication and frequency, traditional security approaches based solely on firewalls and software-based controls have proven inadequate for protecting critical operational systems. Waterfall Security Solutions addresses these complex challenges through innovative technology specifically designed to meet the unique protection needs of industrial environments where safety and availability cannot be compromised.
Unidirectional Security Gateway Technology for OT Protection
Waterfall’s flagship Unidirectional Security Gateway technology represents a fundamental paradigm shift in operational technology security, physically enforcing strict one-way information flow to protect critical infrastructure from external cyber threats. Unlike traditional firewalls that can be misconfigured, bypassed, or compromised through software vulnerabilities, Waterfall’s hardware-based approach creates an absolutely impassable barrier against any inbound attacks or unauthorized commands.
The technology utilizes a unique and innovative architecture featuring a transmitter component on the operational technology side connected to a receiver component on the information technology side through dedicated optical fiber connections. This physical configuration enables essential operational data to flow seamlessly to business systems for monitoring, analysis, and reporting purposes while making it physically impossible for malware, attack commands, or any unauthorized communications to travel in the reverse direction. This effectively creates a modern, highly functional implementation of traditional air gap protection while maintaining complete operational visibility and business intelligence capabilities.
For oil and gas operators, this approach successfully resolves the fundamental tension that has long existed between operational connectivity requirements and security imperatives. Critical production data, equipment status information, and performance metrics can flow freely to corporate networks for essential business intelligence purposes while critical control systems remain completely protected from any network-based attacks. The technology provides comprehensive support for all standard industrial protocols, including Modbus, OPC, and OSIsoft PI systems, enabling seamless integration with existing infrastructure investments without requiring costly system replacements.
Beyond the core gateway technology, Waterfall’s comprehensive solution suite includes specialized secure remote access options designed specifically for industrial environments, allowing authorized vendors and remote workers to access necessary systems when required without compromising overall security posture. The company’s industrial security monitoring solutions provide detailed visibility into operational technology network activity to detect potential insider threats or anomalous behavior patterns that might indicate compromise.
Conclusion
The security challenges facing the oil and gas industry will undoubtedly continue to evolve and become more complex as digital transformation initiatives reshape operations and threat actors develop increasingly sophisticated attack capabilities and techniques. Organizations that proactively implement comprehensive security strategies combining advanced technology, robust processes, and well-trained personnel will be best positioned to protect their critical infrastructure while still enabling the significant operational benefits that modernization can provide.
By carefully applying the proven best practices outlined throughout this article and leveraging specialized security technologies like those provided by Waterfall Security Solutions, oil and gas operators can substantially enhance their overall security posture while ensuring the reliable and safe delivery of essential energy resources to communities and industries worldwide. The investment in robust cybersecurity measures today will prove essential for maintaining operational continuity and protecting both business assets and public safety in an increasingly connected and threatened world.
The post Top Oil and Gas Security Challenges and Best Practices for Protection appeared first on Waterfall Security Solutions.
]]>