
An integrated OT SOC: Cost or Investment?

A dedicated OT Security Operations Center (SOC) offers a strong foundation for launching and supporting many institutional security measures such as continuous threat detection, a unified view and visibility, and OT governance and policy implementation. When done well, a managed OT SOC can serve as a nerve center for all OT security efforts while reducing risk exposure and resource requirements by significantly reducing redundancies. An OT SOC also institutionalizes all security measures and ensures that adequate attention is allocated to OT security in line with the growing threats and cyber risks related to OT.

Cost vs investment: building a case for an OT SOC

In an era dominated by the convergence of technologies, security blind spots can derail even the best security plans and approaches. Such blind spots can emerge for many reasons, one of which is a general lack of a unified and evolving approach to OT security that keeps pace with the rising sophistication of cyberattacks, the rising insider threat, and the increasing threat surface area. Having an OT SOC reduces the chances of such blind spots persisting long enough for their impact to manifest. Through a mix of policies, interventions, best practices, and solutions, such blind spots can be addressed fairly early in their lifecycle.

Efficiency is another area where businesses can gain significantly with a dedicated OT SOC. With an OT SOC, businesses can run automated processes that minimize the time to respond to an incident, reduce manual tasks, and gain deeper insights to manage resources while keeping costs under control. These automated tasks can also improve the quality of incident response by offering the right data and decision-making context to security analysts or to workflows that serve as policy triggers. An OT SOC should be seen as an investment rather than a cost.

In addition to reducing needless redundancies, an OT SOC can also offer information to an IT SOC to improve coordination between the two teams. It also makes security operate in a more proactive manner to contain threats, identify vulnerabilities (and patch them), and stop cyberattacks early. Thus security investments as a whole are rendered more effective and efficient.

Keeping pace with changing threats and regulatory environment dynamics

A managed SOC can bring flexibility and scale to your security initiatives. A good OT SOC vendor can bring in best-of-breed solutions, implement proven practices, identify and mitigate risks early, and ensure compliance with existing and new compliance mandates on an ongoing basis. This helps CISOs focus on strategic and operational improvements.

A good OT SOC pays for itself

In addition to all the benefits mentioned above, a good OT SOC can make a huge difference to your margins. How, you ask? For one, with a well-managed OT SOC, your security team can invest time, resources, and attention in improving skills, operations, and other aspects without worrying about cyberattacks or breaches on an everyday basis. Businesses can also save through a managed OT SOC through:


A Complete Guide to ICS Security Assessment

Did you know that the average cost of a data breach worldwide was $4.35 million in 2022, with phishing being the most common form of attack? Ransom demands, locking critical data files, stealing sensitive data, etc., are common forms of attack. Many industries bear the brunt in the form of high costs for data recovery, loss of reputation, damaged business relationships, legal complications, etc. All of this brings to light the need for cyber security assessment and analysis to provide an effective defense against threats.

What is ICS security assessment?

Industrial Control Systems (ICS) security assessment involves evaluating the ICS of an organization for vulnerabilities and weaknesses and ensuring that effective controls are in place to defend against cybersecurity attacks. The assessment encompasses:

Evaluation of safety with a cybersecurity audit

A cybersecurity audit is an evaluation of the security and strength of the ICS environment of an organization. Some of the essential steps in a cybersecurity audit are:

The scope of the audit, the networks that will be assessed, and the standards that must be adhered to are defined as a first step. The relevant ICS security policies and standards should be reviewed to understand what is in place at present. The network architecture for critical and non-critical systems should be analyzed to check the segmentation of networks. A cybersecurity audit also ensures that the ICS environment adheres to industry standards, like IEC 62443. A thorough network scan should be done to assess the weaknesses of the ICS environment. Logging of incidents should follow the best practices for an incident response plan; an audit will review this and provide information on lapses. Once the audit of the ICS environment is complete, an audit report on the findings about vulnerabilities should be prepared. The report should also contain relevant recommendations for further action. On the basis of the report, necessary follow-up actions should be taken to address the issues and weaknesses identified. Effective follow-up also helps keep a watch on emerging threats.

CIA triad: The ICS security assessment model

The CIA triad is a popular method for security assessment. CIA stands for Confidentiality, Integrity, and Availability. All three aspects carry importance while reviewing the system for vulnerabilities and risk assessment. For safe operation of industrial processes, there should be a balance between confidentiality, integrity, and availability.

Confidentiality

Maintaining the privacy of the data of an organization and restricting unauthorized access are key parts of confidentiality. In this digital age, there are frequent attempts to compromise the safety of industrial control systems. Maintaining confidentiality involves maintaining safety by way of encryption, multi-factor authentication, labeling data, etc.

Integrity

Integrity ensures that the data is reliable and trustworthy. Data is protected from unauthorized alteration to maintain the authenticity of the information through non-repudiation.

Availability

Data that is secure must also be available and accessible to the stakeholders. Timely availability of data without any interruption is of prime importance. Various events, like natural disasters, ransomware attacks, denial-of-service, etc., can compromise availability.

The CIA triad method offers a comprehensive methodology for the assessment of security lapses. It helps identify what went wrong and how well the existing systems were able to protect the data.

The need for ICS cybersecurity assessment

Even technology leaders had to mitigate an average of 1,435 Distributed Denial-of-Service (DDoS) attacks daily in 2022. This statement is an indicator of the gravity of the situation. Cybersecurity assessment is the need of the hour when the digital landscape is deluged with multiple types of cyberattacks. There have been instances of severe losses and compromises in many industries due to overlooking cyber security assessments. Here are some cyber incidents that shook industries due to the lack of assessments. All these necessitate timely intervention by assessments so that potential threats can be identified and defense mechanisms can be put into action.

ICS security standards

Organizations follow different security standards based on industry requirements. We will discuss some of them here:

1. ISA/IEC 62443

The set of standards in IEC 62443 offers guidelines for securing industrial automation and control systems. Such control systems are found in power plants, oil and gas plants, water treatment plants, etc. These standards provide assistance by informing the type of controls to be put in place in ICS platforms. IEC 62443 is mainly used by industries in the industrial automation and control sector. With a comprehensive set of policies, they are considered one of the best to be followed by industries.

2. The North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP)

The NERC CIP standards are specific to the power grid sector. They are used to protect the security of electricity industries. These include:

Some common ICS tools used for cyber security assessment

These tools are widely used by analysts to identify and track vulnerabilities to amplify protection.

NMAP

With this tool, analysts identify hosts that reside in a network. It helps detect threats and discover open ports and services. It can map an entire network and detect open ports easily. This is a simple tool with a powerful ability. It can instantly recognize all routers, servers, switches, and mobile devices on single and multiple networks. It helps identify web servers and DNS servers that are running on a system. It has a GUI called Zenmap through which you can develop visual mappings of a network.

SHODAN

Shodan is a search engine that helps find servers, routers, etc., on the internet using various filters. With Shodan, you can identify if any devices on the ICS are accessible through the internet. Data collected by Shodan is comprehensive. It is in metadata format and contains data like hostname, geographical location, OS, and properties related to application layer protocols. This helps identify insecure devices.

Sectrio

You can leverage Sectrio to conduct host discovery and vulnerability analysis and provide solutions to correct the vulnerability detected in the


QILIN Ransomware Report

QILIN, also known as “Agenda”, is a ransomware group that also provides Ransomware as a Service (RaaS). Qilin’s ransomware-as-a-service (RaaS) scheme earns anywhere between 80% to 85% of each ransom payment, according to new Group-IB findings. It was first discovered in 2022 when it attacked Australia’s leading information technology service organization. Qilin targets its victims by sending phishing emails that contain malicious links to gain access to their network and exfiltrate sensitive data. As soon as Qilin completes initial access, they commonly move laterally across the victim’s infrastructure, attempting to find crucial data to encrypt. After encrypting the data, Qilin leaves a ransom note (“Your network/system was encrypted, and the encrypted file has a new file extension”) and asks for a ransom payment in exchange for the decryption key.

Ransomware Details & Working

It drops pwndll.dll, detected as Trojan.Win64.AGENDA.SVT, in the public folder and injects this DLL into svchost.exe to allow continuous execution of the ransomware binary. It takes advantage of safe mode to evade detection and proceed with its encryption routine unnoticed. The malware is written in Rust, and the Rust variant is especially effective for ransomware attacks as, apart from its evasion-prone and hard-to-decipher qualities, it also makes it easier to customize malware to Windows, Linux, and other OSes. Here are some pointers to be noted:

Victim Selection

At first, it was randomly targeting organizations, but now it seems they are mostly interested in critical infrastructure, the OT companies. In the year 2023, they have targeted 21 companies, which include 5 OT victims. Recently, in June 2023, they attacked a Dubai-based OT company which specializes in comprehensive industrial and commercial water treatment (Clarity Water Technologies, LLC) and have targeted 6 other companies and leaked some of their data.

As per our dark web analysis, the victims they have targeted till now are from different countries, which include Argentina, Australia, Brazil, Canada, Colombia, France, Germany, Japan, New Zealand, Serbia, Thailand, The Netherlands, UAE, UK and United States.

Fig 1: Victim countries

As per the screenshot of a post, written in the Russian language by a Qilin recruiter for recruiting “teams of experienced pentester for their affiliate program,” the group doesn’t work in CIS countries.

Dark web Analysis of Qilin Ransomware

Qilin maintains a dedicated dark web page where they publish all the information and details about the victim, which includes the victim’s name, date of attack, a description of the victim, and some images related to the victim’s sensitive data; when the ransom is not paid, they also leak the victim’s data on their dark web site. They have posted about 22 victims on their onion sites, and some victims’ data has also been leaked on their page.

Let’s go through their dark web site. The Qilin dark web front page is where they publish the information about their victims. A login page is present on the Qilin ransomware site. They normally leak two files: one has the data, and another has the list of all the sensitive files (as shown in the image).

IOCs

76f860a0e238231c2ac262901ce447e83d840e16fca52018293c6cf611a6807e
fd7cbadcfca84b38380cf57898d0de2adcdfb9c3d64d17f886e8c5903e416039

Mitigation For Securing OT Environment:

Remediations

Reference

https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html
https://www.trendmicro.com/en_in/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html
https://www.group-ib.com/blog/qilin-ransomware/

This research report is attributed to Dipanjali Rani and Akshay Jambagi from Sectrio’s threat research team.


Why the new AI cybercrime tool is just the tip of the iceberg

Recent reports about the appearance of a new generative AI tool point to the level of maturity that hackers have attained as far as leveraging AI is concerned. In the latest edition of our IoT and OT threat landscape report, we had predicted this trend with supporting data. Our prediction on the use of AI covered these points:

If you wish to read more and understand how things got this far, I would encourage you to check out the AI section in this report, available for free download. Now that that is out of the way, let’s focus on why we should look beyond just the tools to understand how hackers are preparing themselves to launch new waves of AI-powered cyberattacks. We will also look into ways to prepare our infrastructure to withstand these waves and continue operations without disruption.

Not merely a tool for script kiddies and lazy hackers

AI-based tools, while lowering the entry barriers for hackers, are also enabling them to reuse data that they used to sell or simply discard earlier. This data includes network access credentials, traffic baselines, packet composition, asset vulnerabilities, bandwidth usage patterns, and more. Such data can now be used to derive the best windows for a cyberattack or even to figure out how to confuse security mechanisms by generating lots of false positives. SOC operations and data on incident response frameworks can also be derived from the stolen data using AI. Generative AI can place these predictions in buckets and then craft a cyberattack tool armed with the relevant know-how to conduct another attack on the same victim in case they have not changed their processes and tools much (which is often the case). Here are a few more ways in which hackers will leverage AI-based tools to further their disruptive agenda:

AI-based reconnaissance

AI tools can also be used to run reconnaissance campaigns more effectively. A typical AI campaign could involve disguised packets that hide modular reconnaissance malware that could assemble itself within the network of the victim or on a device running on their network. The net result will be a clearer view of the victim’s network, including weak points and unguarded threat surfaces. This also increases the level of situational awareness for the hacker or the group.

Supply chain manipulation

AI-based tools can also be used to carve a path for adding embedded malware at various points in the supply chain. Using such tactics, the hackers can open up multiple points for embedding malware or a snooping payload in the supply chain and enable it to travel upstream or downstream.

New models and frameworks for hacking

With AI-based tools, hackers are also able to try out new breach tactics faster and eliminate tactics that do not work, work partially, or may take much longer to succeed. Successful tactics can be further refined and fine-tuned.

Co-opting insiders through campaigns

Hackers can run large-scale campaigns to target susceptible insiders across channels, platforms, and apps. This could lead to more such campaigns turning successful and providing hackers with a new avenue for high-quality data exfiltration. AI can also be used to identify susceptible profiles that can be targeted through persistent campaigns.

AI-driven bot farms

AI can also be used to manage bot farms that can run large-scale targeting across geographies. AI can also be used to minimize the footprint and signatures of individual bot farms to obscure them. Such bot farms can also be turned on and off sequentially to minimize the load on individual bots. This can have significant implications for projects and businesses that use the Internet of Things (IoT) in their infrastructure.

Asset profiles, vulnerabilities, and Zero Days

AI can profile OEMs and their components to discover Zero Days through a systematic study of design principles and production processes to determine flaws and unpatched vulnerabilities. This can make a big difference to Operational Technology security measures implemented at a plant/unit level.

These are just a few use cases related to the use of AI by hackers. What we are seeing now is just a preview of how things will evolve in the days to come. With greater attention and resource involvement, hackers will be able to gain a clear upper hand when it comes to breaching targets with ease.

How to defend your IoT and OT infrastructure against AI-powered cyberattacks

The following steps can be taken to secure against AI-powered cyberattacks:


OT Security Challenges and Solutions

OT Security: though the term sounds familiar, global SRM leaders are yet to develop robust OT security solutions for protecting OT networks. Sectrio’s The IoT and OT CISO Peer Survey 2022 highlights that close to 90% of CISOs reported one major cyber incident in the last 12 months. Most respondents stated that operations were halted for over four days, incurring losses of over $2.5 Million. The stats mirror the current situation. As if this is not enough, here is another wake-up call. According to a survey, over 30% of critical infrastructure organizations will likely be the victims of OT attacks and threats by 2025.

Many point fingers at the rapid digitization of the technologies that propel critical infrastructure. Along the same lines, we cannot ignore the fact of underspending when it comes to establishing and realizing OT security. It took a mammoth effort of countless ransomware attacks, data breaches, and cybersecurity attacks to make us recognize the need for cybersecurity. This transition happened over a decade. Cyber-attacks on IT systems primarily affected individuals, firms, and government organizations. It will not be the same in the case of an OT attack. A nation’s security would be at stake if it were a large-scale OT attack.

Despite an ever-growing list of OT security vendors, many companies still choose not to opt for OT security solutions. The reason can be either budget constraints or a failure to acknowledge the consequences of an OT attack. More worrying is that over 80% of the CISOs believe their supply chains are vulnerable to cyber-attacks and OT security attacks. Cyber-attacks on OT networks are an ever-growing concern in the industry. One can minimize exposure to such attacks by following protocols and identifying commonly experienced OT security challenges. This approach will help a CISO and the company’s C-Suite to understand their needs while discussing with various OT security vendors.

Top 10 OT Security Challenges and Solutions:

Digitization might have exposed OT networks to more frequent and sophisticated cyber-attacks. But there are other reasons that one needs to understand to address the problem. Subscribing to a random OT security solutions suite may not protect an OT network entirely. Evaluating the security posture of an OT network beforehand helps in understanding the kind of security solutions needed. Before addressing the common OT security challenges an OT network might face, it is essential to understand the difference between challenges and threats. Challenges are the adversaries that one can address using available resources. Threats are those adversaries that require additional resources, or that highlight the lack of resources, in a specific domain. The following are the most common OT security challenges on an OT network. To keep you less worried, we also list the solutions that can help you to handle these challenges.

1. Attrition of Network Architecture

Most OT networks currently existing were designed in the early ’90s and built into the late ’90s, with a few in the early 2000s. The security of an OT network works on the design philosophy of isolation: completely separated from other networks. This technique ensured default protection of an OT network, irrespective of the advancement of IT-related threats. The OT networks were often guarded by strict protocols at their respective sites, eliminating most threats. The decades-old OT networks need continuous maintenance and installation of upgrades. Rather than periodic and broad-scale upgrades, most manufacturing plants opt for ad-hoc upgrades. This pattern can lead to a gradual attrition of security. Most OT networks’ security architecture follows the Purdue Model of Control Hierarchy, a six-layered, well-defined security protocol. Security erodes with time. One can attribute this to ad-hoc updates and to changes made to machinery without considering the impact at a broader level. Adding to this, the adoption of ‘wireless communication’ has further worsened the security woes. Despite robust OT security solutions in place, having these vulnerabilities puts the OT network at risk in its entirety.

Solution: Managers at manufacturing plants should plan for a complete assessment of the OT network’s security posture ahead of the scheduled updates. It is better to replace obsolete components with new ones on the network than to opt for ad-hoc updates. Trying to extend the lifespan of outdated components through patching and ad-hoc updates weakens the security posture. The cybersecurity team must understand the broad impact of any update before installing it on any device. No one should override the ‘Purdue Model of Control Hierarchy’ or the established set of security protocols to facilitate the installation of any device on a network. As we speak, OT and IT networks are being consolidated into a giant complex network. Enterprises should have a comprehensive suite of OT security solutions, preferably from multiple OT security vendors.

2. Obsolete Machinery and Legacy OS

Obsolete machinery and legacy OSes add more weight to a weakening OT network. While obsolete machinery is directly responsible for low productivity, it is solely responsible for ‘incompatibility’ across various systems. Given that every vendor’s software and protocols are proprietary, compatibility across components from different vendors is impossible. Adding to it are the ever-growing cybersecurity concerns. Despite the availability of many OT security vendors, securing obsolete machinery running on a legacy OS is impossible. The history of vulnerabilities in Microsoft Windows XP and Windows 7 is well covered. With Microsoft discontinuing support for these operating systems, enterprises are left bare in cyberspace, waiting for an attack to occur. These archaic machines and systems do not support modern-day security protocols and have no room for flexibility and scalability. A system crash on this infrastructure results in data loss and a recovery time of hours. If a component fails, this downtime runs into days and even weeks, given the scarce availability of spare parts. High maintenance costs further hit the margins. Knowing that data is the oil of the 21st century, these obsolete machines and legacy OS systems cannot make the most of it. The utilization of data is what decides the fortunes in the present and future. Many enterprises fail to comply with statutory and other regulations by


Ensuring Secure Remote Access for Industrial Control Systems

Industrial control systems (ICS) refer to control systems used in a wide range of industrial processes. ICS is a component of operational technology that involves the hardware, software, and systems that help manage industrial operations. Some basic aspects of ICS include sensors, controllers, local supervisory systems, business systems, and management systems.

The need for remote access connectivity for industrial control systems has never been greater, as it allows businesses and industries to enjoy more efficient and reliable operations. But for successful remote access, businesses have to establish network connections between the ICS infrastructure and the remote user. This comes with its own set of security risks. Cybercriminals constantly target remote users to steal sensitive information, gain financial advantages, or blatantly cause damage. The consequences of such security breaches can be devastating, as they lead to operational disruptions, reputational damage, financial losses, and data corruption. This is why organizations must ensure secure remote access (SRA) for industrial control systems. In this article, we’ll explore some of the best ways to ensure secure remote access for industrial control systems (ICS).

Best Practices for Secure Remote Access for Industrial Control Systems

Remote users should authenticate with multi-factor authentication (MFA)

Multi-factor authentication (MFA) is an added security measure that requires users to provide several ‘pieces’ of verification before being granted access to an account. Examples of MFA factors include one-time passwords (OTPs) and biometric data like fingerprints, voice recognition, or iris scans. For most accounts, users require only a password when logging in. But an MFA system combines multiple authentication factors, including a password and other confirmation processes. This adds an extra layer of security, making it hard for unauthorized people to access an account. To ensure secure remote access for industrial control systems, consider a multi-factor authentication system done over a secure channel. But when doing so, be careful, as some multi-factor solutions can be ineffective because of the speed or process control reliability requirements.

Ensure secure communication through encryption tools and tunneling techniques

Encryption protocols and secure tunneling techniques ensure the information exchanged between the remote user and the ICS remains confidential and protected from unauthorized access. For example, Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocols establish secure, encrypted connections between client and server applications. They provide authentication and data encryption. And this is just one example of encryption protocols and secure tunneling techniques. Implementing such protocols ensures secure communication channels for remote access to ICS.

Consider dedicated client hardware and software

It’s standard for organizations looking for remote access solutions to equip their users with both the software and hardware required to connect. However, even in doing so, cybercriminals still remain a huge concern, as they typically target such users. As part of the remote access solution, your organization should issue personal computers or laptops. This PC or laptop should have the appropriate cyber security countermeasures, such as host-based intrusion detection systems and antivirus software. But perhaps one effective solution that has benefited most organizations involves using VPNs for secure remote access. The best VPNs establish a secure and encrypted connection between the user and the ICS network. They create a secure “tunnel” over an insecure network, such as public Wi-Fi, ensuring that sensitive information remains protected. Employing dedicated client hardware, such as laptops, and dedicated software, such as VPNs and antivirus, ensures that organizations can effectively establish secure remote access for industrial control systems.

Session Termination

Session termination is a fundamental concept when discussing remote access. Session termination is paramount when establishing a remote access solution because it terminates the link between the remote user and the internal network or system. It’s an essential and non-negotiable element of a secure remote access solution. Because of this, organizations need to ensure that sessions are promptly terminated, either upon request or automatically based on system configuration.

Conduct regular patching and updates

Regular patching and updates are essential in addressing vulnerabilities and security weaknesses in software systems. By promptly applying security patches, you will easily address the vulnerabilities and protect the entire ICS infrastructure from potential cyberattacks. Through proper patch management, it will be easy to close security gaps and strengthen the overall security of the system, significantly reducing the risk of unauthorized access and disruptions. Since ICS is highly critical for an organization, you must be keen to plan and execute updates to minimize disruption of operational continuity. The best approach is to conduct the process in phases, whereby you test the patch in an isolated environment before distributing it to the entire ICS infrastructure. Ensure you also adopt a redundant architecture and backup system to provide uninterrupted operations.

Outline definitive remote access policies and procedures

Most organizations fail to define and communicate clear policies pertaining to rules and procedures for remote access to ICS. It’s important to clearly outline who can access the system, define the circumstances, and indicate the necessary authentication mechanisms. For example, a good place to start would be to adopt a role-based access control (RBAC) policy. This policy framework regulates access to resources and equipment within an organization based on roles. In an RBAC policy, users are assigned specific roles that determine their level of access to systems, applications, and data. As an administrator, you should ensure all users looking to connect remotely use a named account. And not only that, but remote access users should only access systems that are directly associated with their line of work and nothing more. You should go further and assign only the specific access privileges remote workers require to carry out their duties. This limits accessibility based on job functions and needs. It’s essential in reducing the risk of insider threats and maintaining the overall security of the ICS environment.

Schedule security awareness and training sessions

A big part of security

Ensuring Secure Remote Access for Industrial Control Systems

Essential OT security practices 12 effective measures you can implement today

Essential security practices in OT control systems

Operational Technology (OT) security controls include the measures, workflows and procedures put in place to protect OT systems from cyber threats. OT systems are used to control, run and monitor critical infrastructure, such as power plants, water treatment facilities, and transportation systems. As these systems become increasingly interconnected, they become more vulnerable to attack. In addition to vulnerabilities, there are threat actors constantly scanning networks connected to OT in order to gain access to them. Many critical infrastructure operators that use OT rely on a mix of OEM support and internal OT security governance policies to secure OT. Such policies are often not aligned with the growing threats in the wild and the increasing threat surface in these organizations (a result of using untested and/or legacy systems that simply cannot be patched). Thus, to ensure disruption-free operations, organizations using OT need to deploy more measures to secure OT and the allied networks. Here are 12 effective measures that are relatively easy to deploy and improve OT security to a large extent.

1. Network segmentation in IT-OT networks
OT networks should be segmented to build a moat around critical control systems, separating them from other networks, including corporate or public networks. This prevents unauthorized access and contains potential breaches, limiting the impact of a breach event. Segment your network at the most granular level: learn more about Sectrio Micro Segmentation.

2. Access control
Strong access controls help restrict and manage user access to OT systems. This includes unique user accounts, identity and access management with strong passwords, need-based access, multi-factor authentication, and role-based, transaction-specific access control to ensure that only authorized personnel can access and make changes to OT systems. This also helps reduce the insider threat.

3. Patch management
Regularly applying security patches and updates to OT control systems (patch discipline) is crucial to addressing known vulnerabilities and preventing them from being exploited. However, patching in OT environments presents a daunting challenge due to concerns about system accessibility, stability, and downtime. Proper testing and validation procedures should be followed to ensure patches do not disrupt operations at any level. Know more: 10 Best Practices for an OT patch management program

4. Security monitoring
Implementing robust monitoring capabilities is essential for detecting and responding to security incidents promptly. This includes monitoring network traffic, system logs, and security event information to identify suspicious activities or anomalies.

5. Deploying security solutions
Security solutions such as those from Sectrio help detect, contain and block known attack patterns and behaviors in real time. Such OT security systems can provide early warning of potential security breaches and automatically take action to prevent or mitigate the impact of an attack.

6. Security sensitization, awareness and training
Employees and operators should receive regular training on OT security best practices, including recognizing and reporting suspicious activities, handling security incidents, and adhering to security policies and procedures.

7. Leverage global repositories and understand the landscape
MITRE ATT&CK®, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, should be used to strengthen the organization’s security posture. Maintain a holistic view of emerging threats, adversaries, and exploits so that action can be taken against them early on. Check out: The Global OT and IoT Threat Landscape Assessment and Analysis Report 2023

8. Secure remote access
If remote access to OT systems is necessary, it should be implemented using secure methods such as virtual private networks (VPNs) and encrypted communication channels. Multi-factor authentication should be enforced to ensure that only authorized individuals can access the systems remotely. Contact us: Find out how Sectrio can help you with a Secure Remote Access Solution

9. Incident response and recovery planning
Conceptualizing and running an incident response plan is crucial for effectively managing and recovering from security incidents. This includes defining and publishing roles and responsibilities, activating communication channels, documenting processes, and conducting regular drills and simulations to ensure preparedness to deal with any threat or risk.

10. Implement a Zero Trust framework
Trust should be portioned and earned. Micro segment your network and deploy granular policies that allow you to adopt a Zero Trust Network Architecture.

11. Vendor and supply chain visibility and security
Proper diligence should be conducted when selecting OT control system vendors (OEMs), ensuring they have robust security practices in place and that they procure components from credible and secure vendors. It is important to assess the security of third-party components and software used in OT systems to minimize the risk of supply chain attacks and embedded malware.

12. Continuous risk assessment
Regularly conducting risk assessments, flash audits, and vulnerability scans helps identify, prioritize, and address potential weaknesses in OT control systems. This allows organizations to prioritize security investments and make informed decisions to improve the overall security posture of their OT environments. Sign up now: Comprehensive Asset Discovery with Vulnerability and Threat Assessment

OT control security needs a holistic approach from the word go, one that combines technical controls, process improvements, and organizational awareness. It should be run as an ongoing effort that adapts to evolving threats, security priorities and technologies to ensure the resilience and safety of critical industrial processes.


OT Threat Hunting Unleashing Proactive Cybersecurity

Threat Hunting in OT Networks: Unleashing Proactive Cybersecurity

With the increasing digitization and connectivity of operational technology (OT) networks, the threat landscape has expanded, making it imperative for organizations to proactively hunt for potential cyber threats. Threat hunting in OT networks involves actively and continuously searching for signs of compromise or malicious activity that traditional security measures might miss. This article dives deep into the concept of threat hunting in OT networks, its significance in protecting critical infrastructure, and effective strategies to unleash proactive cybersecurity.

Understanding Threat Hunting in OT Networks

Threat hunting in OT networks is a proactive approach that aims to identify and mitigate advanced threats, including sophisticated attacks, zero-day exploits, and insider threats. It involves leveraging both human expertise and advanced technologies to detect anomalies, patterns, and indicators of compromise (IOCs) within the OT environment. By proactively seeking out threats, organizations can stay ahead of adversaries and minimize risks to operational continuity.

The Importance of Threat Hunting in OT Networks

Threat hunting in OT networks offers several key advantages:

1. Detection of Advanced Threats
Traditional security measures often struggle to identify sophisticated attacks targeting OT systems. Threat hunting fills this gap by actively seeking out signs of compromise, enabling early detection and response to emerging threats.

2. Reduction of Dwell Time
Threat hunting reduces dwell time, the duration for which adversaries remain undetected within the network. By shortening dwell time, organizations can minimize the potential damage and disruption caused by an ongoing cyber attack.

3. Mitigation of Insider Threats
Insider threats pose a significant risk to OT networks. Through threat hunting, organizations can proactively identify abnormal or suspicious behavior exhibited by employees or contractors, mitigating the risk of insider threats.

4. Enhanced Incident Response
By adopting a proactive approach, threat hunting equips organizations with actionable OT/ICS-specific threat intelligence and the insights necessary for effective incident response. This allows security teams to rapidly contain, eradicate, and recover from security incidents, minimizing the impact on critical operations.

Also Read: Complete Guide to Cyber Threat Intelligence Feeds

Strategies for Effective Threat Hunting in OT Networks

To conduct successful threat hunting in OT networks, organizations should implement the following strategies:

1. Define Clear Objectives
Establish clear goals and objectives for threat hunting activities, aligned with the organization’s risk tolerance and operational priorities.

2. Leverage Threat Intelligence
Utilize OT/ICS-specific threat intelligence feeds and external sources to gain insights into the latest attack techniques, indicators of compromise (IOCs), and threat actor behaviors specific to OT environments.

3. Use Advanced Analytics and AI
Employ advanced analytics, machine learning, and artificial intelligence (AI) techniques to analyze vast amounts of OT data in real time. These technologies enable the detection of anomalies, patterns, and potential indicators of compromise.

4. Combine Human Expertise with Automation
Human analysts with deep knowledge of OT systems should collaborate with automated tools and technologies. This combination enhances the effectiveness of threat hunting by leveraging human intuition and expertise alongside the scalability and speed of automation.

5. Adopt Endpoint Detection and Response (EDR)
EDR solutions play a crucial role in threat hunting by providing real-time visibility into endpoint activities, enabling proactive threat hunting and faster response to potential threats.

6. Conduct Regular Red Team Exercises
Simulate realistic attack scenarios through red team exercises to test the effectiveness of existing security measures and identify potential weaknesses or blind spots in the OT network.

Compliance Kit: Cybersecurity Tabletop Exercise Planning Manual

Overcoming Challenges in Threat Hunting for OT Networks

While threat hunting in OT networks brings significant benefits, it also presents certain challenges that organizations must address.

1. Lack of OT-Specific Expertise
Finding skilled personnel with expertise in both OT systems and cybersecurity can be challenging.

2. Access to Comprehensive OT Data
Gathering and analyzing comprehensive data from OT networks can be complex due to legacy systems, proprietary OEM protocols, and limited visibility into OT environments. To find out how Sectrio’s solution can help overcome this challenge, watch us in action: Request a Demo

3. Integration with Existing Security Infrastructure
Ensuring seamless integration between threat hunting activities and existing security infrastructure, such as security information and event management (SIEM) systems and intrusion detection systems (IDS), can pose challenges.

4. Balancing Security and Operational Requirements
OT environments prioritize operational continuity, which can sometimes conflict with the security measures implemented during threat hunting. Striking a balance between security and operational requirements is crucial to prevent disruptions while maintaining robust cybersecurity.

5. Adapting to Evolving Threats
Threat actors continually evolve their tactics and techniques, necessitating constant updates and adjustments to threat hunting strategies and methodologies.

Sectrio eBook: OT Security Challenges and Solutions

Real-Life Examples of Threat Hunting in OT Networks

Illustrating the effectiveness of threat hunting in OT networks, here are a few real-life examples:

1. Identifying Malware Infections
Through threat hunting, an energy company discovered signs of a malware infection in its OT network. By proactively investigating the anomalies, it was able to isolate and remove the malware before it caused any operational disruption.

2. Detecting Insider Threats
During a threat hunting exercise, an industrial manufacturing company identified suspicious activities indicating a potential insider threat. The timely detection allowed it to investigate further, identify the compromised user account, and mitigate the risk before it led to significant damage or data exfiltration.

3. Uncovering Hidden Vulnerabilities
By conducting thorough threat hunting activities, a transportation organization discovered previously unknown vulnerabilities in its OT systems. It promptly patched the vulnerabilities, reducing the risk of exploitation by threat actors.

4. Mitigating Advanced Persistent Threats (APTs)
A critical infrastructure provider proactively engaged in threat hunting to identify indicators of an advanced persistent threat (APT) targeting its OT network. Through continuous monitoring and analysis, it was able to detect the APT’s presence, gather intelligence, and collaborate with law enforcement agencies to mitigate the threat effectively.

For CISOs: Simplify the RoI for an OT Threat Hunting program

Getting buy-in from the board can always be tough; here are a few pointers on the ROI that can be



How to implement micro segmentation in an OT environment

Micro segmentation is a proven security strategy that works by dividing a network into much smaller and more secure segments. This limits the spread of a cyberattack in case of a breach, containing the event and its implications. Micro segmentation involves creating security zones around individual devices, applications, or services within an OT network, isolating them from other parts of the network. At its heart, micro segmentation is security via access denial. In an OT environment, micro segmentation can be used to secure critical infrastructure systems including power plants, water treatment facilities, and manufacturing plants.

4 key benefits of having micro segmentation in an OT environment

1. Enhanced security
Micro segmentation significantly improves security by shrinking the attack surface. In a worst-case scenario where an attacker manages to breach one segment, they face additional barriers to gaining access to other segments. Thus the mobility of an attacker or malware is significantly limited.

2. Improved operational efficiency
By segmenting network traffic and limiting broadcast domains, micro segmentation can lead to improved network performance and reduced congestion. It ensures the availability of dedicated bandwidth and resources to critical OT resources, optimizing their performance.

3. Compliance
Micro segmentation enables security teams to deploy security policies at a granular level. This improves their ability to comply with standards such as IEC 62443 and NERC CIP. By segregating sensitive systems and data, organizations can more easily demonstrate compliance and meet audit requirements.

4. Adaptability and scalability
Micro segmentation offers flexibility in adapting to and managing evolving network architectures. When new devices or services are added, they can be assigned to appropriate segments, ensuring a secure, dynamic, and scalable network infrastructure.

Planning for implementing micro segmentation in an OT environment

Implementing micro segmentation in an OT environment requires careful planning, network awareness and visibility, and a thorough understanding of the operational requirements. To begin with, complete a thorough assessment of your OT environment, inventory all your OT assets, and segregate them based on criticality. Once the OT asset inventory is complete, follow these steps:

1. Understand the OT architecture
Understand the interdependencies and communication patterns of all key systems and map them.

2. Define segmentation policies
Using the initial assessment, determine the segmentation policies and access controls needed for each segment. Consider factors such as security requirements, operational needs, compliance mandates, and any network or asset restrictions. Define rules for communication within and between segments to ensure a smooth flow of data. The policies should be defined so as to improve network visibility and efficiency while minimizing any scope for latency.

3. Design network segments
Conceptualize a network segmentation plan that aligns with your segmentation policies and overall goals. Determine the boundaries and scope of each segment, factoring in network topology, physical and logical separation, and traffic flow requirements.

4. Implement access controls
Deploy access control mechanisms including firewalls, switches, routers, and security appliances to enforce the segmentation policies defined in the earlier step. Configure the rules and policies to control traffic flow and restrict communication based on the principle of least privilege, in line with Zero Trust.

5. Establish adequate controls for monitoring and visibility
Implement network monitoring and visibility tools to gain an in-depth view of network traffic, segment interactions, and potential security incidents. This helps in identifying anomalies, detecting unauthorized communication attempts, preventing breach attempts, and ensuring ongoing compliance.

6. Test often and validate
Conduct thorough testing and validation of the implemented micro segmentation strategy frequently. Verify that the intended segmentation is working as per the defined goals and principles without disrupting any critical or non-critical operations. Conduct penetration testing to discover any vulnerabilities or misconfigurations that could impair the gains from micro segmentation.

7. Deploy segmentation controls
Deploy the micro segmentation controls gradually, starting from less critical segments and moving towards the more critical ones to minimize any disruption. This approach enables fine-tuning and adjustment of controls and rollout based on real-world operational scenarios.

8. Train staff and improve security sensitivity
Run training and awareness programs for OT and IT personnel involved in managing and operating the segmented network. Ensure that they understand the purpose, goals, benefits, and proper use of micro segmentation. Train them on incident response and handling procedures specific to segmented environments.

9. Monitor, maintain, and update
Continuously monitor all network segments, review access control policies, and update them as needed. Regularly assess the effectiveness of micro segmentation controls and adapt them to evolving threats and operational changes.

10. Regular auditing and compliance checks
Conduct regular, calendarized audits to assess the compliance of the micro segmentation implementation with relevant industry standards and regulations. Address any identified gaps or non-compliance issues promptly.

There are many ways to deploy micro segmentation in an OT environment, taking into account factors such as goals, size of operations, security needs, and compliance mandates. One approach is to use network segmentation devices such as firewalls and switches as per the pre-defined segmentation architecture. Organizations can also use software-defined networking (SDN) technology for micro segmentation: SDN can be used to create virtualized networks, which can then be segmented and controlled far more easily.

Find out how Sectrio can help micro segment your OT/ICS network: Micro segmentation

The best path to micro segmentation

The best approach for implementing micro segmentation in an OT environment will almost certainly depend on the specific needs of the organization and the security team involved. Depending on the maturity of existing security practices, OT micro segmentation can be fine-tuned so that the combined controls deliver more than the sum of their parts. Micro segmentation is most certainly a valuable security strategy and tactic that can help protect critical infrastructure systems and improve your security posture. Request a demo and find out how Sectrio can help elevate your security posture today: Request a Demo
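As an added example (not Sectrio's code or any product's), the following Python models the default-deny segmentation policy that steps 2, 4 and 6 above describe: an explicit allow list between segments, a pre-rollout validation of the rule set, and an audit of observed flow records that flags every connection attempt the policy does not permit. The segment names, address ranges, allow rules, forbidden pairs and flow records are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Segments from the asset inventory, grouped by criticality and function.
# Constructed inventory; the address ranges are placeholders.
SEGMENTS = {
    "control": ip_network("10.10.1.0/24"),      # PLCs, RTUs
    "supervisory": ip_network("10.10.2.0/24"),  # HMIs, historians
    "dmz": ip_network("10.10.3.0/24"),          # jump hosts, patch staging
    "corporate": ip_network("10.20.0.0/16"),    # IT network
}

@dataclass(frozen=True)
class Rule:
    src: str    # source segment
    dst: str    # destination segment
    proto: str  # "tcp" or "udp"
    port: int   # destination port

# Explicit allow list between segments; every other connection attempt is
# denied (least privilege). Which flows to permit is a constructed policy.
ALLOW_RULES = [
    Rule("supervisory", "control", "tcp", 502),  # HMI polls PLC (Modbus/TCP)
    Rule("dmz", "supervisory", "tcp", 3389),     # jump host to HMI (RDP)
    Rule("corporate", "dmz", "tcp", 443),        # corporate reaches the DMZ only
]

# A design constraint the rule set must satisfy (constructed): no rule may
# let the corporate network reach the control segment directly.
FORBIDDEN_PAIRS = {("corporate", "control")}

def segment_of(ip: str):
    """Return the segment an address belongs to, or None if not inventoried."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """Classify a connection attempt as 'allow', 'deny' or 'unknown-asset'.

    Only connection initiations are evaluated; a stateful firewall is
    assumed to pass the return traffic of an allowed session.
    """
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "unknown-asset"   # an asset missing from the inventory
    if src == dst:
        return "allow"           # intra-segment traffic is outside this policy
    for rule in ALLOW_RULES:
        if (rule.src, rule.dst, rule.proto, rule.port) == (src, dst, proto, port):
            return "allow"
    return "deny"                # default deny

def validate_policy(rules=ALLOW_RULES, segments=SEGMENTS) -> list:
    """Static checks of the rule set before rollout (step 6 above)."""
    problems = []
    names = list(segments)
    for i, a in enumerate(names):          # segments must not overlap
        for b in names[i + 1:]:
            if segments[a].overlaps(segments[b]):
                problems.append(f"segments {a} and {b} overlap")
    for rule in rules:
        if rule.src not in segments or rule.dst not in segments:
            problems.append(f"rule {rule} references an undefined segment")
        if (rule.src, rule.dst) in FORBIDDEN_PAIRS:
            problems.append(f"rule {rule} violates a segmentation constraint")
    return problems

def audit_flows(flows):
    """Run observed flows through the policy; return the ones to investigate."""
    findings = []
    for f in flows:
        verdict = evaluate(f["src"], f["dst"], f["proto"], f["dport"])
        if verdict != "allow":
            findings.append((verdict, f))
    return findings

# Constructed flow records, in the shape a monitoring tool might export.
SAMPLE_FLOWS = [
    {"src": "10.10.2.15", "dst": "10.10.1.7", "proto": "tcp", "dport": 502},
    {"src": "10.20.4.9", "dst": "10.10.1.7", "proto": "tcp", "dport": 502},
    {"src": "10.20.4.9", "dst": "10.10.3.2", "proto": "tcp", "dport": 443},
    {"src": "10.10.3.2", "dst": "10.10.2.15", "proto": "tcp", "dport": 22},
    {"src": "192.168.77.5", "dst": "10.10.1.7", "proto": "tcp", "dport": 502},
]

if __name__ == "__main__":
    for problem in validate_policy():
        print("policy problem:", problem)
    for verdict, flow in audit_flows(SAMPLE_FLOWS):
        print(f"{verdict:14} {flow['src']} -> {flow['dst']}:{flow['dport']}/{flow['proto']}")
```

The second sample flow (corporate host straight to a PLC on the Modbus port) is exactly the lateral move segmentation is meant to stop, and the last one shows why an incomplete asset inventory is itself a finding.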



Best practices for an OT patch management program

Having an OT patch management program is critical from a security and operational perspective for industries in manufacturing or critical infrastructure. A comprehensive patch management program is an integral part of an organization’s overall risk management (and mitigation) strategy. It not only helps identify and prioritize vulnerabilities and assess their potential impact on operations, but also enables organizations to design and implement appropriate actions to remedy the associated risks. Effective patch management minimizes the likelihood of successful cyberattacks and thereby helps maintain the integrity and availability of OT systems. Here are 10 best practices that Sectrio recommends for ensuring the success of your OT patch management program:

Plan and implement a patch management process
Develop a formal patch management process specifically tailored for OT systems. Define roles, responsibilities, and procedures for evaluating, testing, and deploying patches.

Prioritize patching as part of your overall operations
Assess the criticality of each patch and prioritize deployment based on the severity of the vulnerabilities, the potential impact on operations, and the availability of vendor-supplied patches. This ensures that critical patches are deployed first.

Test patches thoroughly
OT environments often consist of complex, layered, and interconnected systems spilling over into the IT environment. It is therefore advisable to perform comprehensive testing in a controlled environment (closely resembling the production environment) to ensure compatibility, stability, and functionality. The respective OEMs of selected OT devices or systems can help in this regard.

Maintain a system inventory
Maintaining an accurate inventory of all OT assets, including hardware devices, software, and firmware, is essential. Capture as much information as possible in this inventory, including details such as date of addition, last patch update, criticality, OEM information and legacy status. This inventory helps in identifying the systems that require patching and in tracking the status of deployed patches.

Build strong vendor relationships
Establish strong relationships with OT system vendors and make them partners in your patch management efforts. Make a proactive effort to stay informed about the latest security patches and updates through communication with the vendor. Engage vendors for technical support and assistance during the patching process to ensure the smooth functioning of critical systems before, during, and after patching.

Secure network segmentation
Network micro segmentation should be deployed to isolate critical OT systems from corporate or external networks. This practice reduces the attack surface and helps contain the impact of potential vulnerabilities and compromises.

Also Read: How to get started with OT security

Deploy tested backup and recovery plans
Prioritize regular backups of OT system configurations and data as part of your disaster recovery and business continuity plan. If a patch leads to unexpected issues, having backups available enables faster recovery while minimizing downtime.

Develop and publish change management procedures
Integrate patch management strategically into your overall change management process. Make sure that all patches are deployed in a controlled, studied, and documented manner, with approvals, change tracking, and rollback plans. These procedures can themselves be tested to improve efficiency.

Consider redundancy
OT systems often operate in environments that require high availability. You should therefore consider redundancy and failover mechanisms to minimize disruptions during patch deployment. Such a plan can involve redundant systems, clustering, or ‘hot’ standby configurations.

Plan for, monitor, and maintain situational awareness
Keep an eyes-on-glass view and continuously monitor OT systems for vulnerabilities, risks, and emerging threats. Stay updated with security advisories, specific threat information, industry forums, and vendor notifications to proactively address risks.

Review, audit, and improve
No patch management program can be fully effective without a provision for constant improvement through feedback. Conduct periodic reviews and audits of the patch management process to determine areas of improvement, ensure compliance with policies and regulations, and verify the effectiveness of deployed patches.

Bonus tips from Sectrio

Track vulnerabilities on a centralized console
Use a centralized OT patch management solution or an OT security solution that tracks patches and CVEs.

OT patch management solution: getting buy-in
Help key stakeholders understand the need for a comprehensive program in order to secure their buy-in.

Governance, Risk and Compliance (GRC)
Weave the OT patch management program into your institutional cybersecurity practices and policies across your plants. Tie in and actively track your compliance against mandates such as NIST SP-800-82r2 or IEC 62443.

How can Sectrio help you?

Developing and running an effective patch management program is not easy. This is why you need help from our certified OT security consultants, who can help you devise, test, and run a comprehensive OT security program. Reach out to learn more. Sectrio’s OT security solution also comes with a powerful vulnerability management module that can help you track patches, emerging vulnerabilities, and CVEs effortlessly. Connect with our OT security analyst for a quick demo. Try our OT-specific cyber threat intelligence feeds to stay ahead of emerging threats.

