Your IT network has been compromised. Your OT network seems to be working fine, but you’re worried that the compromise will spread to OT. What do you do?
Colonial Pipeline faced this situation in 2021 when ransomware infected their IT network. Their response? Shut down the pipelines. Outsiders will never know if this was the right response. Was it required to prevent physical damage to the pipelines, and the loss of life, property damage, or environmental catastrophe that could follow?
What neither insiders nor outsiders fully appreciated was how difficult it would be to get the pipelines back up and running. They hadn't been shut down like this in decades, and Colonial Pipeline had to bring back retired employees who had experience starting up the pipeline.
There are numerous possible OT responses to an IT compromise, including:
- Shutting down the physical process.
- Disconnecting OT from IT to prevent the attack from reaching OT. This is often called "island mode", and it's getting harder to do as OT relies more on data and services hosted in IT.
- Activating a pre-staged emergency ruleset on the IT/OT security perimeter that is much tighter than the normal ruleset.
- Running the physical process with less automation, moving some high-consequence systems or processes to manual mode.
- Running the physical process with reduced output.
- Further isolating and monitoring safety and protection systems.
As you work out your answer, the decision tree will likely have branches beyond the single fact that IT is compromised. For example, you could check the IT/OT security perimeter logs for unusual activity. If there is, go to island mode. If there isn't, increase monitoring.
The key is to build this decision tree now and get it approved at the appropriate level of management. You don't want to be working through it for the first time while your IT network is compromised.
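As an added illustration, not part of the original post, here is the perimeter-log branch of that decision tree written out as a script. The firewall log format, the IT and OT address ranges, the approved-flow baseline and the deny threshold are all assumptions made for the example; the sample log lines are constructed, not taken from any real device or incident. "Unusual activity" is given two concrete meanings here: an allowed IT-to-OT flow that is not in the approved baseline, and one IT host being denied repeatedly across several OT hosts.

```python
import re
from collections import Counter

# Constructed sample lines from an IT/OT perimeter firewall (assumed key=value
# format, not from any real product). 10.1.0.0/16 is the assumed IT side,
# 10.9.0.0/16 the assumed OT side.
SAMPLE_LOG = """\
2021-05-07T10:01:02 action=allow src=10.1.20.5 dst=10.9.0.10 dport=1433 proto=tcp
2021-05-07T10:01:09 action=allow src=10.1.20.5 dst=10.9.0.10 dport=1433 proto=tcp
2021-05-07T10:02:15 action=allow src=10.1.30.7 dst=10.9.0.22 dport=502 proto=tcp
2021-05-07T10:02:16 action=deny src=10.1.44.9 dst=10.9.0.22 dport=445 proto=tcp
2021-05-07T10:02:16 action=deny src=10.1.44.9 dst=10.9.0.23 dport=445 proto=tcp
2021-05-07T10:02:17 action=deny src=10.1.44.9 dst=10.9.0.24 dport=445 proto=tcp
2021-05-07T10:02:17 action=deny src=10.1.44.9 dst=10.9.0.25 dport=445 proto=tcp
"""

# Assumed baseline of approved IT->OT flows: (source host, destination host, port).
# In practice this comes from the perimeter rule review, not from a script.
BASELINE_FLOWS = {
    ("10.1.20.5", "10.9.0.10", 1433),   # e.g. historian replication (assumed)
}

LINE_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def parse_log(text):
    """Parse key=value firewall lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def find_unusual(events, baseline=BASELINE_FLOWS, deny_threshold=3):
    """Return findings that count as 'unusual activity' at the perimeter.

    Two illustrative checks (the threshold is an assumption):
      1. an allowed IT->OT flow that is not in the approved baseline
      2. a single IT source denied deny_threshold or more times, which looks
         like scanning from a compromised IT host
    """
    findings = []
    denies = Counter()
    for e in events:
        flow = (e["src"], e["dst"], e["dport"])
        if e["action"] == "allow" and flow not in baseline:
            findings.append(f"allowed flow outside baseline: {flow}")
        elif e["action"] == "deny":
            denies[e["src"]] += 1
    for src, n in denies.items():
        if n >= deny_threshold:
            findings.append(f"{src} denied {n} times across OT hosts")
    return findings


def decide(it_compromised, findings):
    """The decision tree from the post: IT compromise is the root node, and
    perimeter activity chooses between island mode and increased monitoring."""
    if not it_compromised:
        return "no OT action from this branch"
    if findings:
        return "island mode"
    return "increase monitoring"


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    findings = find_unusual(events)
    for f in findings:
        print("unusual:", f)
    print("decision:", decide(True, findings))
```

Run against the constructed log, the script flags the Modbus/TCP flow from 10.1.30.7 (not in the baseline) and the four denied SMB attempts from 10.1.44.9, so the decision is island mode. The point of writing it down this way is that the thresholds, the baseline and the outcomes are fixed and approved ahead of time, rather than argued over at 2 a.m. when the IT incident is already underway.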
What will you do if your IT network is compromised and there are concerns it could spread to OT?