secure datacenter – Waterfall Security Solutions
https://waterfall-security.com
Unbreachable OT security, unlimited OT connectivity
Mon, 21 Jul 2025 18:20:03 +0000

Step 2 Addressing OT Cyber Risk: Asset Inventory & Dependencies
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/ot-cyber-risk-step-2/
Thu, 07 Dec 2023 15:21:24 +0000

Managing OT Cyber risk takes on different approaches and expertise depending on the potential consequences of compromise to a particular system. This is why it is important to delve into the distinction and importance of an engineering-centric approach to managing OT cyber risk.


Step 2 - Addressing Cyber Risk

Moments after the discovery of a ransomware attack on the IT network of the North American Colonial Pipeline, company management responded by shutting down all physical operations out of “an abundance of caution”. As a result of this shutdown, Colonial lost 6 days of operation at 2.5 million barrels per day and paid nearly $5 million in ransom payment. The precautionary shutting down of operations reflected a degree of uncertainty in the cybersecurity controls in place at the time protecting the OT network from cyber attacks propagating through the IT network. The US Transportation Security Administration (TSA) responded by releasing a series of security directives following this event, with a common thread repeated through the series of directives: implement a cyber defense strong enough that, if the IT network is compromised, the OT network can continue operating at necessary capacity. The Colonial attack represents the present-day OT cyber risk scenario that industrial enterprises can no longer avoid; OT networks must be sufficiently protected from attacks arriving via more-exposed or less-consequential networks.

Designing a strong defensive posture to minimize OT cyber risk is a multi-step process, and one of the first places to start is by taking a thorough inventory, not only of industrial and cyber assets, but also of data flows and interdependencies. Physical assets and operations are what we need to protect, but data flows can be the means through which cyber sabotage attacks travel, and interdependencies must be discovered and understood as they complicate the task of how and what we need to protect. Let’s look at each of these in more detail.


Inventory Network Assets and Associated Vulnerabilities

In our previous article on step 1 of an OT Cyber Risk Management plan we identified the who: assigning responsibility for OT cyber risk management. Step 2 is identifying the what. This step in managing OT cyber risk is creating and maintaining an accurate asset inventory: the most accurate representation of the physical network. This exercise involves recording both assets and vulnerabilities/attack opportunities. Assets help us understand criticality, and vulnerabilities help us understand exposure. An asset assessment accomplishes the goal of considering the worst-case consequences of compromise of each asset and subsequently assigning it a level of criticality. Once criticality is determined, it informs the strength of the security program needed for a system or network.

Taking an asset inventory can be manual (very labor intensive) or automatic. Automatic asset assessments are either passive “sniffing” or active “probing”. Each option has advantages and disadvantages and the type we choose will depend on staffing requirements, budget and the geographical expanse of our industrial sites. Documenting an entire operations network can be challenging, as industrial assets may not stand up well to network and device scanning. After all assets (both hardware and software), applications, endpoints and user accounts and any associated documentation such as vendor information and serial numbers have been recorded and inventoried, they should be grouped and organized in a manner that makes sense from a network architecture, functionality, and criticality perspective. The Purdue Model can serve as a useful starting point.

In addition to the inventory of physical hardware and software assets, taking an inventory of software vulnerabilities and exploitative opportunities helps us assess exposure. Software vulnerabilities can introduce compromise to the information being processed, stored, or transmitted by OT systems. Stolen credentials, weak permissions, weak passwords and other security configuration weaknesses can also be exploited. Assessing exposure to attacks tells us what opportunities attackers have to exploit.

Inventory Data Flows

In addition, if an attacker wants to mis-operate OT systems, he has to connect to those systems to mis-operate them. Connectivity is how cyber-sabotage attacks reach targets – all data flows are potential attack vectors. Data flows include both physically carrying the attack information into the site (offline attacks) and exploiting digital connections through remote means (online attacks). Taking an inventory of data flows provides an understanding of how cyber-sabotage attack information can reach the systems we need to protect. The only way OT networks can experience cyber sabotage is for attack information to enter the system, somehow.

A useful way to document data flow inventories is to develop (and maintain) a network data flow diagram. The goal is not to document every data flow in a complex system – such a diagram would be complex beyond understanding. Major internal data flows should be documented or illustrated, but all online and offline data flows through physical or cyber perimeters to less-critical networks must be documented. It is data flows that permit attacks to cross criticality boundaries, such as the IT/OT network perimeter, that most urgently must be documented and understood.

The diagram should indicate bidirectional and unidirectional data flows, inputs/outputs, data storage, and again, data flows through which information and potential attack information from outside the OT network can pass to the inside. Many asset inventory solutions have diagram-generating capabilities that can help track changes to the network environment over time. This will prove advantageous both in designing and implementing appropriate cyber protections and in incident response and recovery efforts following an attack.

Inventory Dependencies

Next, the OT cyber risk team must get a handle on network and other dependencies. For the purposes of assessing attack exposure, we must know about all the ways OT assets and physical operations depend on services from more-exposed IT, Internet or cloud networks. More difficult to determine, but just as essential, is that we must understand those tricky dependencies that exist even without communications between IT and OT assets and networks, such as procedural or logistical dependencies. These dependencies are important because IT assets are low-hanging fruit for attackers. Even when OT systems or physical operations are the ultimate target of an attack, most OT network attacks begin with compromising IT systems. IT/OT interconnections and dependencies must be identified and protected, and the data flow controlled, to properly manage OT cyber risk.

For example, Active Directory systems are a common data flow dependency. In many organizations, OT systems need to connect to IT Active Directory servers to enable users to log in. In this scenario, if OT systems cannot connect to Active Directory servers residing in the IT network, OT is crippled. Subtler dependencies can exist; not all dependencies are reflected in information flows.

For example, during the NotPetya cyber attack, Maersk, the world’s largest container shipping company, suffered an operations outage because of a procedural dependency that was not evident in IT/OT information flows. The NotPetya malware crippled the database on the IT network that instructed truck drivers where to transport containers that were unloaded from ships in port. Since the tracking system was down, the drivers were unable to deliver the containers. Sometimes dependencies are complicated, and the best way to investigate them is to assemble all stakeholders together and ask: if all IT systems were shut down, could physical operations continue, and if not, why not?

Dependencies on IT systems are one reason that so many ransomware attacks result in outages of OT networks. Ransomware attacks impair IT networks more often than they do OT systems, and if OT networks have multiple dependencies with IT systems that ransomware has impaired, physical operations cannot continue. While it can be very difficult to eliminate all OT dependencies on IT systems, we cannot simply ignore any dependencies that must remain in place. Instead, we must recognize that IT systems which are essential to continued physical operations are in fact reliability-critical components. These reliability-critical systems may be hosted on the IT network instead of the OT network but must be managed and secured in many of the same ways that OT systems are managed and secured.
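The inventory questions raised in this section (which data flows cross the IT/OT perimeter, which OT assets stop if IT is shut down, and which IT assets are therefore reliability-critical) can be worked through on a small model. The following is an added example, not code from the article or from Waterfall; the asset names, flows and dependencies are constructed sample data, and the "procedural" dependency mirrors the Maersk case described above.

```python
from collections import namedtuple

# zone is "IT" or "OT"; purdue_level 0 (process) .. 4 (enterprise);
# criticality is the worst-case consequence of compromise ("high"/"medium"/"low")
Asset = namedtuple("Asset", "name zone purdue_level criticality")
DataFlow = namedtuple("DataFlow", "src dst protocol bidirectional")
# kind is "network" (visible in a data flow) or "procedural" (visible in no data flow)
Dependency = namedtuple("Dependency", "dependent provider kind reason")

# Constructed sample inventory; the names are hypothetical, not a real site.
ASSETS = {a.name: a for a in [
    Asset("IT-AD", "IT", 4, "medium"),        # enterprise Active Directory
    Asset("ERP", "IT", 4, "medium"),
    Asset("Dispatch-DB", "IT", 4, "medium"),  # tells drivers where containers go
    Asset("OT-Historian", "OT", 3, "medium"),
    Asset("HMI-1", "OT", 2, "high"),
    Asset("PLC-Line1", "OT", 1, "high"),
    Asset("Loading-Dock", "OT", 0, "high"),   # a physical operation, not a computer
]}
FLOWS = [
    DataFlow("OT-Historian", "ERP", "OPC UA", False),   # production data pushed out to IT
    DataFlow("IT-AD", "HMI-1", "Kerberos/LDAP", True),  # operator domain logins
    DataFlow("HMI-1", "PLC-Line1", "Modbus/TCP", True),
]
DEPS = [
    Dependency("HMI-1", "IT-AD", "network", "operators log in with domain accounts"),
    Dependency("PLC-Line1", "HMI-1", "network", "no operator control without the HMI"),
    Dependency("Loading-Dock", "Dispatch-DB", "procedural", "drivers need destinations"),
]

def perimeter_crossings(assets, flows):
    """Flows whose endpoints sit in different zones: the ones that must be documented."""
    out = []
    for f in flows:
        a, b = assets[f.src], assets[f.dst]
        if a.zone != b.zone:
            out.append((f, "IT<->OT" if f.bidirectional else f"{a.zone}->{b.zone}"))
    return out

def cascade(assets, deps, initially_down):
    """Propagate an outage along dependencies; return the OT assets it reaches and why."""
    down, why = set(initially_down), {}
    changed = True
    while changed:
        changed = False
        for d in deps:
            if d.provider in down and d.dependent not in down:
                down.add(d.dependent)
                why[d.dependent] = f"{d.kind} dependency on {d.provider}: {d.reason}"
                changed = True
    return {n: r for n, r in why.items() if assets[n].zone == "OT"}

def ot_blocked_by_it_outage(assets, deps):
    """'If all IT systems were shut down, could physical operations continue?'"""
    return cascade(assets, deps, [n for n, a in assets.items() if a.zone == "IT"])

def reliability_critical_it(assets, deps):
    """IT assets whose loss alone halts some OT asset or physical operation."""
    return sorted(n for n, a in assets.items() if a.zone == "IT" and cascade(assets, deps, [n]))

if __name__ == "__main__":
    print(perimeter_crossings(ASSETS, FLOWS))
    print(ot_blocked_by_it_outage(ASSETS, DEPS), reliability_critical_it(ASSETS, DEPS))
```

Note that ERP is an IT asset with a perimeter-crossing flow but no OT dependency on it, so it is an exposure to control but not reliability-critical, while Dispatch-DB has no data flow into OT at all yet still halts the loading dock.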

Wrapping it up

Documenting an asset inventory is a first step in the direction of determining the criticality of OT assets and contributes to understanding of exposure. A data flow inventory, especially of the data flows that permit external information into OT networks, documents exposures (or attack vectors) that need to be eliminated or controlled. Dependencies expose OT systems to external attacks – not because the attacks reach OT systems, but because OT needs to shut down if IT systems that OT depends upon are crippled. The next step in an OT cyber risk assessment, assigning asset criticality, will be much more streamlined if the asset inventory step is carried out successfully.

Written by Courtney Schneider
NIS2 Compliance for ICS
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/nis2-compliance-for-ics/
Tue, 17 Oct 2023 11:57:28 +0000

The NIS2 Directive is a directive by the European Parliament on the measures that need to be taken for a high common level of cybersecurity across the European Union.

What are the main takeaways from the new NIS2 Directive and what are the main requirements for compliance?

NIS2 compliance cheat sheet

The NIS2 Directive is a directive by the European Parliament on the measures that need to be taken for a high common level of cybersecurity across the European Union. The NIS2 Directive replaces the previous NIS Directive (EU Directive 2016/1148) and aims to improve the security of crucial services by protecting the networks and information systems of critical and important entities across the EU.

The NIS2 Directive applies to a wide range of organizations, including:

  • Essential entities: These are organizations that provide essential services, such as energy, water, transport, and financial services.

  • Important entities: These are organizations that are not essential entities, but that could have a significant impact on the economy or society if they were to be disrupted by a cyberattack.

  • 3rd parties: Providers and suppliers that want to work with entities that provide essential or important services such as the above two.

The NIS2 Directive applies to “Essential” entities, “Important” entities, and 3rd party providers/suppliers that want to work with those “essential” and “important” entities.

Cybersecurity Measures Required by the NIS2 Directive

The NIS2 Directive is a complex piece of legislation, and there are several different ways that organizations can comply with it. However, the key principles of the directive are risk management, incident response, vulnerability management, security awareness training, and supply chain security.

  • Risk management: Organizations must identify and assess the risks to their networks and information systems. This also includes designating a person or team responsible for the decisions that need to be made regarding risk, who are accountable if something goes wrong.

  • Incident response: Organizations must have a plan in place to respond to cybersecurity incidents within 24 hours of the incident. NIS2 also requires organizations to report certain types of cybersecurity incidents to their national authorities.

  • Vulnerability management: Organizations must identify and patch vulnerabilities in their systems in a way that is appropriate for their devices and networks. This use of the term “appropriate” is somewhat ambiguous and it is probably best to err on the side of caution and provide more protection instead of less protection whenever there is any doubt.

  • Security awareness training: Organizations must train their employees on cybersecurity best practices. Sometimes the most secure networks can be compromised by an employee clicking on a phishing link or using a weak password. These issues can be greatly mitigated if everyone with access has a good understanding of the types of threats that exist and how to avoid them.

  • Supply chain security: Organizations must also ensure that their 3rd party vendors are taking appropriate cybersecurity measures. This means that not only does the entire internal operation need to comply with NIS2, but also any 3rd party vendors that provide products or services need to comply too.

Overall, the NIS2 Directive represents a significant step forward in the fight against Europe’s cyber threats. By requiring organizations, and their supply chains, to implement stronger cybersecurity measures, the directive will help in protecting critical infrastructure and other important assets from cyberattacks throughout the European Union.

Securing Data Center OT Networks
https://waterfall-security.com/ot-insights-center/facilities/securing-data-center-ot-networks/
Tue, 05 Sep 2023 14:25:37 +0000

What are data center OT networks? How are they different from other OT networks? What are their vulnerabilities, and what are the consequences of their vulnerabilities?


Securing Data Center OT Networks

What are data center OT networks? 

Data center OT networks and systems are specialized industrial control systems that manage the physical infrastructure and systems throughout a data center. They enable real-time control and monitoring of critical functions such as power distribution, cooling, physical and access control. These OT networks are ideally isolated from IT networks to maximize security, rely on specialized OT communications protocols and often have redundant systems to ensure reliability and resilience.  

How are data center OT networks different from other OT networks? 

Data center OT networks differ from other OT networks in that many other OT systems operate critical industrial infrastructures. Data centers are generally not considered industrial infrastructure, but critical information infrastructures. In both kinds of infrastructure, yes, worker safety comes first – especially in the parts of the data center dealing with high voltage electricity or fire suppression. In data centers however, worker safety concerns and risks are more contained than in industrial infrastructures, and the big priority is the reliability of data center functions – the functions providing the informational infrastructure.  


Data Center Cyber Risks 

When it comes to data centers, uptime is a very important key performance indicator (KPI).  

Let’s look at major infrastructure components in data centers and how they can impact uptime: 

BMS (Building Management System): 

The BMS plays a critical role in monitoring and controlling various aspects of the data center’s physical environment, such as temperature, humidity, and airflow. Cyber risks related to the BMS can include unauthorized access, manipulation, or disruption of the system. Attackers might exploit vulnerabilities in the BMS software or hardware to gain control of critical infrastructure, potentially leading to data center downtime or equipment damage. Additionally, if the BMS is integrated with other systems, such as fire suppression or access control, compromising the BMS could have cascading effects on overall data center security and even worker safety. 

EMS (Electrical Management System): 

The EMS manages the electrical distribution and power systems in the data center. Cyber risks in the EMS can lead to power-related issues, such as disruptions to Uninterruptible Power Supplies (UPS) or failures in power distribution. Attackers could exploit weaknesses in the EMS to cause power outages, leading to data loss, service interruptions, and potential electrical hardware damage that could lead to much longer term outages. Moreover, unauthorized access to the EMS might enable attackers to manipulate power settings, increasing the rate of wear on computer components and increasing the rate of transient “glitch” style outages among computers in the data center. 

SEC (Security Management):

The SEC is responsible for maintaining the data center’s overall physical security posture, including access controls, video surveillance, and threat detection. Cyber risks in the SEC can result in intruders gaining unauthorized physical access to critical areas, and cyber attackers tampering with security systems, or disabling surveillance mechanisms. Moreover, if the security systems are interconnected with other data center components, an attack on the SEC might be used as a gateway for further infiltration. 

DCIM (Data Center Infrastructure Management): 

The DCIM plays an important role in optimizing the management systems of data centers. With a wide suite of tools, DCIMs empower data center administrators to monitor, analyze, and control every aspect of their facility’s infrastructure, from power and cooling systems to server utilization and asset tracking. By providing real-time insights and predictive analytics, DCIM improves operational efficiency and also contributes to substantial cost savings and environmental sustainability. Any possibility of a breach into the DCIM represents a very high risk for the data center, because the DCIM controls so much. A compromised DCIM can be used to shut down the entire center, for example.

Bottom Line:  

Overall, the interconnected nature of data center systems increases the risk of cyber attacks affecting multiple components simultaneously. To mitigate these risks, data center operators must implement robust cybersecurity measures, such as fully segmenting OT networks from IT and updating or patching the OT systems very cautiously, after thorough testing, to minimize the risk of unexpected downtime of OT computers and the physical and electrical processes essential to data center operations. Additionally, data centers require access controls that can’t be breached.

By having a secure OT network, data centers can significantly enhance their resilience against cyber threats, ensuring they maintain the uptime goals they strive to achieve. 

Want to learn how Waterfall Security helps protect data center OT? Read our case study Cybersecurity for Data Centers with a real-world example of a data center in the Asian-Pacific region.
