Supporting the Mental Health of Cybersecurity Professionals

Last week, our founder Patrick Kelley had the privilege of presenting on a topic often overlooked in our industry: the mental health challenges facing cybersecurity professionals.

The presentation, now featured by the EMC cooperative group (NRECA), highlighted the relentless stress, burnout, and emotional toll that defending critical infrastructure can bring. We talked about how protecting the grid goes beyond patching vulnerabilities and watching alerts; it also means protecting the people who stand watch.

Kelley says IT and cyber workers are susceptible to blaming themselves when they feel burned out and thinking it’s their responsibility for “unburning out” themselves. He encouraged attendees to lean on their colleagues in the program the way operations crews do during outages and mutual aid events.
“The way that we move forward is to be more like the linemen in those trucks,” he said. “We need to support each other like they do.”

The Problem We’re Facing

Cybersecurity teams in cooperatives are under constant, high-stakes pressure. With limited staff, evolving threats, and 24/7 vigilance, it’s easy to lose sight of the human cost of protecting member communities. Fatigue, anxiety, and burnout can lead to mistakes—mistakes that attackers are waiting to exploit.

The Conversation We Need

During the presentation, Patrick emphasized that acknowledging and addressing mental health isn’t a weakness—it’s a strategy. We need to normalize the conversation, reduce stigma, and build workflows that allow cybersecurity professionals to sustain their mission without sacrificing themselves in the process.

Practical Steps We Shared

  • Curate threat feeds to reduce noise and alert fatigue.

  • Set clear boundaries for after-hours work and incident escalation.

  • Integrate wellness resources into your incident response plans.

  • Provide training and awareness around mental health just as we do phishing or ransomware.

  • Build a culture where asking for help is seen as responsible, not weak.

Moving Forward

The fact that NRECA chose to highlight this presentation shows how cooperatives are leading the way in prioritizing both operational resilience and human resilience. We’re honored to support their mission and to help co-ops find a balance between strong cybersecurity and strong people.

If your organization is ready to have this conversation, we’re here. Because at the end of the day, protecting the grid means protecting the people who protect it.

Read More

FERC’s New Visibility Mandate: What CIP-015-1 Means for Critical Infrastructure Security—and How Léargas Helps

On June 20, 2025, the Federal Energy Regulatory Commission (FERC) finalized a new cybersecurity requirement that could fundamentally change how electric utilities defend their operational technology networks. This new standard—known as CIP-015-1—introduces a mandatory requirement for Internal Network Security Monitoring (INSM). And it’s not a suggestion—it’s a shift in the way we approach security inside critical systems.

At Léargas Security, we view this as a crucial step forward in helping critical infrastructure operators gain much-needed visibility into their environments. Here’s what the new rule means, why it matters, and how our platform is purpose-built to help utilities stay compliant and secure.

What Is CIP-015-1 and Why Now?

The energy sector has long relied on “perimeter-first” defenses—tools like firewalls, VPNs, and access control systems—to keep cyber threats at bay. But attackers have adapted. They know how to breach these barriers and move laterally inside trusted networks, often undetected until damage is already done.

CIP-015-1 directly addresses this blind spot. For the first time, NERC and FERC are requiring asset owners to implement continuous monitoring of internal network communications. This means tracking east-west traffic within electronic security perimeters (ESPs), detecting suspicious or anomalous behavior, and protecting the integrity of that monitoring data.

In short: the regulators are no longer asking, “Are you guarding the gates?” They’re asking, “Can you see what’s happening inside the walls?”

What’s Required Under CIP-015-1?

The new standard is built around three core requirements:

1. Deploy INSM Technologies and Processes (R1)

Organizations must implement tools and workflows to detect unauthorized or unusual activity on internal networks. These tools may include passive network sensors, flow collectors, intrusion detection systems, or anomaly detection engines—so long as they don’t interfere with real-time operations.

2. Retain Monitoring Data Until Investigations Are Closed (R2)

If suspicious activity is detected, the data associated with those events must be preserved for the duration of the investigation. This ensures that any forensic analysis or root cause reviews are based on verifiable evidence.

3. Protect INSM Data from Tampering (R3)

It’s not enough to collect and store data—you must also ensure it’s protected from unauthorized modification or deletion. Think log integrity, access controls, and verifiable audit trails.

Initially, these requirements apply to high- and medium-impact Bulk Electric System (BES) Cyber Systems that have routable connectivity outside the ESP. However, the rule also instructs NERC to expand these requirements to include Electronic Access Control and Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) within the next 12 months.

Key Deadlines to Watch

Here’s the timeline you need to keep in mind:

- June 2025: FERC approves CIP-015-1. The countdown begins.
- Within 12 months: NERC must expand the standard to include EACMS and PACS.
- Within 36–60 months: Full implementation period ends. By this point, organizations must have technology and processes in place and fully documented.

While this may feel like a long window, implementation and tuning of monitoring technologies across segmented OT networks is not something that can—or should—be rushed.

How Léargas Security Bridges the Gap

At Léargas, we’ve long believed that visibility is the foundation of security. Our Unified XDR platform was designed from day one to address the exact kinds of challenges that CIP-015-1 now brings to the forefront.

Here’s how we help organizations not only meet these requirements but strengthen their overall security posture in the process:

- OT-Friendly Monitoring

We deploy passive sensors and non-intrusive agents tailored for sensitive control system environments. This ensures critical operations are not disrupted while still delivering full-spectrum visibility.

- Baselining and Anomaly Detection

Our platform builds a behavioral baseline for your network and flags deviations in real time. You’ll know immediately if lateral movement, command injection, or unusual peer-to-peer communication occurs within your ESP.

- Investigation-Ready Data Retention

We maintain full-fidelity network data with immutable logs and detailed metadata, helping your teams comply with retention and audit requirements.

- Built-In Integrity Controls

All collected data is protected by default using cryptographic integrity mechanisms. Tamper-evidence, data validation, and access auditing are all baked in.

- Scalable Coverage for EACMS and PACS

As CIP-015-1 expands to include access control systems, Léargas ensures your monitoring capabilities grow with it—without the need for re-architecting.

- Expert Guidance and Documentation

We don’t just drop a tool into your network and leave. Our engineers help craft policies, document procedures, and prepare you for NERC audits with clarity and confidence.

Why This Matters Now

The intent behind CIP-015-1 is clear: to bring accountability and transparency to the parts of the network that have too often been in the dark. It’s not just about compliance—it’s about resilience. Visibility is the key to early detection, fast containment, and smarter recovery.

Whether you’re an electric utility trying to get ahead of the curve or a critical infrastructure operator anticipating similar mandates in your sector, the time to act is now. These rules aren’t going away—and attackers aren’t slowing down.

Let’s Talk

If you’re planning your path to compliance—or just want to better understand how internal network visibility fits into your broader security strategy—we’re here to help.

Book a demo or reach out to our team today to explore how Léargas can support your goals and secure your environment from the inside out.

Léargas Security Proud to Support Ryan Vargas’ Podium Drive

This past weekend, Ryan Vargas delivered a strong podium finish in the NASCAR North America series, once again proving his consistency and determination behind the wheel of the #28 Dodge Challenger.

As an associate sponsor, Léargas Security is proud to support Ryan Vargas as he continues to showcase the focus, discipline, and adaptability that define successful competitors on and off the track.

Ryan’s performance came with its share of challenges. After qualifying, an individual unexpectedly walked onto pit road, forcing Ryan to take evasive maneuvers that damaged the clutch. Under drizzling rain and with the clock ticking, the DJK Racing team worked relentlessly to replace the clutch on pit road before the race, demonstrating the kind of teamwork and composure that mirrors the values we hold at Léargas Security.

Thanks to the guidance and mentorship of DJ Kennington and the DJK Racing team, Ryan was able to refocus and charge to the front, turning what could have been a setback into a moment of resilience and excellence.

Read about Ryan’s podium finish here

At Léargas Security, we believe in supporting individuals and teams who don’t back down in the face of adversity and who approach every challenge with preparation and determination. Ryan Vargas embodies these values, and we are honored to stand with him as he continues to build momentum this season.

Congratulations to Ryan, DJ Kennington, and the entire DJK Racing team for a weekend that showed the true spirit of racing and the power of perseverance.

Patrick Kelley of Critical Path Security to Provide Expert Training on Zeek at Co-op Cyber Tech 2025

Léargas Security is excited to announce that Patrick Kelley, our CEO and seasoned cybersecurity expert, will deliver specialized training on leveraging Zeek for advanced cybersecurity monitoring at the upcoming Co-op Cyber Tech conference. The event, a leading technical conference addressing cybersecurity in the cooperative space, is scheduled for June 24 – 26, 2025, in Denver, Colorado.

In this highly anticipated session, titled “Zeek: Leveraging ACID and OT Protocols,” Patrick will offer practical, hands-on training tailored for critical infrastructure and operational technology (OT) professionals. Participants will gain invaluable insights into effective deployment and use of Zeek for comprehensive network visibility and threat detection across IT and OT environments.

Training Highlights Include:

  • Zeek Deployment Best Practices: Optimal sensor placement strategies (external, internal, between network segments).
  • Comprehensive Zeek Management: Mastering Zeek command-line tools and service control (zeekctl).
  • Advanced Scaling Techniques: Distributed Zeek deployment using Docker and Ansible for enhanced performance.
  • OT-Specific Protocol Analyzers: Hands-on exercises covering critical protocols such as ENIP/CIP, S7Comm, BACnet, DNP3, Modbus, and Profinet.
  • CISA ATT&CK-based Control-system Indicator Detection (ACID): Practical guidance for implementing detection capabilities for critical OT security events.
  • Integrating Zeek with AI: Leveraging Large Language Models (LLMs) and Multi-modal Command Processors (MCPs) to bridge IT and OT knowledge gaps.

Patrick Kelley brings over 25 years of experience in critical infrastructure, government contracting, and cybersecurity across various industries, including extensive experience as a Fractional CISO and within ultra-high-net-worth sectors. Recognized as an industry expert, Patrick frequently contributes insights to major news outlets including NBC, CNN, Fortune, Bloomberg, Guardian, and The Motley Fool.

Join Patrick at Co-op Cyber Tech 2025 to enhance your cybersecurity capabilities with Zeek. This training promises actionable knowledge attendees can immediately apply to fortify their cybersecurity posture.

For further details or inquiries, please contact Patrick Kelley directly at patrick.kelley@leargassecurity.com.

We look forward to seeing you in Denver!

Date: June 24 – 26, 2025
Location: Denver, Colorado

Speaking at GTBA 2025: Ransomware Threats in Telecom and Broadband

We’re pleased to share that Patrick Kelley, CEO of Critical Path Security and Léargas Security, will be speaking at the 2025 GTBA Annual Meeting of the Membership, hosted by the Georgia Rural Telephone and Broadband Association.

📍 Location: Hammock Beach, Daytona Beach, FL
📅 Dates: June 15–19, 2025
🗣 Topic: Ransomware in Telecom and Broadband: Real-World Impact and Response Strategies


Why This Talk Matters

Rural telecommunications and broadband providers have become prime targets for ransomware groups seeking to exploit infrastructure gaps and critical service dependencies. As attackers refine their tactics—often hitting operations where recovery is slow and costly—preparedness is no longer optional.

Patrick will dive into the latest ransomware attack trends, walk through recent case studies, and outline actionable steps for detection, response, and prevention tailored for rural ISPs and telcos.


What Attendees Will Gain

  • A clearer understanding of ransomware attack vectors in telecom infrastructure

  • Guidance on securing legacy and modern broadband systems

  • Tips for building layered defenses without breaking the budget

  • Real-world examples of ransomware playbooks and how to counter them

  • Discussion on insurance, legal pressure, and operational resilience


Who’s Behind the Attacks?

Several nation-state and cybercriminal groups have increasingly targeted the telecom and broadband sector:

  • VOLT TYPHON (aka FIN12/Wizard Spider): Known for high-speed ransomware operations (Ryuk, Conti) following phishing or compromised RDP. They often exploit soft targets that still deliver high-impact service disruption.

  • VOLT KAPPA (aka Sandworm/TeleBots): Notorious for disruptive attacks like NotPetya. Their recent use of tools like Prestige ransomware or Raspberry Robin makes them a concern for any org running legacy OT/ICS assets.

  • LockBit 3.0: Targets managed service providers and broadband infrastructure in double-extortion campaigns.

  • ALPHV/BlackCat: Focused on supply chain attacks with an eye toward telecom and SaaS providers.

  • Scattered Spider (VOLT KOBALT): Uses advanced social engineering and SIM-swapping to compromise telecom-linked identity platforms.


If you work in rural broadband or telecom and want to get ahead of the next threat wave, don’t miss this session.

Stay tuned for the full GTBA agenda, and we look forward to connecting with industry peers at Hammock Beach.

Speaking at GridSecCon 2025: Mental Health in Cybersecurity and the Maslach Burnout Inventory

We’re proud to announce that Patrick Kelley, CEO of Critical Path Security and Léargas Security, will be speaking once again at GridSecCon 2025. His breakout session, titled “Mental Health in Cybersecurity: Leveraging the Maslach Burnout Inventory,” will take place on October 8, 2025, from 3:00 PM to 4:00 PM PT.

Why This Talk Matters

Cybersecurity is more than threat detection and response—it’s a high-pressure profession where burnout, imposter syndrome, and emotional fatigue are common, yet rarely discussed. The stakes are high, the expectations relentless, and the human toll is real.

In this session, Patrick will offer a brutally honest and personal look at the psychological cost of doing this work, the systemic flaws that exacerbate mental strain, and how the Maslach Burnout Inventory can be used as a tangible tool to assess and manage burnout.

What Attendees Will Learn

  • How to recognize the warning signs of burnout before they escalate

  • How to use the Maslach Burnout Inventory to self-assess and spark change

  • Resilience strategies that have real-world applicability in high-stress environments

  • How to advocate for healthier team culture and systemic improvements in cybersecurity organizations

This isn’t a surface-level motivational talk. It’s a call for accountability and change—from the ground up and the top down.

For the Community, By the Community

Patrick’s voice in this space is deeply rooted in experience. From running Managed Security Operations Centers and Incident Response teams, to counseling colleagues through moments of extreme stress, he brings an honest, no-nonsense perspective that many in our industry have lived—but few have said aloud.


Join us at GridSecCon 2025 and be part of the conversation we all need to be having.
Learn more and register here: GridSecCon 2025 Event Summary

Inside the Race: Ryan Vargas Talks CTMP, Team Progress, and the Road Ahead

In our latest interview with Ryan Vargas, we got a firsthand look at what’s fuelling his drive this season—upcoming races, continued team growth, and the strong foundation built through our ongoing partnership with Léargas Security.

All Eyes on Chicago and Canada
Ryan shared his excitement about the next stops on the schedule: Chicago and Canada. With travel plans in motion and preparations underway, the team is dialed in for what promises to be a high-stakes stretch of the season. These events offer not just track time, but the chance to go head-to-head with some of the best in the business.

A Dream Realized at CTMP
One standout on the calendar? Canadian Tire Motorsport Park (CTMP). For Ryan, this race carries personal significance. “CTMP has always been on my bucket list,” he told us. “To finally get the chance to race there is huge—it’s something I’ve looked forward to for a long time.” His enthusiasm for the opportunity was clear, and fans can expect him to bring that energy to the circuit.

Pushing Performance Boundaries
Throughout our conversation, it was clear just how much progress the team has made. Ryan highlighted gains in lap times and the team’s ability to lead laps during recent events. These aren’t just stats—they’re signs of a team on the rise, tightening execution and sharpening every element of race strategy.

Competing Among Canada’s Finest
Ryan also spoke about the competitive edge of the NASCAR Canada series. With a field full of seasoned, talented drivers, every race is a test. But it’s exactly that high level of competition that continues to push the team to elevate its game.

Built on Trust: The Léargas Partnership
A major part of that continued growth stems from our ongoing partnership with Léargas Security. It’s a collaboration that has strengthened Ryan’s career and helped the team operate with more focus and cohesion. This isn’t just about logos on a car—it’s about shared goals, constant support, and driving real results, both on and off the track.

Short Track Focus Ahead
Looking ahead, the team is gearing up for a string of short track races. These tight, fast-paced events demand razor-sharp reflexes and smart strategy—something Ryan and the crew are more than ready for. Expect intense action and close competition as they hit some of the most challenging short tracks on the schedule.

Catch the full interview for more insights from Ryan himself as he talks through what’s next and what keeps him hungry behind the wheel. The road ahead is exciting, and with momentum building, there’s plenty more to come. Stay tuned!

VMware Cloud Foundation Security Advisory: Multiple High-Severity Vulnerabilities (VMSA-2025-0009)

Publication Date: May 20, 2025

Severity Rating: High

Affected Product: VMware Cloud Foundation (Versions 4.5.x and 5.x)

CVE Identifiers: CVE-2025-41229, CVE-2025-41230, CVE-2025-41231

CVSS Scores: 7.3 – 8.2

Executive Summary

Critical security vulnerabilities have been discovered in VMware Cloud Foundation, posing significant risks. These include directory traversal (CVE-2025-41229, CVSS 8.2), information disclosure (CVE-2025-41230, CVSS 7.5), and missing authorization (CVE-2025-41231, CVSS 7.3). Immediate patching is strongly recommended as no temporary mitigations are currently available. 

Vulnerability Analysis and Remediation

  1. CVE-2025-41229: Directory Traversal (CVSS 8.2)
    • Impact: Unauthorized network access to internal services via port 443.
    • Resolution: Upgrade to Cloud Foundation version 5.2.1.2. For version 4.5.x, consult KB398008.
  2. CVE-2025-41230: Information Disclosure (CVSS 7.5)
    • Impact: Potential disclosure of sensitive information through network access to port 443.
    • Resolution: Implement updates as detailed in the official VMware advisory.
  3. CVE-2025-41231: Missing Authorization (CVSS 7.3)
    • Impact: Potential for unauthorized actions and limited data access by attackers with Cloud Foundation appliance access.
    • Resolution: Patches are available for all affected versions.

Affected Versions and Fixed Versions

Version                        | CVE Identifiers                                | Fixed Version
VMware Cloud Foundation 5.x    | CVE-2025-41229, CVE-2025-41230, CVE-2025-41231 | 5.2.1.2
VMware Cloud Foundation 4.5.x  | CVE-2025-41229, CVE-2025-41230, CVE-2025-41231 | Refer to KB398008

Required Action

Due to the lack of workarounds, immediate upgrade to the specified fixed versions is crucial.

Detection and Prevention

Léargas Security strongly advises immediate attention to the VMware Cloud Foundation Security Advisory (VMSA-2025-0009) which details multiple high-severity vulnerabilities. Given the critical nature of these flaws, it is imperative that organizations prioritize the patching of their VMware Cloud Foundation environments as soon as possible. In the interim, and as a crucial security measure, Léargas Security recommends diligent monitoring of all network traffic to and from VMware infrastructure components and limiting connections to the infrastructure. This enhanced monitoring will aid in the early detection of any malicious activity that may attempt to exploit these vulnerabilities before patches can be applied. Furthermore, organizations should invoke their emergency patching procedures to expedite the deployment of the necessary updates released by VMware.

References

  • VMSA Advisory: VMSA-2025-0009
  • VMware Cloud Foundation 5.2.1.2 Release Notes
  • CVE Details:
    • CVE-2025-41229
    • CVE-2025-41230
    • CVE-2025-41231

A UK Breach, A US Warning: Scattered Spider’s Growing Threat to Retail – and How to Prepare

The recent cyberattack on Marks & Spencer (M&S), allegedly carried out by the threat group Scattered Spider, isn’t just a UK incident—it’s a stark warning for U.S. retailers. This group demonstrates a pattern of targeting specific sectors in waves, and with UK retail currently under siege, U.S. businesses should be actively preparing for potential targeting.

What Happened at M&S? A Deep Dive

Scattered Spider’s success at M&S highlights a concerning trend: exploitation of weaknesses in identity verification. They skillfully used social engineering, impersonating legitimate users and bypassing basic security checks. Their tactics – confident language, familiar insider jargon, and convincing phone calls – exposed a critical vulnerability: a reliance on single-factor verification.

The initial breach is believed to have started via a third-party vendor, emphasizing the crucial need for rigorous supply chain security and continuous monitoring of vendor traffic. While M&S responded swiftly, the attack still disrupted operations, underscoring the critical need for robust, real-time visibility and rapid incident response capabilities.

U.S. Retailers: Take Action Now – Don’t Wait for a Breach

Scattered Spider is likely scoping out the U.S. market, and proactive defense is essential. Léargas Security recommends the following key strategies, enhanced by the power of our advanced Extended Detection and Response (XDR) platform.

1. Fortify Your Identity Verification: Beyond Passwords & SMS

Simply moving beyond passwords isn’t enough. Implement a layered approach to identity verification, including:

  • Multi-Factor Authentication (MFA): Mandatory for all users, especially those accessing sensitive systems.
  • Cross-Channel Verification: Verify identity across multiple communication channels (e.g., email, phone, in-person).
  • Escalation Workflows: Establish clear procedures for verifying high-risk support requests.
  • Léargas Assistance: We can help identify interconnected systems and services currently lacking robust MFA, providing a prioritized remediation roadmap.

2. Proactive Threat Intelligence: Anticipate and Disrupt

Scattered Spider’s tendency to reuse infrastructure and techniques means that threat intelligence is your most valuable early warning system. Léargas Security provides:

  • Real-Time Threat Intelligence Feeds: We track known malicious IP addresses, command-and-control (C2) infrastructure, and actor-specific Indicators of Compromise (IOCs).
  • Automated Signature Updates: Our system automatically updates threat signatures, ensuring continuous detection and isolation of intrusions before they escalate.
  • Contextualized Reporting: Understand the evolving tactics of Scattered Spider and how they relate to your specific risk profile.

3. Eliminate Visibility Gaps: Unified Security, Real-Time Response

Many security solutions operate in silos, creating blind spots. Léargas integrates endpoint, network, and cloud telemetry into a unified XDR platform, offering:

  • Comprehensive Visibility: See all critical activity across your entire environment.
  • Accelerated Detection & Response: Identify threats faster and contain them more effectively.
  • Real-Time Context: Understand the ‘why’ behind security events, enabling informed decision-making.

Stay Ahead of the Threat – With Léargas Security

Scattered Spider has proven they will exploit every weakness. Don’t wait to be the next headline. With Léargas Security’s XDR capabilities, retailers gain the visibility, control, and confidence they need to protect their business before an attacker even knocks.

Learn how Léargas Security can safeguard your retail business.

Stay vigilant. Stay ready. With Léargas, stay ahead.

Leargas Critical Infrastructure Alert: Enhancing the Security of Operational Technology and Industrial Control Systems

Critical infrastructure is challenging not only to deploy, maintain, and keep running, but also because its exposure to cyberattack is significant. We will address some key ways to reduce risk and attack surface in this environment. Alerts from government agencies, cybersecurity vendors, and threat intelligence providers arrive often, but a multi-agency alert on best practices for critical infrastructure in the current global climate deserves particular attention. Recognizing this climate and risk, the Cybersecurity and Infrastructure Security Agency (CISA), in a concerted effort with the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), and the Department of Energy (DOE), has released a fact sheet titled “Primary Mitigations to Reduce Cyber Threats to Operational Technology.” The guidance is aimed at organizations across critical sectors such as energy, water, manufacturing, transportation, and healthcare, with the goal of strengthening the security posture of their Operational Technology (OT) and Industrial Control Systems (ICS). The interconnectedness of these systems with our daily lives underscores the urgency of implementing robust cybersecurity measures.

This joint alert stands out due to its timing and the breadth of agencies involved. In today’s environment—where critical infrastructure is increasingly in the crosshairs of nation-state actors and ransomware groups alike—coordinated guidance from CISA, FBI, EPA, and DOE underscores just how urgent and credible the threat is. The fact sheet isn’t just another government bulletin—it’s a wake-up call grounded in real-world incidents and threat intelligence.

The Unique Vulnerabilities of OT and ICS: Why They Are Prime Targets for Attackers

OT encompasses a diverse array of hardware and software that is often legacy or designed for isolated environments, which introduces risks both unique to OT and shared with IT. This realm includes Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Programmable Logic Controllers (PLCs), and a multitude of other specialized devices integral to the functioning of critical infrastructure. Unlike traditional Information Technology (IT) systems, which have evolved with security considerations at their core, many legacy OT/ICS/SCADA/PLC devices were originally developed in isolation, with a primary focus on reliability and efficiency rather than robust cybersecurity, and with little expectation of ever being connected to the internet or to standard IT networks.

OT environments were historically isolated, but as they have become increasingly interconnected with enterprise IT networks and, in some cases, the public internet, they inherit and are exposed to vulnerabilities. These vulnerabilities stem from a variety of factors, including end-of-life (EOL) or unpatched operating systems and software, a lack of built-in security features, and the prevalence of default or easily guessable, dictionary-based passwords. Attackers are aware of these weaknesses and actively attempt to exploit them. They often leverage readily available tactics, techniques, and procedures (TTPs) to identify and compromise exposed OT and ICS systems, potentially leading to incidents ranging from service disruptions and economic losses to environmental damage and threats to health or public safety. The potential for cascading effects across interconnected infrastructure further amplifies the severity of these risks.

High-profile incidents like the Colonial Pipeline ransomware attack and the attempted poisoning of a Florida water treatment plant have already shown how quickly a cyber event in OT can escalate into a public safety crisis. These events reinforce the need for proactive hardening, not reactive clean-up.

Key Mitigation Strategies for OT and ICS

To effectively mitigate these threats, Léargas, CISA, and its partner agencies have outlined a set of essential mitigation strategies that organizations operating OT and ICS environments should prioritize and implement diligently:

  1. Eliminate Public Internet Exposure:

The most fundamental step in securing OT/ICS environments is to ensure that these systems are not directly accessible via the public internet. Direct connection creates an easily discoverable attack surface, allowing threat actors to utilize search tools, specialized scanning tools (like Shodan), and publicly available exploit frameworks to identify open ports, vulnerable services, and configuration errors. Organizations should conduct thorough and regular assessments of their network infrastructure to identify and remove any public-facing OT and ICS assets. This may involve potentially significant network topology changes, ensuring that direct internet connectivity to OT devices is blocked or strictly limited. Bastion hosts or secure jump servers should be employed for necessary remote administration, ensuring no direct exposure of the OT network to the IT infrastructure or open internet.

  1. Enforce Strict Authentication Practices Across All Systems:

Weak or default passwords represent a significant and frequently exploited vulnerability. Attackers commonly use password spraying, dictionary, and brute-force techniques to gain unauthorized access. It is important that organizations change all default credentials on OT and ICS devices and implement and test a strong policy mandating strong, unique passwords for all accounts, especially those with administrative privileges and those used for remote access. Password complexity requirements, regular password resets, and the use of password management tools should be enforced. Furthermore, the implementation of multi-factor authentication (MFA) is key.

Organizations should also enforce regular password resets and the use of password management tools to reduce credential reuse and administrative overhead.

  3. Establish Secure and Controlled Remote Access Mechanisms:

While remote access is often essential for legitimate operational and maintenance purposes, it is also a significant attack vector if not properly secured. When remote access to OT networks is necessary, it must be strictly controlled and secured using private connections, VPNs, MFA, and bastion hosts or jump servers for all remote users. Access should be granted on the principle of least privilege, so that users have only the permissions needed to perform their assigned tasks. Remote access accounts should be reviewed regularly, and dormant or unused accounts promptly disabled to prevent misuse. Comprehensive logging and monitoring of all remote access activity is also essential for detecting and responding to suspicious behavior.

  4. Implement Robust Network Segmentation and Zoning:

A fundamental security principle is to segment the OT network from the enterprise IT network. This logical and physical separation helps to reduce the attack surface area and prevent the lateral movement of cyber threats from the IT environment to the OT/ICS/SCADA environment. Implementing a demilitarized zone (DMZ) to mediate data transfer between these distinct networks adds another crucial layer of security. The DMZ acts as a controlled and inspected data exchange while preventing direct communication between the less secure IT network and the sensitive OT network. Well-defined security policies and access control lists (ACLs) should govern the traffic flow between network segments.

  5. Maintain and Regularly Test Manual Operation Capabilities:

Despite the increasing automation of OT and ICS, organizations must retain and regularly practice the ability to operate critical systems manually in the event of an incident or system failure. This ensures business continuity and minimizes the impact of disruptions. Regular testing of manual controls, fail-safe mechanisms, and backup systems is paramount to verify their functionality and to ensure that personnel are proficient in their use during emergencies. These manual procedures should be well-documented, readily accessible, and regularly reviewed and updated. They must be incorporated into your IRP (Incident Response Plan), BCP (Business Continuity Plan), and DRP (Disaster Recovery Plan) to ensure organizational resilience.
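As an added example for the remote-access controls in strategy 3 (this is not Léargas or CISA code), the Python below runs the periodic account review over a constructed remote-access log: it lists accounts with no successful login in 90 days as candidates for disabling, and flags any successful session that did not originate from the approved jump host. The log format, account names, the jump-host address 10.20.0.5 and the 90-day threshold are all assumptions.

```python
"""Remote-access account review (added example; not Léargas or CISA code).
Log format, accounts, addresses and the 90-day threshold are constructed."""
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user source_ip result"
SAMPLE_LOG = """\
2024-05-01T08:02:11 vendor_acme 10.20.0.5 success
2024-05-03T22:15:40 ops_maint 10.20.0.5 success
2024-05-04T01:10:02 ops_maint 203.0.113.7 success
2024-01-12T09:00:00 contractor_old 10.20.0.5 success
2024-05-05T10:30:00 vendor_acme 10.20.0.5 failure
"""
# Assumed: only the bastion/jump host may originate sessions into OT.
APPROVED_JUMP_HOSTS = {"10.20.0.5"}
DORMANT_AFTER = timedelta(days=90)
REVIEW_DATE = datetime(2024, 5, 6)  # constructed date of the review


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, src, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "result": result})
    return events


def review(events, now=REVIEW_DATE):
    """Return (dormant, bypass): accounts with no successful login within
    DORMANT_AFTER (candidates to disable), and successful logins that did
    not come through an approved jump host (a bypass of the bastion)."""
    last_success = {}
    bypass = []
    for e in events:
        if e["result"] != "success":
            continue
        if e["user"] not in last_success or e["ts"] > last_success[e["user"]]:
            last_success[e["user"]] = e["ts"]
        if e["src"] not in APPROVED_JUMP_HOSTS:
            bypass.append((e["user"], e["src"], e["ts"].isoformat()))
    dormant = sorted(u for u, ts in last_success.items()
                     if now - ts > DORMANT_AFTER)
    return dormant, bypass
```

In a real deployment the log would come from the VPN concentrator or jump host itself, and the dormant list would feed the account-disable step of the review.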
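As an added example for the segmentation and DMZ model in strategy 4 (again not Léargas or CISA code), the Python below checks a zone-based ACL for the one property the text insists on: every flow between IT and OT terminates in the DMZ, and the ruleset ends in an explicit deny. A constructed weak ruleset is shown beside its corrected form; the zone names, rule tuple format and services are assumptions, and it checks policy intent rather than any real firewall's syntax.

```python
"""Zone-policy check for IT / DMZ / OT segmentation (added example; not
Léargas or CISA code). Zone names, rule format and both rulesets are
constructed; this checks policy intent, not a real firewall config."""

# A rule is (action, src_zone, dst_zone, service), evaluated first-match.
# The DMZ mediates every flow: IT and OT each talk to the DMZ, never to each other.
ALLOWED_PAIRS = {("IT", "DMZ"), ("DMZ", "IT"), ("DMZ", "OT"), ("OT", "DMZ")}

# Weak ruleset (constructed): enterprise hosts reach OT protocols directly.
WEAK_RULES = [
    ("allow", "IT", "OT", "tcp/502"),    # Modbus polled straight from the IT LAN
    ("allow", "IT", "OT", "tcp/3389"),   # RDP from any IT workstation into OT
    ("allow", "OT", "DMZ", "tcp/1433"),  # OT pushes to the DMZ historian
    ("deny", "any", "any", "any"),
]

# Corrected ruleset (constructed): every flow terminates in the DMZ.
CORRECTED_RULES = [
    ("allow", "IT", "DMZ", "tcp/443"),   # users read the DMZ historian replica
    ("allow", "IT", "DMZ", "tcp/3389"),  # users reach the DMZ jump host only
    ("allow", "DMZ", "OT", "tcp/3389"),  # the jump host is the sole path into OT
    ("allow", "OT", "DMZ", "tcp/1433"),  # OT pushes to the DMZ historian
    ("deny", "any", "any", "any"),
]


def violations(rules):
    """Return allow rules that skip the DMZ or use a wildcard zone."""
    bad = []
    for action, src, dst, svc in rules:
        if action != "allow":
            continue
        if "any" in (src, dst) or (src, dst) not in ALLOWED_PAIRS:
            bad.append((src, dst, svc))
    return bad


def is_segmented(rules):
    """True when there is no DMZ bypass and the ruleset ends in deny-all."""
    return not violations(rules) and rules[-1] == ("deny", "any", "any", "any")
```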


The Critical Role of Collaboration with Third-Party Providers:

Misconfigurations, vulnerabilities, and security oversights frequently arise during routine maintenance or system upgrades, or are inadvertently introduced by third-party system integrators, service providers, and vendors who have access to OT/ICS environments. Establishing clear communication channels and well-defined security requirements for all third-party providers is essential. Regular communication, security assessments of third-party practices, and contractual obligations regarding cybersecurity ensure that system-specific configurations remain secure and up-to-date throughout the lifecycle of the OT/ICS environment. Organizations should also have incident response plans that explicitly address the involvement and responsibilities of third-party providers.

At Léargas Security, we understand the critical nature of these environments and the difficulty of balancing security with uptime, safety, and operational efficiency. Our team works directly with ICS/OT operators to assess exposure, design segmentation strategies, and deploy monitoring solutions like Zeek, Suricata, and proprietary tools to detect anomalies before they become incidents. Proactive defense is no longer optional—it’s the only path to resilience.


Accessing Valuable Resources for Enhanced OT/ICS Cybersecurity:

Léargas, CISA and its partner agencies offer a wealth of resources to assist organizations in strengthening their OT and ICS cybersecurity posture:

  • CISA’s Stuff Off Search (https://www.cisa.gov/resources-tools/resources/stuff-search): This tool enables organizations to identify and reduce the internet exposure of their assets, helping to eliminate easily discoverable attack vectors.

  • Implementing Phishing-Resistant MFA (https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf): This fact sheet provides detailed guidance and best practices for implementing robust, phishing-resistant multi-factor authentication to protect against credential compromise.

  • Layering Network Security Through Segmentation (https://www.cisa.gov/sites/default/files/2023-01/layering-network-security-segmentation_infographic_508_0.pdf): This infographic illustrates strategies and best practices for implementing effective network segmentation to enhance the security and resilience of OT and ICS environments.

By implementing these primary mitigation strategies and leveraging the resources provided by Léargas Security, Critical Path Security, CISA and its partners, organizations operating critical infrastructure can significantly reduce their risk and attack surface, safeguarding essential services and mitigating the potentially severe consequences of attacks.

For a deeper conversation about securing your OT and ICS infrastructure, or to schedule a no-cost assessment, contact Léargas Security today. We’re committed to protecting the infrastructure that powers the world.