The BaseRock team was called in to help a global petcare company following a ransomware attack that had spread to every site.
As the attack was hitting one of the sites, the local IT staff panicked and started pulling network connections and power cables from their VMware hosts and SANs in a last-ditch effort to save their data. Unfortunately, not only was this too late, but it made matters worse: the site did not have the local expertise needed to piece everything back together, and the abrupt power loss had corrupted some of the hypervisors.
Once the machine running the ransomware payload was identified and isolated, the BaseRock team was able to methodically reconnect all of the server room components that had been disconnected, rebuild the broken VMware hosts, perform an integrity check on the SAN storage and get the infrastructure up and running so that it was ready to take on workloads again.
Virtual and physical servers were powered on in isolation and sanitised, and were only reconnected to the network once it was safe to do so. All machines identified as having been affected by the ransomware attack were recovered from backup. However, the backup solution was ageing and purely tape-based, and the backup server itself had been exposed to the ransomware attack, so it had to be rebuilt from scratch and the tapes catalogued again before any restores could take place. Overall, this led to a two-week recovery time and an overall cost to the business of over $140 million.
This customer started to introduce network-connected assets on its production lines. The decision was made for these factory assets to use the existing IT network, because the factory teams had no skilled resources who were comfortable installing and maintaining a modern network, and because the IT team was perceived to be responsible for it simply because it was a network.
Unfortunately, its IT department simply treated the factory as an extension of the IT network and so the only separation between the IT systems and the factory systems was by use of VLANs to create separate broadcast domains; a solution that does not conform to ISA 99 / IEC 62443 security standards.
Thankfully, the company started to realise that the factory systems needed to be treated differently to the IT systems and so a cyber security program was put in place with the objective of aligning with ISA 99 / IEC 62443. As part of this, the BaseRock team was tasked with designing, supplying, installing and configuring a dedicated resilient network infrastructure for the factory to provide physical separation between the IT and OT worlds. Once in place, systems were migrated from the IT network infrastructure to the new dedicated factory network; this was achieved with absolutely no loss of production.
The next step was to facilitate the installation of a Palo Alto firewall with appropriate DMZ configuration to ensure no direct communication takes place between systems on Level 3 (or below) and Level 4 (or above) of the Purdue model, whilst allowing relevant data to be transferred to systems in the corporate IT network, such as SAP.
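The Purdue boundary described above can be checked mechanically: every permitted flow between the factory (Level 3 and below) and the corporate network (Level 4 and above) must terminate in the industrial DMZ. The following is an added example, not BaseRock's or Palo Alto's own tooling; the zone names and the sample rule set are constructed for illustration, and it goes slightly beyond the text by treating an "any" zone as spanning every level.

```python
from dataclasses import dataclass

# Purdue level per firewall zone (zone names are assumptions for this example).
ZONE_LEVEL = {
    "corporate-it": 4.0,     # Level 4: enterprise systems such as SAP
    "industrial-dmz": 3.5,   # Level 3.5: brokers/replicas that relay data
    "site-operations": 3.0,  # Level 3: site MES, historians
    "supervisory": 2.0,      # Level 2: SCADA / HMI
    "control": 1.0,          # Level 1: PLCs
}

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # a zone name from ZONE_LEVEL or "any"
    dst_zone: str
    action: str     # "allow" or "deny"

def _levels(zone):
    """Set of Purdue levels a zone spans; 'any' spans the whole model."""
    if zone == "any":
        return set(ZONE_LEVEL.values())
    if zone not in ZONE_LEVEL:
        raise ValueError(f"unknown zone: {zone}")
    return {ZONE_LEVEL[zone]}

def crosses_boundary(rule):
    """True if the rule could carry traffic directly between Level <= 3 and Level >= 4."""
    src, dst = _levels(rule.src_zone), _levels(rule.dst_zone)
    ot_to_it = any(s <= 3.0 for s in src) and any(d >= 4.0 for d in dst)
    it_to_ot = any(s >= 4.0 for s in src) and any(d <= 3.0 for d in dst)
    return ot_to_it or it_to_ot

def find_violations(rules):
    """Names of allow rules that bypass the DMZ across the Level 3 / Level 4 boundary."""
    return [r.name for r in rules if r.action == "allow" and crosses_boundary(r)]

# Constructed sample rule set: the two DMZ-terminated rules are the intended design;
# the next two are the kind of shortcut that silently defeats the separation.
SAMPLE_RULES = [
    Rule("mes-to-dmz-broker", "site-operations", "industrial-dmz", "allow"),
    Rule("dmz-broker-to-sap", "industrial-dmz", "corporate-it", "allow"),
    Rule("legacy-sap-direct", "corporate-it", "site-operations", "allow"),
    Rule("troubleshooting-any", "any", "control", "allow"),
    Rule("default-deny", "any", "any", "deny"),
]

if __name__ == "__main__":
    print(find_violations(SAMPLE_RULES))  # ['legacy-sap-direct', 'troubleshooting-any']
```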
Finally, monitoring systems were put in place to ensure that the customer had visibility of the health of their new systems.
When this customer was acquired by another company, it was quickly realised that much of the existing infrastructure services used by the factory – which were historically being provided by the global IT team – would no longer be accessible.
A solution had to be put in place swiftly and so the BaseRock team architected, installed and configured all required systems to ensure that the factory could continue running without disruption.
At the same time, the team was able to enhance the security posture of the factory by introducing additional in-depth defence strategies and solutions that were unavailable to the factory previously – due to restrictions and limitations that existed whilst some of the core systems were under the management of the old IT team.