Industry Defence Insights
Our engaging episodes will equip you with essential knowledge about OT/ICS/IT cybersecurity to safeguard your digital presence. Your digital safety starts here!
Red Teams, Blue Teams: How Proactive Cybersecurity Protects Critical Infrastructure
The alarming rise in cyber attacks targeting Europe's water and energy infrastructure demands our immediate attention. When malicious actors target these critical systems, the consequences extend far beyond data breaches – they threaten the essential services millions depend on daily.
Dive into the specialized world of operational technology (OT) and industrial control systems (ICS) cybersecurity as we explore the crucial role of red teams and blue teams. The red team functions as ethical hackers, simulating sophisticated attacks on the physical machinery controlling water treatment plants and power stations. Their counterparts, the blue team defenders, implement specialized security measures designed specifically for industrial protocols that operate very differently from standard IT networks. This dynamic partnership creates a powerful feedback loop of continuous improvement – the cornerstone of truly proactive cybersecurity.
Recent incidents in Europe highlight the growing sophistication of these threats. Finnish energy company Fortum faced not only increased cyber attacks but also suspicious physical surveillance near their facilities, suggesting potential state-sponsored activities tied to geopolitical tensions. Meanwhile, cybersecurity firm Dragos reports an 87% increase in ransomware attacks on industrial organizations in 2023, with a quarter of these incidents causing complete operational shutdowns. The threat landscape continues expanding, with vulnerability discoveries increasing by 27% year-over-year.
The stakes couldn't be higher. When these systems fail, it's not just inconvenient – it directly threatens public health and safety across entire regions. Organizations must move beyond reactive security approaches toward continuous testing, simulation, and improvement. As attacks grow more sophisticated, our defenses must evolve in tandem. The question isn't whether critical infrastructure will be targeted, but how prepared we'll be when it happens. Subscribe now to continue this vital conversation about protecting the systems we simply cannot live without.
In today's podcast, we are going to talk about the necessity of proactive cybersecurity in operational technology and industrial control systems, particularly within the water and energy sectors. All right, so today we're diving into something that's been in the headlines a lot lately and something that I know keeps a lot of folks up at night, and that is cyber attacks, but specifically those targeting critical infrastructure.
Speaker 2:Right, yeah, absolutely. Especially what we've been seeing in Europe lately with water and energy systems.
Speaker 1:Yeah, Europe has definitely been a hotbed of activity and the potential fallout there I mean thinking about it is kind of scary.
Speaker 2:Oh yeah, the thought of widespread disruptions to daily life, I mean that's a huge concern that we need to be taking very seriously.
Speaker 1:Absolutely, and that's why we're really going to zero in on the whole proactive cybersecurity approach and, specifically, what's becoming so crucial is this idea of red teams and blue teams.
Speaker 2:You got it.
Speaker 1:I'm sure some of our listeners might be hearing that and thinking, ok, red team, blue team, is this some kind of like spy movie thing going on here? So can you break it down for us, particularly when we're talking about, you know, the OT, the ICS, the operational technology and those industrial control systems that keep things like our power grids and water treatment plants actually running?
Speaker 2:Yeah, so think of it this way the red team is essentially like a group of ethical hackers. Their whole job is to simulate real cyber attacks and they try to find those weaknesses, try to exploit the vulnerabilities in these critical systems.
Speaker 1:So they're basically trying to break in just like a real attacker would.
Speaker 2:Exactly yeah, they're the ones on the offense looking for those holes in the armor, so to speak.
Speaker 1:Okay, so red team's the offense and the blue team then is.
Speaker 2:The blue team is the defense.
Speaker 1:Okay.
Speaker 2:So they're the ones responsible for protecting those systems. Got it. They're constantly monitoring for any signs of an attack and then, if something does happen, they've got to respond quickly. So their focus is really on building and maintaining the strongest possible security setup that they can.
Speaker 1:And it's important to emphasize here. I mean, we're not just talking about, you know, someone stealing some data.
Speaker 2:Oh, no, no, no.
Speaker 1:If these systems get hit, we're talking about real-world consequences like no clean water coming out of the tap, power outages that could affect millions of people.
Speaker 2:Absolutely yeah, it's a potential nightmare scenario.
Speaker 1:Yeah, I mean, the stakes are incredibly high. Incredibly high, yeah, when we're talking about OT and ICS.
Speaker 2:Right, and that's really why we're here today.
Speaker 1:Yeah.
Speaker 2:To really dig into how this partnership between red and blue teams, this proactive approach, can actually create some resilience against these threats.
Speaker 1:Exactly, and we'll be looking specifically at some recent events, particularly in Europe, and we'll be using some data from the cybersecurity firm Dragos to really paint a clearer picture of what's going on. Absolutely. So we talk about these red and blue teams operating in environments like power plants, water facilities. I mean it's got to be a lot more involved than just like running a scan on a computer network, right?
Speaker 2:Oh yeah, you're absolutely right. I mean, in OT and ICS environments you have to understand that the complexities are very unique. So red teams need to grasp not just the IT systems that a business uses, you know, like everyone's familiar with, but also the operational technologies, so things like PLCs, those are programmable logic controllers, and they're essentially the computers that directly control the physical machinery.
Speaker 1:OK.
Speaker 2:So you know, like the pumps in a water treatment plant or the turbines in a power station.
Speaker 1:So very, very different.
Speaker 2:Very different. Yeah, they'll be looking for vulnerabilities that could allow an attacker to manipulate those physical controls.
Speaker 1:Wow.
Speaker 2:And then, on top of that, they also need to understand the specialized communication languages that these OT devices use. Right, those are called industrial protocols and they have very different security considerations compared to your standard IT networks.
Speaker 1:So the blue team, then their role is to take what the red team finds and really fortify the defenses.
Speaker 2:Yeah.
Speaker 1:Specifically for those OT ICS environments.
Speaker 2:Yeah.
Speaker 1:And it's not just a one size fits all. You can't just use like normal IT security measures, right?
Speaker 2:Exactly, you hit the nail on the head. Blue teams in this area need specialized knowledge. They're configuring firewalls and intrusion detection systems that are designed specifically for those industrial protocols that we talked about. They're implementing security monitoring that understands the normal patterns of OT traffic, which looks very different from typical office network activity.
Speaker 1:And they're also developing incident response plans that take into account the potential physical impacts if something does happen. Exactly, so it's really this constant back and forth, this collaboration between red and blue teams, that's the secret sauce here.
Speaker 2:That's really the core of it, yeah.
Speaker 1:So the red team finds the weak spots, blue team patching them up.
Speaker 2:Yeah.
Speaker 1:Makes the whole system more secure.
Speaker 2:That's the core idea of proactive cybersecurity. It's about not waiting for an attack to happen.
Speaker 1:Right.
Speaker 2:It's about constantly testing your defenses and improving them based on what you learn.
Speaker 1:And in these OT/ICS environments, I mean this is absolutely mission critical because, as we said, the consequences can be much more devastating than just losing some data.
Speaker 2:Oh, yeah, absolutely.
Speaker 1:You know, disrupting essential services like water supply or power grids could have an immediate impact on public health and safety.
Speaker 2:Right and it could affect millions of people across Europe.
Speaker 1:Exactly so. You mentioned earlier some recent incidents, particularly in Europe.
Speaker 2:Yes.
Speaker 1:Let's get into some specifics.
Speaker 2:OK.
Speaker 1:We heard about the Finnish utility Fortum back in October of 2024.
Speaker 2:Yeah, Fortum. They're a major energy company in Finland and they reported a really significant increase in the number of cyber attacks that were targeting them every single day.
Speaker 1:Wow.
Speaker 2:But what was particularly concerning wasn't just the volume of attacks, it was they were also seeing suspicious activity in the physical vicinity of some of their facilities.
Speaker 1:Like people snooping around.
Speaker 2:It seems like it, yeah. Physical surveillance alongside cyber attacks.
Speaker 1:That sounds really serious, like a whole other level.
Speaker 2:It does, and the suspicion is that these activities were linked to some of the geopolitical tensions that are going on in Europe, which suggests that we're dealing with a more sophisticated and potentially state sponsored level of threat aimed at energy infrastructure.
Speaker 1:So not just some random hackers.
Speaker 2:Not necessarily no. This highlights how cybersecurity, especially for these essential services, can get tied up with these bigger geopolitical issues.
Speaker 1:It's not just opportunistic cybercrime anymore.
Speaker 2:Exactly, and this is where getting a broader view of the threat landscape is so important.
Speaker 1:And that's where a company like Dragos comes in.
Speaker 2:Exactly yeah. Their 2023 OT Cybersecurity Year in Review report gives us a really crucial perspective on the scale of this whole problem.
Speaker 1:So what were some of the key takeaways from that report, particularly as it relates to the threats that we're seeing specifically in Europe?
Speaker 2:Okay, so we know that ransomware has been a big issue generally, but the report showed a huge global rise in those ransomware attacks and they're specifically targeting industrial organizations. So in 2023, they documented over 1,600 incidents. 1,600. Yeah, 1,693 to be exact, and that's an 87% increase compared to the year before.
Speaker 1:It's almost double.
Speaker 2:Almost double, in just one year. And while that is a global figure, it really does underscore how critical infrastructure is becoming a really attractive target for these ransomware groups.
Speaker 1:Because they know that they have leverage.
Speaker 2:Exactly, they know they can cause major problems.
Speaker 1:And those attacks? I mean they're having a real impact on operations, right?
Speaker 2:Oh yeah, a huge impact. So Dragos found that 75% of those ransomware incidents caused partial shutdowns of those OT operations. Wow. And 25% resulted in complete shutdowns.
Speaker 1:A quarter of them.
Speaker 2:A quarter of them had to shut down completely, and that just shows that these aren't just nuisance attacks.
Speaker 1:Right.
Speaker 2:They are having a direct impact on the ability of these essential services to function.
Speaker 1:So imagine a quarter of ransomware attacks on water companies or power companies.
Speaker 2:Leading to complete shutdowns. Yeah, it's a huge risk.
Speaker 1:It's a terrifying thought, and it's not just the attacks themselves. The report also pointed to vulnerabilities that are being found in these systems.
Speaker 2:Yeah, that's right. The number of vulnerabilities that are being discovered is also increasing. Ok, so in 2022, Dragos analyzed over 2,100 CVEs.
Speaker 1:And remind us what a CVE is.
Speaker 2:Right, so a CVE, that's Common Vulnerabilities and Exposures. It's basically a publicly known weakness in software or hardware that attackers can exploit.
Speaker 1:Okay.
Speaker 2:And that number in 2022 was a 27% increase from the previous year.
Speaker 1:So more and more weaknesses are being found.
Speaker 2:Yes, and that's creating more potential entry points for attackers.
Speaker 1:Sounds like a really tough situation to be in.
Speaker 2:It is, and it really highlights how urgently we need these proactive cybersecurity measures and, as the report points out, the way that we handle vulnerabilities in OT environments has to be different than in a traditional IT environment.
Speaker 1:How so.
Speaker 2:Well, these OT systems often have very strict uptime requirements. Okay, so just applying a standard software patch without testing it thoroughly could actually disrupt critical industrial processes.
Speaker 1:So it's a much more delicate balancing act when it comes to managing vulnerabilities in these OT environments.
Speaker 2:Right. And this all brings us back to why this collaboration between red and blue teams is so important.
Speaker 1:Right. So in this kind of environment where the threats are constantly evolving, how does that synergy between the two teams really make a difference?
Speaker 2:Well, when you integrate those two teams, it creates a culture of continuous improvement and vigilance, and that's essential. The red team's simulated attacks, those act as a really powerful learning tool. They don't just highlight theoretical vulnerabilities, they actually show how those weaknesses could be exploited in a real-world attack.
Speaker 1:In a way that could target their specific system.
Speaker 2:Exactly, and that gives the blue team a much clearer understanding of the actual risks that they face.
Speaker 1:They can actually see it in action.
Speaker 2:They can, yeah, and that lets them develop much more targeted and effective defense strategies.
Speaker 1:So they can prioritize which vulnerabilities to patch.
Speaker 2:Right. Based on which ones are actually exploitable in their systems.
Speaker 1:OK.
Speaker 2:They can fine tune their monitoring tools to detect those specific attack patterns and they can develop response plans that are informed by these real attack simulations.
Speaker 1:It really arms them with actionable intel.
Speaker 2:It does, and it's not just a one-time thing.
Speaker 1:You know, it's ongoing.
Speaker 2:Yeah, these regular red team engagements and the continuous blue team monitoring, they create this feedback loop. Okay, so the blue team's improved defenses then force the red team to adapt their tactics, and that leads to stronger security overall.
Speaker 1:So it's this constantly evolving process.
Speaker 2:It is, and that process also leads to a much deeper understanding of those specific threat vectors that are most relevant to their particular OT/ICS environment.
Speaker 1:So it's not just about following general cybersecurity advice.
Speaker 2:No, it's about understanding your own unique weaknesses and the specific threats that you face.
Speaker 1:And by simulating those attacks, these organizations can test and refine their incident response plans.
Speaker 2:Exactly because you don't want to be figuring out what to do in the middle of an actual crisis.
Speaker 1:Right, you want to have a plan.
Speaker 2:Yeah, these red team exercises can identify gaps in your response procedures and make sure that everybody knows their roles and responsibilities if an attack does happen.
Speaker 1:It just highlights how critical this proactive approach is, especially when we look at how sophisticated these attacks are becoming and how often they're happening against these essential services in Europe.
Speaker 2:Yeah, and the incident with Fortum really showed us that in a very real way.
Speaker 1:It did. So the key takeaway here is that a strong cybersecurity strategy for critical infrastructure has to include these red and blue teams working together.
Speaker 2:Absolutely. They're not just something extra. They're fundamental to building real resilience against these threats.
Speaker 1:And we need to be paying close attention to incidents like what happened with Fortum and the kind of analysis that Dragos is providing.
Speaker 2:Yep. It's all about continuous learning, continuous testing and a real commitment to proactive defense, because this threat landscape is not standing still.
Speaker 1:It's changing all the time and it's becoming more sophisticated.
Speaker 2:Exactly.
Speaker 1:Well, this has been a really fascinating and, honestly, pretty concerning look at a really vital area.
Speaker 2:Yeah.
Speaker 1:Especially for those of us here in Europe. Considering everything we've talked about the increasing sophistication and frequency of these attacks, the potential for disruption to our daily lives, the role of red teams and blue teams what more can organizations and governments across Europe do to truly secure our critical infrastructure for the future?
Speaker 2:That's the million-dollar question, isn't it?
Speaker 1:It is, and it's a conversation that we need to keep having.
Speaker 2:Absolutely. The conversation doesn't end here.
Speaker 1:It definitely doesn't. Thank you so much for joining me for this deep dive. It's been a pleasure.
Speaker 2:It's been great talking with you.
Speaker 1:I think it's a conversation we absolutely need to continue having.
Speaker 2:I agree, thanks again.
Speaker 1:You're welcome.
Speaker 2:This podcast is supported by OTSET EU.
Speaker 1:Cohort.