Global lime and minerals producer Lhoist’s IT security and industrial automation organizations haven’t always worked closely together, but a renewed focus on industrial cybersecurity united the two in a global initiative built around Microsoft Azure Defender for IoT. The new agentless OT security monitoring platform offers powerful asset discovery, vulnerability management, and threat monitoring capabilities, and contributes to a safer, more resilient, and more efficient operation that furthers the mission shared by all Lhoist workers: ensure production availability and deliver value to their customers.
“OT and IT share the same goal of ensuring production availability, delivering for our customers, and maintaining the health and safety of our coworkers.”
Clément Herssens, CISO, Lhoist
Rock and roles at Lhoist
Clément Herssens, CISO at Lhoist, jokes that his company is all about rock. It pulls rock out of the ground, crushes it, burns it, and mills it. In a broader sense, Lhoist is a global leader in mineral and limestone materials with 80 plants in more than 25 countries, and its products find their way into people’s everyday lives throughout the world in steel, flue gas treatment, paints, papers, roads, rock gardens, chalk, concrete, and even in toothpaste.
Lhoist field locations typically include a quarry next to a processing plant. Both the quarry and the plant contain heavy machinery and industrial automation equipment, known as operational technology (OT), or, more familiarly, “automation.” OT teams work onsite, taking care of electrical and mechanical projects and maintenance, including logistics operations, and they assume responsibility for the most important business functions at Lhoist: environmental safety, workplace safety, and productivity—keeping the plants running.
Historically, there’s been a healthy debate between the automation team and their colleagues in the IT department, which is also involved in day-to-day operations, including ensuring security and business continuity for the company’s IT infrastructure. Jean-François Sprumont began in the maintenance department and is now Automation Expert at Lhoist. He’s familiar with the sometimes-conflicting sense of ownership that can occur between his team and the IT department. “The people onsite and the IT guys each have their own schedules, timescales, and objectives, and we each feel we are the most essential to the Lhoist operation,” he says with a smile.
Herssens heartily agrees. “That’s a very valid point about the different kinds of expertise on the IT and automation sides,” he says. “We have the most work to do in this area because IT feels that it has some responsibility in managing security for the automation experts. On the other hand, automation feels hindered by security restrictions put in place in the past by IT, who don’t always understand that OT prioritizes availability over all else, and typically has the viewpoint that ‘if it works, don’t touch it.’”
OT network security brought into focus
OT network security hasn’t always been the priority it is today; by convention, the plant was physically isolated, or “air-gapped,” from any other network and from the internet. But digital transformation has led to increasingly connected industrial environments and made OT security a top priority for Lhoist’s security team. Critical OT equipment is now more connected to the plant IT network, which is in turn connected to the larger organization’s corporate IT network. There is also an increasing demand for remote access from third-party vendors who help manage and maintain equipment.
Herssens and the board view the CISO’s role as being responsible for reducing cyber risk enterprise-wide, and ensuring that any attempt to compromise OT equipment—such as via ransomware, which is all too common today—is quickly detected and mitigated. And unlike other security domains such as email security, the risk from bad actors isn’t limited to data theft—they can also take control of connected plant equipment and pose a threat to the environment or to workers’ health and safety. As Herssens explains, “Shutting down an IT server does not have nearly the same impact as shutting down a programmable logic controller (PLC) in a plant.”
When a recent catastrophic ransomware attack at a related organization brought its entire operation down for a month—resulting in missed deliveries to customers and millions of dollars in damages—it provided a cautionary tale that also brought into sharp focus Lhoist’s need for a security review. “This was a topic that I’d been bringing to the table almost from day one,” says Herssens, who reports directly to the audit committee. “And this event was a message that the board clearly heard.”
Bridging the IT/OT divide
The resulting global OT security initiative, built upon Microsoft Azure Defender for IoT, boosted security while also helping bridge Lhoist’s IT/OT divide. “OT and IT share the same goal of ensuring production availability, delivering for our customers, and maintaining the health and safety of our coworkers,” says Herssens.
To ensure a smooth rollout by involving all key stakeholders, Herssens initiated the project by meeting with the VP of Operations and plant managers about the business implications of OT risk, and why stronger OT security was required. Top-down support from the board was critical, but the team also made sure to drive the project from the bottom up by engaging Sprumont from the automation team, and meeting with automation personnel in the plants.
The team also created a Center of Excellence (COE) for Global Industrial Security to foster ongoing collaboration and communication between the teams.
Delivering both cyber and operational efficiency benefits
Within minutes of being connected to the SPAN port of the network switch, Azure Defender for IoT automatically discovers and maps the entire network and all connected OT devices such as human machine interfaces, engineering workstations, and PLCs. This happens regardless of whether they’re specifically enabled for monitoring, and includes legacy Windows systems that can’t easily be upgraded or patched.
According to Sprumont, it was like a blurred image gradually coming into focus. “A few minutes after connecting the Defender for IoT sensor to the network switch, we began to see all the nodes and activity on our OT network—the devices, traffic, bandwidth usage, protocols, and all the links between different zones. I didn’t know we could do that, and it was quite amazing to see it for the first time.”
Supporting a vast range of protocols used by diverse industrial equipment, including equipment from OT vendors such as Rockwell Automation, Schneider Electric, Siemens, ABB, and Yokogawa, the solution gathers information about the environment over time, using specialized OT-aware analytics to identify device status and configuration details, learn what’s normal network behavior, and raise alerts on vulnerabilities, or when an event might indicate a security issue.
Even Lhoist automation staff who weren’t focused on cybersecurity soon recognized the operational efficiency benefits of the wealth of monitoring information now available to them, which brings major cost and time savings along with an overall increase in ROI. This information can be used to optimize device performance, predict failures, and immediately identify misconfigured or malfunctioning devices. Performance can also be improved by tracking down sources of congestion or unnecessary traffic. For example, the team used Azure Defender for IoT to filter the traffic by protocol automatically, found older industrial protocols on the network that no one knew were still being used, and observed multiple subnets that should not have been connected to the same switch.
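The three capabilities described above (passive discovery of every talking host from mirrored traffic, a protocol inventory that surfaces legacy protocols, and alerts when traffic deviates from the learned baseline) can be illustrated with a small script. The following is an added example, not Lhoist’s code and not the logic inside Azure Defender for IoT; it assumes flow summaries have already been extracted from the SPAN port into (source, destination, port, transport) tuples, and the port-to-protocol table, the sample flows and the host addresses are all constructed for the illustration.

```python
"""Passive OT asset, protocol and subnet inventory from mirrored (SPAN) traffic metadata.

Added example, not Lhoist's or Microsoft's code. Assumes flows were already
summarized from the mirror port into (src_ip, dst_ip, dst_port, transport) tuples.
"""
from collections import Counter, defaultdict
from ipaddress import ip_interface

# Assumed mapping of well-known ports to industrial protocols (example table only).
INDUSTRIAL_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    44818: "EtherNet/IP",
    20000: "DNP3",
}

# Constructed sample flows as a passive sensor would observe them during a learning period.
SAMPLE_FLOWS = [
    ("10.10.1.20", "10.10.1.5", 502, "tcp"),       # HMI -> PLC over Modbus
    ("10.10.1.21", "10.10.1.6", 102, "tcp"),       # engineering workstation -> S7 PLC
    ("10.10.1.20", "10.10.1.5", 502, "tcp"),
    ("10.10.1.30", "10.10.1.6", 44818, "tcp"),     # EtherNet/IP client -> PLC
    ("192.168.50.9", "10.10.1.5", 20000, "tcp"),   # host on a second subnet reaching a PLC
    ("10.10.1.21", "10.10.1.5", 502, "tcp"),
]

# Constructed flows from a later period, used to show baseline deviations.
NEW_FLOWS = [
    ("10.10.1.20", "10.10.1.5", 502, "tcp"),       # already in baseline
    ("10.10.1.99", "10.10.1.5", 502, "tcp"),       # never-seen host talking to a PLC
    ("10.10.1.20", "10.10.1.6", 102, "tcp"),       # known hosts, known protocol, new pair
    ("10.10.1.21", "10.10.1.6", 4840, "tcp"),      # known hosts, protocol not in baseline
]


def protocol_name(port, transport):
    """Label a flow by industrial protocol, falling back to transport/port."""
    return INDUSTRIAL_PORTS.get(port, f"{transport}/{port}")


def build_inventory(flows):
    """Asset discovery: every address seen in either direction, with its protocols and peers."""
    inventory = defaultdict(lambda: {"protocols": set(), "peers": set()})
    for src, dst, port, transport in flows:
        proto = protocol_name(port, transport)
        for host, peer in ((src, dst), (dst, src)):
            inventory[host]["protocols"].add(proto)
            inventory[host]["peers"].add(peer)
    return dict(inventory)


def protocol_counts(flows):
    """Protocol inventory: how often each protocol appears, so legacy ones stand out."""
    return Counter(protocol_name(port, transport) for _, _, port, transport in flows)


def subnet_of(ip, prefix=24):
    """Network containing ip, assuming a /prefix boundary (assumption for the example)."""
    return str(ip_interface(f"{ip}/{prefix}").network)


def cross_subnet_flows(flows, prefix=24):
    """Flows whose endpoints lie in different subnets; on one mirrored switch this
    often reveals networks that were never meant to share infrastructure."""
    return sorted({(src, dst) for src, dst, _, _ in flows
                   if subnet_of(src, prefix) != subnet_of(dst, prefix)})


def learn_baseline(flows):
    """Baseline: the set of (src, dst, protocol) conversations seen while learning."""
    return {(src, dst, protocol_name(port, transport)) for src, dst, port, transport in flows}


def detect_deviations(baseline, flows):
    """Raise one alert per flow not in the baseline, classified by what is new about it."""
    known_hosts = {host for src, dst, _ in baseline for host in (src, dst)}
    known_protocols = {proto for _, _, proto in baseline}
    alerts = []
    for src, dst, port, transport in flows:
        proto = protocol_name(port, transport)
        if (src, dst, proto) in baseline:
            continue
        if src not in known_hosts or dst not in known_hosts:
            alerts.append(("new_device", src, dst, proto))
        elif proto not in known_protocols:
            alerts.append(("new_protocol", src, dst, proto))
        else:
            alerts.append(("new_conversation", src, dst, proto))
    return alerts


if __name__ == "__main__":
    for host, info in sorted(build_inventory(SAMPLE_FLOWS).items()):
        print(host, sorted(info["protocols"]), "peers:", sorted(info["peers"]))
    print("protocols:", dict(protocol_counts(SAMPLE_FLOWS)))
    print("cross-subnet:", cross_subnet_flows(SAMPLE_FLOWS))
    for alert in detect_deviations(learn_baseline(SAMPLE_FLOWS), NEW_FLOWS):
        print("ALERT", alert)
```

The classification in detect_deviations is the part worth tuning in practice: a never-seen host reaching a PLC is the alert an analyst must look at, while a new conversation between two known hosts over a known protocol can often be suppressed after review, which is how alert volume is kept to the level the SOC will actually act on.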
For the IT security specialists, too, this is a clear game changer. They can use protocol and network topology information to implement network segmentation more quickly as part of the company’s Zero Trust strategy. Herssens describes an example of how, even at the proof-of-concept stage, IT security specialists gained invaluable insights that enabled them to preempt a potentially serious security breach. An external party that was connected to Lhoist’s network had inadvertently introduced ransomware, but the malware and its source were immediately identified and isolated. “We had a malware outbreak occur while we were running proofs of concept to select our OT security solution. Azure Defender for IoT performed well, immediately detecting the suspicious traffic. We were able to pull the plug on the malware before it could stop production,” he says.
Frictionless, agentless deployment with built-in SOC integration
The Microsoft solution is easy to deploy as a preconfigured network sensor appliance, requiring no software agents, and it doesn’t impose any performance overhead or instability on the OT network because it’s entirely passive. It also integrates with the AlienVault SIEM solution that was already in use in the Lhoist security operations center (SOC), as part of the company’s SOC program with a well-known managed security service provider (MSSP).
The solution can be fine-tuned so alerts are accurate, targeted, and relevant, helping avoid security analyst fatigue, which Herssens says is an important requirement. “We wanted to avoid a solution that raises too many meaningless alerts a day, which eventually no one would take seriously,” he says.
A clearer, more secure future
For their pilot program, Lhoist initially deployed Azure Defender for IoT to five sites: two in Belgium, two in the United States, and one in Germany. Based on the positive results and ease of implementation they saw in the pilot program, Lhoist chose the Microsoft solution for its global deployment and is now in the process of rolling out to all 80 plants worldwide.
Today, the IT and OT staff each has a clearer view of the other’s side of the business—and of their shared goal of delivering value to Lhoist customers. The company is also a major Office 365 and Power Apps user, and views its Azure Defender for IoT deployment as an opportunity to expand its adoption of other Microsoft security technologies. “Azure Defender for IoT is really our first major investment in Azure,” says Herssens. “We’ll be growing into that over the next couple years and looking forward to extending into new capabilities such as [taking advantage of] our existing Power BI investment to create audit and compliance dashboards and reporting.”