Global agriculture supply chain company COFCO International wanted to increase visibility into operational technology (OT) risk within its specialized industrial plants around the world. It chose to deploy Microsoft Defender for IoT, an agentless solution which offers the local monitoring and control that plant personnel require, along with global visibility for the security operations team. Paired with Microsoft Sentinel as COFCO International’s cloud-based SIEM/SOAR solution, the solution has already proven effective in proactively securing the company’s production environment.
“When the plant stops production, it creates a huge financial and operational impact that ripples up and down the supply chain. We needed a practical, agentless solution for automated asset discovery, vulnerability management, and global real-time threat monitoring, without interfering with operations inside each plant.”
Asher Elazar, Global Head of IT Security, COFCO International
COFCO International is a global agriculture supply chain company in the food processing, production, and trading business, with about 12,000 employees in 35 countries. A key goal for COFCO International’s Global Head of IT Security, Asher Elazar, was to raise awareness of cyber risk across the organization. He recognized the necessity of extending security monitoring and vulnerability management beyond the corporate IT network and into COFCO International’s industrial plants around the world.
Elazar looked for a holistic solution that would provide the foundation for a more proactive and centralized security stance. “Our approach was to look for a non-invasive solution that could be rapidly operationalized and was easy to operate. It made sense to build on our Microsoft Defender and Azure security investments and use all the cloud-based security solutions Microsoft has to offer,” he says. “For simplicity and scalability, I see this as the optimum approach to reducing risk.”
The need for centralized visibility into production risk
Initially, each of the firm’s plants was largely isolated, comprising specialized equipment from diverse operational technology (OT) vendors such as Rockwell Automation, Siemens, Honeywell, and Schneider Electric. Each was managing its own local environment, offering little or no visibility to the corporate security operations team.
Elazar was aware of how difficult it could be to provide a single security operations view that combined information about local IoT/OT assets, vulnerabilities, and threats with security information about the broader corporate environment, such as corporate endpoints and next-generation firewalls. “There was a security gap between IT and OT at that time,” he says. “IT security was more mature than OT. We knew we had a problem, we just didn’t know how big. Rather than visiting each plant and implementing custom individualized solutions, we decided to collaborate with Microsoft to implement a more centralized and standardized approach.”
Making this happen would turn out to be as much a cultural and organizational process as a technical one. In industrial environments, it’s common for the plant operations team to be protective of their business-critical operational technologies. Elazar wanted to give the global security team visibility into those environments without compromising the fiercely protected capability of each plant to operate according to its specific requirements, with neither dependence on, nor perceived interference from, the central security organization.
Explaining the business need for stronger OT security
As in many industrial organizations that have grown via mergers and acquisitions, each of the COFCO International plants has its own specialty with its own resources, OT equipment vendors, and budget. Elazar recalls conversations with plant managers in which he initially raised the idea of a stronger and more standardized approach to OT security. “They were telling us, ‘We’re not a sugar plant; we’re a coffee plant. We don’t have this process; we have another process. We don’t use this automation vendor; we use that one!’”
And yet, from a business point of view, it’s crucial that all factories be secured against unscheduled downtime caused by a ransomware attack, especially during seasonally intensive periods like harvest. “When the plant stops production, it creates a huge financial and operational impact that ripples up and down the supply chain,” says Elazar. “We needed a practical, agentless solution for automated asset discovery, vulnerability management, and global real-time threat monitoring, without interfering with operations inside each plant. Microsoft Defender for IoT was the perfect choice.”
Defender for IoT provides agentless, network-layer security monitoring and visibility across a broad range of IoT/OT devices within an industrial plant, including proprietary embedded devices such as programmable logic controllers (PLCs) and older versions of Windows like Windows XP that can’t be easily upgraded. It provides plant-level visibility and control through a local web console, while seamlessly sharing security data with Microsoft Sentinel, a cloud-native SIEM/SOAR solution, for a global, enterprise-wide view. It also provides a centralized management console for viewing assets, vulnerabilities, and threat alerts across all plants on a global basis.
Key to its value is the visibility that plant managers get into their specific environment and the IoT/OT assets within it, alerting them to operational issues that can reduce plant efficiency such as malfunctioning or misconfigured equipment. But at the same time, security visibility extends into the corporate security operations center (SOC), in order to detect and track modern, multi-stage attacks that typically cross IT/OT boundaries as adversaries move laterally from one network to the other.
Increased visibility catches destructive malware
Although COFCO International’s plants were air-gapped from the public internet, the security team knew there were still occasional security incidents, but they didn’t have the means to develop a clear picture of the extent of those incidents. “I told the plant managers that we don’t want to intrude into their network; the only ask is to install a single network sensor on the OT network. That’s it. A passive device with no impact on production availability or performance. And that solved our visibility issue.”
The value of that increased visibility became readily apparent when someone connected an older laptop infected with NotPetya malware to the corporate IT network at a COFCO International site in the UK. The laptop began broadcasting the virus, which quickly spread to the OT network at a European plant. Those events immediately triggered alerts in the local Defender for IoT sensor and subsequently in Microsoft Sentinel. The site was isolated, and the device identified and shut down.
This experience, says Elazar, highlighted the importance of a Zero Trust approach because it showed how easy it is for attackers to pivot from IT to OT and potentially shut down production or cause a safety incident. The experience was key to obtaining management approval and funding to implement stronger network segmentation, including a demilitarized zone (DMZ) for proper isolation between IT and OT.
It also showed the importance of having controls in place to enforce corporate policies. For example, the plant had a policy prohibiting employees and contractors from plugging laptops into the control network, but until they deployed Defender for IoT, they had no way of monitoring for compliance with that policy. “If you want to verify your policy is working, you need to have telemetry monitoring for the environment. And if you don’t have those controls in place,” he says, “that policy isn’t worth the paper it’s written on.”
Using asset discovery for budgeting and identifying upgrade requirements
One of the core Defender for IoT capabilities is the automatic discovery and classification of all IoT/OT devices connected to the OT network and the creation of a map of how they’re connected to each other. This auto-discovery typically happens within an hour or two of connecting the network sensor to the OT network. COFCO International is now using that detailed asset inventory information to build an accurate budget for upgrading their Windows hardware to support Windows 10, which will help them to standardize on Microsoft Defender for Endpoint as their single anti-malware solution. This solution will be easier to manage compared to the non-standard mix of third-party antivirus solutions currently in place across different plants.
Managing vulnerabilities
Another core capability is identifying vulnerabilities in the OT environment—such as unauthorized connections to the internet, unauthorized IT/OT connections, unencrypted passwords, and missing patches—and providing an overall risk score plus risk-based recommendations on how to address them.
The Defender for IoT Vulnerability Assessment (VA) report is now reviewed on a weekly basis with local plant personnel, and on a monthly basis with the CIO and OT management. This process helps ensure accountability for reducing risk and is also used to track continuous improvement over time.
Continuous protection from ransomware and targeted attacks
Once COFCO International standardized on Defender for IoT and gained a clearer view of its OT networks, devices, and traffic, it was well positioned to make design changes to strengthen overall security and build a more secure environment. After the security incident at their European site, OT management, IT leaders, and local site personnel understood the risk and were all on board with the global IT/OT initiative.
The global view of device behavior across all discovered assets helped COFCO International craft a strategy for upgrading devices and developing stronger segmentation. With Defender for IoT continuously monitoring for unauthorized or suspicious behavior, and Microsoft Sentinel providing automated responses via SOAR playbooks, Elazar says the firm can now better detect and respond to threats such as destructive ransomware and targeted attacks.
COFCO International is also employing automated threat mitigation via built-in automated orchestration between Defender for IoT and the firm’s next-generation firewall platform. When Defender for IoT identifies potentially malicious behavior—such as malware, PLC reprogramming, or a PLC Stop command—it automatically creates firewall rules to block sources of malicious traffic.
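To make the orchestration described above concrete, here is an added example (not COFCO International's or Microsoft's code) of the triage logic a SOAR playbook performs between an OT sensor alert and a firewall: the alert fields, the PLC subnet `10.50.1.0/24`, and the sample alerts are all constructed for illustration. It also shows the caveat a practitioner would want: the rule blocks the source of the malicious traffic, never a PLC on the protected OT subnet, and repeated alerts from one source collapse into one rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Alert categories the page names as triggering an automatic firewall block.
BLOCK_CATEGORIES = {"malware", "plc_reprogramming", "plc_stop"}

# Constructed example: the plant's PLC subnet. A source inside it is never
# auto-blocked, because a misfiring rule there would itself halt production.
PROTECTED_OT = [ip_network("10.50.1.0/24")]

@dataclass(frozen=True)
class Alert:
    category: str   # constructed field names, not a real sensor schema
    severity: str   # "high" / "medium" / "low"
    src_ip: str     # host that originated the suspicious traffic
    dst_ip: str     # OT asset it was aimed at

@dataclass(frozen=True)
class FirewallRule:
    action: str
    src_ip: str
    comment: str

def is_protected(ip: str) -> bool:
    """True when the address lies inside a subnet we refuse to auto-block."""
    return any(ip_address(ip) in net for net in PROTECTED_OT)

def triage(alerts):
    """Return (block rules, alerts held for human review).

    Rules key on the source, not the targeted PLC, and are deduplicated so
    a worm sweeping the whole OT subnet yields one rule, not hundreds.
    """
    rules, review, seen = [], [], set()
    for a in alerts:
        if a.category not in BLOCK_CATEGORIES or a.severity == "low":
            continue
        if is_protected(a.src_ip):
            review.append(a)   # an OT asset is the source: humans decide
            continue
        if a.src_ip in seen:
            continue
        seen.add(a.src_ip)
        rules.append(FirewallRule("block", a.src_ip,
                                  f"auto: {a.category} toward {a.dst_ip}"))
    return rules, review

# Constructed sample: an infected IT laptop sweeping two PLCs, a stop command
# issued from a station inside the OT subnet, and a low-severity event.
SAMPLE_ALERTS = [
    Alert("malware", "high", "192.168.20.77", "10.50.1.10"),
    Alert("malware", "high", "192.168.20.77", "10.50.1.11"),
    Alert("plc_stop", "high", "10.50.1.200", "10.50.1.10"),
    Alert("plc_reprogramming", "low", "192.168.20.5", "10.50.1.12"),
]
```

Running `triage(SAMPLE_ALERTS)` yields a single block rule for `192.168.20.77` and holds the in-subnet PLC Stop alert for review rather than blocking an OT host automatically.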
Next Steps for COFCO International
Elazar says, “Based on the success of our initial deployment to multiple plants worldwide, our next steps will be to make sure that all our Windows-based assets upgrade to Windows 10, all our plants deploy Defender for IoT, and all sensors forward alerts to Microsoft Sentinel so we can track all incidents in the cloud.” Meanwhile, plant personnel can still take local ownership of security or operational incidents, when necessary, via the local web console. “OT teams can access the sensor themselves and actually look into the information that is provided there, whether that’s network maps, connections, asset inventory, vulnerabilities, equipment malfunctions, or any other information,” says Elazar.
It’s an ongoing process, and COFCO International will be continuing to evolve and mature its new global IT/OT security infrastructure. “Automation is the key to scalable security processes. When we started out, we couldn’t automate the isolation of an infected device. Now with Defender for IoT, we can. Similarly, before we had to manually reset the passwords of misbehaving users and revoke all tokens, but today we have an automated process for that, too,” Elazar says. He plans to take advantage of the education, tools, and resources available from Microsoft, including user-contributed SOAR playbooks on GitHub. “For any company that is onboarding today on Microsoft Sentinel, those resources from Microsoft are very, very useful. They help define the roles, functions, and SOC workflows including escalation paths. It really is great!” concludes Elazar.