After all that has been said and done about the US oil pipeline ransomware attack, will these lessons spur action?
In early May 2021, the US oil refinery firm Colonial Pipeline reported that it was a victim of a ransomware attack. The breach underscored the vulnerability of national critical infrastructure to hackers, and brought that issue to the attention of governments everywhere.
Very often, operational technology (OT) networks run on proprietary protocols where legacy equipment is incompatible with traditional IT security tools such as virtual private networks (VPNs) used in enterprise IT environments. This means that the same security tools that work well in IT are not adequate for OT.
When a firm connects its OT assets to its corporate IT network without appropriate additional security measures, it leaves itself exposed, potentially with an expanded attack surface. Threat actors are given numerous direct or indirect pathways into the OT network and the critical systems and physical processes it controls.
Just one single stolen password
In the case of Colonial Pipeline, about a month after the attack, the company’s CEO disclosed to government officials that the perpetrators got into the system by stealing a single password.
This password gave them access to a legacy VPN system used to reach the company’s servers remotely. Because the VPN did not have multi-factor authentication in place, the attackers needed only the username and the password to gain access to the largest petroleum pipeline in the country.
These vulnerability issues were compounded by the fact that oil and gas companies’ OT assets are frequently spread across large geographical distances and multiple countries, and are typically sourced from different vendors, who each use different proprietary protocols. This makes it challenging for oil and gas companies to identify and address potential cyber risks.
The Colonial Pipeline breach has highlighted to governments that OT network protection of critical national infrastructure is a national security issue. The US government immediately moved to mandate incident-reporting procedures and to ensure that private companies in critical sectors harden their cybersecurity practices.
Ripple effects in Asia
Even before this attack, some governments in Asia were already broaching the issue of critical infrastructure vulnerabilities due to the digitalization of OT. In October 2019, the Singapore government had outlined an OT Master Plan for cyber resilience through public-private partnerships. By May 2021, the formation of the OT Cybersecurity Expert Panel to complement the OT Master Plan was announced.
Additionally, at a recent webinar hosted by Claroty, regional security experts converged to discuss the implications of the ransomware attack.
The panel concurred that, when faced with the decision of whether to shut down operations in the event of a ransomware attack, there are steps organizations can take beforehand to help leaders make better decisions.
Decisions should be grounded in data
What constitutes effective industrial cybersecurity?
- We must start with knowing what needs to be secured: you always need a current inventory of all OT, Internet of Things (IoT), and Industrial IoT (IIoT) assets, processes, and connectivity paths into the OT environment.
- With an accurate picture, you can tackle inherent critical risk factors: from vulnerabilities and misconfigurations to poor security hygiene and untrustworthy remote-access mechanisms. Visibility into process values such as temperatures, chemical composition, and product formulas can help ensure the quality and consistency of outputs.
- Establish a behavioral baseline against which to monitor the network and understand the vulnerabilities, threats, and risks that may be present—including anomalies that may indicate an early-stage attack—in order to take pre-emptive actions.
- In addition to strengthening your industrial network defenses, you also need to build resilience. When executed effectively, network segmentation is an effective strategy for impeding attackers’ lateral network movement.
- In today’s hyper-connected world, OT networks are no longer air-gapped, and network segmentation compensates for this. Since these environments are often geographically dispersed, deploy virtual segmentation to zones within the industrial control system (ICS) network to regain control over isolated sites. This will alert you to lateral movement as malicious actors try to establish a presence, jump zones, and move across the environment.
- Virtual segmentation can also improve network monitoring and access control, and greatly accelerate response time. In the event an attacker does establish a foothold, you can shut down only portions of the network, regain control, and drive intruders out, saving cost and reducing downtime.
- Additionally, encryption of data at rest and in motion is important for good cyber defense and resilience with respect to ransomware. Secure, available offline backups are crucial to rapid recovery from such attacks. Make sure you know where backups are, how to access them and that they are regularly tested.
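The behavioral baseline and zone-based virtual segmentation described in the list above can be turned into simple detection logic. The following is an added example written for this article, not Claroty's product or any code from the webinar; the host-to-zone map, ports and flow records are constructed sample data, and the "learning window" and "lateral movement" heuristics are assumptions.

```python
"""Learn a zone-to-zone baseline from normal ICS traffic, then flag cross-zone paths
that never appeared in the baseline and hosts that start reaching several new zones."""
from collections import defaultdict

# Constructed host-to-zone map (assumed segmentation layout, not from the article).
ZONES = {
    "10.1.0.5": "enterprise-it",
    "10.2.0.10": "dmz-historian",
    "10.3.0.20": "control-plc-a",
    "10.3.0.21": "control-plc-a",
    "10.4.0.30": "control-plc-b",
}

# Constructed learning window: (src, dst, dst_port) flows seen during normal operation.
BASELINE_FLOWS = [
    ("10.1.0.5", "10.2.0.10", 443),   # IT workstation pulls historian reports
    ("10.2.0.10", "10.3.0.20", 502),  # historian polls PLC over Modbus/TCP
    ("10.3.0.20", "10.3.0.21", 502),  # intra-zone PLC-to-PLC traffic
]

# Constructed observation window: a compromised IT host probing into control zones.
OBSERVED_FLOWS = [
    ("10.2.0.10", "10.3.0.20", 502),  # benign, matches baseline
    ("10.1.0.5", "10.2.0.10", 3389),  # new port into the DMZ zone
    ("10.1.0.5", "10.3.0.20", 502),   # IT host talking Modbus directly to a PLC
    ("10.1.0.5", "10.4.0.30", 502),   # same host reaching a second control zone
]


def build_baseline(flows, zones):
    """Return the set of (src_zone, dst_zone, dst_port) triples seen in the learning window."""
    return {(zones[s], zones[d], p) for s, d, p in flows}


def evaluate(flows, baseline, zones, lateral_threshold=2):
    """Return (alerts, lateral_hosts). An alert is raised for every flow whose zone path
    and port are absent from the baseline; a host is reported as a lateral-movement
    candidate when it reaches at least `lateral_threshold` zones via such new paths."""
    alerts, new_zones_by_host = [], defaultdict(set)
    for s, d, p in flows:
        triple = (zones.get(s, "unknown"), zones.get(d, "unknown"), p)
        if triple not in baseline:
            alerts.append(("new-zone-path", s, d, p))
            new_zones_by_host[s].add(triple[1])
    lateral = [h for h, z in new_zones_by_host.items() if len(z) >= lateral_threshold]
    return alerts, lateral
```

In this constructed scenario the historian's routine PLC poll passes silently, while the IT host that jumps from the DMZ into two separate control zones is reported as a lateral-movement candidate.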
The main lesson from the attack applies to all industrial organizations: digital transformation expands an organization’s attack surface, and without the correct security tools in place, such organizations cannot identify vulnerabilities or detect malicious activity well.