In early May 2021, The Colonial Pipeline Company reported that it was a victim of a cybersecurity attack that involved ransomware. The breach underscored the vulnerability of national critical infrastructure to hackers and brought that issue to the attention of governments everywhere.
In many instances, operational technology (OT) networks run on proprietary protocols where legacy equipment is incompatible with traditional IT security tools such as virtual private networks (VPNs) used in enterprise IT environments, meaning the same security tools that work well in IT are not adequate for OT. When a company connects its OT assets to its corporate IT network without the appropriate additional security measures, it leaves itself exposed, potentially with an expanded attack surface. Threat actors are given numerous direct or indirect pathways into the OT network, and to the critical systems and physical processes, it controls.
In the case of Colonial Pipeline, about a month after the attack, the company’s CEO disclosed to U.S. government officials that the perpetrators were able to get into the system by stealing a single password. This password gave them access to a legacy VPN system used to remotely access the company’s servers. Because the VPN did not have multi-factor authentication in place, the attackers needed only to know the username and the password to gain access to the largest petroleum pipeline in the country.
These vulnerability issues are compounded by the fact that oil and gas companies’ OT assets are frequently spread across large geographical distances (sometimes multiple countries), and are typically sourced from different vendors, who each use different proprietary protocols. This makes it challenging for oil and gas companies to identify and address potential cyber risks.
The Colonial Pipeline breach highlighted to governments that OT network protection of critical national infrastructure was a national security issue. The U.S. immediately moved to mandate incident-reporting procedures and to ensure that hardened cybersecurity practices be installed and required of private companies that operate in some sectors, such as energy, oil and gas, transportation, finance, healthcare, and food and beverage.
Some governments in Asia were already broaching the issue. In October 2019, the Singapore government’s Cybersecurity Agency, CSA, outlined an OT Master Plan, which includes adopting technologies for cyber resilience through public-private partnerships to protect Singapore from cyber-attacks on critical sectors like transport and water supply. In May 2021, the CSA announced the formation of the OT Cybersecurity Expert Panel. The panel complements CSA’s OT Master Plan and members will meet in October 2021, to discuss ways to strengthen local cybersecurity capabilities and competencies in the operational technology sector.
At a recent webinar hosted by Claroty, security experts came together to discuss the implications of the Colonial Pipeline ransomware attack, whether the company’s fuel operations should have been shut down, and what you need to know about the impact of ransomware on industrial processes. The panel agreed that regardless of who is involved in the decision to shut down operations when a ransomware attack happens, there are steps organizations can take, no matter where they are in their cybersecurity journey, to help make better decisions.
Decisions should be grounded in data
Effective industrial cybersecurity must start with knowing what needs to be secured. You always need a current inventory of all OT, Internet of Things (IoT), and Industrial IoT (IIoT) assets, processes, and connectivity paths into the OT environment.
With an accurate picture, you can tackle inherent critical risk factors–from vulnerabilities and misconfigurations to poor security hygiene and untrustworthy remote-access mechanisms. Visibility into process values–such as temperatures, chemical composition, and product formulas–can help ensure the quality and consistency of outputs. You can establish a behavioral baseline against which to monitor the network and understand the vulnerabilities, threats, and risks that may be present–including anomalies that may indicate an early-stage attack–in order to take pre-emptive actions.
Build resilience to regain control
In addition to strengthening your industrial network defenses, you also need to build resilience. When executed effectively, network segmentation is an effective strategy for impeding attackers’ lateral network movement.
In today’s hyper-connected world, OT networks are no longer air-gapped and network segmentation compensates for this. Since these environments are often geographically dispersed, deploy virtual segmentation to zones within the industrial control system (ICS) network to regain control over isolated sites. This will alert you to lateral movement as malicious actors try to establish a presence, jump zones, and move across the environment.
Virtual segmentation can also improve network monitoring and access control, and greatly accelerate response time. In the event an attacker does establish a foothold, you can shut down only portions of the network, regain control, and drive intruders out, saving cost and reducing downtime.
Additionally, encryption of data at rest and in motion is important for good cyber defense and resilience with respect to ransomware. Secure, available offline backups are crucial to rapid recovery from such attacks. Make sure you know where backups are, how to access them, and that they are regularly tested.
The main lesson from the Colonial Pipeline attack applies to all industrial organizations: Digital transformation expands an organization’s attack surface, making it easier for threat actors to enter the network and gain control of OT assets. Without the correct security tools in place organizations can’t identify vulnerabilities or detect malicious activity.
If you wish to watch the webinar and hear the full discussion, you can watch the on-demand webinar replay now.
Vijay Vaidyanathan is Regional Vice President – Solutions Engineering, APJ at Claroty. Vijay works predominantly on the front lines of customer cybersecurity risks and challenges for their plants, factories, and industrial automation control systems. He has extensive experience in helping industrial and critical infrastructure facilities understand their current status and gaps. He provides guidance on how to protect productivity and availability considering the active cyber threat landscape around us.
TechNode Global publishes contributions relevant to entrepreneurship and innovation. You may submit your own original or published contributions subject to editorial discretion.
Featured image credits: Pixabay