The attack on Colonial Pipeline in May last year, which affected the company's billing system, highlighted some cybersecurity gaps in both the US government and industries, as an attack on the IT systems of critical infrastructure was able to bring operational technology operations to its knees. Not only did the ransomware attack force Colonial Pipeline to go offline, but it also compromised the personal information of nearly 6000 individuals, highlighting the importance of adequate cybersecurity to protect both business operations and customers.
Even relatively unsophisticated attacks bring a torrent of consequences, while also revealing how far governments and OT asset owners still have to go to thwart cyber-attacks and implement defense-in-depth security control strategies that protect critical infrastructure. Unfortunately, Colonial Pipeline suffered these consequences and can now serve as a case study that teaches some valuable lessons about how to handle a cyber-attack. The primary takeaway for other organizations is to separate IT management from the operational technology itself. Other pipeline operators, for instance, have started paying more attention to proactively deploying a security strategy built on segregation and separation of duties, with clearly defined logical boundaries between IT and OT networks.
What Lessons Were Learned?
- Proactive cyber monitoring: security information and event management (SIEM) solutions, coupled with advanced threat intelligence, detection and monitoring, can help organizations recognize anomalous activity early. That way they can spot the signs of an attack in its early stages and protect their networks before it spreads.
- Protecting IT and OT convergence: Organizations should maintain the segregation and separation of OT and IT networks and implement defense-in-depth security controls suited to OT. It is essential to deploy identity, protection, detection, response and recovery controls at each layer, using complementary technology that understands proprietary OT protocols and networks.
- IT Governance to manage enterprise risk: Having standard procedures in place to decommission and shut down access points and obsolete equipment and networks would have reduced the organization’s threat surface and risk of breach. In addition, organizations should implement MFA for secure remote access to their systems, especially with so many workers continuing to work outside the office.
What Still Has to Change?
The mounting threats against critical national infrastructure are expanding the attack surface. The shift to remote work over the past year created ideal circumstances for threat actors to target industrial control systems (ICS), OT, IIoT and IoT systems, which were designed as proprietary, isolated or air-gapped networks. In addition, digital transformation has pushed industry into the early stages of the fourth industrial revolution, driven by digital communication and the ever-closer interlocking of humans and technology. What's more, IT/OT convergence means interconnected control systems are increasingly co-mingled with business IT networks at the boundary, leading to cross-contamination of traffic between LAN, WAN, internet, Wi-Fi, control networks and CIP protocols.
Unfortunately, OT ecosystems generally lack basic IT cybersecurity hygiene (AV, EDR, SIEM, SOAR, SSO and the like), which further exposes them to a plethora of threats. Asset owners therefore need to understand the security principles that apply to OT, which differ from those of IT, implement effective tactics to protect OT environments and provide the appropriate security controls.
While government regulations and general awareness of cybersecurity are increasing, breaches and attacks of all sorts are continuously evolving and becoming more sophisticated. There is still an ongoing shift toward remote operations and increased digital interactions, which further puts OT operations at risk. Even with the increased focus on cyber-resilience and security, it is still unclear whether organizations are taking advantage of the clear guidance on secure design and risk assessment in existing guidelines such as ISA/IEC 62443, NERC CIP, NIST SP 800-53, ISO 27001, TSA Pipeline, DHS CFATS and ISA S99. All of these specifications point toward the NIST Cybersecurity Framework (CSF), and asset operators need to begin shaping their security programs around it to protect their most critical assets.