Key Takeaways From the Colonial Pipeline Attack
Every time I hear about a new cyberattack, I ask myself: “Is this a new attack vector? A new vulnerability? A new creative tactic?” The answer is almost invariably no. Attack after attack, threat intelligence reports describe well known tactics that have been carried out numerous times in the past. I breathe a sigh of relief and remember Churchill’s famous World War II motto: “Be calm and carry on!”
The attack reported on May 7th on the Colonial Pipeline is no exception. The Colonial Pipeline is the largest pipeline system in the United States, carrying over 3 million barrels of refined oil products per day between Texas and New York. It is a critical infrastructure supplying almost 50% of the gasoline and jet fuel utilized by numerous industries and 50 million people on the East Coast. These critical infrastructures must be secured!
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) confirmed that DarkSide, a Russian cybercriminal hacking group that targets victims using ransomware and extortion was behind the Colonial Pipeline attack. They succeeded in gaining access to the company’s enterprise network and deploying the DarkSide ransomware to seize IT systems. It seems the attack did not spread to Colonial’s industrial network, as the company wisely disconnected OT systems to ensure safety of their industrial operations.
After paying a $4.4 million ransom and spending a long week restoring backups, Colonial was able to resume operations. Subsequently, fuel shortages began to occur across several airports such as at Charlotte Douglas International where airlines had to change flight schedules. Filling stations in several states also run out of fuel amid panic buying. Average fuel prices rose to their highest since 2014 and President Joe Biden declared a state of emergency to allow additional transport of fuel by road to alleviate shortages.
OT and IT networks have converged
Many reporters qualify this attack as one of the most critical one in the country’s history. This is certainly true considering the impact it had on the physical world, although it only targeted IT systems. Industrial and enterprise networks are converged. They are now so well-connected to each other that an attack on either one will disrupt the other, causing numerous cascading effects.
Yet, many industrial organizations still operate based on the assumption that the air gap they created to isolate industrial operations from the enterprise network will suffice. The Colonial Pipeline attack is another alarm bell for the industry, stressing the fact that protecting the physical world from cyberattacks requires a strong IT security practice as well as specific OT security measures. Organizations have started to build holistic security strategies, managing IT and OT security as a whole and not as two separate silos.
How can you secure it?
Here are a few measures that industrial organizations should implement to start converging their IT and OT security practices:
- Protect computer systems against malware. Almost every cyberattack starts with a malware intrusion or an attempt to drive users to compromised websites to steal credentials or infect their systems. Solutions such as Cisco Secure Endpoint (formerly AMP for Endpoints) detect attempts to infect a computer, trap watering hole websites, stop access and raise alert. Powered by threat intelligence from Cisco Talos, it is always up to date to detect the latest threats.
- Secure emails to block suspicious messages. Spear phishing email campaigns are generally how bad actors get malware in place or how they lure employees to connect to malicious web sites. Solutions such as Cisco Secure Email will get you protected so you don’t have to pray for employees not to open malicious files or click on suspicious links in an email.
- Enforce security at the DNS layer. Attacks are controlled via the internet. Cisco Umbrella analyses DNS queries to block requests to malicious domains, suspicious files or direct IP connections from command-and-control callbacks. Fully delivered from the cloud, this SASE approach to OT security is ideal to protect distributed industrial assets.
- Implement multi-factor authentication (MFA). Cybercriminal groups such as DarkSide rely on weak passwords to gain access to an organization’s network and critical systems. Solutions such as Cisco Duo enable Zero Trust access to applications and network entry points so stolen or compromised credentials won’t be a threat anymore.
- Isolate your OT and IT networks. Building an industrial DMZ is the mandatory first step to prevent malicious activities from reaching industrial control systems. Cisco Secure Firewalls are critical to blocking malware intrusions, stopping the infection spread and can be configured with policies to only allow the communications that are really needed to run operations.
- Implement a robust network segmentation. Enforcing ISA/IEC 62443 zones and conduits to isolate industrial zones from each other further solidifies your security posture. Industrial firewalls such as Cisco Secure Firewall ISA3000 physically prevent lateral movements between industrial network segments. Cisco Identity Services Engine (ISE) can also be used to implement micro-segmentation within the OT network leveraging Cisco Catalyst Industrial Ethernet
- Inventory and monitor the industrial network. Gaining visibility on your industrial control systems is key to ensure all assets are protected. Cisco Cyber Vision automates the discovery process at scale so you can implement OT security best practices. It also monitors industrial communications to detect abnormal behaviors and raise alerts.
- Investigate and manage security events across both IT and OT domains. Because IT and OT networks have converged, threat investigations and remediations must converge too. Cisco SecureX empowers your security teams with a single console that aggregates threat intelligence and data from multiple security technologies—Cisco and others, making investigation and remediation fast, simple, and highly effective.
- Test your defense, your recovery process, and train your teams. Don’t be caught by surprise. Have backups ready. Engage an IT and OT incident response team such as Cisco Talos to develop customized playbooks and test your defense through table-top exercises so that your security teams are ready when a crisis occurs.
This might sound like a daunting list, but everything doesn’t have to be deployed overnight. A global pre-integrated solution would make it much easier to deploy and operate while offering unmatched features. Security is a journey where new capabilities are added depending on your priorities and the events you fear the most. Cisco has designed a reference architecture that will help you phase your project. Read more about it here.
What about you? How mature is your organization’s OT Security practice? Take the test and see what you should do next! To learn more about how you can secure your IoT/OT infrastructure, visit our IoT Security page or contact us. To get the latest industry news on IoT Security delivered straight to your inbox, subscribe to the Cisco IoT Security Newsletter.
Author Vikram Sharma is senior manager, engineering, IoT, at Cisco Systems. Read more guest blogs from Cisco here.