Colonial Pipeline, the largest refined products pipeline in the USA, was subject to an OT/IT ransomware attack on Friday, causing a wide range of facilities that are critical to US national infrastructure to be shut down. It looks like we are already seeing supply shortages.
Initial investigation points to an attack in which malware gained access to the company’s business networks, probably via email. Accepting that we do not have a complete picture yet, it seems probable that the malware was transmitted to the SCADA systems: the Operational Technology that connects the pipeline IT control centre to every terminal, pumping station and so on.
The subject article makes some very good points:
Marco Ayala, ICS cybersecurity and sector lead, 1898 & Co. (part of construction engineering firm Burns & McDonnell) and Sector Chief of the FBI’s Maritime Domain InfraGard Group:
‘Shutting down operations is a clear sign that they have little faith in their current operating technology security system, security environment and posture’
Marty Edwards, Vice President of Operational Technology Security at cybersecurity firm Tenable and the longest-serving director of ICS-CERT:
‘It is often the case that critical infrastructure owners and operators simply don’t have enough visibility, especially into these operating technology and industrial control system environments’
‘They have the systems in place on the IT network to be able to reach into all of those laptops that are sitting on people’s desks at home because of the pandemic, but they don’t often have the same technology to reach into the industrial control system environments and determine their state’
‘OT and IT are so intertwined now that if [an attacker takes down IT], OT could possibly crumble’
An important aspect of the incident is that the perpetrators claim not to have intended to cause this level of disruption. This kind of unintended consequence is very common: once an infection is loose, anything can happen. You don’t even need to have been targeted as an organisation – you might simply be collateral damage in an attack on someone else.
This kind of attack linking IT and OT is of primary interest to Cyber Prism: it is one of the main reasons why we exist and is exactly the sort of thing we are here to protect against:
• Our ProcessGuard Universal Threat Manager is designed to isolate malware infections attempting to reach OT from IT whilst allowing OT’s vital operating and safety functions to continue: so no shutdown is needed
• Our ground-breaking CyberMonitor monitoring and alerts system performs the full range of network security functions, works with any manufacturer’s networked equipment and is highly effective in OT environments
• We have the deep experience of OT to wrap these products in the right supporting services
This event and the many others like it are deeply regrettable: they levy a huge cost upon industry and pose a danger to the people involved. Thankfully, the security risks to OT seem to be gaining the visibility they deserve: we look forward to playing our part in improving protection and response.