Never Let a Crisis Go to Waste: Lessons from the Colonial Pipeline Attack
By The Claroty Team | May 26, 2021
For years now, the government has been warning openly and clearly of targeted attacks against government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. The recent ransomware attack attributed to the DarkSide cybercrime group against Colonial Pipeline made the risk real for all of us. Not only did the attack against Colonial’s IT network prompt the company to shut down its pipeline operation to contain the attack, but the shutdown also sent prices climbing and consumers in some states scrambling to find gasoline at the pumps.
Recently, Mike Mimoso, Claroty’s Editorial Director, gathered Claroty experts on the front lines of industrial cybersecurity for a webinar, “The Implications of Ransomware on OT Networks: What you need to know post-Colonial Pipeline about how ransomware impacts industrial processes.” Among the panelists was Admiral (Ret.) Michael S. Rogers, Claroty Chairman, Board of Advisors, who set the tone with his perspective, “Never let a crisis go to waste. Use it to drive change.” It is in that spirit that he, together with Gary Kneeland, Sr. Product Manager, and Justin Woody, Director of Innovation, shared their observations, advice and next steps for IT and OT teams.
Ransomware attacks are largely opportunistic. In this instance, the cybercriminals leveraged a ransomware-as-a-service operation to target large organizations that they believed could pay large ransom demands. We don’t know the initial attack vector at this point for Colonial Pipeline, but the three most typical ways in are unpatched systems, phishing, and leaked credentials, which can be stolen or purchased. As companies prioritize digitization and the convergence of IT and OT networks expands dramatically, the lines between IT networks and OT networks are blurring. Once inside the network, attackers can move laterally to other network domains.
To date, we haven’t seen any examples of ransomware specifically targeting OT components and this holds true for Colonial Pipeline; the ransomware infiltrated the IT network and there is no evidence that it directly impacted the OT network. However, out of an abundance of caution Colonial shut down the OT side of the network, thus precluding their ability to distribute fuel. This move on their part was driven by lack of visibility and understanding of their level of exposure and limited confidence in their ability to mitigate the impact to the OT network, which leads us to the next area of discussion…
Basic security practices that can lessen the impact of a ransomware attack
While the panelists discussed several security practices, here are five top recommendations:
Foundational to any security program is having visibility and accurate knowledge of your network structure, endpoints, and connectivity paths, which have grown steadily and increased dramatically over the last 15 months. With an always-current inventory you can patch systems, or apply additional verification or other compensating controls on legacy and unsupported systems.
Encryption of data at rest and in motion is important for good cyber defense and resilience with respect to ransomware. Secure, available offline backups are crucial to rapid recovery from such attacks.
Network segmentation is a critical strategy to impede attackers’ lateral network movement. In today’s hyper-connected world, OT networks are no longer air-gapped and network segmentation compensates for this.
Continuous network monitoring for unusual activity allows you to see when bad actors enter the network and respond faster to make a bad situation better.
Planning, and testing those plans with tabletop exercises and red team/blue team exercises, can be done without impacting your production environment. The more you train and test, the better prepared you are to respond rapidly and effectively. If you work with third parties, make sure disaster recovery is included in your services agreement.
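The first, third and fourth recommendations above (an always-current inventory, segmentation between IT and OT, and continuous monitoring) can be combined into one simple check. The following is an added example, not code from Claroty or from the webinar: it evaluates network flow records against a constructed asset inventory and a Purdue-style zone policy (IT, an IT/OT DMZ, and OT), flagging uninventoried hosts, cross-zone flows that bypass the DMZ, and industrial protocols originating outside OT. All addresses, zones, device names and sample flows are constructed for the example.

```python
# Added example (not code from Claroty or the webinar): a minimal detector
# that checks network flow records against an asset inventory and a
# zone-conduit policy. Addresses, zones and device names are constructed.
from dataclasses import dataclass
from typing import Dict, List
import ipaddress

# Hypothetical zones, Purdue-style: IT, an IT/OT DMZ, and the OT network.
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT":  ipaddress.ip_network("10.30.0.0/16"),
}

# Permitted zone-to-zone conduits. IT may reach OT only via the DMZ;
# any other cross-zone flow is treated as a segmentation violation.
ALLOWED_CONDUITS = {
    ("IT", "IT"), ("DMZ", "DMZ"), ("OT", "OT"),
    ("IT", "DMZ"), ("DMZ", "IT"), ("DMZ", "OT"), ("OT", "DMZ"),
}

# Industrial protocol ports that should only ever originate inside OT.
OT_PROTOCOL_PORTS = {502: "Modbus/TCP", 102: "S7comm",
                     20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed asset inventory (the "always-current inventory" from the post).
INVENTORY: Dict[str, str] = {
    "10.10.1.5":  "corp-ws-01",
    "10.20.0.10": "jump-host-01",
    "10.30.1.20": "plc-line-1",
    "10.30.1.21": "hmi-line-1",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone, or UNKNOWN if it matches no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def check_flow(flow: Flow, inventory: Dict[str, str] = INVENTORY) -> List[str]:
    """Return the findings for one flow; an empty list means it is expected."""
    findings: List[str] = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    # Inventory check: any endpoint we do not know about is a finding.
    for label, ip in (("source", flow.src), ("destination", flow.dst)):
        if ip not in inventory:
            findings.append(f"unknown {label} {ip} not in inventory")
    # Segmentation check: the zone pair must be an approved conduit.
    if (src_zone, dst_zone) not in ALLOWED_CONDUITS:
        findings.append(f"segmentation violation {src_zone}->{dst_zone}: "
                        f"{flow.src} -> {flow.dst}:{flow.dport}")
    # Protocol check: industrial protocols should not originate outside OT.
    proto = OT_PROTOCOL_PORTS.get(flow.dport)
    if proto and src_zone != "OT":
        findings.append(f"{proto} traffic from non-OT host {flow.src} to {flow.dst}")
    return findings


def triage(flows: List[Flow]) -> Dict[Flow, List[str]]:
    """Run every flow through check_flow and keep only those with findings."""
    alerts: Dict[Flow, List[str]] = {}
    for flow in flows:
        findings = check_flow(flow)
        if findings:
            alerts[flow] = findings
    return alerts


# Constructed sample flows: two expected, two that should alert.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.20.0.10", 3389),   # engineer -> jump host: allowed
    Flow("10.20.0.10", "10.30.1.21", 3389),  # jump host -> HMI: allowed
    Flow("10.10.1.5", "10.30.1.20", 502),    # IT workstation talking Modbus to a PLC
    Flow("10.10.9.99", "10.30.1.20", 502),   # uninventoried IT host doing the same
]

if __name__ == "__main__":
    for flow, findings in triage(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}")
        for finding in findings:
            print("   ", finding)
```

The policy is deliberately a small allow-list: every conduit that is not named is a finding, which is what makes an IT host reaching a PLC directly visible even before the protocol check fires. In practice the inventory and zone map would come from the asset-discovery and monitoring platform the post describes rather than from literals.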
Topics for ongoing discussion
As ransomware attacks increase in frequency and sophistication, several questions were raised by the audience and will remain important topics for discussion for some time to come, including:
What should the role of government be?
Colonial Pipeline made the decision to shut down their pipeline on their own. While perhaps not applicable to every segment, for companies in some critical sectors like energy, oil and gas, transportation, finance and healthcare, the decision to shut down may need to be made in consultation with government entities and not in a vacuum. However, if this is the case, provisions must be made for immediate access and dedicated attention.
To pay or not to pay?
Pressures to pay a ransom vary based on circumstances; there is no one-size-fits-all approach. But if a legal framework is passed that introduces penalties for the payment of ransom, then government entities must be available to help in real time as companies manage through these attacks. And what are the implications for insurance providers? Similar to auto insurance that rewards good drivers and safer cars, cyber insurance should be used to encourage stronger security practices, not as a means to sidestep risk and accountability.
Is my organization on a target list?
There are many different, shifting factors that play into this, including the geopolitical climate, economic drivers, and disruptive regional or world events. But Admiral Rogers advises against using the probability of your organization being targeted as a cornerstone of your cyber defense and resilience strategy. We repeatedly see that what the adversary cares most about is whether you have money to pay a ransom and whether their technique to gain network access will be effective against you. Furthermore, as the SolarWinds attack showed, the hundreds of entities affected were not specifically targeted; they happened to be part of the supply chain and were collateral damage.
To hear the full discussion and learn more about how to use this crisis to drive real and meaningful change that strengthens your organization’s industrial cybersecurity, watch the on-demand webinar replay now.