

Cyber Attack Overview: Colonial Pipeline Ransomware Incident

The Claroty Team
/ January 12th, 2023

For years now, the government has been warning openly and clearly of targeted attacks against government entities and multiple U.S. critical infrastructure sectors — including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. The recent ransomware attack, attributed to the DarkSide cybercrime group, against Colonial Pipeline made the risk real for all of us. The Colonial Pipeline cyber attack prompted the company to shut down its pipeline operation, disrupting the delivery of gasoline and other petroleum products across much of the southeast United States. This incident affected multiple segments of the transportation industry — with jet fuel shortages for many carriers causing disruptions to air transportation, and fear of gas shortages leading to panic-buying at the pump amongst consumers. 

Recently, Mike Mimoso, Claroty's Editorial Director, gathered Claroty experts on the front lines of industrial cybersecurity for a webinar, "The Implications of Ransomware on OT Networks: What you need to know post-Colonial Pipeline about how ransomware impacts industrial processes." Among the panelists was Admiral (Ret.) Michael S. Rogers, Claroty Chairman, Board of Advisors, who set the tone with his perspective stating, "Never let a crisis go to waste. Use it to drive change." It is in that spirit that he, together with Gary Kneeland, Sr. Product Manager, and Justin Woody, Director of Innovation, shared their observations, advice, and next steps for IT and OT teams.

How Ransomware Can Impact OT Networks

Ransomware attacks are largely opportunistic. During the Colonial Pipeline cyber attack, the perpetrators leveraged a ransomware-as-a-service operation to target large organizations which they believed could pay large ransom demands. We don't know the initial access vector that ultimately led to the Colonial Pipeline shutdown, but the three most typical ways in are unpatched systems, phishing, and leaked credentials, which can be stolen or purchased. As organizations prioritize digitization and the convergence of IT and OT networks expands, the lines between IT networks and OT networks are blurring. This has brought on a significant industrial cybersecurity challenge, as cybercriminals who gain a foothold in one network domain now have the ability to move laterally into others.

To date, however, we have not seen any examples of ransomware specifically targeting OT components. This holds true for the Colonial Pipeline cyber attack, where the ransomware infiltrated the IT network, with no evidence that it directly impacted the OT network. Although there was no impact to OT, out of an abundance of caution, Colonial Pipeline still shut down the OT side of the network, thus precluding its ability to distribute fuel. The decision to shut down OT operations was driven by a lack of visibility into and understanding of their level of exposure, and by limited confidence in their ability to mitigate the impact to the OT network. Fortunately, this challenge can be addressed with basic security practices, and those same practices can then be used to prevent cyber threats of this nature in the future.

Lessons From the Colonial Pipeline Attack

While the panelists discussed several security practices, here are the five top recommendations:

  1. Foundational to any security program is having visibility and accurate knowledge of your network structure, endpoints, and connectivity paths, which have been growing steadily and have increased dramatically over the last 15 months. With an always-current inventory you can patch systems, or apply additional verification or other compensating controls to legacy and unsupported systems that cannot be patched.

  2. Encryption of data at rest and in motion is important for good cyber defense and resilience with respect to ransomware, while secure, readily available offline backups are crucial to rapid recovery from such attacks.

  3. Network segmentation is a critical strategy to impede attackers' lateral network movement. In today's hyper-connected world, OT networks are no longer air-gapped and network segmentation compensates for this.

  4. Continuous network monitoring for unusual activity allows you to see when bad actors enter the network and respond faster to make a bad situation better.

  5. Planning, and testing those plans with tabletop exercises and red team/blue team exercises, can be done without impacting your production environment. The more you train and test, the better prepared you are to respond rapidly and effectively. If you work with third parties, make sure disaster recovery is included in your services agreement.
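Recommendations 1, 3 and 4 reinforce each other: an accurate inventory tells you which zone a host belongs to, a segmentation policy says which zone-to-zone flows are legitimate, and monitoring checks observed traffic against both. The following script, added here as an illustration and not part of the original post or of any Claroty product, shows that combination on constructed data: the inventory subnets, the zone policy, the port numbers and the firewall flow lines are all made up for the example, and the log format is a hypothetical key=value syslog layout rather than any specific vendor's.

```python
"""Added example (not from the Claroty post): cross-check firewall flow records
against an asset inventory and an IT/OT segmentation policy.

Findings come in two kinds:
  SEGMENTATION_VIOLATION - a flow between zones (or on a port) the policy does not allow
  INVENTORY_GAP          - a flow involving a host the inventory does not know about
All hosts, subnets, ports and log lines below are constructed for the example.
"""
import ipaddress
import re
from collections import namedtuple

# Constructed inventory (recommendation 1): subnet -> (zone, description).
INVENTORY = {
    "10.1.0.0/24": ("IT", "corporate workstations"),
    "10.2.0.0/24": ("DMZ", "historian and jump hosts"),
    "192.168.50.0/24": ("OT", "PLCs and HMIs"),
}

# Constructed segmentation policy (recommendation 3): permitted TCP ports per
# (source zone, destination zone). None means any port is allowed within the
# pair; a pair that is absent from the table is not allowed at all.
POLICY = {
    ("IT", "DMZ"): {443, 3389},    # browse the historian, RDP to the jump host
    ("DMZ", "OT"): {502, 44818},   # Modbus/TCP and EtherNet/IP from the jump host only
    ("IT", "IT"): None,
    ("DMZ", "DMZ"): None,
    ("OT", "OT"): None,
}

Flow = namedtuple("Flow", "ts src dst port")

# Hypothetical key=value firewall log layout, e.g.
#   2023-01-12T09:00:01Z src=10.1.0.15 dst=10.2.0.5 dport=443
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<port>\d+)"
)


def zone_of(ip):
    """Map an address to its inventory zone; 'UNKNOWN' signals an inventory gap."""
    addr = ipaddress.ip_address(ip)
    for cidr, (zone, _desc) in INVENTORY.items():
        if addr in ipaddress.ip_network(cidr):
            return zone
    return "UNKNOWN"


def parse_flow(line):
    """Parse one log line into a Flow, or return None for lines we do not understand."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Flow(m["ts"], m["src"], m["dst"], int(m["port"]))


def evaluate(flow):
    """Return a finding string for a suspicious flow, or None if it matches policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "UNKNOWN" in (src_zone, dst_zone):
        return (f"INVENTORY_GAP {flow.src}->{flow.dst}:{flow.port} "
                f"({src_zone}->{dst_zone})")
    allowed = POLICY.get((src_zone, dst_zone), set())
    if allowed is None or flow.port in allowed:
        return None
    return (f"SEGMENTATION_VIOLATION {flow.src}->{flow.dst}:{flow.port} "
            f"({src_zone}->{dst_zone})")


def scan(lines):
    """Run every parsable line through the policy check (recommendation 4)."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue                # unparsable lines are skipped, not treated as findings
        finding = evaluate(flow)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample traffic: two legitimate flows, two direct IT-to-OT flows
# that bypass the DMZ, one flow from a host nobody inventoried, one bad line.
SAMPLE_LOG = [
    "2023-01-12T09:00:01Z src=10.1.0.15 dst=10.2.0.5 dport=443",
    "2023-01-12T09:00:07Z src=10.2.0.5 dst=192.168.50.10 dport=502",
    "2023-01-12T09:01:12Z src=10.1.0.15 dst=192.168.50.10 dport=445",
    "2023-01-12T09:01:30Z src=10.1.0.15 dst=192.168.50.10 dport=502",
    "2023-01-12T09:02:00Z src=172.16.9.9 dst=192.168.50.11 dport=502",
    "malformed line that the collector should never have emitted",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two design points are worth noting. An unknown host is reported as its own finding rather than silently allowed or denied, because the real problem in that case is the stale inventory, not the single flow. And the policy is written as an allow-list keyed on zone pairs, so a direct IT-to-OT connection is a violation regardless of port: the only sanctioned path to the OT zone runs through the DMZ jump host, which is the segmentation the panel describes as compensating for networks that are no longer air-gapped.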

Topics for Ongoing Discussion

Several questions were raised by the webinar audience and will remain important topics for discussion as ransomware attacks increase in frequency and sophistication. Thus, we wanted to share them here:

What should the role of government be?

Colonial Pipeline made the decision to shut down their pipeline on their own. While perhaps not applicable to every segment, for companies in some critical sectors like energy, oil and gas, transportation, finance and healthcare, the decision to shut down may need to be made in consultation with government entities and not in a vacuum. However, if this is the case, provisions must be made for immediate access and dedicated attention.

To pay or not to pay?

Pressures to pay a ransom vary based on circumstances; there is no one-size-fits-all approach. But if a legal framework is passed that introduces penalties for the payment of ransom, then government entities must be available to help in real time as companies manage through these attacks. And what are the implications for insurance providers? Similar to auto insurance that rewards good drivers and safer cars, cyber insurance should be used to encourage stronger security practices, not as a means to sidestep risk and accountability.

Is My Organization Targeted?

There are many different, shifting factors that play into this, including the geopolitical climate, economic drivers, and disruptive regional or world events. But Admiral Rogers advises against using the probability of your organization being targeted as a cornerstone of your cyber defense and resilience strategy. We repeatedly see that what the adversary cares most about is whether you have money to pay a ransom and whether their technique for gaining network access will be effective against you. Furthermore, as the SolarWinds attack showed, the hundreds of entities affected were not specifically targeted; they happened to be part of the supply chain and were collateral damage.

The Colonial Pipeline cyber attack elevated industrial cyber attacks to the mainstream. From this incident, we learned how a ransomware attack against IT systems can impact OT networks and processes, and the reasons critical infrastructure organizations have become increasingly targeted. In today's volatile cybersecurity climate, ransomware attacks are only growing in frequency and sophistication, as hackers understand that critical infrastructure organizations cannot afford any downtime. Fortunately, organizations can prevent attacks like this one with basic security best practices in place and the help of a dedicated cyber-physical systems (CPS) protection platform.

To hear the full discussion and learn more about how to use this crisis to drive real and meaningful change that strengthens your organization's industrial cybersecurity, watch the on-demand webinar replay now.
