A Colonial Pipeline Story
It’s a simple concept. If your network is completely isolated no one can hack it. Except insiders of course.
Routing is designed like water; it will find a way.
Fast forward to today and every industrial control system has incorporated digital controls, all remotely connected over networks. Because the actuators, solenoids, sensors, and rate controllers for industrial systems predated networking they were all built with no thought for security. Safety yes. Security no. Operators have a simple task: ensure that plant networks are not connected to the rest of the world.
But network isolation is not a simple task. Routing finds a way and malware does not need a network.
It is still not evident that Colonial Pipeline’s systems were in any way penetrated by the Darkside hackers that are holding its data for ransom. Perhaps Colonial has good enough network segmentation. From reported sources we know that Colonial’s invoicing system receives data from its pipelines. Fuel amounts are measured and reported out to the invoicing software that sends the bills to their downstream customers. It probably is also tied to their auditing system so they can verify that their upstream providers of gasoline and kerosene are accurately billing them.
The disruption to fuel supplies on the Eastern seaboard are attributed to the invoicing system being disabled by the ransomware which has infected the corporate network. It cannot receive data from the pipeline. The operators are also blind because they cannot monitor the health of the pumps, fuel stirrers, and gages on their network.
Colonial Pipeline did not have the confidence in their security to keep their pipelines running. Being blind means they actually lost control, forcing them to shut down. To their credit they did have enough control to shut things down safely.
Lessons learned so far from the Colonial Pipeline ransomware attack include:
Segmenting production from office systems worked in this case. One-way flow of information from production systems to office is safe. However, it’s not resilient if that data can be lost to a simple ransomware attack.
Network segmentation is one thing. Business process segmentation is another. If your business depends on an isolated network, businesses should plan out scenarios that involve losing all office IT systems while maintaining production. A manufacturing plant is easier than a pipeline which has remote sensors and pumping stations strung out across its 5,500 mile span.
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint statement on ransomware attacks from DarkSide. In it they offered some mitigation advice.
Here is the checklist.
Retain full visibility and control at all time. Being blind in your networks means you actually lost control and are forced to shut down all systems.
Limit access to resources over networks, especially by restricting RDP. More than 50% of ransomware attacks come in over RDP since COVID started.
Monitor and/or block inbound connections from Tor exit nodes. It’s always safe to block traffic from TOR exit nodes.
Implement and ensure robust network segmentation between IT and OT networks
Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity.
Identify OT and IT network inter-dependencies and develop workarounds or manual controls to ensure ICS networks can be isolated if the connections create risk to the safe and reliable operation of OT processes.