On Friday, May 7, United States fuel pipeline operator Colonial Pipeline reported that it had shut down its entire network due to a ransomware cyberattack (The cause? One compromised password). With nearly half of the U.S. East Coast’s fuel supply compromised and millions of consumers affected by fuel shortages and a spike in prices, it is one of the most disruptive cyber incidents ever reported and has shed a light on the vulnerability of the United States’ energy infrastructure.
“Just as oil and gas can flow up and down the pipeline, so can malware, reaching remote facilities whose IT and operational technology systems may not be adequately fortified to defend against an attack,” Bradley Barth writes in SC Magazine.
The criminal culprit, DarkSide, was reportedly not intending to damage national infrastructure, but rather to “associate with a target which had the finances to support a large payment,” as reported by Brian Krebs. As a ransomware platform, DarkSide executes “double extortion, which involves demanding separate sums for both a digital key needed to unlock any files and servers, and a separate ransom in exchange for a promise to destroy any data stolen from the victim.”
Cyberattacks against major U.S. infrastructure have shown that an increasing reliance on digital systems and interconnectivity—the IoT—has not kept pace with the need for standards-based cybersecurity protocols and protection layers, leaving the door open to criminal hacking and other adversarial outcomes for many companies in the process automation and industrial control space. Indeed, these issues are not new, and are certainly not going away anytime soon.
The ISA Global Cybersecurity Alliance, made up of nearly 50 companies, is working to confront the automation cybersecurity challenge in multiple ways. While all the factors involved in the Colonial Pipeline incident remain to be seen, in general, a strong automation cybersecurity posture relies on people, process, and technology:
- People: Individuals and companies using automation and control systems must be well trained, and companies must make better cybersecurity hygiene and best practices the fabric of their corporate and facility-level cultures.
- Process: The ISA/IEC 62443 series of standards, endorsed by the United Nations and backed by hundreds of asset owners in every world region, specifies how to assess and manage cybersecurity risk in OT environments. At the state and federal level, in the United States and around the world, the ISA Global Cybersecurity Alliance and its member companies are advocating policies that designate the use of the ISA/IEC 62443 series of standards as foundational, outcome-focused, technology-neutral documentation. The series of standards articulates roles, responsibilities, and expectations of suppliers, service providers, and asset owners, which can be easily translated to enforceable policy elements.
- Technology: The ISA Security Compliance Institute offers conformance programs to certify components, devices, systems, and processes that are compliant with the latest ISA/IEC 62443 requirements. ISA advocates common-sense approaches to protecting legacy and next-gen equipment, leveraging the vast knowledge and expertise of our supplier and integrator member companies.
Many critical infrastructure and industrial manufacturing companies already have or are working diligently to integrate cybersecurity into their risk-management and business continuity plans and strategies. Using the ISA/IEC 62443 series of standards as their foundation, they focus on adopting security as part of the operations lifecycle, ensuring compliance with various aspects of the standards across their supply chains, and including cybersecurity in operational risk-management profiles.
ISAGCA is also working closely with the Department of Homeland Security’s ICS Joint Working Group, electric utilities, cybersecurity response teams, and more than 50 participating companies to update the 62443 framework and create the Incident Command System for Industrial Control Systems. ICS4ICS is a growing public-private partnership with DHS that leverages FEMA’s Incident Command System framework for response structure, roles, and interoperability. This is the same system used by First Responders globally when responding to hurricanes, floods, earthquakes, industrial accidents, and other high impact situations. The approach guides companies, organizations, and municipalities in identifying an incident, assessing damage, addressing immediate challenges, communicating with the right agencies and stakeholders, and resuming day to day operations.
As we learn more about the circumstances and responses surrounding the Colonial Pipeline incident, we will share more recommendations and insights on how we can better secure and protect the world’s most critical operations and our global supply chain. Below, ISA has gathered several responses and perspectives on the Colonial Pipeline attack from some of our member companies and organizations.
John Cusimano at aeSolutions
"A common gap in the pipeline industry is the lack of segmentation of the pipeline supervisory control and data acquisition (SCADA) networks which are the networks that connect the pipeline control center to every terminal, pumping station, remote isolation valve, and tank farm along the pipeline. These are very large networks covering extensive distances but they are typically 'flat', from a network segmentation standpoint. This means that once someone gains access to the SCADA network they have access to every device on the network.
The other big challenge with securing pipeline SCADA networks is that they branch into every facility along hundreds of miles of pipeline. Some of those facilities are in very remote places with little to no physical security meaning that if an attacker breached the security of one of those facilities they could gain access to the network."
Read the full article here.
See also: “The New DOE ICS Cybersecurity Initiative is Missing Some Crown ‘Joules’”
Mike Hoffman & Dr. Tom Winston at Dragos
“DarkSide, and many other ransomware groups, are opportunistic. They find soft targets, evaluate if they are a strong candidate to ransom, and then they attack.
Unfortunately, this applies to many industrial companies. These groups rely on weak passwords via unsecured internet exposed services such as Remote Desktop Protocol or exploits against a vulnerable version of common internet-facing devices. Numerous vulnerabilities have been released over the past year for these types of devices to include Pulse Connect Secure, Fortinet FortiOS, and Accellion FTA devices. Once initial access is achieved, they quickly bring in tools focused on gaining Domain Administrator access to enable them to then deliver their ransomware. Dragos response teams have observed this initial access to the deployment of ransomware ranging widely with ransomware delivered as quickly as 24 hours from initial access while in other cases several months before the group deploys their ransomware payload. In our incident response cases and assessments, Dragos often finds shared credential management between IT and OT networks such as connected Domain Controllers as a mechanism to impact OT.”
Read the full article, including recommendations, here.
See also: Rob Lee, Founder and CEO, spoke to CNN regarding the attacks.
Edgard Capdevielle at Nozomi Networks
“The industry is anxiously awaiting guidance and support/reinforcement from the federal government on how to protect critical infrastructure. Over the years, there has been a lot of talk about how actions aren’t catching up with the attackers. It’s going to be imperative that there are some very prescriptive steps providers have to take before it’s too late. There needs to be a level emphasis put on cybersecurity that we haven’t seen to date, or attacks like we saw on Colonial Pipeline and the Oldsmar Water Plant will be just the beginning. Funding, support and clear guidance will all play an important role in making sure our critical infrastructure is resilient and safe.
They say luck is when preparation meets opportunity. With today’s threat landscape getting broader and more sophisticated, if you adopt a post-breach mindset (without the impact of a breach), you will be extremely lucky.”
Read the full article here.
Megan Samford at Schneider Electric
“As the first founding member of the ISAGCA, Schneider Electric understands the significance and challenge of defending against and responding to ransomware attacks that increasingly impact global critical infrastructure,” said Megan Samford, VP, Chief Product Security Officer for Energy Management at Schneider Electric. “Through the ISAGCA, some of the world’s foremost cybersecurity thought leaders and organizations are able to set aside competitive interests and work collectively as partners, not just to help industry recover from attacks, but to drive a standards-based approach to preventing them. With our collective expertise and experience, and by furthering the utilization and adoption of the prevailing ISA/IEC 62443 cybersecurity standard, the ISAGCA stands ready to support and guide members of the critical infrastructure community in preventing, mitigating and responding to cybersecurity attacks that threaten the reliability, resiliency and safety of global supply chains.”
Along with aeSolutions, Dragos, Nozomi, and Schneider Electric, ISAGCA is made up of 40+ member companies, representing more than $240 billion in aggregate revenue across more than 2,400 combined worldwide locations. Automation and cybersecurity provider members serve 31 different industries, underscoring the broad applicability of the ISA/IEC 62443 series of standards.
Current members of ISAGCA include Pfizer, Ford Motor Company, Rockwell Automation, Honeywell, Johnson Controls, Claroty, PAS, Xage Security, Wallix, Bayshore, MT4 senhasegura, Radiflow, WINICSSEC, exida, Munio Security, Digital Immunity, Tripwire, Idaho National Laboratory, TI Safe, Mission Secure, WisePlant, Tenable, 1898 & Co. (Burns McDonnell), ACET Solutions, CyberOwl, ISASecure, LOGIIC, Nova Systems, Deloitte, ConsoleWorks, Eaton, Idaho State University, PETRONAS, Surge Engineering, KPMG, Johns Manville, Xylem, UL, Red Trident, Carrier Global, TDI Technologies, BaseRock IT Solutions, Coontec, and CyPhy Defense.