Colonial Pipeline Cyber Attack Highlights IT and OT Convergence
Every time I hear about a new cyber attack, I ask myself: “Is this a new attack vector? A new vulnerability? A new creative tactic?” The answer is almost invariably no. Attack after attack, threat intelligence reports describe well-known tactics that have been carried out many times before. I breathe a sigh of relief and remember the famous British World War II motto: “Keep Calm and Carry On!”
The attack on the Colonial Pipeline reported on May 7 is no exception. The Colonial Pipeline is the largest refined-products pipeline system in the United States, with a capacity of about 3 million barrels of refined oil products per day between Texas and New York. It is critical infrastructure, supplying almost half of the gasoline and jet fuel used by numerous industries and 50 million people on the East Coast. Infrastructure this critical must be secured!
What Happened?
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) confirmed that DarkSide, a Russia-based cybercriminal group that extorts its victims with ransomware, was behind the Colonial Pipeline attack. The attackers gained access to the company’s enterprise network and deployed DarkSide ransomware to encrypt IT systems. The attack does not appear to have spread to Colonial’s industrial network: the company wisely took its OT systems offline to ensure the safety of its pipeline operations.
After paying a ransom of roughly $4.4 million and spending most of a week restoring systems from backups, Colonial was able to resume operations. In the meantime, fuel shortages occurred at several airports, such as Charlotte Douglas International, where airlines had to change flight schedules. Filling stations in several states ran out of fuel amid panic buying, average fuel prices rose to their highest level since 2014, and the federal government issued a regional emergency declaration easing the rules on transporting fuel by road to alleviate the shortages.
OT and IT Networks Have Converged
Many reporters describe this attack as one of the most serious in the country’s history, and considering its impact on the physical world, that is fair. The ransomware touched only IT systems, yet industrial and enterprise networks have converged. They are now so tightly interconnected that an attack on either one disrupts the other, with numerous cascading effects.
Yet many industrial organizations still operate on the assumption that the air gap they once created between industrial operations and the enterprise network will suffice. The Colonial Pipeline attack is another alarm bell for the industry: protecting the physical world from cyber attacks requires a strong IT security practice as well as OT-specific security measures. Organizations have started to build holistic security strategies that manage IT and OT security as a whole rather than as two separate silos.
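One concrete way to test the “our air gap will suffice” assumption is to audit exported flow records (NetFlow, firewall logs, a span-port capture summary) for traffic that crosses the IT/OT boundary without being on the documented allowlist. The script below is an added example, not code from the original post or from Cisco: the zone address ranges, the two allowed crossings through an industrial DMZ (Purdue level 3.5), and the flow lines are all constructed and hypothetical.

```python
"""Audit flow records for holes in an assumed IT/OT air gap (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass

# Hypothetical zone addressing; replace with your own IPAM export.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "IT_DMZ": [ipaddress.ip_network("10.20.0.0/24")],        # industrial DMZ between IT and OT
    "OT": [ipaddress.ip_network("192.168.100.0/23")],         # PLCs, HMIs, engineering stations
}

# The only cross-zone flows the architecture is supposed to permit:
# (src_zone, dst_zone, proto, dst_port). Anything else crossing a zone is a finding.
ALLOWED_CROSSINGS = {
    ("IT", "IT_DMZ", "tcp", 443),    # IT users read the replicated historian in the DMZ
    ("IT_DMZ", "OT", "tcp", 502),    # DMZ data collector polls PLCs over Modbus/TCP
}

# Constructed sample flows: src,dst,proto,dst_port,octets
SAMPLE_FLOWS = """
10.10.5.23,10.20.0.10,tcp,443,84213        # IT -> DMZ historian: allowed
10.20.0.10,192.168.100.20,tcp,502,5120     # DMZ collector -> PLC: allowed
10.10.5.23,10.10.7.9,tcp,445,1200000       # IT -> IT file share: intra-zone
10.10.5.23,192.168.100.20,tcp,445,91000    # IT workstation -> PLC over SMB: gap violation
10.10.8.40,192.168.101.5,tcp,3389,3400000  # IT -> OT engineering station RDP: gap violation
192.168.101.5,203.0.113.7,tcp,443,2048     # OT host -> Internet: gap violation
192.168.100.20,192.168.100.21,tcp,502,300  # PLC -> PLC: intra-zone
10.10.5.23,10.20.0.10,tcp,22,600           # IT -> DMZ ssh: unlisted crossing, but OT not involved
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int
    octets: int


def parse_flows(text: str) -> list:
    """Parse the simple CSV flow export above; '#' starts a comment."""
    flows = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, port, octets = [f.strip() for f in line.split(",")]
        flows.append(Flow(src, dst, proto.lower(), int(port), int(octets)))
    return flows


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the known ranges is EXTERNAL."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "EXTERNAL"


def classify(flow: Flow) -> str:
    """intra-zone, allowed (on the cross-zone allowlist) or violation."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "intra-zone"
    if (src_zone, dst_zone, flow.proto, flow.dst_port) in ALLOWED_CROSSINGS:
        return "allowed"
    return "violation"


def audit(flows) -> dict:
    """Bucket every flow by classification."""
    report = {"intra-zone": [], "allowed": [], "violation": []}
    for flow in flows:
        report[classify(flow)].append(flow)
    return report


def gap_violations(flows) -> list:
    """Unlisted cross-zone flows that touch OT: each one is a hole in the assumed air gap."""
    return [
        f for f in flows
        if classify(f) == "violation" and "OT" in (zone_of(f.src), zone_of(f.dst))
    ]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for name, bucket in audit(flows).items():
        print(f"{name:>11}: {len(bucket)} flow(s)")
    for f in sorted(gap_violations(flows), key=lambda f: f.octets, reverse=True):
        print(f"AIR-GAP HOLE {zone_of(f.src)}->{zone_of(f.dst)} "
              f"{f.src} -> {f.dst}:{f.dst_port}/{f.proto} ({f.octets} octets)")
```

Run on real flow exports, the violation list is what the conversation between the IT and OT teams should start from: the SMB and RDP flows from IT workstations straight into the OT range are exactly the paths ransomware that has taken over the enterprise network would use, and an OT host reaching the Internet means the “isolated” network is not isolated in either direction.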
How Can You Secure It?
Here are a few measures that industrial organizations should implement to start converging their IT and OT security practices:
- Protect computer systems against malware. Almost every cyber attack starts with a malware intrusion or an attempt to lure users to compromised websites that steal their credentials or infect their systems. Solutions such as Cisco Secure Endpoint (formerly AMP for Endpoints) detect infection attempts, block access to known watering-hole websites and raise alerts. Fed by threat intelligence from Cisco Talos, it is continuously updated to detect the latest threats.
- Secure email to block suspicious messages. Spear-phishing email campaigns are generally how