Colonial Pipeline hack sounds alarm for greater OT security

It is time for oil and gas companies to take a closer look at their security solutions, writes Chris Bihary

WHAT: The ransomware attack on Colonial Pipeline has had serious consequences for US fuel markets.

WHY: The incident does not appear to have affected the company’s OT networks, but it highlights the link between security and operational continuity.

WHAT NEXT: Companies involved in the oil and gas sector should try to determine whether their cybersecurity solutions are robust enough to withstand a rising tide of threats.

It has been less than a week since Colonial Pipeline, the Georgia-based operator of a petroleum product pipeline network that runs across 13 states from Texas to New Jersey, revealed that it had been hit with a ransomware attack. The attack appears to have been carried out by DarkSide, a for-profit operation that specialises in double extortion schemes, which involve locking down the target company’s networks and also releasing stolen data if the company does not pay the ransom demanded.

It also appears not to have infected any of Colonial Pipeline’s operational technology (OT) networks. Nevertheless, the company took its 5,500-mile (8,851-km) network offline in order to ensure that DarkSide malware could not spread from corporate information technology (IT) systems into the OT systems that manage the flow and distribution of fuel through its pipelines.

Since Colonial Pipeline accounts for about 45% of all the gasoline, diesel and jet fuel consumed along the East Coast, the shutdown is already having significant consequences. It has triggered the shutdown of the largest refinery in the United States. It has led major airlines to revise their fuelling arrangements in order to avoid shortages. It has caused hundreds of filling stations to run out of gasoline and diesel because they cannot secure supplies through the usual channels.

The company has said it hopes to restore services by the end of the week, provided that security threats have been adequately contained. Nevertheless, it is probably going to take a few weeks to bring US fuel markets back to normal.

Objective reasons for beefing up security

It will also take time to sort out the consequences of this incident on the cybersecurity side. Even so, companies active in the oil and gas industry – and in all other sectors of critical infrastructure – should start thinking now about how to guard against the next attack.

There are objective reasons for increased vigilance. On the one hand, the number of cyberattacks targeting the oil and gas industry is on the rise, not just in terms of absolute numbers, but also in comparison to other sectors of the economy, as a recent Kaspersky report has detailed. This means that oil and gas companies – including upstream, midstream and downstream operators, as well as service providers – should all assume that they are on the list of targets, no matter how big or small they are.

On the other hand, the consequences can be dire. Shutdowns, lockdowns and other disruptions are usually expensive for the companies involved, as well as a drain on the economy at large. They can lead to regulatory violations, legal troubles and poor public relations. Even worse, they have the potential to pose direct threats to the health and safety of workers and nearby communities.

Time to take a closer look

But what exactly should oil and gas companies be doing to prepare?

First, they should be taking a look at their own cybersecurity solutions. If they do not have any, now is the time to find some. But even if they do have something in place, they ought to take a closer look and make sure those solutions are up to the challenge.

That process will probably involve one or more of the following steps.

Steps to strengthen cybersecurity posture

Asset discovery: Companies active in the oil and gas sector should take a look at all of their assets and determine exactly what their IT and OT systems consist of, including both hardware and software. They should also determine how these systems are connected – and how all the components of each system are linked. (For oil and gas companies, this would involve identifying every asset involved in the performance of both administrative and operational duties.)

Asset inventory: It is not enough for companies to draw up a list of assets. They also need an organised inventory that explains what each asset does and how each asset works with other parts of the system. Additionally, they need a way to manage the inventory to ensure that it is updated each and every time there is a change in the line-up – for example, if new devices are added to a network or if existing software is updated. (Again, for an oil and gas company, this would involve an explanation of what role every asset plays, both individually and within the system as a whole.)

Vulnerability assessments: An inventory is not enough either. Oil and gas companies also need to know which parts of their systems are especially at risk. They also need to know why those components are vulnerable – for example, whether it is because they are legacy technologies that are not compatible with newer equipment used elsewhere or whether it is because they rely on a specific type of software that cannot be updated without voiding the terms of service. Pinpointing these vulnerabilities makes it easier to decide where safeguards such as firewalls and sandboxes are needed most. (In similar cases, we have seen that vulnerability assessments have informed decisions to close down pipelines in order to prevent malware that had infected IT systems from spreading into the OT realm.)

Visibility: Identifying weaknesses within the system is not enough either. Companies should also look for cybersecurity solutions that help them make sense of the information they have through visibility. That is, since they cannot secure what they cannot see, it is imperative that these security solutions have complete packet data to provide a clear representation of the systems being inspected. We are seeing more and more companies turning to Data Diode TAPs (test access points) to ensure that monitoring traffic is unidirectional, so that the monitoring link itself cannot become a path back into the OT environment. Solutions of this type help put everything together by allowing users to see what is in their networks, what is connected to their networks and who is active on their networks at the packet level. (This is very important information for companies whose petroleum product pipeline networks are considered critical infrastructure.)

Continuous, real-time monitoring: Visibility is even more useful when paired with monitoring solutions that allow users to detect threats and anomalies as they happen and respond to them as rapidly as possible. With continuous, real-time monitoring, it is easier to act quickly to contain security breaches – even in situations where fast action may be difficult, as in the case of Colonial Pipeline. (Similar companies' pipeline systems can be extensive and sprawling, with some facilities in remote rural locations and many others distant from headquarters.)

Preparation, practice and prevention: Oil and gas companies should also take a proactive approach to cybersecurity, not just by reacting to attacks and anomalies, but also preparing for them, practising for them and looking for ways to prevent them. In concrete terms, this means instituting a regular programme of maintenance for security systems, developing a strategy for responding to threats and conducting drills and simulations through penetration testing and/or red-teaming. (Oil and gas companies will benefit from stepping up such practices, given that the oil and gas sector is known to be at risk.)

Industry-specific expertise: Oil and gas companies would also do well to seek cybersecurity solutions from providers that understand their challenges. These include, but are not limited to, wide geographic dispersion of assets; dependence on legacy systems that are ageing but reliable; monitors and sensors that generate so much data that they may make cyberattacks hard to spot; and the need to avoid shutdowns that can damage equipment or cut off supplies of vital commodities. Security providers that are not accustomed to accommodating such conditions are likely to have a hard time setting up an effective solution for oil and gas companies.
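The steps above fit together in practice as a loop: passively observed traffic is checked against the asset inventory, and anything unknown or crossing the IT/OT boundary is raised for investigation. The following is an added illustration of that loop, not Garland Technology's code; the inventory, address ranges and flow records are constructed samples standing in for summaries a TAP-fed monitoring sensor would produce.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# One summarised, unidirectionally mirrored flow: who talked to whom, on what port.
Flow = namedtuple("Flow", "src dst dport proto")

# Constructed asset inventory (address -> role, zone); hypothetical values.
INVENTORY = {
    "10.10.1.5": ("PLC, pipeline segment 3", "OT"),
    "10.10.1.20": ("SCADA HMI", "OT"),
    "10.20.0.15": ("corporate file server", "IT"),
}
# Constructed zone layout: which address ranges are OT and which are corporate IT.
ZONES = {"OT": ip_network("10.10.0.0/16"), "IT": ip_network("10.20.0.0/16")}

def zone_of(addr):
    """Map an address to its zone name, or UNKNOWN if it is outside both ranges."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"

def analyse(flows, inventory=INVENTORY):
    """Return (OT hosts missing from the inventory, IT->OT flows) seen in flows.
    The first is an inventory gap to close; the second crosses the IT/OT boundary."""
    unknown = set()
    crossings = []
    for f in flows:
        for host in (f.src, f.dst):
            if zone_of(host) == "OT" and host not in inventory:
                unknown.add(host)
        if zone_of(f.src) == "IT" and zone_of(f.dst) == "OT":
            crossings.append(f)
    return sorted(unknown), crossings

# Constructed sample flows, as a sensor fed by a TAP might summarise them.
SAMPLE_FLOWS = [
    Flow("10.10.1.20", "10.10.1.5", 502, "tcp"),   # HMI polling PLC over Modbus/TCP: expected
    Flow("10.10.1.77", "10.10.1.5", 502, "tcp"),   # OT device missing from the inventory
    Flow("10.20.0.15", "10.10.1.20", 445, "tcp"),  # IT host reaching into the OT zone
]

if __name__ == "__main__":
    unknown, crossings = analyse(SAMPLE_FLOWS)
    print("OT hosts not in inventory:", unknown)
    for f in crossings:
        print(f"IT->OT flow: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Each finding maps back to a step in the list: an unknown host is an asset-discovery and inventory task, while an IT-to-OT flow is exactly the kind of event continuous monitoring exists to surface before a shutdown becomes the only option.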

We know we have given you a long list of things to think about. But you do not have to solve the problem by yourself. Garland Technology is happy to discuss network TAP visibility and other solutions that oil and gas companies can implement to keep their critical infrastructure systems working.

Chris Bihary, CEO and Co-Founder of Garland Technology (http://www.garlandtechnology.com), has been in the network performance industry for over 20 years. Bihary has established collaborative partnerships with technology companies to complement product performance and security through the integration of network TAP visibility. Chris started his career owning an IT reseller that built out 9-1-1 call centre network infrastructure, which shaped his core belief to always ensure uptime for critical networks.