Securing Critical Infrastructure Starts with the OT: Takeaways From the Colonial Pipeline Hack

The biggest news in cybersecurity right now is the ransomware hack of the Colonial Pipeline, a 5,500-mile-long oil and gas pipeline that stretches along the east coast of the United States from New Jersey all the way to Texas. In early May, a group of hackers known as DarkSide, according to the American FBI, gained entry to the business network of the pipeline operator and was able to seize corporate data, demanding a $5 million ransom for its safe return. Though the gang reportedly did not breach the company’s more sensitive OT networks, the operators of the pipeline shut those down promptly out of an abundance of caution, ceasing pipeline operations and impacting the company’s ability to service and accurately bill customers. The company has since paid the ransom and resumed pipeline operations, and the American government has initiated action against DarkSide, with hopes of future prosecution.

Key takeaways from the Colonial Pipeline hack

There are a few key takeaways from this incident. One is that the costs to the economy when a piece of critical infrastructure goes down are dramatically higher than the costs to the particular company that owns it. Though DarkSide has claimed they were not out to “create problems,” and were only seeking a ransom payment, the impact on regional economies has been far greater: the state of North Carolina declared a state of emergency, and the Governor of the state of Georgia had to suspend taxes on fuel in order to offset rising prices at the pump. Even after the pipeline resumed operations, consumers panicked as large percentages of gas stations in states all along the east coast of the U.S. remained empty.

Another takeaway is the rising vulnerability of OT (Operational Technology) systems, and that attacks like the one on Colonial Pipeline are likely to increase in frequency – and severity. Though hackers hardly needed additional motivation to attack vulnerable systems, the fact that Colonial decided to pay DarkSide will almost certainly inspire other groups to target other major infrastructures. This is why the FBI advises against paying such ransoms: by demonstrating a public willingness to pay, Colonial was in a way showing weakness, inadvertently attracting further hacks. The FBI also argues that there is no guarantee that hackers will comply once the ransom is paid – they are criminals after all.

This financial validation of DarkSide’s efforts, combined with the comparatively vast economic damage, will not only convince hackers that their crimes are likely to succeed, but also that they have leverage to demand even larger payments from other critical infrastructure companies.

The growing threats to OT systems

As hackers like DarkSide become increasingly motivated and sophisticated, OT systems are growing more vulnerable as industries reliant on critical infrastructures turn towards digitalization to streamline operations, reduce costs, and make production more efficient. While this convergence of OT devices and IT networks allows for easier management, monitoring, and maintenance, each connected device also represents an additional potential vulnerability for bad actors looking to use the IT network to reach the OT. It doesn’t seem like DarkSide targeted Colonial’s OT networks, but having breached the IT systems, there is little reason they couldn’t have. Future hackers may see these OT systems as an enticing target, given that control over the distribution of energy, water, or anything else is potentially far more damaging (and thus valuable) than control over billing, HR, or generic business data.

High-profile hacks like the Colonial Pipeline, which generate huge media attention, can perpetuate the false idea that only major businesses or strategic governmental groups are at risk, but a majority of network operators of all kinds clearly know they are vulnerable. According to a Siemens and Ponemon Institute utility survey (2019), 56% of the 1726 respondents worldwide reported at least one shutdown or operational data loss per year, and 25% were impacted by mega attacks. 54% expect an attack on critical infrastructure in the next 12 months. The American government has recognized this vulnerability as well, with President Joe Biden’s introduction of a new executive order designed to advance toward “Zero Trust Architecture” and to “rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.”

Events like the Colonial Pipeline hack highlight the fragility and vulnerability of our critical infrastructure, specifically within the energy sector. Given the (unadvisable) payment of ransom in this case and the increasing electrification, digitalization, and automation of critical infrastructures, we must also operate under the assumption that such attacks will increase in frequency and severity, whether from unfriendly nations or criminals simply looking to make a buck. With that in mind, it is critical that governments, utilities, and critical infrastructure companies boost their infrastructure’s resilience to the attacks it will face going forward, not just those it has faced in the past. This will require future-proofing their vulnerable IoT and IIoT devices such as smart meters and control systems with a device-level protection that can prevent unauthorized modification to critical data.

Device-level protection for ensuring operational integrity

Fortunately for critical infrastructure companies, that is exactly what we do at NanoLock by introducing zero-trust device-level security that protects connected edge devices like smart meters from all attack vectors through installation, implementation, maintenance, and future upgrades. We embed a gatekeeper into the device memory that provides zero-trust, passive prevention against outsider, insider, and supply chain APT threats by automatically rejecting all changes that have not been authenticated by a trusted external server. This prevents persistence, because bad actors won’t be able to insert their code into the memory. This won’t stop future hackers from trying to breach converged IT/OT systems, but it will at least patch the most vulnerable potential points of attack, while using limited computing power, and prevent those devices from being used as entry points to wider systems.
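To make the gatekeeper idea concrete, here is an added illustration (written for this article, not NanoLock’s code or design) of a device-side write gate in front of a simulated flash region: a write is applied only if it carries a tag that a trusted external server computed over that exact device, write counter, offset and data, so unauthenticated writes, altered bytes and replayed authorizations are all rejected. The device identity, the shared key, the memory layout and the HMAC-based token format are assumptions chosen for the example.

```python
import hmac
import hashlib

# Constructed example values: a device identity and a server key provisioned
# out of band. Neither is a real device or key.
DEVICE_ID = b"meter-0001"
SERVER_KEY = bytes(range(32))


def _message(device_id: bytes, counter: int, offset: int, data: bytes) -> bytes:
    """Canonical bytes the server authorizes: which device, which write, where, what."""
    return device_id + counter.to_bytes(8, "big") + offset.to_bytes(4, "big") + data


def server_authorize(key: bytes, device_id: bytes, counter: int, offset: int, data: bytes) -> bytes:
    """Trusted server side: issue a tag binding this exact write to this device and counter."""
    return hmac.new(key, _message(device_id, counter, offset, data), hashlib.sha256).digest()


class Gatekeeper:
    """Device side: sits in front of a (simulated) flash region and rejects unauthenticated writes."""

    def __init__(self, key: bytes, device_id: bytes, size: int = 256) -> None:
        self._key = key
        self._device_id = device_id
        self._last_counter = 0        # strictly increasing counter defeats replay of old tags
        self.flash = bytearray(size)  # simulated protected memory
        self.rejected = 0             # count of refused writes, useful as a tamper signal

    def write(self, offset: int, data: bytes, counter: int, tag: bytes) -> bool:
        """Apply the write only if the tag matches (device, counter, offset, data) and the counter is fresh."""
        if offset < 0 or offset + len(data) > len(self.flash):
            self.rejected += 1
            return False
        expected = hmac.new(self._key, _message(self._device_id, counter, offset, data),
                            hashlib.sha256).digest()
        # Constant-time compare: a wrong key, changed bytes, a different offset,
        # or a reused counter all fail here, and the flash is left untouched.
        if counter <= self._last_counter or not hmac.compare_digest(expected, tag):
            self.rejected += 1
            return False
        self._last_counter = counter
        self.flash[offset:offset + len(data)] = data
        return True
```

A real device would keep the counter and key in tamper-resistant storage and report the `rejected` counter upstream, since a burst of refused writes is itself a detection signal worth alerting on.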

Since we know hackers are likely to think even bigger for each of the reasons stated above, it is well past time governments, utilities, and private industry started thinking smaller. There is a need for security at all three levels of OT systems – the device, network, and system levels – but for bad actors targeting critical infrastructures, a single connected device is sometimes all it takes.

Book a demo to see NanoLock’s powerful defense in action.