Lessons Learned from the Colonial Pipeline Attack
June 03, 2021
This blog is the first of a series of three that will review cyberattacks that exposed severe vulnerabilities. My goal is to help you improve the cybersecurity of your IoT devices by presenting security features that would of mitigated each of the attack vectors used. I’ll partake in a webinar where we’ll dive into these security features using BG Networks security automation tools, open-source software, and WINSYSTEMS off-the-self hardware.
Cybersecurity attacks that affect our daily lives serve as massive wakeup calls to improve our IoT and Operational Technology (OT) security. The recent cyberattack on the Colonial Pipeline disrupted oil and gas distribution along the East Coast of the U.S., causing gas shortages and higher prices, and mass hysteria in some places. And it showed just how fragile our critical infrastructure is to cyber-attacks.
The lesson learned is that our nation’s infrastructure, factories, vehicles, and personal devices are at risk and must be addressed. The Colonial Pipeline attack could have been much worse than the $4.4 million of bitcoin paid to Darkside, the Russian criminal group behind the attack, if their intentions were more malicious.
Attacks on IoT devices increased 500% from 2019 to 2020, and FireEye has published a list of 15 OT systems compromised by low sophistication attacks from last January through this April. The next attack could have a much greater consequence affecting water supply, electrical grid, or even your own home.
The Colonial Pipeline is the largest U.S. pipeline for refined oil products (gas, diesel, jet fuel). The attack targeted billing systems that run on traditional enterprise networks. The details of the attack have yet to be disclosed, but previous Darkside attacks give us a good idea of what happened. The typical ransomware approach is to gain initial access with a compromised password, possibly from a phishing attack, and then install code to encrypt files on the network.
The OT systems are the network of IoT devices, such as pumps, motors, sensors, and meters controlling the pipeline and flow of oil and gas. These systems were shut down because the ransomware could have spread from the enterprise networks, causing a critical disruption or failure of the OT systems that monitor the amount of fuel delivered to a customer and report the data to the billing systems.
Even though just the billing system was attacked, Colonial didn’t know how far the attack progressed into their systems. Colonial’s enterprise and OT networks are connected to automate billing, and there’s potential for lateral movement (i.e., when a hacker’s attack moves from one computer system to another).
How It Happened
Reports claim that Colonial’s Enterprise and OT networks were segmented through a firewall, and most of the communication was uni-directional. Given that the pipeline was shut down, it’s clear that they were concerned the network segmentation could have been breached. Standards and best practices for industrial cybersecurity, including IEC-62443, NIST 800-82, and the Industrial Internet Consortium’s Security Framework, all talk about the importance of network segmentation for industrial systems. The European Union Agency for Cybersecurity (ENISA) has also updated the Purdue Model for Industrial Control Systems, which is often used as a reference for implementing industrial cybersecurity.
The ENSIA update shows the critical security impact of IoT devices and gateways that connect directly to cloud computing resources. The ENISA model is shown below and is documented in Good Practices for Security of Internet of Things in the Context of Smart Manufacturing. Segmentation of networks using some kind of firewall is typical between levels three and above, called the DMZ. Segmentation is also implemented between level three (typically the systems at a plant) and level two (the Supervisory Control and Data Acquisition Systems).
It is also suspected there was limited cybersecurity situational awareness on Colonial’s OT network, meaning they had limited or no capacity to determine the occurrence of an attack. NIST 8259A, IoT Device Capability Core Baseline, recommends that IoT device manufacturers include capabilities to determine if a device has been compromised and isolate that device from the network to contain further spread of an attack. The paper recommends six core IoT cybersecurity capabilities that provide a foundation for cybersecurity to build on over time:
- device identification
- device configuration
- data protection
- restriction to local and network interfaces
- software updates
- cybersecurity state awareness
The fallout from this attack, the pipeline being shut down for a week, the payment of the ransom, and the lack of security on a critical infrastructure system captured the world’s attention. However, the permanent response to address this cybersecurity problem still falls on those of us who are designing IoT devices. The U.S government’s response included:
- a presidential executive order
- a mandate from the Transport Security Administration (TSA) requiring attack reporting
- five new cybersecurity-related bills introduced by Congress
However, none of these responses require mandatory cybersecurity in our nations’ infrastructure. It’s critically important that we immediately add cybersecurity protection and detection to our embedded software and hardware. If we don’t, the next wake-up call could be much louder.
Colin Duggan is the CEO of BG Networks, an IoT cybersecurity software company. Before founding BG Networks, Duggan worked at Analog Devices for 29 years in various engineering, management, and marketing leadership roles, managing teams in the U.S., China, Europe, and India. Colin’s experience includes work in automotive, consumer, industrial, and aerospace, and defense industries.