The Colonial Pipeline ransomware attack is front page news across every cyber security outlet. There are many that have commented on the breach itself and the impact of that breach which is felt not just in the United States through lack of fuel supply, but a corresponding increase in fuel price across the western world. The response in restoring supply and the ongoing ramifications will be observed with interest by cyber security practitioners for a long time to come because of the magnitude of the impact and the disruption it has caused. Indeed, the US government has responded with its cybersecurity executive order to ensure there is a strong and concerted effort against these types of incidents.
In day-to-day operations of critical infrastructure, there is quite rightly, a focus on availability of critical infrastructure with security taking a back seat. In the case of the Colonial pipeline, their security program will likely be revamped to protect from these incidents in future. Already, they are advertising for a security manager who will have their work cut out. One of their first tasks when the dust settled is to review the present architecture and account for every operational technology device that is connected to the IT network.
Operational Technology devices are built to provide one function and are built to operate for longevity. It is expected that the operational technology will operate for over 25 years. These devices do not have what IT cyber analysts would call security built into these tools. They issue commands with protocols that differ from TCP and UDP.
When I have consulted with many industries around the world, I have often found the IT analysts trying to retrofit their processes and technologies into OT environments. I find that much of my initial work when reviewing a site is not assessment but education, which focuses on the following point…
- Does my device really need to be on an IT network in the first place?
- Do I have segmentation that ensures that there are several controls in place before an operational technology device can be accessed from a laptop?
- Is separation of the operational technology possible with the staff on the ground who operate the equipment, so that these systems can be removed from IT networks?
By reviewing these three points, a new lens can be applied to reviewing the architecture in place that allows OT systems to be accessed from IT networks. Then you are able to review your support processes, such as backups, disaster recovery procedures and techniques, and the overall business continuity effectiveness in place.
The reality is that today, OT and IT are intertwined to the point that a ransomware attack on an IT system can have a devastating effect on OT. A review of the architecture must start with the above three points. Let’s look at these in detail.
Does my device really need to be on an IT network in the first place?
We have seen with operational technology that connects to an IT network that there is a reaction to scan that device, patch it and collect logs from those technologies. In some cases, MODBUS commands from programmable logic units have been collected and massaged so they can feed into an IT SOC. This snowballs into IT analysts wanting to flood their OT with so many things they would use in IT, without understanding the criticality of the device and the service it provides. Let’s take an example of a CT Scanner which sells as new for around $500,000 USD. It performs a vital service. If it is unavailable, the biggest risk is that lives may be affected. It is designed to provide scans of living tissue and of people. What does a network connection add from a business sense? Is it just for remote support? What are the alternatives to remote support? Are these built into your contract with your third party?
Segmentation of the devices and visibility of what is in place
Even in pandemic times, many operational technologies have required boots on the ground to operate, whether they are energy supply, or warehousing, or manufacturing, or high-volume food production. These use devices that work quite happily and do their job without the intervention of an IT connection. Business requirements to connect these devices to IT networks need to be re-evaluated and assessed.
It is common for segmentation to be in place at a site that houses OT devices in operation. Often however, the segmentation has been site specific and not device specific. I have assessed many sites where a virtual LAN is set up for the OT equipment but on that VLAN is also their physical entry systems, CCTV and environmental systems. Some of these systems allow remote entry.
Segmentation does need to be revisited in detail but should be supported with the means to view their environments in detail. The means to view and assess their OT systems and to respond to issues is lacking. Clear and proper segmentation should be implemented and supported with a review of incident response programs and information that provides the visibility of the current state. Operational technology that can be reached from an IT device has no defense. The visibility needed should be able to outline the environments and display how broad the impact is of a suspected breach.
All the more reason to ensure the segmentation is robust.
Separation as opposed to segmentation
A response to a cyber breach is to separate or isolate the device from the network. In many systems that utilize programmable logic units (PLC) and Human machine interfaces (HMI), the ability to monitor and control industrial operational machines is provided. Many of these allow the onsite engineer to activate and deactivate remote access capability, thus regulating the ability of a remote engineer to access the device. In many cases it may be that the device can be wholly removed from the network and still operate. Robot monitoring PC’s often run software for OT devices on older operating systems. These are examples of devices that may be candidates for separation from the network altogether, depending on the business requirements and the risks identified and accepted by the organization.
Get to know your government cyber security people
Prepare for a breach and assume it will happen. Get in touch with your local government support people, such as
USA – CISA – Cybersecurity and Infrastructure Security Agency
UK – NCSC – National Cyber Security Centre
Australia – ACSC – Australian Cyber Security Centre
Canada – Canadian Center for Cyber Security
Ensure you have a connection with your local government people and gather their input into protecting your critical technology.
Author Biography – John Rouffas
John is a Non Executive director for forensic and risk startup companies and is presently a Senior Director with Ankura. He has worked with critical infrastructures in the United States and the UK, helping bridge the gap between OT and IT security. He is known for developing security operations centres for US agencies and has been a CISO for a major telecom as well as startup companies in energy and fintech.