Operational technology (OT) serves as the backbone and infrastructure the world relies on to provide critical resources and requires sustainable operations. to provide reliable technology services. The headwinds facing OT services include: many businesses are operating their OT networks with aging legacy technology, many business networks do not provide adequate segmentation between IT and OT, and OT systems are frequently operating with critical vulnerabilities, all of which establishes OT as an easy target for cybersecurity threat actors.
Colonial Pipeline attack
Colonial Pipeline, a U.S. pipeline that provides 45% of all fuel consumed on the East Coast, was a victim of data theft and ransomware attacks affecting its IT environment in May 2021. After confirming the attack, Colonial Pipeline immediately shut down a portion of its OT systems and remained offline until the organization felt it was safe to continue pipeline operations.
The Colonial Pipeline incident was just one highly publicized example of the business impact a cyber attack can have on critical infrastructure when operations are disrupted or halted. Pipeline operators are constantly under siege from threat actors, often funded by nation-states. The US government has taken steps to protect these and other US critical infrastructures, including, stepping up efforts to improve the detection and response capabilities of critical infrastructure operators.
U.S. government response to the Colonial Pipeline attack
This attack prompted the US government under the Biden Administration to issue several new cybersecurity regulations for critical pipeline owners and operators that will improve the response time to threats in the pipeline sector. The Transportation Security Administration’s (TSA) initial May 2021 security directive requires critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the Department of Homeland Security (DHS) and designate a cybersecurity coordinator to be available 24/7. This directive also requires owners and operators to review current cyber protection practices and identify existing cyber vulnerabilities and related remediation measures to identify cyber-related risks and report the results to the DHS within 30 days. In addition, cybersecurity and physical security incidents must be reported within 12 hours of identification.
An additional security directive, released by the TSA on July 20, 2021, further clarified that pipeline operators must “implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.” Among the main items for immediate review by pipeline security teams are cyber hygiene practices such as patching, proper segmentation and implementing multifactor authentication.
The Colonial Pipeline attack garnered the attention of other critical infrastructure regulatory bodies, such as the Electricity Information Sharing and Analysis Center (E-ISAC), which is teaming up with the North American Electric Reliability Corporation (NERC) and other industrial security firms to allow the electric utility sector to share threat intelligence data anonymously through various platforms that utility companies can leverage to enhance detection capabilities.
In an unprecedented response, the government recovered $2.3 million of Colonial Pipeline’s ransom payment. Also, according to a White House press release, ransomware targeting critical infrastructure has been a discussion topic between President Joe Biden and Russian President Vladimir Putin. These actions clarify that the U.S. government will take any further attacks targeting critical infrastructure seriously, and nation-states that target critical infrastructure should expect escalatory actions.
Defense strategies for organizations supporting critical infrastructure
Given the importance of critical infrastructure, the increase of attacks, and the new guidance from the TSA, we offer some tactical defense strategies critical infrastructure organizations can take in securing their OT environments:
Assess the OT environment for potential cybersecurity risks that could jeopardize operational resiliency and affect ongoing business operations. This defense strategy starts with evaluating threats to the organization and the maturity of existing controls to meet various threat scenarios. The model should start with identification of the most concerning threats, the potential impact to the business and the probability of occurrence. Any gaps should be risk ranked based on the likelihood of a particular threat, mitigating controls in place and impact to the organization and critical processes. Preventive and detective measures should be implemented for any residual risks to indicate an early warning signal for a cyber attack.
Improve visibility and detection of ransomware and other modern supply chain attacks. As events such as the Colonial Pipeline ransomware attack and those affecting supply chains — such as the SolarWinds and Kaseya attacks — increase, the ability to detect and rapidly respond to security incidents is even more critical. Organizations must ensure full visibility into their environment so they can identify anomalous behaviors and potential incidents. If preventive or agent-based security controls are unavailable or not supported, organizations should implement passive and detective monitoring capabilities. Continuous evaluation of environments is necessary to ensure that visibility into threat actor activity is comprehensive and that corrective actions are implemented promptly. Third-party risk management capabilities and monitoring are increasing in importance as attackers look to target not only environments but also key suppliers with access to them.
Implement or enhance network segmentation to minimize the impact of a cybersecurity attack on an organization’s critical infrastructure. Network segmentation between the IT and OT environments is one of the most valuable defenses for preventing the compromise or shutdown of the process control network. Leading practices and frameworks recommend that network segmentation and segregation are implemented with a goal of limiting network traffic to/from the OT environment as much as possible. Logical separation, a highly effective alternative to an air-gapped network, protects organizations supporting critical infrastructure.
A common concern when segmenting networks, however, is providing remote access to third-party vendors for maintenance. It is critical to ensure that these remote access gateways are restricted to appropriate personnel, strong authentication is utilized (including multi-factor authentication where possible), security monitoring is in place, vendor accounts are removed promptly after termination, and data is encrypted in transit. Insecure remote gateways are a common vector for threat actors to bypass network segmentation and gain direct access to OT environments.
Test and simulate the incident response plan via tabletop exercises and determine the organization’s response to cyber attacks. Testing the incident response (IR) plan is one of the best ways to identify gaps within an organization’s response procedures. We recommend a tabletop exercise to simulate an incident and walking through the IR plan with stakeholders from all pertinent business units so they understand their roles and responsibilities should an incident occur. Results can be leveraged to remediate gaps such as failure to collect key log data or identify proper site personnel, or outdated contact information. We further advise IR teams to create playbooks specific to the OT environment that identify roles and responsibilities for on-site OT personnel.
Develop threat-hunting capabilities to search for potential security incidents proactively within the OT environment. Threat hunting — searching for an attacker not detected by existing monitoring capabilities — is effective for discovering potential threats within the OT environment before a significant impact occurs. Threat hunting should be completed once fundamental cybersecurity preventions and detection mechanisms and processes (like those referenced above) are already in place.
The three main types of threat hunting are:
- Indicator-based threat hunting – using indicators of compromise to search for malicious activity;
- Attack-based hunting – using known attack methodologies to find signs of internal breaches; and
- Behavioral or anomaly-based threat hunting – searching for uncommon events or activities within the organization.
The evolving nature of cyber attacks against OT environments requires a strategy to secure critical infrastructure by building resilient operational practices which will quickly detect security incidents, mitigate the impact efficiently, and reduce downtime.