By Matt Morris, Global Managing Director of 1898 & Co.
Two years have passed since the notorious Colonial Pipeline hack, an incident that plunged the nation into a state of emergency, causing fuel disruptions in airlines and commercial sectors, and triggering panic-buying among consumers leading to a sharp rise in gas prices. In May 2021, the hack infiltrated critical systems of the pipeline, resulting in its shutdown for several days. Regarded as the most significant publicly disclosed cyber-attack against vital infrastructure in the United States, the Colonial Pipeline hack serves as a valuable lesson, shedding light on the complexity of attacks on critical infrastructure, the detrimental impact of complete system shutdowns, and the imperative need for our nation to enhance the protection of crucial systems from threat actors.
Critical Infrastructure Attacks Double
According to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), cyber-attacks against critical infrastructure in the United States have doubled since 2015. Most of these attacks originate from outside the country, just as the Colonial Pipeline hack was traced back to Russia. These attacks are often motivated by a desire to gain a competitive edge on the global stage or are due to the immense profitability associated with compromising systems vital to public safety. While data security is often the primary focus of IT environments, resiliency in OT environments relies on safety and reliability.
So, What Did We Learn?
The Colonial Pipeline attack underscored the increasingly blurred line between IT and OT systems. For instance, the ransomware attack that targeted the Colonial Pipeline compromised data, locked computers, and restricted access to billing systems within the corporate IT infrastructure. However, Colonial found it necessary to shut down OT operations for two main reasons. First, the company lacked a clear understanding of the interdependencies between its IT and OT systems and the potential for the incident to spread more directly into the OT environment. Second, although the ransomware did not directly infiltrate the OT systems, it paralyzed a critical IT component that the OT systems relied on for proper functionality, effectively causing an indirect shutdown of the OT operations.
Shutdowns of critical infrastructure can have far-reaching consequences for entire industries. Eric Goldstein, the executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, likened the Colonial Pipeline hack to the Deepwater Horizon incident for offshore oil drilling and the Exxon Valdez oil spill for environmental disasters. These incidents demonstrated the colossal problems that arise from unforeseen shutdowns and a lack of preparedness.
Improving Our Nation’s Infrastructure
One major issue that needs to be addressed is the inadequate monitoring and detection within critical infrastructure systems to identify disruptions promptly. When dealing with cyber sabotage, the goal is often to cause disruption or degradation rather than complete shutdowns. Focusing solely on “system shutdown” represents outdated, traditional risk management thinking.
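The point above is that an "is the process running?" check misses an attacker whose aim is degradation rather than a stop. The following added example (not from the article or 1898 & Co.) runs two detectors over constructed flow-rate telemetry for a hypothetical pipeline segment: a shutdown-only check that alerts when flow hits zero, and a rolling-baseline check that alerts on sustained partial loss. All readings, thresholds and scenario names are constructed for illustration.

```python
from statistics import mean

# Constructed baseline flow rate (arbitrary units) for a hypothetical segment.
BASELINE_FLOW = 100.0


def constructed_readings(scenario: str) -> list[float]:
    """Return 60 one-minute flow readings for a constructed scenario.

    'normal'      : baseline with small deterministic jitter (+/-2)
    'degradation' : flow drifts down ~30% from minute 20 but never stops
    'shutdown'    : flow drops to zero at minute 40
    """
    normal = [BASELINE_FLOW + ((i * 7) % 5 - 2) for i in range(60)]
    if scenario == "normal":
        return normal
    if scenario == "degradation":
        return normal[:20] + [v * 0.7 for v in normal[20:]]
    if scenario == "shutdown":
        return normal[:40] + [0.0] * 20
    raise ValueError(f"unknown scenario: {scenario}")


def shutdown_only_alert(readings: list[float]) -> list[int]:
    """Traditional check: alert only at minutes where the process has stopped."""
    return [i for i, v in enumerate(readings) if v == 0.0]


def degradation_alert(readings: list[float], baseline: float = BASELINE_FLOW,
                      window: int = 10, threshold: float = 0.15) -> list[int]:
    """Alert at each minute where the rolling mean over the last `window`
    minutes deviates from baseline by more than `threshold` (a fraction).
    Catches partial loss of function as well as a full stop."""
    alerts = []
    for end in range(window, len(readings) + 1):
        rolling = mean(readings[end - window:end])
        if abs(rolling - baseline) / baseline > threshold:
            alerts.append(end - 1)
    return alerts


def evaluate(scenario: str) -> dict[str, bool]:
    """Which detector would have fired for the given constructed scenario."""
    readings = constructed_readings(scenario)
    return {
        "shutdown_only": bool(shutdown_only_alert(readings)),
        "degradation": bool(degradation_alert(readings)),
    }


if __name__ == "__main__":
    for name in ("normal", "degradation", "shutdown"):
        print(name, evaluate(name))
```

The rolling window and 15% threshold are tuning choices for the constructed data; in a real program they would come from the baseline risk assessment and the process engineers' definition of acceptable deviation, and the alert would feed the incident response plan rather than a print statement.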
To address these challenges, our nation’s infrastructure requires improved preparedness measures upfront. OT cybersecurity programs need to be established, incorporating essential elements such as baseline risk assessments, comprehensive asset inventories, regularly updated incident response plans, and consistent testing.
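A comprehensive asset inventory is only useful for the interdependency question raised by the Colonial incident if it records what each OT asset depends on, so that the blast radius of losing an IT component can be computed before an incident rather than guessed during one. The following added example (not from the article or 1898 & Co.) models a constructed, hypothetical inventory as a dependency graph and answers two questions a baseline risk assessment should answer: which OT assets lose a dependency if a given asset is compromised or isolated, and which OT assets depend directly on IT assets. Every asset name and edge is invented for illustration.

```python
from collections import defaultdict, deque

# Constructed asset inventory for a hypothetical operator.
# Each entry: the asset's zone ("IT" or "OT") and the assets it needs to function.
INVENTORY = {
    "ad-domain":      {"zone": "IT", "depends_on": []},
    "billing-db":     {"zone": "IT", "depends_on": ["ad-domain"]},
    "erp":            {"zone": "IT", "depends_on": ["billing-db", "ad-domain"]},
    "historian":      {"zone": "OT", "depends_on": ["ad-domain"]},
    "scheduling-app": {"zone": "OT", "depends_on": ["erp"]},
    "scada-server":   {"zone": "OT", "depends_on": ["historian", "scheduling-app"]},
    "plc-pump-1":     {"zone": "OT", "depends_on": ["scada-server"]},
    "plc-pump-2":     {"zone": "OT", "depends_on": ["scada-server"]},
    "safety-plc":     {"zone": "OT", "depends_on": []},  # deliberately isolated
}


def dependents_index(inventory: dict) -> dict[str, set[str]]:
    """Invert the depends_on edges: asset -> set of assets that depend on it."""
    index = defaultdict(set)
    for name, asset in inventory.items():
        for dep in asset["depends_on"]:
            index[dep].add(name)
    return index


def blast_radius(inventory: dict, compromised: list[str]) -> set[str]:
    """Transitive set of assets that lose a dependency when every asset in
    `compromised` is unavailable (compromised, or isolated by responders)."""
    index = dependents_index(inventory)
    seen: set[str] = set()
    queue = deque(compromised)
    while queue:
        current = queue.popleft()
        for dependent in index[current]:
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def ot_impact(inventory: dict, compromised: list[str]) -> list[str]:
    """OT assets affected by losing `compromised`, sorted for stable reporting."""
    return sorted(a for a in blast_radius(inventory, compromised)
                  if inventory[a]["zone"] == "OT")


def cross_zone_dependencies(inventory: dict) -> list[tuple[str, str]]:
    """Every (OT asset, IT asset) pair where the OT asset depends directly on IT.
    This is the list a baseline risk assessment should surface and review."""
    return sorted((name, dep)
                  for name, asset in inventory.items() if asset["zone"] == "OT"
                  for dep in asset["depends_on"] if inventory[dep]["zone"] == "IT")


if __name__ == "__main__":
    print("OT impact of losing billing-db:", ot_impact(INVENTORY, ["billing-db"]))
    print("OT impact of losing ad-domain: ", ot_impact(INVENTORY, ["ad-domain"]))
    print("IT->OT dependencies:", cross_zone_dependencies(INVENTORY))
```

In this constructed inventory, losing a purely IT billing database reaches the pump PLCs through a scheduling application, while the safety PLC is unaffected because it depends on nothing outside OT. That is exactly the kind of indirect path the text describes, and the same traversal can be re-run whenever the inventory changes, as part of the consistent testing the program calls for.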
Introducing Cyber Informed Engineering
Another way for OT systems to protect critical functions is by adopting cyber-informed engineering (CIE) and consequence-driven, cyber-informed engineering (CCE), which focus protection on what matters most. CIE and CCE ensure that even in the face of an attack, the core operations of the company continue to function. Unfortunately, the Colonial Pipeline attack demonstrated the opposite scenario, where the primary pipelines were shut down, leaving only a few tributaries operational. It is imperative for critical infrastructure systems to incorporate additional monitoring measures that complement CIE to ensure the security of their systems, enabling them to learn from past mistakes like the Colonial Pipeline hack and prevent their recurrence.