Attacks on Critical Infrastructure
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reports that cyberattacks against U.S. critical infrastructure have doubled since 2015. Most attacks on critical infrastructure systems come from outside of the country — and in the Colonial Pipeline’s case, Russia — either in an effort to boost their country’s advantage on the world stage, or simply because systems critical to public safety and order and much more profitable.
Achieving cybersecurity resiliency in the OT environment has much more to do with preserving safety and keeping systems online and producing, otherwise known as reliability. While data security is the primary focus of information technology cybersecurity, data security is not as important as safety and reliability in OT.
What We Learned from the Colonial Pipeline Hack
There is an ever-thinning line between IT and OT systems. For instance, the ransomware attack that impacted the Colonial Pipeline stole data, locked computers and limited access to the billing systems within the corporate IT environment. Nevertheless, Colonial needed to shutter the OT operations for two distinct reasons. The first being that Colonial did not have a clear understanding of the interdependencies between its IT and OT, its overall security posture, and it was not certain that the incident could not promulgate its way more directly into the OT systems. Second, while ransomware itself did not make its way into the OT environment, it locked up a critical system within the IT environment that certain OT systems needed access to function properly, essentially shutting the OT down by proxy.
The shutdown lasted a total of five days, translating to about $1 billion worth of impact to the company. Take into consideration the price of oil per barrel and the number of barrels lost, plus the $4.4 million paid for the ransom, and a $1 million penalty issued by the Department of Transportation’s Pipeline and Hazardous Material Safety Administration for Colonial’s “ad-hoc approach” to restarting the pipeline system.
So, what did we learn? Shutdowns to critical infrastructure can result in significant impacts to the industry as a whole.
Eric Goldstein, executive assistant director for cybersecurity for the Cybersecurity and Infrastructure Security Agency said that the Colonial Pipeline hack was a “clarion call” to companies that might not have viewed hacking as a critical business risk. In many ways, Colonial is the equivalent to the Deep Water Horizon for oil drillers in the ocean, and the Exxon Valdez for oil spills and environmental impacts. Huge problems due to unforeseen shutdowns and lack of preparation.
Our Nation’s Infrastructure Can Do Better
One major problem is the lack of monitoring and detection within critical infrastructure systems, which could detect disruption. When it comes to cyber sabotage, the goal is to disrupt or degrade, as opposed to process shutdown. Only thinking ‘system shutdown' is emblematic of traditional, old-school thinking for risk management. Attackers don’t always try to shut down the entire production of milk, instead they degrade the pasteurization enough to get people sick. And the latter is what people now need to monitor for.
Our nation’s infrastructure is in dire need of improved preparedness upfront. OT cybersecurity programs need to be established and must include baseline risk assessment, asset inventories, as-built architectural maps, updated incident response plans and constant testing. But these programs can’t get caught up in the “rat race” of constantly monitoring vulnerabilities and attempting to patch systems that, by design, are not meant to be constantly patched and updated.
OT systems must apply cyber-informed engineering (CIE) and consequence-driven, cyber-informed engineering (CCE) to protect the company’s critical function or mission, which is what matters most. CIE and CCE ensure that when an adversary attacks, the lifeblood of the company continues to operate, even though some less critical components may be impacted. We saw the exact opposite with the Colonial Pipeline where the main pipelines were shut down and only a few tributaries remained online.
Further iteration and innovations have been made to CIE and CCE that have allowed firms to achieve meaningful results in a matter of weeks. But it goes without saying that critical infrastructure systems must employ additional monitoring to supplement what is not covered by CIE and ensure their systems are secure to learn from and avoid such calamities as the Colonial Pipeline hack.
Matt Morris is global managing director of 1898 & Co.