By Yanir Laubshtein, NanoLock Security
The biggest news in the utilities industry right now is the ransomware hack of the Colonial Pipeline, a 5,500-mile-long oil and gas pipeline that stretches along the east coast of the United States from New Jersey all the way to Texas. In early May, a group of hackers, known as DarkSide according to the FBI, gained entry to the business network of the pipeline operator and were able to seize corporate data, issuing a $5 million ransom demand for its safe return.
It is still not fully clear how exactly the breach occurred, but based both on what has been reported and the group’s past modus operandi, it seems the malware was deployed at onto their IT network, either through a phishing attempt or another form of user manipulation. Though the group reportedly did not breach the company’s more sensitive OT networks, the operators of the pipeline shut those down promptly out of an abundance of caution, ceasing pipeline operations and impacting the company’s ability to service and accurately bill customers. The company has since announced they have paid the ransom and resumed pipeline operations, and the American government has initiated action against DarkSide, with hopes of future prosecution.
Utilities Are More Vulnerable Than Ever
As this attack proves, utilities are only growing more vulnerable, as organizations reliant on critical infrastructures turn towards digitalization to streamline operations, reduce costs, and drive production. While this convergence of OT devices and IT networks allows for easier management, monitoring, and maintenance, each connected device also represents an additional potential vulnerability for bad actors looking to use the IT to get to OT or vice versa. Future hackers may see these OT systems as an enticing target given control over distribution of gas, electricity, or water is vastly more potentially damaging (and thus valuable) than control over billing, HR, or generic business data.
Many utilities remain unaware of the extent of the cyber risk they face, though at least some have recognized they are vulnerable. According to a Siemens and the Ponemon Institute utility survey (2019), 56% of the 1726 utilities network operators surveyed worldwide reported at least one shutdown or operational data loss per year and 25% were impacted by mega attacks. 54% expect an attack on critical infrastructure in the next 12 months. The federal government has recognized this vulnerability as well with President Joe Biden’s introduction of a new executive order designed to advance toward “Zero Trust Architecture” and to “rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.”
The Costs to the Community Can Outweigh the Ransom
Worth keeping in mind for the next time a ransomware attack happens is that law enforcement traditionally advises against paying ransoms in order to avoid attracting future hacks and given there is no guarantee hackers will comply once a ransom is paid. We are inclined to agree and believe the default stance in these cases ought to be to treat these attacks as acts of terror — no negotiation, no payment, and the immediate involvement of federal agencies.
That said, given the FBI’s involvement in the situation once made public, it is likely the decision to pay in this case was strategic and approved by the agency as part of a larger plan. Colonial also may not have had much choice, especially because the costs to the economy when a piece of critical infrastructure goes down are dramatically higher than the costs to the particular company that owns it.
Though Colonial is now out $5 million, the effects on the country were much worse, as thousands of Americans began to panic-buy gas even though the pipeline itself was only down for a few days. On top of that, the state of North Carolina declared a state of emergency and the governor of the state of Georgia had to suspend taxes on fuel in order to offset rising prices at pumps that remained open. DarkSide stated they were not out to “create problems,” and were only seeking a pay day, but given the sprawling fallout of their cyberattack, it is clear that breaches into critical infrastructures can have chain-reaction-style consequences far beyond what hackers or their victims may imagine.
For example, what problems might occur if a smart meter were breached, and a city were forced to shut down their entire electrical grid for days or even weeks? What if a water services network was accessed and the pH levels of public water supply were made poisonous, as almost happened in Florida earlier this year? It is critical that entities enact measures to preserve business continuity if and when they are attacked because if they allow the hack to derail their service — and therefore their community — they give hackers more leverage.
What Can Be Done to Safeguard Utility Systems?
In the aftermath of this attack, decision makers for utilities are likely wondering what can be done to protect their systems. For starters, utilities can begin by analyzing their security policies and systems for potential weak points, conducting regular penetration and resilience testing activities, and training IT and cybersecurity teams (assuming they have them) to detect and respond to threat situations. Utilities will also want insurance policies in place to hedge against damaging attacks, for they should by now be operating as though an attack is a matter of when and not if.
On a practical level however, utilities must future-proof their vulnerable IoT and IIoT devices such as smart meters and control systems with Zero Trust device-level protection that can prevent unauthorized modification to critical code and data, thereby preventing persistency. This won’t stop future hackers from trying to breach converged IT/OT systems, but it will at least protect the most vulnerable potential points of attack and prevent them from being used as entry points to wider systems.
There is urgent need for security at all three levels of OT systems — the device, network, and system levels — but for bad actors targeting critical infrastructures, a single connected device is sometimes all it takes. It is therefore well past time governments, utilities, and private industry recognized the threat they face and took action to protect their vulnerable connected devices.
About the Author
Yanir Laubshtein is VP, Cybersecurity & Industry, at NanoLock Security, where he brings over 20 years of experience working in the cybersecurity industry in various roles both for the government and private sectors, including his most recent at PwC’s Cybersecurity & Privacy Impact Center as the OT/ICS Security Lead. Prior to PwC, Yanir led strategic government projects in Israel, managing the Cybersecurity Operations on behalf of the Ministry of Energy and the Water & Sewage Authority and subsequently designing and managing the development of Israel’s National C-SOC for Critical Infrastructures.