By Ken Walker, CTO, Owl Cyber Defense
What is the cost of shutting down the Colonial Pipeline for an hour, a day, a week?
We'll all feel it at the pump in the coming months, but the cost of preventing shutdowns by protecting the critical equipment pales in comparison.
While it’s not clear which initial vector was used in the Colonial Pipeline ransomware attack, and it’s unlikely the control systems themselves were targeted, the fact that a ransomware infection could take an operational pipeline offline indicates that the industrial control system (ICS) network was, at a minimum, not adequately isolated from the compromised IT environment. This incident shows that the oil-and-gas industry is no better prepared than anyone else.
Within the oil-and-gas industry, regulatory focus is generally on safety; it has not kept up with the convergence of operational technology (OT) and information technology (IT), and in many cases this convergence is being done without a full understanding of the risks. Delivering services efficiently requires some exchange of IT/OT data, but that exchange must be done securely. Organizations must analyze the protocols in use and the threats against them to inform the architecture and mitigation efforts.
There are a number of strategies organizations can implement to protect against ransomware (e.g., data vaults), and, more generally, protect critical systems with high-assurance mechanisms to limit the damage that can be done when attackers are inside the gates. These include:
- Filter connections at the device—There is no reason for a PLC, pump or any other ICS component to be exposed to unlimited traffic from the network, even a "closed" or private network. There is a very specific set of protocols, commands and other data streams that the equipment is expected to produce or consume. Filter the connection at the device so that only known, good traffic is allowed. This prevents an attacker from sending packets on unexpected ports, or command combinations the manufacturer has never tested, which could crash the device or expose an unknown, exploitable vulnerability.
- Put rules in place for “acceptable” commands—The Oldsmar, Florida, water treatment attack earlier this year proved that an attacker can use perfectly acceptable commands and still cause harm. Put rules in place that block frequent or large swings in process parameters when such changes aren't expected. Generate SNMP (Simple Network Management Protocol) traps when setpoints are changed, and configure the SIEM to watch for these events.
- Invest in solutions that can help isolate and mitigate the impact of a cyber-incident—Isolation and filtering with hardware enforcement, which can't be reconfigured through the data path, make it much harder for an attacker to manipulate the environment and evade detection. Hardware-based protocol breaks also stop many of the low-level TCP/IP stack attacks that trip up software-only solutions (e.g., the Ripple20 vulnerabilities).
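The first two rules above can be combined into a single device-side filter: an allow-list of who may talk to the device, which function codes and registers they may touch, and then limits on how far and how often an otherwise acceptable setpoint write may move. The following is an added example, not code from the original article or from Owl Cyber Defense. It uses real Modbus function codes but simplified request records rather than full Modbus/TCP frames, and the dosing-pump register layout, IP addresses and limits are constructed for illustration. Alerts are returned as records; forwarding them as SNMP traps or syslog to the SIEM is left to the deployment.

```python
"""Device-side allow-list filter plus change-rate rules for ICS write commands.

Constructed example: requests are simplified Modbus-style records
(source, function code, register, value), not full protocol frames.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Real Modbus function codes; only this subset is expected by the example device.
FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06


@dataclass
class DevicePolicy:
    """What one PLC is expected to consume: the allow-list (rule 1)
    plus the parameter-change limits (rule 2)."""
    allowed_sources: set     # hosts permitted to talk to this device at all
    readable: range          # holding registers that may be read
    writable: dict           # register -> (min, max) engineering limits
    max_step: float          # largest permitted change per write
    max_writes: int          # writes allowed per window ...
    window_s: float          # ... of this many seconds


@dataclass
class Request:
    src: str
    fc: int
    register: int
    value: Optional[int] = None
    ts: float = 0.0          # seconds; hypothetical capture timestamp


@dataclass
class Filter:
    policy: DevicePolicy
    last_value: dict = field(default_factory=dict)
    write_times: deque = field(default_factory=deque)
    alerts: list = field(default_factory=list)

    def _alert(self, kind: str, req: Request, detail: str) -> None:
        # Hypothetical alert record; a deployment would emit an SNMP trap or
        # syslog line here and forward it to the SIEM.
        self.alerts.append({"kind": kind, "src": req.src, "fc": req.fc,
                            "register": req.register, "detail": detail})

    def check(self, req: Request) -> bool:
        """Return True if the request may reach the device, False to drop it."""
        p = self.policy
        # Rule 1: known source, known function code, known register only.
        if req.src not in p.allowed_sources:
            self._alert("unknown_source", req, "host not in allow-list")
            return False
        if req.fc == FC_READ_HOLDING:
            if req.register in p.readable:
                return True
            self._alert("unexpected_register", req, "read outside allowed range")
            return False
        if req.fc != FC_WRITE_SINGLE:
            self._alert("unexpected_function", req, f"function code {req.fc:#04x}")
            return False
        if req.register not in p.writable:
            self._alert("unexpected_register", req, "write to non-writable register")
            return False
        # Rule 2: the command itself is acceptable; is the change it makes acceptable?
        lo, hi = p.writable[req.register]
        if not lo <= req.value <= hi:
            self._alert("out_of_range", req, f"{req.value} outside [{lo}, {hi}]")
            return False
        prev = self.last_value.get(req.register)
        if prev is not None and abs(req.value - prev) > p.max_step:
            self._alert("large_swing", req, f"{prev} -> {req.value}")
            return False
        while self.write_times and req.ts - self.write_times[0] > p.window_s:
            self.write_times.popleft()          # drop writes outside the window
        if len(self.write_times) >= p.max_writes:
            self._alert("too_frequent", req, f"more than {p.max_writes} writes in {p.window_s}s")
            return False
        self.write_times.append(req.ts)
        self.last_value[req.register] = req.value
        return True


def demo() -> tuple:
    """Run constructed traffic through the filter; returns (verdicts, alert kinds)."""
    # Hypothetical dosing-pump PLC: register 40 is a setpoint in 50..150 that is
    # expected to move at most 10 units per write and at most 3 writes per minute.
    policy = DevicePolicy(allowed_sources={"10.0.1.5"}, readable=range(0, 100),
                          writable={40: (50, 150)}, max_step=10, max_writes=3, window_s=60)
    f = Filter(policy)
    sample = [                                                   # constructed traffic
        Request("10.0.1.5", FC_READ_HOLDING, 12, ts=0),          # normal HMI poll
        Request("10.0.1.5", FC_WRITE_SINGLE, 40, 100, ts=1),     # establishes baseline
        Request("10.0.1.5", FC_WRITE_SINGLE, 40, 105, ts=2),     # small step, allowed
        Request("10.0.1.5", FC_WRITE_SINGLE, 40, 110, ts=3),     # small step, allowed
        Request("10.0.1.5", FC_WRITE_SINGLE, 40, 115, ts=4),     # 4th write in a minute
        Request("10.0.1.5", FC_WRITE_SINGLE, 40, 150, ts=5),     # in range, but a 40-unit jump
        Request("10.0.1.5", 0x10, 40, 105, ts=6),                # write-multiple: never expected
        Request("10.0.9.9", FC_READ_HOLDING, 12, ts=7),          # host not in allow-list
    ]
    verdicts = [f.check(r) for r in sample]
    return verdicts, [a["kind"] for a in f.alerts]


if __name__ == "__main__":
    print(demo())
```

Note that the 150 write is inside the engineering limits and would pass a plain range check; it is rejected only because the rate-of-change rule compares it with the last accepted value, which is the kind of "acceptable command, unacceptable change" the Oldsmar incident illustrated.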
These techniques have been used to protect national security systems for years, and the same technology can be used to protect critical infrastructure. In the coming days and weeks we will undoubtedly learn more about the attack on Colonial Pipeline as the situation and its repercussions are further assessed. In the meantime, all organizations should treat this as a wake-up call and ensure they have a plan in place to minimize the impact of these types of attacks.