The worst cyber attack to date against an industrial control system (ICS) in the US just happened on Friday. The United States’ largest pipeline for oil and gas has been shut down after a group infiltrated Colonial Pipeline’s network and locked data on its computers and servers, demanding a ransom payment to get it back.
The attack was made possible by engineers accessing the pipeline remotely from home. This is a situation many companies now find themselves in: the pandemic's shift to remote work has opened new vulnerabilities.
As many companies choose to keep their employees remote, even post-COVID, this exposure will become one of the many ways bad actors gain access to IT and OT infrastructure. Organizations must treat vulnerabilities on employees' home networks as part of their overall cybersecurity strategy.
Though the motive for this attack seems related to profit, state-sponsored attacks have happened in other countries. These attacks are devastating, and one can imagine the level of damage an attack could create with such access to critical infrastructure. It could cripple a country.
Ransomware attacks have been increasing in recent years, with many high-profile attacks happening just recently. Our blog on the importance of supply chain security highlighted a few of those.
The Cybersecurity and Infrastructure Security Agency (CISA) last year also warned of ransomware attacks affecting pipeline operations and urged all asset owners and operators across critical infrastructure to ensure the corresponding mitigations were applied.
A ransomware attack’s damage is so severe that you are left with only two options once affected: pay the ransom to get your access back or rebuild the system. These are both terrible choices to be forced to make. The best choice is preventing it from happening in the first place.
As of this writing, the US has issued emergency legislation loosening regulations so the supply of petroleum will not be further disrupted, and Colonial's systems have been offline for days while the company deals with the fallout from the attack.
ICS Cybersecurity Best Practices
Many companies are not adequately protecting their ICS environment. This puts America's infrastructure at risk, and these threats will only grow in number as electric and water utilities, transport companies and gas companies are targeted.
As the operational technology behind our critical infrastructure, such as industrial control systems, becomes a fresh target for attack, it is important to review what can be done to prevent it.
In the case of Colonial Pipeline, they needed a secure remote access solution that creates a barrier between the attacker and the endpoint. This is done with a protocol break: the remote user's session terminates at an intermediary, which opens a separate session to the asset, so there is never a direct network path from the home network into the critical infrastructure along which ransomware, malware or viruses could travel.
This is taken a step further with role-based access control, which ensures that even a legitimate user is given access only to specific assets, and only when they have a legitimate need to access them.
Each access is recorded, and the asset's configuration is checked after the user has made changes, alerting someone immediately if its configuration has changed.
Follow these ICS cybersecurity best practices below to ensure you are prepared to defend against attacks on your industrial control system:
- Employ a secure access control technology that provides a protocol break between the user and the assets being accessed.
- Continuously monitor your critical infrastructure for unexpected configuration changes, such as ports that have been opened or privileged accounts that have been added.
- Ensure your security programs, anti-malware and other software are up to date.
- Consider refreshing your Wi-Fi routers every few years, as some older ones have vulnerabilities that are never patched.
- Make sure your routers are not configured with open Wi-Fi, that wireless access is encrypted and password protected, and that you know which firewall ports and services are active.
- Password protect all devices with strong passwords and incorporate two-factor authentication and role-based access control.
- Know who is logged in to a device and what they did, providing real-time and after-the-fact forensic evidence that can be used for investigation.
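As an added example for the monitoring practice above (written for this post, not ConsoleWorks' own implementation), the following Python script compares a stored baseline of listening ports and privileged-group membership against a fresh snapshot and reports each deviation. The `ss`-style and `/etc/group`-style snapshots are constructed inline so it runs offline; on a real host they would come from the live command and file.

```python
import re

# Constructed sample output in the shape of `ss -tlnH` (Linux listening TCP
# sockets, no header), standing in for a live command so this runs offline.
SS_BASELINE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:502 0.0.0.0:* users:(("modbus-gw",pid=950,fd=5))
"""
SS_CURRENT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:502 0.0.0.0:* users:(("modbus-gw",pid=950,fd=5))
LISTEN 0 128 0.0.0.0:3389 0.0.0.0:* users:(("xrdp",pid=1443,fd=11))
"""
# Constructed /etc/group lines; only the privileged groups are compared.
GROUP_BASELINE = "sudo:x:27:eng_alice\nwheel:x:10:\n"
GROUP_CURRENT = "sudo:x:27:eng_alice,svc_backup\nwheel:x:10:\n"
PRIVILEGED_GROUPS = {"sudo", "wheel"}
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")

def parse_listeners(ss_output):
    """Return the set of (bind_address, port) pairs from ss-style output."""
    found = set()
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found

def parse_privileged_members(group_file):
    """Return (group, user) pairs for every member of a privileged group."""
    members = set()
    for line in group_file.splitlines():
        if not line:
            continue
        name, _pw, _gid, users = line.split(":", 3)
        if name in PRIVILEGED_GROUPS and users:
            members.update((name, u) for u in users.split(","))
    return members

def drift_alerts(baseline_ss, current_ss, baseline_grp, current_grp):
    """Diff two snapshots; each string returned is one alert for review."""
    old_l, new_l = parse_listeners(baseline_ss), parse_listeners(current_ss)
    old_g, new_g = parse_privileged_members(baseline_grp), parse_privileged_members(current_grp)
    alerts = [f"new listener {a}:{p}" for a, p in sorted(new_l - old_l)]
    # A service rebinding from loopback to 0.0.0.0 shows up as one new listener
    # plus one gone, which is exactly the exposure change worth reviewing.
    alerts += [f"listener gone {a}:{p}" for a, p in sorted(old_l - new_l)]
    alerts += [f"user {u} added to privileged group {g}" for g, u in sorted(new_g - old_g)]
    return alerts
```

Run on a schedule and feed the returned alerts to whoever reviews access records; an empty list means the host still matches its approved baseline.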
With ConsoleWorks, you’re not just getting one piece from this list of best practices, you’re getting a complete, secure operations platform that ensures you are protected against security threats to your IT and OT environments.
With Colonial now shut down for days, the nation loosening regulations on the transport of petroleum products by highway to avoid disruptions to the fuel supply, and fuel prices potentially rising, we cannot afford anything less than the most up-to-date defense against these outside threats.
They will continue to grow in number and in sophistication. The time to be prepared was yesterday.