The impact of the Colonial Pipeline breach and ransomware attack is sizeable and the attack may quickly become the most deadly in history.
It didn’t just target the IT systems of Colonial, but instead was intent upon controlling and/or manipulating the OT systems that manage the distribution of petroleum products from upstream suppliers through downstream refiners throughout the entire eastern seaboard and inland from Tennessee to the gulf ports and up to Maine.
The pipeline carries 2.5 million barrels a day – 45% of the East Coast’s supply of diesel, petrol and jet fuel.
An Abundance of Caution
Colonial immediately shut down their “network” as they refer to the pipeline, “out of an abundance of caution,” and their network partners moved to disconnect from their pipeline interfaces so as to prevent any third-party infection.
Efficiently Island Hopping
It is assumed, and rightfully so, that the IT networks that were attacked were also connected to their OT networks and vice versa up and down the line due to the efficiency of OT controls feeding ticketing and billing systems on the IT side.
And that makes sense, except in dangerous cases, where systems need to be air gapped and can’t provide an island hop over to OT systems, and render control to adversaries.
Like this one.
Sucker Punch Payback
The attackers were a proxy for the Russian Intelligence units that have been doing their bidding in plain sight for decades. In exchange, they are protected by the Russian government and allowed to commit fiscal crimes and keep what they reap. So, contrary to the acknowledgement just released in a public statement by the bad guys, aka DarkSide, “We do not participate in geopolitics, do not need to tie us with a defined government and look for … our motives,” this attack was clearly a counter-punch for the sanctions we just slapped on the Kremlin.
Time to Join the 21st Century
OT systems that manage the information that controls everything from oil, diesel, petrol and jet fuel to electricity, water distribution, telecommunications, air traffic and cookie manufacturing, are in dire need of upgrading, re-configuring and re-imagining. They need to be moved into the twenty-first century at least in specific regard to their security vulnerabilities.
Most ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition) systems were built to be managed by simplistic OT systems. Over time, a SCADA system can become outdated and unsupported, lack functionality and features, present increased security risks, and be difficult to scale. The average life cycle is 10 years.
Increasing Advances in Complexity
Gartner and Forrester have predicted that we are now in the process of moving from some 25 billion network-connected IoT devices to approximately 75 billion in the next 4 years alone. This large-scale increase in the number of IP-enabled devices will also exacerbate another critical trend – the steadily advancing complexity of enterprise IT networks in general. This alone will require significant advances in our ability to understand and respond effectively, especially as regards cybersecurity threats – and increasingly to anticipate and address risk in advance.
Like the Colonial Pipeline breach.
Remnants of a Bygone Era
Historically, OT was typically comprised of multiple standalone systems. Precision control systems, for example, had no need to communicate with those that might manage the flow of essential components onto an assembly line. And typically, none of these technologies had to or were expected to cross the functional barrier separating OT from IT, or to be joined to enterprise networks in order to share data or systems access with their brethren in corporate IT.
From the CIO’s perspective, these systems were managed by subject-matter-experts on the shop floor. Managing in their own specialized domain was simpler and it kept control in the hands of the operational personnel, who were ultimately accountable for outcomes.
Erosion of the Lines between IT and OT
But as most industries have evolved to take advantage of agile development, they have also become more data-driven. At the same time, OT systems have become increasingly complex, feature-rich and interconnected with other key systems, leveraging IT’s well-developed networking capabilities. As a result, the separation of IT and OT has begun to erode because of the greater benefits from access and analysis of data created within OT, and combining it with enterprise systems for financials and inventory management.
Big Data can produce strategic competitive advantages and mining OT data can yield many. But, doing this with established and connected systems is challenging enough, let alone trying to leverage historically disconnected OT systems.
The increase in the complexity often yields results like those that we will soon see with Colonial Pipeline attack.
Why?
Ignorance Is Amiss
It has now been 4 days since the attack, and we still know nothing. This is either because Colonial refuses to reveal publicly or because they themselves have no way to tell. I suspect it is the latter. And the federal investigative units are not helpful either, saying only that the incident remains under investigation.
Rhetorically, cui bono?
For the attack, the Russians. The benefit is the disruption of the U.S. energy markets and an increase in the price of every fuel used for transportation, right at the moment when the U.S. population is readying travel and vacation plans. It won’t just be the price of gas or airline tickets, it will be the availability.
Farfetched Faith in Colonial
From one pandemic lockdown to another shutdown. This one caused by very expensive and rarely available gasoline. The outcome depends on the ability of the Colonial Pipeline folks to determine the damage, correct it and return to normalized distribution models. So far, that doesn’t look promising. Every one of their up- and downstream partners has disconnected from their network and are arranging delivery via overland trucking.
Cui bono for survival, is Colonial. They have to prove that they are capable of controlling an outbreak like this, and scrambling around while delivering opaque reporting and communications is not good optics. The less they report, the more suspicious they become and while Kevin Mandian has more integrity than anyone in the cybersecurity business, he is also just a hired gun here – he is not investigating his own company falling prey to the SolarWinds attack, he is investigating Colonial – what he can and can’t say will be under Colonial’s control, not his.
A Game of Whack-A-Mole
Playing whack-a-mole with U.S. foreign policy is not a game for children. Our Russian sanctions will only bring more attacks with greater impact, and they will continue to attack our vulnerable infrastructure. They will do that because in the new world, cyber-physical attacks have the side benefit of becoming front-page stories in mainstream media, no longer relegated to the business or technology sections.
When everyday citizens begin realizing that we appear to be defenseless against cyberattacks that result in service outcomes upon which they rely, the bridge to start questioning leadership and governance is a short one.
Cui bono?
The Russians.