Industrial Cybersecurity Lessons from the Colonial Pipeline Breach
Not long ago, most cyber-attacks on industry happened largely behind the scenes. The companies whose systems were breached rarely went public about the event and if information about these events was ever discussed publicly, it was usually years after the event and few specific details beyond the nature of the attack were ever revealed.
But thatâs been changing as cyber-attacks have become more brazen and threaten the public at large. For example, on February 5, 2021, we learned about the remote access intrusion into the control system at a water treatment facility in Oldsmar, Fla., about 13 miles from Raymond James Stadium in Tampa where the Super Bowl was held just two days later.
As an industry observer, one of the more shocking aspects of the Oldsmar hack is that the only thing that stopped it was an observant operator who noticed some unusual changes being made to the facilityâs control system. Though remote access to this system was allowed, apparently no user authentication or high-level security methods were employed to restrict access by unauthorized users. And because the operator who noticed the changes received no alerts about themâhe just happened to notice that the changes being made were unusualâitâs not unreasonable to assume the facility had no effective anomaly detection or intrusion technologies in place either.
Earlier this week, cyber-crime gang DarkSide claimed responsibility for compromising the Colonial Pipeline Companyâone of the largest fuel pipelines in the United States. As a result, fuel outages are being experience across states in the eastern U.S. supplied by the Colonial Pipeline. While we donât yet know all the details of how DarkSide compromised Colonial Pipelineâs network, we do know that it is a ransomware attack involving the theft of nearly 100 gigabytes of data from the companyâs IT network. Information issued by Colonial indicates that itâs OT (operations technology) network was not affected.
Advice for industry
Considering the ongoing rise in cyber-attacks on industry, Ron Brash, director of cybersecurity insights at Verve Industrial, a supplier of industrial control system security, highlighted five key areas of focus to help industrial companies mitigate the threat of a cyber breach affecting their operations. âThe financial impact of a shutdown can be significant,â he said. âCyber now needs to be a primary component of all disaster recovery planning and must become a larger area of management focus, even for organizations that donât see themselves as a natural target.â
Realize that industrial cybersecurity is not IT vs. OT, as operations can be affected by attacks on both sides of the system. âOrganizations need to work on bringing these two organizations together to protect the entire system. Billing and pricing systems and the data needed to operate them are critical processes, just as critical as the SCADA network operating the pumps and valves. Visibility and protection across the IT-OT landscape is key to protecting operations,â he said.
The largest security gaps in industrial companies tend to be in the management and maintenance of security. âFirewalls may exist, but personnel have adjusted rule settings to allow remote access and created servers that route around critical protection layers; patching policies may exist, but the manual tasks that are often standard do not get completed given the urgencies of operations; and standard secure configurations may exist, but exceptions are made, users adjust them, new software is allowed, and ports are opened, leaving gaps in that secure structure,â said Brash. â[But often] there is no central visibility of these gaps.â
He also noted that availability of robust and timely backups can significantly reduce downtime in case of a ransomware attack. âBut are these backups up to date? Do they restore quickly? Without management, the backups you thought you had may not be ready in case of emergency,â he said.
Rapid response and recovery are critical. The real advantage a company can have is the immediate ability to take actions across endpointsâIT or OTâto stop the spread of malware, Brash said. âThis integration of detection and response actions allows industrial organizations to significantly reduce the spreadâand costâof ransomware attacks.â
Have a plan for a conscious shutdown. Brash explained that having a plan for âconscious shutdownâ to avoid an OT incident while balancing loss is an acceptable alternative to a major incident. âIncidents like the Colonial crisis have become the new norm within the critical infrastructure cybersecurity community,â he said. âAs such, organizations should be adequately trained and prepared to handle incidents like this via a well-defined procedure.â
Brash noted that the ability to consolidate the security status across all systems into a common database to track and ensure protections are maintained is critical to strong cybersecurity protections. âOwners must patch, segment, harden configurations, ensure appropriate backups, and limit access to least privilege,â he said. âThese core, fundamental elements of security can be the difference between being a victim or not.â
IoT device security
Mark Thompson, VP of product management at Keyfactor highlighted three common mistakes Keyfactor sees being made in industry as they relate to IoT device security, and how to avoid them:
Hardcoding credentials onto the device:Â Some IoT devices are limited due to hardcoded credentials, Thompson said. âThis is a common outcome when manufacturers embed passwords or shared keys into firmware to help simplify development or deployment at scale. If [these keys are] accidentally leaked, threat actors or individuals without proper authority can access an entire fleet of devices.â To avoid this problem, Thompson recommends using strong mutual authentication between any connected devices or applications within the overall deployment.About the Author

Leaders relevant to this article:





