4 Takeaways from the Colonial Pipeline Attack
By now, you've surely heard about the cyberattack on the Colonial Pipeline Company, the operator of the largest pipeline system for petroleum products in the United States. The attack, launched by the DarkSide ransomware group, took the company's IT systems offline, but was not reported to have directly affected the OT systems. Still, the company made the decision to shut down the pipeline, which resulted in major shocks to gas and petroleum product supplies throughout the East Coast, triggering a panic and shortages which took weeks to resolve.
And they say there's no such thing as bad publicity.
A lot has already been written about the attack and its aftermath. CISA Alert AA21-131A covers this, and provides an important list of mitigations which, of course, should be implemented. However, if we read between the lines of all this coverage, some key themes emerge that are worth noting.
- The Perimeter Was Hardly Secure to Begin With
Security teams have for the most part done an admirable job of creating and defending the corporate perimeter. But if all it takes is a well-crafted phishing email to unlock the keys to the kingdom, then we have to ask: is all the emphasis on perimeter defense perhaps misplaced?
Perhaps it's time to finally bite the bullet and recognize that the old workhorses of perimeter defense, the network security boxes like VPNs and firewalls, just don't work anymore. CISOs should consider the possibility that traditional hallmarks of organizational efficiency, such as institutional knowledge and certifications, work well in times of stability, but can be downright dangerous in times of great change if they impede the adoption of new, more secure technologies.
Zero Trust is the way to go, but the hardest part about adopting it is the fact that enterprises have never had to create or maintain granular access policies that are tied to user and device identity. But as I've written before, you don't achieve Zero Trust by flipping a switch or replacing your firewall – it's a journey. Before you can reach the goal, you have to take the first step.
CISOs need to build a core team which can process Zero Trust requirements and drive change within the organization. There are no shortcuts.
- Infrastructure and Operations Pain Leads to Security Holes
CISA reports that RDP was used to maintain persistence to servers inside Colonial, which suggests that RDP was open to the Internet. This is a bit of a head scratcher given the repeated warnings about the risks of exposing VDI to the Internet, but – and completely speculating here – it's possible it could have been the result of business pressure. Like all other functional groups in a company, IT and Infosec have to serve business requirements first. If the business absolutely requires RDP access from the Internet, it will push for the expedient solution (or go it alone – shadow IT, anyone?).
It's hard to know for sure how Colonial ended up in this situation, but had they adopted ZTNA for secure remote access, they could have closed port 3389 on every firewall throughout the company. That certainly would have complicated life for the attackers.
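As a quick way to check whether port 3389 really is closed to the outside, here is an added audit script (not from the original post or from CISA) that walks a firewall rule set and flags any allow rule that lets TCP/3389 in from a source outside RFC 1918 space. The rule format, the `Rule` class and the sample rules are assumptions constructed for this example; the "internal" ranges are an assumption too.

```python
import ipaddress
from dataclasses import dataclass

RDP_PORT = 3389
# Address space treated as "inside" (assumption: RFC 1918 ranges only).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    name: str
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "any"
    src: str         # source in CIDR notation
    dst_ports: str   # "3389", "3000-4000" or "any"

def port_range(spec):
    """Parse a destination port spec into an inclusive (low, high) tuple."""
    if spec == "any":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def is_internal(src):
    """True only if the whole source range sits inside our internal networks."""
    net = ipaddress.ip_network(src, strict=False)
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL_NETS)

def exposes_rdp(rule):
    """An allow rule that admits TCP/3389 from any non-internal source."""
    if rule.action != "allow" or rule.proto not in ("tcp", "any"):
        return False
    lo, hi = port_range(rule.dst_ports)
    return lo <= RDP_PORT <= hi and not is_internal(rule.src)

def find_exposed_rdp(rules):
    """Names of rules exposing RDP; port ranges catch exposure hidden in broad rules."""
    return [r.name for r in rules if exposes_rdp(r)]

# Constructed sample rule set (not taken from any real firewall).
SAMPLE_RULES = [
    Rule("vpn-users-rdp", "allow", "tcp", "10.20.0.0/16", "3389"),
    Rule("vendor-any-port", "allow", "tcp", "203.0.113.0/24", "3000-4000"),
    Rule("internet-rdp", "allow", "tcp", "0.0.0.0/0", "3389"),
    Rule("internet-rdp-udp", "allow", "udp", "0.0.0.0/0", "3389"),
    Rule("block-all", "deny", "any", "0.0.0.0/0", "any"),
]

if __name__ == "__main__":
    for name in find_exposed_rdp(SAMPLE_RULES):
        print("RDP reachable from outside via rule:", name)
```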
A modern ZTNA is easy to use, both for administrators to manage least-privilege access and for users to log in and use. If secure tools provide a great UX, there's absolutely no reason or justification to do anything that's less secure.
- IT and OT Are More Interdependent Than You Think
Initial reports suggested that Colonial shut pipeline operations down for safety reasons, even though there was no evidence that the attackers had reached the OT environment. But days later, a CNN report contradicted that narrative, stating that the ransomware attack had shut down the billing system, making it impossible to properly charge customers for product they received. This makes sense – while stopping production cuts revenue to zero, at least it doesn't give away the store.
Now, the billing system is not typically considered part of OT – it's solidly an IT function, and would not fit anywhere in the OT levels of the Purdue model. However, as we can see, business operations were critically dependent on something outside of the OT environment. Another example of this might be the BI/ERP database that maintains production serial numbers in a manufacturing environment. While we increasingly see requirements for OT to connect to IT or to the cloud for business process optimization, existing dependencies on IT or cloud appear to be significantly under-appreciated.
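To make the dependency argument concrete, here is an added example (not from the original post, and not Colonial's actual architecture) that models operations as a dependency graph and reports which processes stop when a single IT asset such as the billing system goes down, then lists every IT or cloud asset whose loss would halt an operational process. The asset names and edges are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed asset graph (assumption): each asset lists what it needs to keep running.
DEPENDS_ON = {
    "product_delivery": ["pipeline_flow", "billing"],   # can't ship what you can't invoice
    "pipeline_flow": ["scada_hmi", "custody_metering"],
    "scada_hmi": ["plc_pumps"],
    "plc_pumps": [],
    "custody_metering": [],
    "billing": ["erp_db", "identity_provider"],
    "erp_db": ["san_storage"],
    "san_storage": [],
    "identity_provider": [],
    "corporate_email": ["identity_provider"],
}
OT_ASSETS = {"pipeline_flow", "scada_hmi", "plc_pumps", "custody_metering"}
OPERATIONS = {"product_delivery"}   # business processes that must keep running

def dependents(graph):
    """Invert the edges: for each asset, the set of assets that rely on it."""
    rev = defaultdict(set)
    for asset, deps in graph.items():
        for d in deps:
            rev[d].add(asset)
    return rev

def impact(graph, failed):
    """Every asset that stops working when `failed` goes offline (transitive closure)."""
    rev = dependents(graph)
    down, queue = {failed}, deque([failed])
    while queue:
        for dep in rev[queue.popleft()]:
            if dep not in down:
                down.add(dep)
                queue.append(dep)
    return down

def critical_it_assets(graph, ot_assets, operations):
    """IT/cloud assets whose loss halts an operational process; these need OT-grade controls."""
    result = {}
    for asset in graph:
        if asset in ot_assets or asset in operations:
            continue
        halted = impact(graph, asset) & operations
        if halted:
            result[asset] = sorted(halted)
    return result

if __name__ == "__main__":
    print("billing outage takes down:", sorted(impact(DEPENDS_ON, "billing")))
    print("IT assets needing OT-grade safeguards:", critical_it_assets(DEPENDS_ON, OT_ASSETS, OPERATIONS))
```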
Given this, it's worth running a thought experiment or even a simulation to understand the impact of an attack on operations. Any IT or cloud asset deemed to be critical should be secured with at least the same level of safeguards applied to OT – particularly, segmentation and access controls.
- OT's Dirty Secret: There's a Lot of Flat Networks Out There
While there are no reports that Colonial's OT network was flat – to their credit, it does not appear that their OT network was breached – the topic of logical segmentation within OT figures prominently within the CISA mitigation guidelines. That's not a surprise. While the Purdue Enterprise Reference Architecture has been around since the 1990s, the Colonial Pipeline had been continuously operating since 1964, a full five years before the first computers were connected to ARPANET. In this kind of environment, one does not simply shut the plant down for updates.
The truth is, many existing ICS and CI facilities long predate modern best practices. Field equipment may have been upgraded, but ripping out and replacing the network wholesale, as would be required to create network segmentation with traditional network security infrastructure, is incredibly disruptive. Without solutions that work with the existing brownfield networks, it is difficult to see what companies are supposed to do.
The good news is, modern Zero Trust solutions can help. Reject solutions that require a network upgrade. Avoid arguments about "agentless" vs "agent-based" onboarding models - you need both to be able to protect a complex OT application that mixes IT equipment and HMIs with SCADA, PLCs, and CI tooling. Instead, look for overlay-based security, which makes segmentation software-defined and logical. This allows you to deploy without risk to operations, and introduce progressively tighter rules to lock down your environment and improve your security posture.