Saturday, May 8, 2021

Once again: Operations can be impacted by a “purely IT” incident


Even though there have been lots of ransomware attacks, today’s news story on the Colonial Pipeline ransomware attack was quite interesting to me for one reason: Even though the attack (according to Colonial) only affected Colonial’s IT network, pipeline operations were shut down as a precaution. To quote WaPo:

The company learned of the attack on some of its “information technology” or corporate network systems Friday, but “proactively took certain systems offline to contain the threat,” it said.

In other words, if the company is to be believed, the ransomware didn’t directly affect the OT network at all. However, they shut OT down anyway, out of what’s often referred to as “an abundance of caution”. But not everyone believes the company. WaPo also says:

Mike Chapple, a cybersecurity expert at the University of Notre Dame and a former computer scientist at the National Security Agency, said the shutdown of pipeline infrastructure indicated that the attack was either very sophisticated or that Colonial’s (operational) systems were not well secured.

Note I inserted “operational”, since that’s very likely what Mr. Chapple meant.

However, Rob Lee of Dragos said in the same article, “There are absolutely cases in industrial operations where ransomware impacts operations.” Note this doesn’t mean he also thinks that Colonial is lying. In fact, I think he’s taking their words at face value: They “proactively took certain systems offline to contain the threat…”. In other words, Colonial couldn’t take the chance that the ransomware would spread to their OT network, and they wanted to contain any further spread on their IT network. This led them to shut both networks down. I believe Rob is saying, “Even though the ransomware attack didn’t directly force Colonial to bring their OT network down, the fact that they felt compelled to do so means it in fact impacted operations.”

This is just another example of something I pointed out in this post last October: A cyberattack that is confined to the IT network can impact OT just as seriously as if OT had been directly attacked.

And what’s the moral of this story? It’s that protection of an OT network requires protection of the IT network as well. The protections don’t need to be the same (and they’ll usually be much more rigorous on the OT network), but they need to be coordinated. In the case of the utility in the 2018 incident described in my October post, the additional protections would probably have included a much greater focus on anti-ransomware training, as well as perhaps technologies that can block a lot of ransomware emails before they’re even read.

Does this mean I support extending the NERC CIP standards to cover IT systems in some way? Absolutely. But does it also mean that I support extending the existing NERC CIP standards to cover IT systems? Absolutely not. As I’ve said many times and also discussed in this webinar in 2019, the generally prescriptive nature of the NERC CIP standards (except for CIP-012, -013 and -014) requires a huge, and continually growing, investment of resources by NERC entities, well in excess of the cybersecurity benefits that are realized.

The last thing we need to do is require utilities to extend CIP-002 through CIP-011 to IT systems. Instead, we need to rewrite all of the CIP standards as risk-based ones. CIP-013-1 is a pretty good example of what I mean by “risk-based”, although even that isn’t perfect.

Later on Saturday: Rob Lee added this comment to this post when I posted it on LinkedIn a little while ago. As usual, he raises good points!

You’re interpreting me correctly. I take Colonial at their word. But also, IT attacks can impact OT and we have been responding to ransomware incidents in OT directly (so exactly as you stated).

IMO a big challenge is the community puts so much focus on prevention controls like segmentation and patching that without visibility and monitoring they don’t see those preventive controls atrophy and change over time, and have incomplete enforcement of them. I’m glad that the electric sector and others are pushing for more visibility and detection, as it isn’t just about detecting cyber threats, it’s about making sure you’re getting the expected value out of your preventive investments as well.
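Rob’s point about preventive controls atrophying when nobody watches them can be made concrete. The script below is an added example, not code from this blog, from Dragos or from Colonial: it reads constructed flow-log lines, maps each address to an IT, DMZ or OT zone using hypothetical address ranges, and reports every cross-zone flow that the written segmentation policy does not permit. A direct IT-to-OT flow showing up in such a report is precisely the kind of drift (a forgotten firewall exception, a flat VLAN, a dual-homed host) that segmentation on paper never reveals on its own.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zone addressing for a three-zone IT / DMZ / OT design.
ZONES = {
    "IT":  [ipaddress.ip_network("10.10.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.20.0.0/24")],
    "OT":  [ipaddress.ip_network("192.168.100.0/24")],
}

# Segmentation policy as the firewall is *supposed* to enforce it:
# (source zone, destination zone, destination port). Anything else
# crossing a zone boundary is a violation worth a human's attention.
ALLOWED_FLOWS = {
    ("IT",  "DMZ", 443),   # engineers reach the DMZ jump host over HTTPS
    ("DMZ", "OT",  3389),  # jump host reaches OT HMIs over RDP
    ("OT",  "DMZ", 4840),  # OT historian publishes OPC UA to the DMZ replica
}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Return the zone name an address belongs to, or UNKNOWN."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "UNKNOWN"


def parse_flow(line: str) -> Flow:
    # Constructed log format: "<timestamp> <src_ip> <dst_ip> <dport> <proto>"
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)


def find_violations(lines):
    """Return (ts, src_zone, dst_zone, src, dst, dport) for each flow
    that crosses a zone boundary without a matching policy entry."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone == dst_zone:
            continue  # intra-zone traffic is outside this policy's scope
        if (src_zone, dst_zone, f.dport) not in ALLOWED_FLOWS:
            violations.append((f.ts, src_zone, dst_zone, f.src, f.dst, f.dport))
    return violations


# Constructed sample flows. Lines 3 and 5 are IT hosts talking straight
# to an OT HMI, bypassing the DMZ jump host the policy requires.
SAMPLE_FLOWS = """\
2021-05-07T02:10:01Z 10.10.5.23 10.20.0.10 443 tcp
2021-05-07T02:10:04Z 10.20.0.10 192.168.100.15 3389 tcp
2021-05-07T02:11:30Z 10.10.7.41 192.168.100.15 445 tcp
2021-05-07T02:12:02Z 192.168.100.20 10.20.0.12 4840 tcp
2021-05-07T02:12:40Z 10.10.7.41 192.168.100.15 3389 tcp
"""

if __name__ == "__main__":
    for ts, sz, dz, src, dst, dport in find_violations(SAMPLE_FLOWS.splitlines()):
        print(f"{ts} policy violation: {sz}->{dz} {src} -> {dst}:{dport}")
```

Run against real flow records (NetFlow, firewall logs, or a passive sensor span), a report that stays empty is evidence the control still holds; a report that grows week over week is the atrophy Rob describes, and each line in it is a rule exception someone should either document or remove.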

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
