Even though there have been lots of ransomware attacks, today’s news story on the Colonial Pipeline ransomware attack was quite interesting to me for one reason: Even though the attack (according to Colonial) only affected Colonial’s IT network, pipeline operations were shut down as a precaution. To quote WaPo:
The company learned of the attack on some of its “information technology” or corporate network systems Friday, but “proactively took certain systems offline to contain the threat,” it said.
In other words, if the company is to be believed, the ransomware didn’t directly affect the OT network at all. However, they shut OT down anyway, out of what’s often referred to as “an abundance of caution”. But not everyone believes the company. WaPo also says:
Mike Chapple, a cybersecurity expert at the University of Notre Dame and a former computer scientist at the National Security Agency, said the shutdown of pipeline infrastructure indicated that the attack was either very sophisticated or that Colonial’s (operational) systems were not well secured.
Note I inserted “operational”, since that’s very likely what Mr. Chapple meant.
However, Rob Lee of Dragos said in the same article, “There are absolutely cases in industrial operations where ransomware impacts operations.” Note this doesn’t mean he also thinks that Colonial is lying. In fact, I think he’s taking their words at face value: They “proactively took certain systems offline to contain the threat…”. In other words, Colonial couldn’t take the chance that the ransomware would spread to their OT network, and they wanted to contain any further spread on their IT network. This led them to shut both networks down. I believe Rob is saying “Even though the ransomware attack didn’t directly force Colonial to bring their OT network down, the fact that they felt compelled to do so means it in fact impacted operations.”
This is just another example of something I pointed out in this post last October: A cyberattack that is confined to the IT network can impact OT just as seriously as if OT had been directly attacked.
And what’s the moral of this story? It’s that protection of an OT network requires protection of the IT network as well. The protections don’t need to be the same (and they’ll usually be much more rigorous on the OT network), but they need to be coordinated. In the case of the utility in the 2018 incident described in my October post, the additional protections would probably have included a much greater focus on anti-ransomware training, as well as perhaps technologies that can block a lot of ransomware emails before they’re even read.
Does this mean I support extending the NERC CIP standards to cover IT systems in some way? Absolutely. But does it also mean that I support extending the existing NERC CIP standards to cover IT systems? Absolutely not. As I’ve said many times and also discussed in this webinar in 2019, the generally prescriptive nature of the NERC CIP standards (except for CIP-012, -013 and -014) requires a huge (and continually growing) investment of resources by NERC entities, well in excess of the cybersecurity benefits that are realized.
The last thing we need to do is require utilities to extend CIP-002 through CIP-011 to IT systems. Instead, we need to rewrite all of the CIP standards as risk-based ones. CIP-013-1 is a pretty good example of what I mean by “risk-based”, although even that isn’t perfect.
Later on Saturday: Rob Lee added this comment to this post when I posted it on LinkedIn a little while ago. As usual, he raises good points!
You’re interpreting me correctly. I take Colonial at their word. But also, IT attacks can impact OT and we have been responding to ransomware incidents in OT directly (so exactly as you stated).
IMO a big challenge is the community puts so much focus on prevention controls like segmentation and patching that without visibility and monitoring they don’t see those preventive controls atrophy and change over time, and have incomplete enforcement of them. I’m glad that the electric sector and others are pushing for more visibility and detection, as it isn’t just about detecting cyber threats, it’s about making sure you’re getting the expected value out of your preventive investments as well.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.