Colonial Pipeline incident helped reinforce cybersecurity across critical infrastructures, but still, a long way to go


It’s been a year since the Colonial Pipeline incident led the company to halt operations on around 5,500 miles of pipeline, out of an abundance of caution, to contain the DarkSide ransomware attack. The cyberattack compromised the fuel pipeline company’s IT networks and threatened to take them down entirely, preventing millions of barrels of petrol, diesel, and jet fuel from being delivered.

Shortly after the attack, the U.S. administration released an executive order intended to improve national cybersecurity, highlighting the need for the federal government “to make bold changes and significant investments to defend the vital institutions that underpin the American way of life.” Apart from the executive order, several federal and legislative measures have been introduced that prioritize a higher threshold of cybersecurity and operational resilience.

Following the Colonial Pipeline incident, organizations in the U.S. witnessed other critical incidents that made national headlines, including the Kaseya ransomware attack and the discovery of the Log4j vulnerability that was baked within the foundations of the software applications deployed across global installations.

Another issue before Congress is whether the Transportation Security Administration (TSA) is the appropriate agency to regulate pipeline cybersecurity. Congress might decide to fund TSA and ensure that it has the requisite expertise and staff to regulate pipeline cybersecurity effectively. However, there is an ongoing debate about whether a different agency would be better suited to the task.

Industrial Cyber reached out to experts in the field to examine the key changes made across the critical infrastructure sector one year after the Colonial Pipeline incident and to evaluate whether the sector is more secure today than it was a year ago.

“We’re starting to see more awareness of attacks on critical infrastructure and this is due in part to the increased transparency displayed by impacted organizations, which should be applauded, so we can all learn from such incidents,” Marty Edwards, vice president for OT security at Tenable, told Industrial Cyber. “While some countries such as Australia have stepped up in terms of policy changes, institutional inertia makes implementing these changes slow,” he added.

Marty Edwards, vice president for OT security at Tenable

However, the fact that ransomware cases on critical infrastructure continue to make headlines demonstrates that organizations are generally under-prepared when it comes to overall critical infrastructure cybersecurity, according to Edwards. “We tend to focus (and spend) a lot of money on cybersecurity for enterprise and corporate environments, but operational technology and production-oriented environments have not received their share of attention and investment over the years,” he added. 

“The Colonial Pipeline incident also highlights the importance of maintaining good cybersecurity fundamentals,” Edwards said. “Things like enabling multi-factor authentication and disabling dormant accounts are simple but effective. Some critical infrastructure sectors have not prioritized cyber and are largely blindsided by cyber as a strategic risk. These sectors historically haven’t thought about interconnectivity, access, complexity, and digitization as strategic cyber risk and haven’t been regulated in that way,” he added.

Chris Grove, chief security strategist at Nozomi Networks

“The Colonial Pipeline incident itself served as a vehicle to bring visibility to the problem from the top, at the Boards-level, and down into the homes of the workers and civilians and across all forms of media,” Chris Grove, director for cybersecurity strategy at Nozomi Networks, told Industrial Cyber. “Regular people that weren’t experts in industrial cybersecurity, or even aware of technology in general, were impacted and are now cognizant of the challenges we face in our industry,” he added.  

“That, in itself, is far more valuable to the defenders than any single regulation or standard we can devise,” according to Grove. “More citizens on the street were talking about the Colonial Pipeline incident than any other cyber-attack in history,” he added.

“I would say, yes, critical infrastructure is safer, but only marginally so,” Padraic O’Reilly, chief product officer and co-founder at CyberSaint, told Industrial Cyber. “There is certainly more attention being paid to the overall challenge, and the directives are being taken seriously by governance and operational concerns. But the directives are still subject to haggling, and TSA is not terribly well equipped to handle a process like this at scale,” he added.

Padraic O’Reilly, chief product officer and co-founder at CyberSaint

Asked about the underlying factors shaping how the critical infrastructure sector is safeguarding itself against the evolving threat and cybersecurity landscape following the Colonial Pipeline incident, Edwards said that “the rising number of ransomware attacks reveals that cyberattackers are finding holes in the current defenses and profiting from it. As seen in the past, these attacks have the ability to halt operations which have wider economic implications.”

“Also, like any other industry, critical infrastructure has undergone a rapid digital transformation in their quest for efficiency and efficacy. In OT, connectivity to IT systems and networks is a comparably new phenomenon and often involves updating legacy industrial systems with modern connectivity solutions in order to improve efficiency,” according to Edwards. “Such IT/OT convergence is rapidly transforming how critical infrastructure organizations operate — and increasing risk in the process,” he added.

Edwards said that this means the technology that drives manufacturing, refineries, and utilities is now, in many cases, accessible from the Internet. “It also means that the same bad actors that go after our computers, phones, and tablets now have a way into these mission- and security-critical environments,” he added.

“One of the toughest early challenges we’ve faced in the ICS cybersecurity space was during the early phases, we would visit facilities and were the only ones at the table discussing ICS cybersecurity,” Grove said. “Years ago, in many meetings I’ve personally been in, it was the first time the cybersecurity folks met someone from the OT side of the organization. Over time, with a combination of various influences like regulations, loss of profit, the IT/OT convergence, and some newsworthy events, the importance of securing industrial control systems became more widely known and accepted,” he added.  

“Still, trying to get everyone on the same page, speaking the same language, to accomplish a common goal was often in our hands, as cybersecurity product vendors,” Grove said. “A few years later, we were showing up at meetings where everyone in the room was working together to solve OT cybersecurity challenges. But the concept was still in its infancy and budgets were hard to come by,” he added. 

“Then came SolarWinds, the Colonial Pipeline, and JBS Foods incidents. Add in Covid, and suddenly cybersecurity vendors are being rushed through POCs and projects, budgets are waiting before the vendors arrive, and organizations are scrambling to shore up their defenses,” Grove highlighted. “There are fires on all fronts. We’re seeing rapid-fire cybersecurity projects in every sector we operate in,” he added.

That said, there is a lot of work to do, and these systems weren’t built overnight, according to Grove. “They won’t be changed overnight. It’s important to note that as we adapt our security posture, the adversaries also adapt. Hardening is important, but visibility and resiliency is where we need to be, which takes time to develop and deploy,” he added.

“The key drivers of change are the directives, the continued threat of attacks, the geopolitical situation, and the increased attention from regulators,” O’Reilly said. “There has also been increased attention on ICS more generally, as credible intelligence has indicated that cyber to physical attacks are more likely.” 

O’Reilly also pointed out that CISA has also been very focused on guiding ICS. “Key drivers in programs are the existing gaps that the directives seek to address. There are some unique challenges, as well, in Pipeline industrial control systems, which have to coordinate information over large geographic distances,” he added. 

The main issues are still the longstanding ones, according to O’Reilly. “What are the key business-critical systems? How segmented are networks? Are basic protections being missed like two-factor authentication? And is there a robust set of procedures in place for patching ICS, which is not as straightforward as patching IT networks? That has been a major bone of contention during the rollout of these new requirements,” he added.

Reviewing the role of the regulatory measures that followed the Colonial Pipeline incident, Edwards said that the need for increased cooperation and collaboration has never been greater, and the solution lies in eliminating any policy vacuums between government and industry.

“This has to be two-fold – while the government responds with sanctions, prosecution and other deterrence measures, the critical infrastructure operators must secure their systems properly,” according to Edwards. “Government can work with industry to establish technology-neutral, standards-based baseline standards of care for owners and operators of critical infrastructure,” he added.

“Now that the current focus is all about the Ukraine conflict and the possibility of a cyber or kinetic war, as an industry, we don’t need to go through the education phase with the general public like we did for years within the various industries we work,” Grove said. “Thanks to the Colonial Pipeline incident, even critical infrastructure sectors that were not directly impacted understand the gravity and importance of what we do as an industry,” he added.  

“This has put some tooth behind what was formerly voluntary guidance like that provided by the American Petroleum Institute,” O’Reilly said. “The Pipeline industry is currently undergoing the same sort of changes that NERC CIP put bulk power systems through when they came into effect in 2008.” 

In essence, the requirements establish a baseline of expected safeguards and the accountability for having them in place, according to O’Reilly. “They are still not publicly available so it is difficult to say the cadence at which the improvements are being made, but in my discussions with professionals, I can say that they are evaluating their current compliance, and in discussion with TSA,” he added. 

O’Reilly also said that certain companies are turning to consultants to expedite adoption and reporting. “The main parts of directive 2, though, are expensive—architectural review, contingency planning, and mitigation measures. Directive 1 has costs associated with it, as well. The fines are potentially substantial, but a change like this generally takes more than a year, so any security gains thus far are likely to be marginal,” he added.

Ahead of the Colonial Pipeline incident, cybersecurity regulation of oil and gas pipelines was largely voluntary: pipeline owners and operators chose whether to follow the best practice recommendations articulated by the TSA. The Colonial Pipeline attack changed that outlook and became a turning point for pipeline cybersecurity regulation.

Asked whether the enforced regulations have pushed operators of critical infrastructure to spend the resources needed for effective protection and compliance within their installations, Edwards said that a task of this magnitude requires governments worldwide to draw on the combined resources and expertise of government, industry and other stakeholders to provide timely and trusted information sharing that enhances the nation’s cybersecurity.

“Public-private partnerships can serve to develop cybersecurity guidance and best practices for critical infrastructure sectors,” according to Edwards. “However, it may be necessary for government policy to set baseline standards of care to ensure accountability,” he added.

“The net positive impact of the resulting government regulations, worldwide visibility on the problem, and dislodged budgets significantly offset the negative financial impact of the attack itself,” according to Grove. “As a whole, we’ve become stronger as a result of the Colonial Pipeline incident but still have a long way to go,” he pointed out. 

“I would say that the spend is coming as practitioners make the business case around compliance with the directives,” O’Reilly said. “While fines have been floated by Biden and the TSA, it doesn’t look like any penalties have been issued to date. The dust hasn’t really settled on this issue yet, and TSA will need to adjust on the fly and potentially tailor the directives to be more focused on the unique challenges in Industrial control system cyber,” he concluded.
