[SystemSafety] Colonial pipeline attack
Bruce Hunter
brucer.hunter at gmail.com
Mon Jun 7 08:25:57 CEST 2021
Thanks Jon.
This wake-up call moment from a month ago has some interesting lessons for
safety and security that span People Processes and Technology risks.
I was waiting for the "dust to settle" and more substantive and trustworthy
information before commenting.
In the aftermath, several US agencies have published or updated guidance
and directives:
- US Department of Homeland Security (DHS) Cybersecurity &
Infrastructure Security Agency (CISA) with the FBI have published a
joint advisory on DarkSide Ransomware: Best Practices for Preventing
Business Disruption from Ransomware Attacks (20-131A)
https://us-cert.cisa.gov/ncas/current-activity/2021/05/11/joint-cisa-fbi-cybersecurity-advisory-darkside-ransomware
and CISA Alert AA21-131A https://us-cert.cisa.gov/ncas/alerts/aa21-131a
on May 11, 2021 to supplement previous advice (some errors in documented
year)
- US DHS Transportation Security Agency (TSA) has updated Pipeline
Security Guidelines (2021)
https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf
- US TSA has issued Security Directive Pipeline-2021-01 (May 28, 2022)
https://assets.documentcloud.org/documents/20791875/security-directive-on-enhancing-pipeline-cybersecurity.pdf
This is not the first attack on pipeline companies nor critical
infrastructure. I guess what makes it stand out is the impact of losing
access to fuel for airlines and road transport in a large area of the US
and the exponential growth of ransomware and its targeting of critical
infrastructure. The outcome could be much worse than losing fuel supply.
I feel for the political and business pressure placed on the operation and
support engineers working to limit the damage of the ransomware attack and
get fuel flowing safely again.
The key points with Colonial Pipelines as I see it are:
- The company has a history of environmental damage and fines from
spills (precursor #1 – August 14, 2020)
- It has been criticised for poor cybersecurity practices (precursor #2)
- Poor security practices have meant uncertainty of OT network
segmentation reliability (precursor #3)
- It pumps hundreds of million USD value in fuel per day – loss of this
income is a critical issue of the company (precursor #4)
- Company uses live flow measurements for billing of customers
(precursor #5)
- Company supplies about 45% of east US coast fuel making it a major
risk to US transport operations (precursor #6)
- Lack of confidence in Operational Technology (OT) safety
segmentation/independence. Ransomware could have made safety functions
ineffective or even trip dangerous actions such as spills, overpressure
etc. (precursor #7)
- Ransomware criminals move their target from individuals to business
and especially where quick payment of ransom is lower than daily cost to
business (precursor #8)
- Oil and gas industry has strongly lobbied against cybersecurity
regulation (precursor #9)
- DarkSide ransomware attack locked out the business operation of
Colonial Pipeline (loss of control #1 – prior to 7 May)
- Colonial Pipeline as a precaution shuts down Operational Technology
system for pumping. (response #1 – 7 May)
- US East Coast loses 45% of its fuel supply causing panic buying and
logistical issues for road and air transport (outcome #2 – 7 May)
- Federal Motor Carrier Safety Administration (FMCSA) declared a state
of emergency in 18 states to help with the shortages (outcome #3 – 9 May)
- Colonial Pipeline paid ransom (USD 4.4M) to assist in recovering from
attack (outcome #4 – prior to 13 May)
- Colonial Pipeline eventually re-established pipeline operation
(outcome #5 – 13 May)
- FBI and CISA issue alert on pipeline ransomware threat (outcome #6 –
11 and 19 May)
- TSA update to Pipeline Security Guidelines (outcome #7 – April 2021,
replaces criticality guides, naturally)
- TSA issues Security Directive Pipeline directing a whole range of
mandatory report and assessments with significant penalties for
non-compliance (outcome #8 – May 28)
- United States Department of Justice (DOJ) gives critical
infrastructure ransomware attacks equivalent priority to terrorism.
(outcome #8 – 3 June)
Pipeline and critical infrastructure regulators have consistently advised
effective and proven separation between Information Technology (Purdue
Layers 2 to 4) and Operational Technology/Safety-related Systems (Purdue
Layers 0 and 1), and this would have helped minimise disruption (precursors
#2, #3, #7 and #9). The company's reaction was influenced by previous fines
for environmental spills (precursor #1) and business imperatives (precursors
#4, #5 and #6), causing a "knee-jerk" reaction to safety shutdown (outcomes
#1 and #3).
Regulators have had no choice but to increase oversight and reporting
(outcomes #5 to #8). It is yet to be seen whether this improves the
resilience of critical infrastructure.
Lessons for safety include:
- Safety and security must be coordinated. It was a matter of luck that
safety elements of the pipeline weren’t compromised.
- Segregation between OT and IT is not assured. Air gapping is not
certain (see RSA 2FA lesson).
- Software defined perimeters, such as in IIoT and Factory 4.0, increase
cyber-attack surface for OT and safety-related systems.
Probably worth writing a paper on this...
Bruce Hunter
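As an added example, not part of Bruce's post nor of any of the cited CISA/TSA guidance, the following Python script shows the kind of zone-and-conduit check a practitioner would run against a firewall policy to test the "segregation between OT and IT is not assured" lesson above. It assumes the conventional Purdue assignment (levels 0 to 2 process and supervisory control, 3 site operations, 3.5 the IT/OT DMZ, 4 and up enterprise), treats the safety-instrumented system (SIS) as its own zone, and parses a constructed, invented rule list (`allow src -> dst proto/port`) rather than any real vendor format. The zone names, levels and rules are illustrative assumptions.

```python
"""Zone-and-conduit check for an IT/OT firewall policy (added example).

Assumptions (not from the original post): conventional Purdue levels,
a hypothetical zone table, and a simple home-made rule syntax of the
form "allow <src-zone> -> <dst-zone> <tcp|udp>/<port>".
"""
import re
from dataclasses import dataclass

# Hypothetical zone table: zone name -> Purdue level. 3.5 is the IT/OT DMZ.
# "sis" is the safety-instrumented system, kept as a separate zone so that
# conduits into it can be flagged individually.
ZONES = {
    "enterprise": 4.0,
    "dmz": 3.5,
    "site-ops": 3.0,
    "scada": 2.0,
    "plc": 1.0,
    "sis": 1.0,
}

RULE_RE = re.compile(r"^allow\s+(\w[\w-]*)\s*->\s*(\w[\w-]*)\s+(tcp|udp)/(\d+)\s*$")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def parse_rules(text: str) -> list[Flow]:
    """Parse the invented rule syntax; '#' starts a comment, blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        src, dst, proto, port = m.groups()
        for zone in (src, dst):
            if zone not in ZONES:
                raise ValueError(f"unknown zone {zone!r} in rule {line!r}")
        flows.append(Flow(src, dst, proto, int(port)))
    return flows


def check(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return (flow, reason) pairs for conduits that break zone separation."""
    findings = []
    for f in flows:
        s, d = ZONES[f.src], ZONES[f.dst]
        # Enterprise traffic must terminate in the DMZ, never reach OT directly.
        if s >= 4 and d < 3.5:
            findings.append((f, "enterprise flow bypasses the IT/OT DMZ"))
        # OT zones must not initiate sessions into the enterprise network either
        # (historian data is replicated out through the DMZ instead).
        if s < 3.5 and d >= 4:
            findings.append((f, "OT zone initiates directly to enterprise"))
        # Nothing outside the safety zone may open a conduit into it.
        if f.dst == "sis" and f.src != "sis":
            findings.append((f, "inbound conduit into the safety zone"))
    return findings


# Constructed sample policy: three acceptable conduits followed by three that
# a segmentation review should reject.
SAMPLE_RULES = """
allow enterprise -> dmz tcp/443        # users reach the historian replica in the DMZ
allow dmz -> site-ops tcp/1433         # DMZ historian pulls from the site historian
allow site-ops -> scada tcp/502        # HMI polling of supervisory controllers
allow enterprise -> scada tcp/3389     # RDP straight from IT into SCADA
allow scada -> enterprise tcp/445      # SMB from the control network out to IT
allow site-ops -> sis tcp/502          # engineering traffic into the safety system
"""


def main() -> None:
    for flow, reason in check(parse_rules(SAMPLE_RULES)):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.port}: {reason}")


if __name__ == "__main__":
    main()
```

Run stand-alone, the script prints the three rejected conduits; the first three rules pass because every IT/OT crossing terminates in the DMZ and nothing touches the SIS zone. The point of the exercise is that such a check is only as good as the zone table: if a host is mis-assigned (a jump box counted as "dmz" when it actually sits on the control LAN), the policy passes and the "air gap" the operator believes in does not exist.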