<div dir="ltr">
<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span>Thanks Jon.</span></span></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span><br></span></span></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span>This
wake-up call moment from a month ago has some interesting lessons for safety
and security that span People, Processes and Technology risks.<span></span></span></span></font></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span><span> </span></span></span></font></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span>I was
waiting for the "dust to settle" and more substantive and trustworthy
information before commenting.<span></span></span></span></font></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span><span> </span></span></span></font></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span>In the
aftermath, several US agencies have published or updated guidance and
directives:<span></span></span></span></font></p>

<ul><li><font size="2"><span style="font-family:arial,sans-serif"><span><span><span style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;line-height:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal"></span></span></span><span dir="LTR"></span><span>US Department of Homeland Security (DHS) Cybersecurity
& Infrastructure Security Agency (CISA) with the<span>  </span>FBI have published a joint advisory on DarkSide
Ransomware: Best Practices for Preventing Business Disruption from Ransomware
Attacks (20-131A) <span class="gmail-MsoHyperlink" style="color:blue;text-decoration:underline"><a href="https://us-cert.cisa.gov/ncas/current-activity/2021/05/11/joint-cisa-fbi-cybersecurity-advisory-darkside-ransomware" style="color:blue;text-decoration:underline">https://us-cert.cisa.gov/ncas/current-activity/2021/05/11/joint-cisa-fbi-cybersecurity-advisory-darkside-ransomware</a></span>
and CISA Alert<span>  </span></span><span style="font-family:arial,sans-serif"><span class="gmail-resulturldomain"><u><span style="color:blue"><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-131a" style="color:blue;text-decoration:underline">https://us-cert.cisa.gov<span class="gmail-resulturlfull">/ncas/alerts/aa21-131a</span></a></span></u></span> on May
11, 2021 to supplement previous advice (some errors in documented year) </span><span><span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span class="gmail-MsoHyperlink" style="color:blue;text-decoration:underline"><span style="color:windowtext;text-decoration:none"><span><span style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;line-height:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal"></span></span></span></span><span dir="LTR"></span><span>US DHS Transportation Security
Agency (TSA) has updated Pipeline Security Guidelines (2021) <span class="gmail-MsoHyperlink" style="color:blue;text-decoration:underline"><a href="https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf" style="color:blue;text-decoration:underline">https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf</a></span><span class="gmail-MsoHyperlink" style="color:blue;text-decoration:underline"><span style="color:windowtext;text-decoration:none"><span></span></span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>US TSA has issued </span><span style="color:rgb(30,30,30)">Security Directive
Pipeline-2021-01 (May 28</span><span style="color:rgb(66,66,66)">, </span><span style="color:rgb(47,47,47)">2022) <a href="https://assets.documentcloud.org/documents/20791875/security-directive-on-enhancing-pipeline-cybersecurity.pdf" style="color:blue;text-decoration:underline">https://assets.documentcloud.org/documents/20791875/security-directive-on-enhancing-pipeline-cybersecurity.pdf</a></span><span><span></span></span></span></font></li></ul>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span><span> </span></span></span></font></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span>This is
not the first attack on pipeline companies or on critical infrastructure. I guess
what makes it stand out is the impact of losing access to fuel for airlines and
road transport in a large area of the US and the exponential growth of
ransomware and its targeting of critical infrastructure. The outcome could be
much worse than losing fuel supply.<span></span></span></span></font></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span><span> </span></span></span></font></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span>I feel
for the political and business pressure placed on the operation and support
engineers working to limit the damage of the ransomware attack and get fuel
flowing safely again.<span></span></span></span></font></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span><span> </span></span></span></font></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span>The key
points with Colonial Pipeline as I see them are:<span></span></span></span></font></p>

<ul><li><font size="2"><span style="font-family:arial,sans-serif"><span>The company has a history of environmental damage
and fines from spills (precursor #1 – August 14, 2020)<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>It has been criticised for poor cybersecurity
practices (precursor #2)<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>Poor security practices have meant uncertainty about
OT network segmentation reliability (precursor #3)<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>It pumps hundreds of millions of USD in fuel value per
day – loss of this income is a critical issue for the company (precursor #4)<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>The company uses live flow measurements for billing of
customers (precursor #5)<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>The company supplies about 45% of US East Coast fuel,
making it a major risk to US transport operations (precursor #6)<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>Lack of confidence in Operational Technology (OT)
safety segmentation/independence. Ransomware could have made safety
functions ineffective or even tripped dangerous actions such as spills,
overpressure etc. (precursor #7)<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>Ransomware criminals move their targets from
individuals to businesses, especially where quick payment of the ransom is lower
than the daily cost to the business (precursor #8)<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>The oil and gas industry has strongly lobbied against cybersecurity
regulation (precursor #9)<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>The DarkSide ransomware attack locked out the business
operation of Colonial Pipeline (loss of control #1 – prior to 7 May)<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>Colonial Pipeline as a precaution shuts down its
Operational Technology system for pumping (response #1 – 7 May)<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>The US East Coast loses 45% of its fuel supply, causing panic
buying and logistical issues for road and air transport (outcome #2 – 7 May)<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>The Federal Motor Carrier Safety Administration (FMCSA)
declared a state of emergency in 18 states to help with the shortages (outcome
#3 – 9 May)<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>Colonial Pipeline paid a ransom (USD 4.4M) to assist
in recovering from the attack (outcome #4 – prior to 13 May)<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>Colonial Pipeline eventually re-established
pipeline operation (outcome #5 – 13 May)<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>FBI and CISA issue alerts on the pipeline ransomware
threat (outcome #6 – 11 and 19 May)<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>TSA update to Pipeline Security Guidelines (outcome
#7 – April 2021, replaces criticality guides – naturally)<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>TSA issues Security Directive Pipeline directing a
whole range of mandatory reports and assessments with significant penalties for
non-compliance (outcome #8 – May 28)<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>The United States Department of Justice (DOJ) gives
critical infrastructure ransomware attacks equivalent priority to terrorism (outcome
#8 – 3 June)<span></span></span></span></font></li></ul>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span><span> </span></span></span></font></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span>Pipeline and
critical infrastructure regulators have consistently advised effective and
proven separation between Information Technology (Purdue Layers 2 to 4) and
Operational Technology/Safety-related Systems (Purdue Layers 0 and 1), and this
would have helped minimise disruption (precursors #2, #3, #7 and #9). The company's
reaction was influenced by previous fines for environmental spills (precursor #1) and
business imperatives (precursors #4, #5 and #6), causing a “knee-jerk” reaction
to safety shutdown (outcomes #1 and #3).<span></span></span></span></font></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span><span> </span></span></span></font></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span><br></span></span></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span>Regulators
have had no choice but to increase oversight and reporting (outcomes #5 to #8). It
is yet to be seen whether this improves the resilience of critical
infrastructure.<span></span></span></span></font></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span><span> </span></span></span></font></p>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span>Lessons
for safety include:<span></span></span></span></font></p>

<ul><li><font size="2"><span style="font-family:arial,sans-serif"><span>Safety and security must be coordinated. It was a
matter of luck that safety elements of the pipeline weren’t compromised.<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>Segregation between OT and IT is not assured. Air
gapping is not certain (see the RSA 2FA lesson).<span></span></span></span></font></li><li><font size="2"><span style="font-family:arial,sans-serif"><span>Software-defined perimeters, such as in IIoT and
Factory 4.0, increase the cyber-attack surface for OT and safety-related systems.<span></span></span></span></font></li></ul>

<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span><span> </span></span><span style="line-height:107%">Probably worth writing a paper on this...</span></span></font></p><div><font size="2"><span style="font-family:arial,sans-serif"><span style="line-height:107%"><br></span></span></font></div><div><font size="2"><span style="font-family:arial,sans-serif"><span style="line-height:107%">Bruce Hunter<br></span></span></font></div>
</div>