A May 7 ransomware attack on Colonial Pipeline largely shut down the largest refined products pipeline system in the U.S., demonstrating the atypical cybersecurity risks and vulnerabilities faced by organizations with geographically distributed networks.
Just as oil and gas can flow up and down the pipeline, so can malware, reaching remote facilities whose IT and operational technology systems may not be adequately fortified to defend against an attack. Consequently, one point of compromise can have a cascading effect that impacts fuel distribution across the nation, which in turn can harm businesses that rely on these resources, spike gas prices and damage the economy.
Indeed, the situation still unfolding with Colonial demonstrates the distinct vulnerabilities that face any organization with network sprawl, as multiple, often unique points of potential failure must be properly hardened. For critical infrastructure sectors, those risks are compounded by challenges tied to OT integration and outdated security protocols.
John Cusimano, vice president at aeCyberSolutions, said that cybersecurity in the pipeline industry is “far behind that of other energy sectors,” noting that a common problem is the lack of segmentation of the pipeline supervisory control and data acquisition (SCADA) networks, which "connect the pipeline control center to every terminal, pumping station, remote isolation valve and tank farm along the pipeline."
"These are very large networks covering extensive distances but they are typically ‘flat’ from a network segmentation standpoint," Cusimano added. "This means that once someone gains access to the SCADA network they have access to every device on the network.”
The Colonial Pipeline, which runs between the U.S. Gulf Coast and New York, is roughly 5,500 miles long and reportedly transports about 45 percent of gas, diesel, jet fuel and home heating oil consumed on the East Coast. The path it carves is dotted with various facilities that are connected to the overall network.
“Some of those facilities are in very remote places with little to no physical security – meaning that if an attacker breached the security of one of those facilities, they could gain access to the network” as a whole, Cusimano continued.
While IT and OT have traditionally remained isolated from each other, that’s not always the case as these systems increasingly converge.
For instance, Cusimano said that certain data or software programs can pass between the firewalls often separating IT networks from pipeline SCADA networks. This includes production figures, operational metrics, back-up and recovery software, antivirus software and network monitoring software from companies such as SolarWinds. “This was one of my greatest concerns when I learned of the SolarWinds attack,” he said.
Grant Geyer, chief product officer at Claroty, identified another risk factor associated with highly distributed environments: “the tools that are used to enable asset operators’ remote connectivity are optimized for easy access and not for security,” he said. “This provides attackers opportunities to sneak through cyber defenses as we saw in the water utility attack in Oldsmar, Florida earlier this year.”
Other critical infrastructure operators that face similar distributed network challenges include electric grid operators and water and wastewater treatment utilities, experts said.
With electric power, for instance, “you have assets that are unmanned in the field… that are pretty much operating 24-7,” said Tobias Whitney, vice president, energy security solutions, at Fortress Information Security. “There's not a tremendous amount of time to plan outages to perform updates, there are a ton of suppliers and technology vendors that provide technologies to the footprint. So there are some unique challenges. When you have a more traditional IT-oriented breach, there are always concerns about [if] this particular breach or threat will traverse into the OT side of the equation.”
Indeed, the fact that Alpharetta, Georgia-based Colonial Pipeline has shut down its four main pipelines, despite stating in a press release that its IT networks were infected, is a worrying sign to some experts. It’s possible this move is for precautionary reasons to ensure the malware didn’t migrate into the OT environment; it’s also possible that the situation is worse than the public realizes at this time.
“We do a lot of work with pipeline companies on incident response planning and talking through different scenarios – and the decision to shut down an entire pipeline obviously is one that doesn't get made lightly. So there had to be significant concern. It would have had to be an executive decision to shut down the entire pipeline,” said Cusimano.
It’s telling, he noted, that Colonial Pipeline isn’t even trying to operate the pipeline manually. “It almost suggests that their entire IT infrastructure may have been compromised [and] it may have bled into SCADA,” or at the very least, “their operations are so tightly coupled that they didn't feel that they could safely operate.”
“It would strike me to be a bit odd that you do that level of a precautionary activity because of a cyberattack [supposedly] isolated to your IT environment,” said Whitney, noting the palpable “downstream implications” of cutting off the distribution of oil and gas. This “tells me that there could have been some convergence there. There could have been some points where the IT risk exposure could have cascaded into the OT side.”
There is no indication as of yet as to whether Colonial Pipeline management plans to pay the ransomware actors – identified as the DarkSide Russian cybercriminal gang – in order to hasten the recovery of its disrupted systems. If that is not a viable option, then Colonial Pipeline and its downstream customers could be feeling the effects for quite some time, as recovery will be tedious.
“You have to have the backups – and that's where it really gets challenging,” said Cusimano. While the main control centers of central operations likely have robust backup programs in place for their servers, “it gets much more challenging when you go out to the field. All the pump stations and terminals and tank farms – they all have computers out there as well, and they may not have been backed up with the same level of rigor than typically what we see. The further you get away from the corporate main operating centers and data centers, backup and recovery gets a lot weaker.”
If malicious code did end up proliferating across the OT network, then recovery could be even more laborious. “We'd be talking about months,” said Whitney, “especially if the code was operated in such a way to cause physical damage to the infrastructure.”
It may be early for takeaways, but Whitney said this incident demonstrates that critical infrastructure operators – and frankly all organizations – “need to be more practiced, more operationally prepared for ransomware-type events,” including “how they're going to mitigate and manage these efforts while they're happening.”
"Colonial Pipeline continues to dedicate vast resources to restoring pipeline operations quickly and safely," Colonial Pipeline said in a statement that was updated on Monday. "Segments of our pipeline are being brought back online in a stepwise fashion, in compliance with relevant federal regulations and in close consultation with the Department of Energy, which is leading and coordinating the federal government’s response."
"Restoring our network to normal operations is a process that requires the diligent remediation of our systems, and this takes time. In response to the cybersecurity attack on our system, we proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems. To restore service, we must work to ensure that each of these systems can be brought back online safely."