The world runs on an invisible yet critical wheel: essential infrastructure. From power plants to national energy grids to oil supply lines, these complex systems keep us safe and enable a better way of life. They rarely make headlines and are often taken for granted until they malfunction or fall prey to a cyberattack. So when, last week, Colonial Pipeline, a US-based oil pipeline corporation that carries nearly 50% of all fuel consumed on the American East Coast, was hit with ransomware, the world was greatly shocked.
This cyberattack has been labeled one of the most significant and successful attacks against critical US infrastructure. Within days of the incident, federal security agencies identified the group responsible, the DarkSide operation, which had targeted the fuel giant with a customized ransomware build. While the TTPs (Tactics, Techniques, and Procedures) used by DarkSide are not unique, what is unique is their targeted approach: custom ransomware executables and a corporate-like style of communication that represent the rising Ransomware-as-a-Corporation (RaaC) trend.
The incident echoes other cyberattacks from over the years: the 2015 power outage in Ukraine caused by the BlackEnergy malware, the 2017 WannaCry attack against healthcare infrastructure, and perhaps even the 2020 targeted attacks against supply chains such as SolarWinds and Microsoft Exchange, which involved data exfiltration and penetration of government agencies worldwide. It is yet another wake-up call for the IT, OT, and cybersecurity leaders responsible for the critical infrastructure serving the nation, as these systems are more vulnerable to cyber threats.
While an Executive Order was issued in the aftermath of the breach and DarkSide had to shut down after losing control of its infrastructure, there is still a long road ahead for organizations to be prepared for, and withstand, similar attacks from other RaaC operations in the near future.
Below are some critical first steps organizations must take to establish a robust IT/OT cybersecurity capability for dealing with such attacks and their aftermath. None of them are new, but most require a certain level of urgency and expertise to accelerate their execution:
- Business Actions
  - Brief your board and secure funding and a mandate for your cybersecurity plans. Seek sponsorship to eliminate the organizational silos that hinder building this capability.
  - Map and define IT and OT interdependencies, then conduct a thorough risk assessment and business impact analysis to better define BCP (Business Continuity Planning) processes and mitigate the risk of cyber threats. Ensure that manual workarounds are in place to support operations during such critical business disruptions.
- Technical Actions
  - Secure the identity: Review your access processes and policies for Crown Jewel IT/OT applications and critical OT networks, and integrate cyber threat intelligence and cybersecurity solutions. Deploy strong MFA (Multi-factor Authentication) and PAM (Privileged Access Management) for critical servers, networks, and applications. This makes remote entry into the network, and the havoc that follows it, harder to achieve.
  - Secure the endpoints and email systems with advanced AI/ML-based protection: Cover unpatchable PCs and HMIs with blacklisting/whitelisting and other compensating controls so that zero-day exploits cannot reach the network through a weak application or supply-chain software.
  - Reduce the impact and the attack surface: Implement strong network segmentation across IT and OT by creating logical OT zones to prevent lateral movement between IT and OT networks. This also makes it possible to isolate a network zone in case of an attack.
  - Be ready with a backup: Implement a strong data, image, and source code backup policy, tested through DR/BCP exercises. The ability to recover is as important as the ability to protect and respond.
  - Be vigilant: Last but not least, strengthen threat monitoring, threat intelligence, and incident response processes by creating a playbook for detection and response, not only for the SOC but also for the OT teams.
- Human-Centric Actions
  - Review the current training programs and add cybersecurity to the operational safety manual for the on-ground OT teams, so that they can spot phishing campaigns and flag weak access methods.
Industrial digitization and the pervasive connectedness driven by Industry 4.0 and 5.0 are not something we can roll back, as they form the basis for embracing innovation and evolution. Organizations therefore need to accelerate the buildout of their cybersecurity capabilities and adopt a "dynamic cybersecurity posture" to prepare for and respond to the cyber threats and attacks that impact businesses every day. The Cybersecurity Executive Order and CISA's advisory recommendations are a "call for action", as similar attacks and campaigns could unfold in 2021 and beyond.