Understanding the Ransomware attack on the Oil Pipeline

Dewan Chowdhury
3 min readMay 8, 2021

Follow me on Twitter https://twitter.com/dewan202

Understanding the Cyberattack on the Pipeline

I have spent 20+ years securing and responding to cyberattacks on OT — ICS/SCADA environments. I have worked with dozens of large pipeline operators globally and dozens of DNG (downstream natural gas) operators who distribute natural gas to homes and feed the gas turbines that produce electricity. After 9/11, Congress identified America’s oil & gas pipeline infrastructure as one of the most critical assets in America, due to the massive negative impact an attack on the pipeline would have on the country’s national & energy security.

I have responded to nation-state cyberattacks on pipeline infrastructure in the past, and I can tell you that the attackers had the resources to include human assets on the ground to help facilitate a cyberattack. Therefore, when responding to a pipeline cyberattack, we would know by the level of sophistication that these attacks were conducted by groups with the resources to plan a sophisticated cyberattack. For example, the use of rogue networking devices and man-in-the-middle attacks that tricked the SCADA master with fake data sets pointed toward attackers who knew the pipeline system well enough to cause damage or disruption.

Now to break the hard news to everybody!

The past five years of my involvement in responding to cyberattacks on critical infrastructure were not the Hollywood spy-themed script people would love to hear. But the worst attacks I’ve seen on OT — ICS/SCADA environments resulted from the same ransomware that targets your grandmother. In the pipeline world, as complicated as control systems are, they are typically controlled by Engineering Workstations running HMI tools like ezXOS (Telvent, now a Schneider Electric company) on a Windows operating system.

The majority of the SCADA networks for pipeline operators I’ve assessed are air-gap networks (no connection to the internet or the corporate enterprise network). Imagine the technician of a pipeline operator who needs to update a server or firmware, or pull/push data on an “air gap” network. The majority of the time, the technician will use a USB drive to carry the files he or she needs, then plug that USB drive into an engineering workstation that can open/close/monitor pipeline valves.

What happens when the USB drive they use has ransomware on it, and they plug it into a Windows computer with no anti-virus and an operating system that has not been locked down to reduce cyber risk? The machine gets infected, and it will propagate to and infect other Windows machines on the same air-gap network. Now you have a pipeline operator who is operating blindly and has to run their operations in manual mode.

To make matters worse, technological resiliency is not always a priority for them, so they lack the adequate backups needed to restore operations quickly. Large companies spend money on protecting their IT assets from cyberattacks but hardly spend on protecting the “crown jewels” that help operate their pipeline infrastructure. I’m surprised that it took this long for a major incident to happen to a pipeline operator.

Do not be surprised if the Federal government starts putting pressure on pipeline operators to improve their cybersecurity posture. Two groups that have the power to do this would be the Office of Pipeline Safety (US Department of Transportation) and DHS’s TSA (yes, the same people that pat you down at the airport have a role in securing the Nation’s pipeline systems).

5 ways a pipeline operator can reduce ransomware risk to protect their pipelines.
1) Disable the “AutoRun” function on the Windows operating system, so the malware won’t automatically run when an infected USB drive is plugged in.
2) Back up, back up, back up — Ensure the data is backed up and can be restored quickly. Virtualizing the environment can help with the recovery time. Test the backups and run disaster recovery scenarios.
3) Network segmentation — Segmenting the network can drastically reduce the risk during a cyberattack by preventing malware from spreading across the network and by containing an intruder.
4) Have anti-virus even if the updates are weeks old — If somebody offered you a bulletproof vest from the 1980s and you were about to walk into a gunfight, you would take it!
5) Lock down the Windows operating system using cybersecurity guidelines like the CIS Benchmarks or DISA STIGs.
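As an added example (not part of the original post), the following PowerShell script audits and enforces the AutoRun policy from item 1 on a Windows engineering workstation; it uses the standard Explorer policy registry values and assumes it is run from an elevated prompt.

```powershell
# Added example, not from the original post: audit and enforce the Windows
# AutoRun/AutoPlay policy so a plugged-in USB drive cannot launch code on its own.
# Run from an elevated PowerShell prompt on the workstation being hardened.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Desired (hardened) state:
#   NoDriveTypeAutoRun = 0xFF -> AutoPlay off for every drive type (removable, fixed, network, CD-ROM ...)
#   NoAutorun          = 1    -> never execute commands found in an autorun.inf
$Desired = @{
    NoDriveTypeAutoRun = 0xFF
    NoAutorun          = 1
}

function Get-AutoRunState {
    # Reports the current value of each policy next to the desired one.
    foreach ($name in $Desired.Keys) {
        $current = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting   = $name
            Current   = if ($null -eq $current) { 'not set (AutoRun enabled)' } else { '0x{0:X}' -f $current }
            Desired   = '0x{0:X}' -f $Desired[$name]
            Compliant = ($current -eq $Desired[$name])
        }
    }
}

function Set-AutoRunDisabled {
    # Creates the policy key if it is missing and writes the hardened values.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
                         -Value $Desired[$name] -Force | Out-Null
    }
}

Write-Host 'Before:'; Get-AutoRunState | Format-Table -AutoSize
Set-AutoRunDisabled
Write-Host 'After:';  Get-AutoRunState | Format-Table -AutoSize
# Explorer reads these policy values when a session starts, so sign out and
# back in (or reboot) for the change to apply to the interactive desktop.
```

The "Before" table is useful on its own as an audit check across a fleet of workstations; `Get-AutoRunState` returns `Compliant = False` wherever the policy was never set.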

Dewan Chowdhury
Dewan specializes in cybersecurity for OT ICS/SCADA environment including Oil & Gas, Manufacturing, Pipelines, Power Grid and more.