The decision to take the entire Colonial Pipeline Co. system offline following a cyberattack raises questions about whether the pipeline industry will be able to avoid disruptive whole-system shutdowns in the future.
Cybersecurity and information technology professionals warn that following industry best practices alone may not prevent cyberattacks from infecting the systems that control the nation's vast energy infrastructure. With legacy pipeline assets becoming more connected and ransomware on the rise, attacks that shut down physical infrastructure are becoming more commonplace, they said.
"Now we're seeing five to 10 a year. While that might not seem high, this is one of them, and you have an entire coast shut down for a pipeline," said Nicholas Friedman, national managing partner and governance, risk and compliance strategist at enterprise risk management firm Templar Shield Inc.
The event is one of the highest-profile cyberattacks on U.S. energy infrastructure to date. It brought to a halt a major artery that provides the East Coast with nearly half of its fuel and prompted the federal government to convene inter-agency meetings and take emergency measures. The impact on fuel prices and supplies continues to be in flux.
Uncertainty around Colonial shutdown
The exact reason for the shutdown remains unclear. In public statements, Colonial has disclosed that it became aware on May 7 that it was the target of a cyberattack involving ransomware, which holds company data hostage. The company said it "proactively took certain systems offline to contain the threat." That response stopped all pipeline operations and affected some of Colonial's information technology, or IT, systems, Colonial said.
U.S. national security officials offered additional details during a May 10 White House press briefing. Colonial shut down the system in part to ensure the ransomware would not migrate from IT systems to operational networks, which control physical assets in the field, according to U.S. Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger. She said she could not disclose whether Colonial detected malware in its operational technology, or OT.
Cybersecurity solutions firm Tripwire Inc. said the Colonial incident appears to be limited to IT functions, but warned that cybercriminals are increasingly targeting industrial companies and utilities because they often have limited visibility into OT devices on their industrial network. "Here we saw the direct impact of an IT event on OT systems, which reinforces the importance of maintaining visibility of assets across your entire network," Tripwire Vice President for Industrial Sales Alex Bagwell said in a May 11 blog post.
Visibility means maintaining an up-to-date map of how digital assets relate to physical equipment, so that when an anomaly is detected a company can immediately identify which assets are involved, according to Leo Simonovich, vice president and global head of industrial cyber and digital security at Siemens Energy AG.
That could in turn allow a more precise response to attacks, he added. Simonovich noted that the Colonial cyberattack has one thing in common with a previous attack that shut a gas pipeline system: Both companies took the blunt approach of shuttering a whole system.
"I would argue with visibility, and with defense in depth, we can take a more surgical approach to containment ... where we're quicker at detecting the anomaly, contextualizing that anomaly, understand what kind of impacts it could have on production, and then take an action that's proportional," Simonovich said. "That may be that we need to shut down one asset, or maybe that we need to shut down a portion of the system, but ultimately, that puts us in the driver's seat to respond quicker and to respond with a higher degree of precision."
Siemens Energy has recently invested in this space, partnering with AI company SparkCognition Inc. on a product called DeepArmor that provides autonomous, continuous protection in disconnected environments.
One of the key questions to be asked during a postmortem of the incident is whether Colonial lacked sufficient visibility, and therefore did not have confidence that it could prevent the malware from spreading to OT systems, according to Barbara Rembiesa, president and CEO of the International Association of IT Asset Managers.
"If they had visibility into each segment, why did they take the extreme reaction of shutting down the whole system?" she said. "What piece of best practices did they feel they were not mature enough in that they had to make that decision? Somebody there has that answer."
Best practices are not impenetrable
Industry groups have for years advocated a defense-in-depth posture, in which companies implement multiple layers of protection and redundancies to prevent cyberattacks from spreading throughout their systems. Those include dividing networks into segments, with a particular focus on dividing more exposed IT systems from highly sensitive OT systems.
Colonial did not respond to questions about whether it follows that guidance, but most companies do, according to cybersecurity and information technology management professionals. However, those practices are not ironclad.
Most companies strictly enforce network segmentation, particularly between IT and OT, according to Johan Vermij, a research analyst at 451 Research who specializes in the internet of things. However, that boundary too often gets bypassed simply because an IT tool is connected directly into the OT segment to make updates easier, Vermij noted.
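The failure mode Vermij describes, an IT system wired straight into the OT segment so that it never passes the controlled boundary, is what a zone-and-conduit check over network flow records is meant to catch. The following is an added example, not code from Colonial, 451 Research or anyone quoted on this page; the zone address ranges, the allowed conduits and the flow records are all constructed for illustration. The policy is deliberately general: any flow that crosses a zone boundary and is not an explicitly listed conduit is reported, whatever its protocol.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zones for the example (arbitrary RFC 1918 ranges, not any real network).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}

# Allowed conduits between zones as (src_zone, dst_zone, dst_port). The design intent is
# that IT and OT never talk directly: everything passes through a DMZ host (e.g. a
# historian or patch-staging server). Traffic inside a single zone is not policed here.
ALLOWED_CONDUITS = {
    ("IT", "DMZ", 443),   # IT users reach the DMZ server over HTTPS
    ("DMZ", "OT", 502),   # the DMZ historian polls Modbus/TCP devices in OT
    ("OT", "DMZ", 443),   # OT hosts push data out to the DMZ
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or UNKNOWN if it is in no inventoried range."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"


def check_flow(flow: Flow) -> Optional[str]:
    """Return a violation description for a flow that crosses zones outside the policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None
    if (src_zone, dst_zone, flow.dst_port) in ALLOWED_CONDUITS:
        return None
    return (f"{src_zone}->{dst_zone} {flow.src}->{flow.dst}:"
            f"{flow.dst_port}/{flow.proto} is not an allowed conduit")


def find_violations(flows):
    """All segmentation violations found in a list of flows, in input order."""
    return [v for v in (check_flow(f) for f in flows) if v]


# Constructed sample flows (not captured from any real network).
SAMPLE_FLOWS = [
    Flow("10.10.5.23", "10.20.0.10", 443, "tcp"),   # IT user to DMZ: allowed
    Flow("10.20.0.10", "10.30.1.7", 502, "tcp"),    # DMZ historian to PLC: allowed
    Flow("10.10.5.40", "10.30.1.7", 445, "tcp"),    # IT update server straight into OT
    Flow("10.10.5.40", "10.30.1.8", 3389, "tcp"),   # RDP from IT into OT
    Flow("10.30.1.7", "10.30.1.9", 502, "tcp"),     # intra-OT: not policed
]

if __name__ == "__main__":
    for violation in find_violations(SAMPLE_FLOWS):
        print(violation)
```

Run against exported firewall or NetFlow records, the two flagged flows are exactly the kind of direct IT-to-OT path that turns an IT ransomware incident into an OT question. A flow whose source or destination maps to UNKNOWN is also worth reporting separately, since it points at an asset missing from the zone inventory.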
The American Petroleum Institute said it was premature to craft regulations in direct response to the Colonial Pipeline hack until the details of the incident are known. Rather, the trade group said it was more constructive to adopt more flexible policies down the line that allow companies to adapt to evolving threats. API also said the incident demonstrated that the U.S. needs more pipeline infrastructure to ensure redundancy in the system.
Tackling OT security will be an uphill battle
Friedman, the Templar Shield strategist, acknowledged the possibility that Colonial's decision was based on lack of visibility, but said there could be another reason for shutting the entire system. Colonial might have had extensive, mature and robust monitoring, and with the information available, determined that the extent of the attack warranted such an extensive response, he said.
The energy industry is very mature when it comes to IT security because it prioritized securing its perimeter over the last 10 years, Friedman noted. The sector has since turned its attention to OT over the last five to six years, but securing these assets will be more challenging, he said.
OT assets have been linked to networks of sensors and monitors in recent years, but OT systems were not designed to be internet connected or actively scanned when they were deployed, sometimes decades ago, he said.
To secure OT devices, companies can deploy solutions that detect control changes on pipeline segments, substations or other assets, Friedman said. That lets them spot unauthorized control changes at specific locations, but it also requires keeping a detailed inventory of every OT device, its location and who has access to it.
Many companies do not have a comprehensive list of their OT assets, Friedman said, and because many of these assets run continuously they are harder to maintain than IT assets, he added. To get a handle on the problem and set priorities, Friedman said pipeline operators should run a business impact analysis on all of their OT systems, old and new.
"What that all boils down to is controls assurance and controls monitoring, and being able to track all that in a central repository and not have any gaps between that communication," he said. "Because a gap could potentially equal a vulnerability."
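The two pieces Friedman describes, a per-device inventory with location and access rights and monitoring that flags unauthorized control changes against that inventory, fit together as shown in this added example. It is not code from Templar Shield or any operator quoted here; the asset names, sites, authorized users and control settings are constructed for illustration. Each observed control configuration is hashed and compared with the last approved one, so a change is attributed to the principal who made it and judged against the inventory, while devices that are seen but not inventoried (or inventoried but never seen) surface as the visibility gaps the article is concerned with.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Constructed OT inventory: where each device sits and who may change its control settings.
# Hypothetical names and sites, not any real operator's assets.
INVENTORY = {
    "PLC-COMP-01": {"site": "Compressor station A", "authorized": {"ot-eng-1", "ot-eng-2"}},
    "RTU-VALVE-07": {"site": "Mainline valve 7", "authorized": {"ot-eng-1"}},
    "RTU-METER-03": {"site": "Custody transfer meter 3", "authorized": {"ot-eng-2"}},
}


def config_hash(config: dict) -> str:
    """Stable digest of a control configuration; keys are sorted so ordering is irrelevant."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()


# Digest of the last approved control configuration per device (the "central repository").
APPROVED = {
    "PLC-COMP-01": config_hash({"discharge_psi_max": 1200, "trip_on_overpressure": True}),
    "RTU-VALVE-07": config_hash({"mode": "remote", "fail_position": "closed"}),
    "RTU-METER-03": config_hash({"pulse_factor": 0.25, "alarm_enabled": True}),
}


@dataclass
class Observation:
    asset: str
    config: dict
    changed_by: Optional[str] = None  # principal recorded for the last change, if any


def assess(observations):
    """Compare observed device state with the inventory and approved baselines.

    Returns (kind, asset, detail) tuples: UNKNOWN_ASSET for devices not in the inventory,
    UNAUTHORIZED_CHANGE when the baseline differs and the change was not made by an
    authorized principal, UNAPPROVED_CHANGE when an authorized principal changed it but
    the baseline has not been updated, and NOT_OBSERVED for inventoried devices with no
    telemetry in this batch.
    """
    findings = []
    seen = set()
    for obs in observations:
        seen.add(obs.asset)
        entry = INVENTORY.get(obs.asset)
        if entry is None:
            findings.append(("UNKNOWN_ASSET", obs.asset, "device is not in the inventory"))
            continue
        if config_hash(obs.config) == APPROVED[obs.asset]:
            continue
        if obs.changed_by in entry["authorized"]:
            findings.append(("UNAPPROVED_CHANGE", obs.asset,
                             f"{obs.changed_by} changed control settings at {entry['site']}; "
                             "baseline not yet updated"))
        else:
            findings.append(("UNAUTHORIZED_CHANGE", obs.asset,
                             f"changed by {obs.changed_by!r} at {entry['site']}"))
    for asset in sorted(INVENTORY.keys() - seen):
        findings.append(("NOT_OBSERVED", asset, "inventoried device produced no telemetry"))
    return findings


# Constructed observations for one monitoring cycle.
SAMPLE_OBSERVATIONS = [
    Observation("PLC-COMP-01", {"discharge_psi_max": 1200, "trip_on_overpressure": True}),
    Observation("RTU-VALVE-07", {"mode": "remote", "fail_position": "open"}, changed_by="svc-patch"),
    Observation("PLC-UNLISTED", {"mode": "local"}),
]

if __name__ == "__main__":
    for kind, asset, detail in assess(SAMPLE_OBSERVATIONS):
        print(f"{kind:20} {asset:14} {detail}")
```

In the sample cycle the valve RTU's fail position was flipped by a service account that is not in its authorized set, an unlisted PLC is talking on the network, and the metering RTU went silent. Each of those is the kind of gap Friedman says "could potentially equal a vulnerability", and having location and ownership in the same record is what allows a response to be scoped to one asset rather than the whole system.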