[SystemSafety] Colonial pipeline attack

Bruce Hunter brucer.hunter at gmail.com
Mon Jun 7 08:25:57 CEST 2021


Thanks Jon.


This wake-up call moment from a month ago has some interesting lessons for
safety and security that span People Processes and Technology risks.



I was waiting for the "dust to settle" and more substantive and trustworthy
information before commenting.



In the aftermath, several US agencies have published or updated guidance
and directives:

   - US Department of Homeland Security (DHS) Cybersecurity &
   Infrastructure Security Agency (CISA) with the FBI have published a
   joint advisory on DarkSide Ransomware: Best Practices for Preventing
   Business Disruption from Ransomware Attacks (20-131A)
   https://us-cert.cisa.gov/ncas/current-activity/2021/05/11/joint-cisa-fbi-cybersecurity-advisory-darkside-ransomware
   and CISA Alert https://us-cert.cisa.gov/ncas/alerts/aa21-131a on May 11,
   2021 to supplement previous advice (some errors in documented year)
   - US DHS Transportation Security Agency (TSA) has updated Pipeline
   Security Guidelines (2021)
   https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf
   - US TSA has issued Security Directive Pipeline-2021-01 (May 28, 2022)
   https://assets.documentcloud.org/documents/20791875/security-directive-on-enhancing-pipeline-cybersecurity.pdf



This is not the first attack on pipeline companies nor critical
infrastructure. I guess what makes it stand out is the impact of losing
access to fuel for airlines and road transport in a large area of the US
and the exponential growth of ransomware and its targeting of critical
infrastructure. The outcome could be much worse than losing fuel supply.



I feel for the political and business pressure placed on the operation and
support engineers working to limit the damage of the ransomware attack and
get fuel flowing safely again.



The key points with Colonial Pipelines as I see it are:

   - The company has a history of environmental damage and fines from
   spills (precursor #1 – August 14, 2020)
   - It has been criticised for poor cybersecurity practices (precursor #2)
   - Poor security practices have meant uncertainty of OT network
   segmentation reliability (precursor #3)
   - It pumps hundreds of million USD value in fuel per day – loss of this
   income is a critical issue of the company (precursor #4)
   - Company uses live flow measurements for billing of customers
   (precursor #5)
   - Company supplies about 45% of east US coast fuel making it a major
   risk to US transport operations (precursor #6)
   - Lack of confidence in Operational Technology (OT) safety
   segmentation/independence. Ransomware could have made safety functions
   ineffective or even trip dangerous actions such as spills, overpressure
   etc. (precursor #7)
   - Ransomware criminals move their target from individuals to business
   and especially where quick payment of ransom is lower than daily cost to
   business (precursor #8)
   - Oil and gas industry has strongly lobbied against cybersecurity
   regulation (precursor #9)
   - DarkSide ransomware attack locked out the business operation of
   Colonial Pipeline (loss of control #1 – prior to 7 May)
   - Colonial Pipeline as a precaution shuts down Operational Technology
   system for pumping. (response #1 – 7 May)
   - US East Coast loses 45% of its fuel supply causing panic buying and
   logistical issues for road and air transport (outcome #2 – 7 May)
   - Federal Motor Carrier Safety Administration (FMCSA) declared a state
   of emergency in 18 states to help with the shortages (outcome #3 – 9 May)
   - Colonial Pipeline paid ransom (USD 4.4M) to assist in recovering from
   attack (outcome #4 – prior to 13 May)
   - Colonial Pipeline eventually re-established pipeline operation
   (outcome #5 – 13 May)
   - FBI and CISA issue alert on pipeline ransomware threat (outcome #6 –
   11 and 19 May)
   - TSA update to Pipeline Security Guidelines (outcome #7 – April 2021
   replace criticality guides -naturally)
   - TSA issues Security Directive Pipeline directing a whole range of
   mandatory report and assessments with significant penalties for
   non-compliance (outcome #8 – May 28)
   - United States Department of Justice (DOJ) gives critical
   infrastructure ransomware attacks equivalent priority to terrorism.
   (outcome #8 – 3 June)



Pipeline and critical infrastructure regulators have consistently advised
effective and proven separation between Information Technology (Purdue
Layers 2 to 4) and Operational Technology/Safety-related Systems (Purdue
Layers 0 and 1), and this would have helped minimise disruption (precursors
#2, #3, #7 and #9). The company's reaction was influenced by previous fines
for environmental spills (precursor #1) and business imperatives (precursors
#4, #5 and #6), causing a “knee-jerk” reaction of safety shutdown (outcomes
#1 and #3).




Regulators have had no choice but to increase oversight and reporting
(outcomes #5 to #8). It is yet to be seen whether this improves the
resilience of critical infrastructure.



Lessons for safety include:

   - Safety and security must be coordinated. It was a matter of luck that
   safety elements of the pipeline weren’t compromised.
   - Segregation between OT and IT is not assured. Air gapping is not
   certain (see RSA 2FA lesson).
   - Software defined perimeters, such as in IIoT and Factory 4.0, increase
   cyber-attack surface for OT and safety-related systems.

Probably worth writing a paper on this...

Bruce Hunter
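An added illustration, not part of the post above, of how the IT/OT separation the post discusses can be checked rather than assumed: it audits observed network flows against the post's Purdue split (IT at levels 2 to 4, OT and safety-related systems at levels 0 and 1). The subnet-to-level mapping, the single approved conduit and the sample flows are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Purdue level per subnet, using the post's split: levels 2-4 are IT, levels 0-1
# are OT / safety-related. All addresses here are constructed for the example.
ZONES = {
    ip_network("10.4.0.0/16"): 4,  # enterprise IT: billing, e-mail, remote access
    ip_network("10.3.0.0/16"): 3,  # site operations, historian
    ip_network("10.2.0.0/16"): 2,  # supervisory: SCADA servers, HMIs
    ip_network("10.1.0.0/16"): 1,  # basic control: PLCs
    ip_network("10.0.0.0/16"): 0,  # field: flow meters, safety I/O
}
OT_MAX_LEVEL = 1

# The only sanctioned IT->OT conduits, as (source subnet, destination level, port).
# Hypothetical policy: hardened SCADA servers may speak Modbus/TCP to PLCs, nothing else.
ALLOWED_CONDUITS = [(ip_network("10.2.0.0/24"), 1, 502)]

def level_of(addr: str) -> int:
    ip = ip_address(addr)
    for net, lvl in ZONES.items():
        if ip in net:
            return lvl
    raise ValueError(f"{addr} is outside every known zone")

def classify(src: str, dst: str, dport: int) -> str:
    """'telemetry' for OT->IT (e.g. live meter readings feeding billing),
    'ok' for same-side or conduit traffic, 'violation' for IT->OT elsewhere."""
    s, d = level_of(src), level_of(dst)
    if s <= OT_MAX_LEVEL < d:
        return "telemetry"
    if d <= OT_MAX_LEVEL < s:
        src_ip = ip_address(src)
        if any(src_ip in net and d == lvl and dport == port
               for net, lvl, port in ALLOWED_CONDUITS):
            return "ok"
        return "violation"
    return "ok"

def audit(flows):
    """Return the (src, dst, port) tuples where IT reaches into OT outside a conduit."""
    return [f for f in flows if classify(*f) == "violation"]

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.3.0.10", 4840),   # flow meter -> historian (OPC UA): telemetry
    ("10.2.0.3", "10.1.0.7", 502),     # SCADA -> PLC through the approved conduit: ok
    ("10.4.0.20", "10.1.0.7", 502),    # enterprise billing host -> PLC: violation
    ("10.3.0.10", "10.0.0.5", 4840),   # historian writing back to a field device: violation
]
```

Fed with real flow records (firewall logs or NetFlow), `audit` gives a concrete answer to the "segregation is not assured" lesson: every listed violation is a path that the supposed air gap does not actually close.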