Colonial Pipeline – Update, Recommendations, Response, and (DarkSide) Analysis

Created: Thursday, May 13, 2021 - 13:18
Categories:
Cybersecurity

Update

Given the widespread coverage on virtually every news outlet, updates on the Colonial Pipeline ransomware incident probably don’t need to be covered here. However, in case you missed it, a restart of pipeline operations was initiated Wednesday at approximately 5 PM ET, within moments of the White House’s announcement of President Biden’s signed Executive Order designed to strengthen U.S. cybersecurity. Following the Colonial Pipeline restart, it will take several days for the product delivery supply chain to return to normal, a company spokesperson told SecurityWeek. As expected, “Some markets served by Colonial Pipeline may experience, or continue to experience, intermittent service interruptions during the start-up period. Colonial will move as much gasoline, diesel, and jet fuel as is safely possible and will continue to do so until markets return to normal.”

Recommendations – Assess Atrophy of the “Air-gap”

In light of the Colonial Pipeline ransomware incident – the most disruptive cyber intrusion Dragos has witnessed on US energy infrastructure – Dragos offers some pointed observations and recommendations drawn from similar ransomware cases it has worked, intended to help all critical infrastructure owners and operators build resilience within their operations.

Observations (excerpts taken directly from the post):

  • Like any pipeline, Dragos would expect Colonial Pipeline to have so many dependencies between their control and SCADA systems into their business systems that it becomes hard to reasonably delineate and separate. With this in mind, out of an abundance of caution, halting operations becomes the safest choice.
  • Once initial access is achieved, they quickly bring in tools focused on gaining Domain Administrator access to enable them to then deliver their ransomware. Dragos often finds shared credential management between IT and OT networks such as connected Domain Controllers as a mechanism to impact OT.
  • Although this attack was carried out on the Enterprise network, it brings to light the highly interconnected nature of OT operations that businesses must consider.

Dragos’ assessments and cases consistently observe that OT networks are not as highly segmented (or even as air-gapped) as organizations believe. Despite the “movement” toward IT-OT convergence, in reality, Dragos views that much of that convergence took place a decade ago, and the preventative controls, such as segmentation, that the organizations had in place have atrophied over time through misconfigurations, additional devices, or just the nature of needing increased connectivity for the business.

Regardless of critical infrastructure sector – energy (e.g., electricity, natural gas, petroleum), water, etc. – there are “pipelines” involved that rely on careful orchestration of control system components to protect civilization as we know it. As a vital, critical, essential, non-negotiable, dare we even say, “mortal” (ability to cause death due to a process breakdown) lifeline sector, all water and wastewater utilities have a duty to comprehensively assess the cybersecurity posture of their facilities. Some of the basics that Dragos recommends (note, these are also included across many authoritative and other industry sources):

  • Review existing segmentation and preventative controls that may have atrophied over time.
  • Identify shared systems or infrastructure on the IT side that could allow an adversarial group to pivot and deploy Ransomware to the OT side.
  • Review dataflows of critical business system applications reliant on OT communications and document them.
  • Engage firms with OT/ICS incident response experience if internal resources are not trained or readily available.
  • Ensure backups are being performed across critical OT systems, such as data historians, SCADA servers, and their databases.
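The first two recommendations (review segmentation that may have atrophied, and identify shared IT infrastructure such as Domain Controllers that could let an intruder pivot into OT) lend themselves to a repeatable check. The script below is an added example, not code from WaterISAC, Dragos or Colonial Pipeline: it reads exported flow records, flags every cross-zone flow not covered by a policy allow-list, and rates flows on directory-service ports that touch OT as the strongest signal of the shared-credential pattern described above. The zone ranges, allow-list, flow format and sample records are all constructed assumptions to be replaced with your own network documentation.

```python
# Added example (not from the WaterISAC post, Dragos or Colonial Pipeline):
# a segmentation audit over exported flow records that flags traffic crossing
# the IT/OT boundary and highlights directory-service ports, which point to a
# Domain Controller shared between IT and OT. Zones, allow-list and flow
# format are constructed assumptions; substitute your own network documentation.
import ipaddress
from collections import Counter

# Assumed zone definitions (constructed sample values).
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.50.0.0/24")],
    "OT": [ipaddress.ip_network("192.168.100.0/24")],
}

# Well-known directory-service ports; OT hosts reaching these on IT
# addresses suggest shared credential/domain infrastructure.
DIRECTORY_PORTS = {88: "kerberos", 389: "ldap", 445: "smb", 636: "ldaps", 3268: "global-catalog"}

# Cross-zone flows the (assumed) policy explicitly permits: (src_zone, dst_zone, dst_port).
ALLOWED = {("OT", "DMZ", 443), ("DMZ", "IT", 443)}


def zone_of(ip):
    """Return the zone containing ip, or UNKNOWN if the address is undocumented."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "UNKNOWN"


def parse_flow(line):
    """Parse one constructed flow record: 'src_ip,dst_ip,dst_port,proto'."""
    src, dst, port, proto = line.strip().split(",")
    return {"src": src, "dst": dst, "port": int(port), "proto": proto}


def audit(lines):
    """Return a finding for every cross-zone flow not covered by the allow-list."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
        if src_zone == dst_zone:
            continue  # intra-zone traffic is out of scope for this check
        if (src_zone, dst_zone, flow["port"]) in ALLOWED:
            continue
        # Direct IT<->OT traffic is worse than traffic via the DMZ, and
        # directory-service traffic touching OT is the strongest indicator
        # of a Domain Controller shared between the two networks.
        severity = "high" if {src_zone, dst_zone} == {"IT", "OT"} else "medium"
        service = DIRECTORY_PORTS.get(flow["port"])
        if service and "OT" in (src_zone, dst_zone):
            severity = "critical"
        findings.append({**flow, "src_zone": src_zone, "dst_zone": dst_zone,
                         "service": service, "severity": severity})
    return findings


def severity_counts(findings):
    """Tally findings by severity for a quick summary."""
    return Counter(f["severity"] for f in findings)


def shared_directory_hosts(findings):
    """IT addresses that OT hosts reach on directory-service ports (likely shared DCs)."""
    return sorted({f["dst"] for f in findings
                   if f["src_zone"] == "OT" and f["dst_zone"] == "IT" and f["service"]})


# Constructed sample flow records (not real telemetry).
SAMPLE_FLOWS = [
    "10.10.5.20,192.168.100.10,445,tcp",      # IT -> OT SMB
    "192.168.100.10,10.10.1.5,88,tcp",        # OT host authenticating to an IT DC
    "192.168.100.10,10.50.0.5,443,tcp",       # OT -> DMZ, permitted by policy
    "10.50.0.5,10.10.1.9,443,tcp",            # DMZ -> IT, permitted by policy
    "10.10.7.3,192.168.100.25,3389,tcp",      # IT -> OT RDP
    "192.168.100.10,192.168.100.11,502,tcp",  # OT -> OT Modbus, intra-zone
    "10.10.5.20,10.50.0.5,8080,tcp",          # IT -> DMZ, not on the allow-list
]

if __name__ == "__main__":
    results = audit(SAMPLE_FLOWS)
    for f in results:
        print(f"[{f['severity']:8}] {f['src_zone']}->{f['dst_zone']} "
              f"{f['src']} -> {f['dst']}:{f['port']} {f['service'] or ''}")
    print("severity counts:", dict(severity_counts(results)))
    print("IT directory hosts reached from OT:", shared_directory_hosts(results))
```

Run against the sample it reports two critical findings (SMB into OT and Kerberos from OT to an IT address), one high (RDP into OT) and one medium (an unlisted IT-to-DMZ flow), and names 10.10.1.5 as a probable shared Domain Controller. Feeding it real flow exports turns the "review segmentation" recommendation into something that can be re-run after every change so atrophy is caught early rather than discovered during an incident.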

To improve sector asset owners and operators’ ability to effectively respond to incidents, members are highly encouraged to review the complete blog text of Dragos’ Summary of Recommendations. For more detail and examples of each recommendation, visit Dragos.

Incident Response

As was stated in Tuesday’s Security & Resilience Update post on Why IT-Based Ransomware Matters for ICS Operations, the Colonial Pipeline attack presents another opportunity for members to review, exercise, or develop their incident response (IR) plans in response to someone else’s incident. In that same vein, Dale Peterson asks for forgiveness for “yet another article inspired by the Colonial Pipeline incident” as he provides three must-have OT Incident Response Playbooks:

  • Playbook 1 – Enterprise Network Compromised – Scenario: The enterprise network has been compromised, and there is currently no evidence of a related compromise in OT.
  • Playbook 2 – Ransomware in OT – The reality of ransomware in OT, not just on the enterprise, makes this a great playbook to use for the generic recovering from a compromise of OT that takes out all of your computers scenario.
  • Playbook 3 – Operations Down… Is It A Cyber Incident? – The most publicized examples of when this playbook was needed are Stuxnet and Trisis/Triton. The attacks caused outages, and the cyber incident cause was not identified in the early outages.

For more on each Playbook, visit Dale Peterson.

Analysis – DarkSide Ransomware

Several cybersecurity experts and organizations have published reports and analysis of the DarkSide ransomware that has been attributed to the Colonial Pipeline incident. The following reports are being heralded as two of the more valuable. The analyses include observed behavior and activity both before and in light of the attack on Colonial Pipeline. While DarkSide may seem a less likely threat to water and wastewater utilities, many of the observations are common to ransomware attacks broadly. And since ransomware attacks have ubiquitous relevance for all organizations, members are encouraged to review these reports for indicators and other concerns.