The Grid Wasn’t Attacked in the Colonial Pipeline Hack – But It Sure Was Close

As the head of GlobalSign’s operations for North and South America, I’m always interacting with a wide variety of businesses from the B2B to retail and consumer goods. But as it turns out, the segment I have focused on much of the last decade is the energy market, working especially with the North American Energy Standards Board (NAESB). In doing so, I have been fortunate enough to get quite a bit of exposure to the electricity market, as well as the broader energy industry.

And so, when the news broke about the Colonial Pipeline hack, you can be sure it caught my attention (of course, the incident captured people’s attention worldwide). Having said that, I do want to make some very important points.

First, of course the Colonial Pipeline hack was noteworthy because it was the most significant ransomware attack to date on a U.S. energy transport system versus an actual fuel provider such as Exxon.

Hype vs. Reality

Despite the hype about the grid being attacked, this simply wasn’t the case. The energy grid was NOT attacked. Nor was the industrial control system that Colonial Pipeline utilizes.

No, this was not a nightmare scenario where hackers were remotely controlling valves and switches.  But the truth is, it could’ve happened.

What’s also very true is the Colonial Pipeline hack caused mass panic in many parts of the nation, especially the East Coast due to concerns that fuel would run out, and that gas station pumps would be empty for an unknown period of time. The fear of the unknown is powerful.

But once Colonial Pipeline’s CEO Joseph Blount made the very tough decision to pay the ransom – to the tune of $4.4 million ransom – the company obtained a decryption key, and the fuel was flowing again, allowing millions of U.S. residents to breath a collective sigh of relief. Soon after, the long lines at gas stations began to recede.

What happened?

What was attacked was Colonial Pipeline’s IT system. The ransomware was likely injected through well-known attack vectors such as phishing and spear phishing. But as we saw with SolarWinds, malware can be deployed through seemingly routine firmware updates.

Once Colonial Pipeline discovered it had been hit by a cyber attack, it took some systems down to isolate the threat, temporarily halting fuel flows on the pipeline. The company later announced it discovered the cyber attack involved ransomware.

While no evidence emerged that the attackers penetrated the vital control systems (because this deeper layer of controls is vulnerable to cyber attacks), spreading the infection would have had dire consequences.

Understanding the difference between IT and OT systems

 
Image source: Coolfire Solutions

While IT controls business processes like billing and administration, OT systems control valves, engines and other machines to regulate temperature, pressure and flow.

Colonial has a modern OT system, which uses Supervisory Control and Data Acquisition (SCADA) systems to control and monitor industrial control systems.

Advances in OT have created enormous productivity, reliability and safety advantages, but have also opened the door to increased vulnerability. These previously “manned” operated functions are now performed by computers, allowing even the most remote incident to be quickly detected and fixed.

The lines between IT and OT are blurring so one must take any breach to an IT system extremely seriously, although it appears it wasn’t the case with Colonial.

What can be done?

Today, everyone has a role to play in doing whatever is possible to alleviate a cyber incident. Following are some important tips to keep in mind.  

1. Greater education on detecting suspicious emails – hover over the domain, only trust digitally signed message, check for obvious typo. Don’t click on any suspicious links without first reporting it to your IT department.

2. Up the ante on your business resumption plan. We are way past the time when we asked, “will we get hacked?” Because now we know that most businesses will. The better question is “How will we respond and restore our systems?”

3. Back up your data in a separate network.

4. Increase cybersecurity controls – especially in OT systems.

5. Take advantage of PKI technology’s flexibility by using separate private CA hierarchies to issue for user and machine authentication certificates used to authenticate people and machines. What you want is segregation of IT and OT access control rules to minimize the risk of having an IT breach impact your OT systems.

6. Monitor your systems very closely. Many hackers are patient and will take numerous steps, often with phishing emails, to worm their way into systems that – if penetrated – could have devasting consequences in terms of data breach and, worse yet, control over industrial controls (using a code signing solution can help). Moreover, don’t run any executable that hasn’t been verified by a trusted code signing certificate where the software publisher has been clearly verified via strong identity proofing.

7. Secure your code signing private key on a Trusted Platform Module (TPM) or USB-type hardware.

8. Look to NAESB and other industry-specific standards organizations for cybersecurity best practices.

Interested in learning more? Check out our Q&A with energy expert Richard Brooks and visit our website to find out how GlobalSign is working with NAESB to provide compliant digital certificates for a variety of use cases including secure authentication to online services, access to the NAESB Electronic Industry Registry (EIR), digitally signing email and documents, and the encryption of server communications.