Cyber Moment – Cyber Extortion: Colonial Pipeline Lessons Learned

By NERC CIP Reliability Specialist Greg Matejka

Colonial Pipeline Company operates 5,500 miles of pipeline, the largest refined products pipeline in the US. According to the company's website, it transports more than 100 million gallons of fuel per day through its combined infrastructure. Located throughout the Southeast and Atlantic Seaboard regions of the United States, the portion of the pipeline impacted by the May 7, 2021 ransomware attack accounts for 12-15% of daily oil capacity in the US (hstoday.us, 5/11/21). The attack on Colonial is yet another example that no one is immune from the threat of ransomware.

So, what should industrial organizations do to mitigate the risk of the ransomware threat? In the Cyber Security realm, it boils down to security controls. Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information (Wikipedia).

The Center for Information Security (CIS) is a non-profit organization responsible for developing best practices for internet security. The CIS Controls, formerly the CIS Top 20, are as follows:

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  6. Maintenance, Monitoring and Analysis of Audit Logs
  7. Email and Web Browser Protections
  8. Malware Defenses
  9. Limitation and Control of Network Ports, Protocols and Services
  10. Data Recovery Capabilities
  11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
  12. Boundary Defense
  13. Data Protection
  14. Controlled Access Based on the Need to Know
  15. Wireless Access Control
  16. Account Monitoring and Control
  17. Implement a Security Awareness and Training Program
  18. Application Software Security
  19. Incident Response and Management
  20. Penetration Tests and Red Team Exercises

Do you know and trust your security controls? How robust are they? The list of controls recommended by the CIS far exceeds those required for NERC Low Impact rated facilities. This makes it even more critical that they are implemented effectively. Do your implemented controls offer defense-in-depth? Most successful prevention methods don't work in a vacuum; they rely on several controls working together in a defense-in-depth strategy. Have you implemented security controls in both the Information Technology (IT) and Operational Technology (OT) networks? As the Colonial Pipeline case shows, attacks on the IT side of your infrastructure may have impacts on your OT environment. Have you considered the impact of an IT breach? Both sides of the organization need to work together. Properly implemented strategies reduce the overall impact of malicious attacks and improve the bottom line for your business.

Detection is key. What visibility do you have into the data provided by these controls to effectively maintain situational awareness? Having the technology but no visibility into the data reduces your ability to respond in a timely manner. How quickly can you respond across all critical access points in your infrastructure? Do you have personnel and processes in place to respond in a timely manner? Timely response is a critical component in minimizing the effect on any impacted environment.

What is your containment strategy? Consider running a Cyber Security Incident Response Plan (CSIRP) exercise where the scenario happens in the IT environment. A CSIRP exercise run with this scenario could expose issues and provide an opportunity to gain important insight into the relationships between the IT and OT sides of the business, so that you are better prepared for an actual event.

The information shared about why Colonial Pipeline took down its operations network in response to the ransomware attack is limited and varies from source to source. Although we cannot say that implementing the cited controls would have prevented an attack on the operations network, it would most certainly improve visibility and reduce the likelihood of a successful attack.

Cyber Extortion – Colonial Pipeline Lessons Learned – Part 1 was published in the Power Services Quarterly issued June 17, 2021.