How to protect your industrial control systems against the rising tide of cyber-attacks

As I was writing this, news reached me of a cyber-attack against an oil pipeline in the USA. A couple of days later, the story is still unfolding. Here’s what we know so far.

A well-organised gang of cyber-criminals identified as ‘DarkSide’ launched a ransomware attack against the Colonial Pipeline. The largest of its kind in the United States, the pipeline moves in excess of 100 million gallons of fuel every day, supplying 45% of the East Coast’s diesel, petrol and jet fuel.

News reports confirm that, in addition to locking the networks of Colonial Pipeline, DarkSide has stolen 100Gb of data, which it has threatened to leak onto the internet if a ransom isn’t paid.

The US government has passed emergency legislation which allows the use of oil tankers to transport the fuel to New York. Two days later the pipeline is still out of action. Colonial Pipeline is just the latest victim of cyber-attacks aimed at industrial operational technology. There will be others.

The target of choice

Every month there are hundreds of thousands of cyber-attacks across all industries, right around the world. No one is safe. According to research firm Statista, ransomware alone accounted for 304 million attacks in 2020. And a rapidly growing number of these are now being perpetrated not against IT systems but against OT (operational technology) – essentially, any sort of industrial control system.

There are several reasons for this, not least of which is that IT security is pretty good these days. It’s become a tough nut to crack. OT, on the other hand, is a much easier and juicier target.

For hackers, the bigger and more complex the factory, facility or production line, the better. Not only does the profusion of legacy control systems offer more ways in, but a successful attack is hugely damaging. The greater the damage that’s inflicted and the more expense is incurred, the more likely you are to pay a ransom.

The hacker holds all the cards. Once a ransomware attack is in play he has nothing to lose by playing a waiting game. Meanwhile the damage mounts up. So what can you do to stay safe?

The role of SOCs

You have two options. Option A, which is preferred, is to make sure that your OT and every single direct and indirect connection to the internet is continually monitored and protected. The scale of the task makes outsourcing an attractive option for many.

Third-party Security Operations Centres (‘SOCs’ for short) have been extremely successful in protecting IT networks and data, and they are getting better all the time. SOCs use a combination of threat intelligence, automated monitoring and skilled cyber-security analysts to provide dependable 24/7 protection. SOCs work.

Option B is to wing it. But be prepared to mitigate the effects of an attack which could (and probably will) cost you hundreds of thousands or even millions. It’s not a quick option, either. Statisticians at Ponemon Institute estimate that the average downtime caused by a ransomware attack is 12.1 days. Others put it higher. You will probably survive this but by now the details of your IT, OT and security weaknesses will be on the dark web, available to anyone for a nominal sum. Expect more attacks.

What about simply extending the reach of your IT SOC or security provider to cover your OT? We know that the approach works well and surely the software is scalable? Well, yes. Of course it is. But simply scaling up the operations centre isn’t going to work. And here’s why.

Living with dinosaurs

Industrial control systems have been around for a long, long time. Some of them predate the internet. Many of them are bespoke. Maybe you acquired a manufacturing plant as part of an acquisition. Perhaps you have a blend of recent and vintage systems cobbled together in an entirely unique way to perform a specific task. There could even be an unauthorised and undocumented 4G connection, quietly installed by an engineer for convenience and faster response times. OT is often a big unknown.

The shorthand for all this is that you can’t expect modern IT security software to automatically discover and monitor operational technology which might be 10 or 20 years old. And if you don’t know what the equipment does, or how it does it, or what it’s connected to, you have an unquantifiable risk. So you need to start with a careful and comprehensive asset discovery programme.

Network probes give you a lot of information and are always a good place to start discovering what’s connected (emphasis on ‘start’). But to really map out your OT estate and the thousands of connections that are found even in factories of a modest size, you need boots on the ground. You need experienced engineers to get hands-on, physically inspecting your entire estate. There is no substitute for engaging people who know what they are looking for and, more importantly, what they are looking at.

Now fast-forward a bit and assume that you now have a good understanding of your equipment and connections and that you’ve plugged the immediate holes. And let’s say that you’ve scaled and reconfigured your IT security to monitor all these connections. You’re not done yet. The third and final part of your security solution is creating a new playbook.

The all-important playbook

A playbook is a set of instructions on how to react to any given attack, such as ransomware, phishing, unauthorised access, and so on. It sets out what needs doing, who is responsible for each action and the order in which these steps should be taken. It is a calm voice in the midst of panic. You need it to be comprehensive and constantly updated as new equipment is acquired and new threats are discovered.

In the world of IT, writing a playbook is relatively straightforward. The usual approach is to start with a generic template and simply tailor it to meet your specific needs. With operational technology, however, it’s an entirely different matter.

Writing a playbook from scratch, to cover every one of your control systems and connections, complete with detailed responses to the many ways in which they might be compromised, under every circumstance, is a monumental task and fabulously expensive. And your IT SOC provider is unlikely to have any OT playbook templates.

So you need to look outside of your normal IT circles. Reach out to engineering firms because they are the ones who employ the people who know how to attack the technology and, more importantly, how to protect it. Ask around. Find the people who work in the ‘non-carpeted’ domains. Talk to others in your industry and see how they are managing things. There’s no need to reinvent the wheel.

The other advantage of an engineering-based provider is that they can test different scenarios with real equipment in real life. Maybe you want to add a new system or repurpose some legacy equipment. That can be tested offline with simulated attacks. It means that you don’t have to rely on ‘it will probably be OK’ because they will be saying ‘we know this works.’ They can prove it to you.

Choosing option A

Your IT and OT estates are becoming more and more connected to each other and to the outside world. That’s great for efficiency. But more connections mean greater risk.

There is a wealth of IT security knowledge out there but that’s not your starting point. It can’t be. The place to start is finding an engineering company – a firm which makes the type of systems that you’re trying to protect – and knows how to protect them. It is easy for engineers to learn security. It is hard for IT people to learn engineering. That’s just how it is.

I’ve said this before and I stand by it today: it is not a matter of ‘if’ your OT will be attacked, it’s a matter of ‘when’. Right now, you have two options. Tomorrow, you might have just one.