Never Assume: Key Learning from the Colonial Pipeline Attack

There is a lot of attention on Operational Technology (OT) networks and critical infrastructure companies as of late. The Russians have targeted the Ukrainian energy sector since 2015, and now Russian-based actors are believed to be behind the Colonial Pipeline attack. In the United States, a water treatment facility in Florida suffered an attack in early 2021. Targeting these companies and networks is not new and is something that governments and the companies that run these networks have been trying to address for many years.

OT networks often involve unique technologies and run and control vital public services, like oil and gas, energy, water, and telecommunications. There is a long-standing assumption that these networks are air-gapped, or separated from the Internet and traditional corporate IT networks. Most cybersecurity practitioners have known for years that this isn’t true, but security has still had a split focus: how you secure your IT network won’t work for your OT network.

One of the most significant issues is that governments, and especially these companies, are not addressing the problem despite their best intentions. They make false assumptions about these networks and how adversaries operate, which prevents them from understanding their vulnerabilities and security gaps and taking the right actions to mitigate risk. They often view OT networks as entirely separate from standard corporate IT networks because they involve different types of technology, hardware, and software, that you don’t find in traditional IT networks. They also need to operate in very specific ways with very specific timing to maximize efficiency and availability. And for many years, these networks were set up to require a malicious actor to have physical access to part of the network to access it and do any harm.

But times have changed, and organizations need to adapt and acknowledge the changing threat landscape. Now, OT networks connect to IT networks and the Internet. These networks are now connected in order to ease maintenance and sometimes to support modern operations leveraging today’s connectivity. And often, there are many more external and internal connections than companies even realize: it takes an adversary looking around to find these avenues of communication and exploit them to execute a cyberattack.

The reason these blind spots exist is that organizations don’t think of security holistically.

The reason these blind spots exist is that organizations don’t think of security holistically. Instead, they tend to focus on OT security for their OT network and IT security for their IT network. Furthermore, the teams responsible for these respective networks often don’t interact. I consistently speak with people and groups that don’t want to talk about IT security if they deal with OT networks. They just want to deal with the vulnerabilities present in their unique, and what they perceive to be separate, environment.

The reality is that all the attacks we have seen against critical infrastructure and industrial companies have leveraged the IT network or the internet to affect or gain access to the OT networks. Attackers target users with spear phishing emails and then scan the IT networks for access points into the OT networks using Remote Desktop Protocol (RDP) or similar technologies.

Companies need to recognize this and plan and adapt accordingly. Here are three concrete steps to help you start this journey:

1. Verify and know where you have connectivity between your networks. Have third parties conduct red team assessments to find these connections. Don’t assume that they don’t exist or that you know about all of them. Acting as an attacker, these experts will conduct reconnaissance to determine access points adversaries could leverage to infiltrate your IT and OT networks.
2. Tap into the vast and growing knowledge base available from government sources and others around how these attacks are happening and protect yourself accordingly. Cyber threat intelligence is a critical tool to raise awareness of potential vulnerabilities and other security weaknesses within your IT networks. Then, shore up your defenses, and limit access to your OT networks to only essential, authorized users, devices, and applications.
3. With greater visibility, you will have a better understanding of your environment and how attackers operate. The next step is to conduct simple architecture reviews, identify jump points, and perform scans for external Internet access or remote desktop/SMB access points. You can determine exactly what controls—both processes and technologies—are needed and begin implementing them to mitigate risk.

No company wants to make headline news because of a cyberattack. And many are now realizing that luck was on their side—this time. To keep a low profile, don’t assume that your networks are separated and therefore secure. As attacks have shown, that is a false assumption, and you may pay dearly.

Jonathan Couch is the senior vice president of strategy and corporate development at ThreatQuotient. He leverages 25+ years of experience in information security, information warfare and intelligence collection to focus on the development of people, process, and technology within client organizations to assist in the consumption, use, and communication of cyber threat intelligence. Prior to ThreatQuotient, Couch was a co-founder and vice president of threat intelligence services for iSIGHT Partners. Couch also has previously served in the U.S. Air Force at the NSA, Air Force Information Warfare Center, and in Saudi Arabia as the regional network engineer for the Joint Task Force (SW Asia). After leaving the military, Couch led a 25-member research and development team at Sytex Inc., later acquired by Lockheed Martin’s Advanced Technology Labs in 2005.