The recent Colonial Pipeline ransomware attack in the US raises awareness of Operational Technology (‘OT’) risk. We can all learn a few things from this still evolving event. Please note my comments are based on limited information in the public domain so far.
The Colonial Pipeline provides 45% of fuel to the US East Coast, so it is very important to society and business. Disclosures from Colonial so far seem to imply that traditional IT systems were hacked and regular business data was encrypted by the hackers. Pipeline operations were shut down (apparently) not because they were compromised by the ransomware attack but out of an abundance of caution. Probably a good idea. Ransomware groups have evolved to find and target organisations that have important systems and, specifically, a high availability requirement: either long term, like a pipeline, or short term/situational, like a merger/acquisition or just plain old quarterly reporting for a public company. The point is that the victim is under pressure to solve the problem sooner rather than later. These hackers now deliberately exploit the ‘worst case’ availability risk scenario.
This hack has been attributed to DarkSide, which is based in Russia. Although known as an organized crime group, it is certainly a legitimate question to ask how an organization such as this can operate with the freedoms it does within Russian borders. Is there some undercurrent of ‘don’t ask, don’t tell’ provided DarkSide targets the regime’s adversaries and not its friends? If a real or perceived fuel shortage causes price increases, who bought options before the incident, and who benefits from this industrial and societal disruption? Perhaps this is a test, and thus a warning of ‘more to come’?
We only have a partial picture today, but we can reflect and ask ourselves the following questions:
Big Picture issues and questions:
Are Canadian IT and, more importantly, OT systems at energy suppliers and other critical infrastructure players adequately secured to ensure availability of light, heat and power? Maybe not, but the recently appointed Ontario Broader Public Sector Cyber Security Expert Panel is looking into it, and its creation is an acknowledgement of the significant inherent (and likely controls) IT and OT risks that need to be calibrated and figured out.
While I might be optimistic, perhaps this event, following on the heels of the SolarWinds ‘software supply chain’ hack in December 2020, will cause business and industry groups and citizens (voters!) to be more aware of their reliance on critical infrastructure, ask Federal and Provincial Governments some hard questions and signal their expectations. My experience is that when a customer (voter) asks repeatedly for something, the supplier (government) eventually takes notice.
Sure, but what does this mean for my small, medium or enterprise business?
Classic consulting answer: it depends. Seriously:
- How dependent is your organisation on not just traditional IT and data, but OT and the Internet of Things (‘IoT’)? Answering this means you need a reasonably accurate inventory of your IT, OT and IoT systems and data, and of the business processes they support and automate. What level of confidentiality, integrity and availability does each require (the classic infosec CIA triad)?
- Do you have some clear view of how these are connected to each other and eventually to the internet? If the pipeline operational systems at Colonial were air-gapped from IT, would they have had to shut down pipeline flow?
- How vulnerable are you? This is a question in two parts. First, what vulnerabilities are inherent in the current/legacy design and operation of your business activities and systems (inherent risk)? For example, do they operate in a ‘hostile’ environment, like outside in the Canadian winter, which means they could freeze or be vandalised? Second, do you have good controls over physical and logical access to these systems (controls risk)?
- Are the IT and OT systems ‘old’ and unable to be patched to close known holes that hackers can drive a truck through? Can we update them? If not, can we ‘ring fence’ them using firewalls, strong authentication and restricted access permissions?
Based on the answers to these questions, you can take an educated guess at the likelihood and the impact of a disruption. It is important to break the risk down like this to properly understand it and plan the right mitigations/controls improvements. For example, very low likelihood combined with high impact points to insurance, but maybe not much else.
Or you can accept the risk, but at least you are aware of the risk you are accepting.
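As an added illustration (not part of the original post), the questions above can be turned into a small risk register: each asset gets an inherent likelihood from its design and exposure, a residual likelihood after ring-fencing, an impact from its availability need, and the treatment the text suggests (ring-fence what cannot be patched, insure low-likelihood/high-impact risks, or accept knowingly). The asset names, weights and thresholds are my own assumptions, chosen to show the method rather than any real organisation's numbers.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    kind: str                   # "IT", "OT" or "IoT"
    availability_need: int      # 1 (outage tolerable) .. 3 (must run continuously)
    internet_reachable: bool    # reachable from the internet, directly or via IT
    hostile_environment: bool   # e.g. outdoors in winter: can freeze or be vandalised
    patchable: bool             # can known holes still be closed?
    ring_fenced: bool           # firewall + strong authentication + restricted permissions

def inherent_likelihood(a: Asset) -> int:
    """Likelihood from design and operation alone, before any controls (1..4).
    Weights are assumptions: each exposure factor adds one point."""
    return 1 + int(a.internet_reachable) + int(a.hostile_environment) + int(not a.patchable)

def residual_likelihood(a: Asset) -> int:
    """Likelihood after access controls; ring-fencing removes one point (floor 1)."""
    return max(1, inherent_likelihood(a) - int(a.ring_fenced))

def assess(a: Asset) -> dict:
    """Score one asset (likelihood x impact) and map it to a treatment."""
    likelihood, impact = residual_likelihood(a), a.availability_need
    score = likelihood * impact
    actions = []
    if not a.patchable and not a.ring_fenced:
        actions.append("ring-fence: firewall, strong authentication, restricted access")
    if a.internet_reachable and a.kind != "IT":
        actions.append("review IT/OT connectivity; consider segmentation or an air gap")
    if likelihood == 1 and impact == 3:
        actions.append("insure the residual impact")       # low likelihood, high impact
    if score <= 2:
        actions.append("accept the risk, documented and reviewed")
    elif not actions:
        actions.append("improve controls until the score falls, or accept knowingly")
    return {"asset": a.name, "likelihood": likelihood, "impact": impact,
            "score": score, "actions": actions}

def prioritise(assets: list) -> list:
    """Register sorted with the highest-scoring assets first."""
    return sorted((assess(a) for a in assets), key=lambda r: r["score"], reverse=True)

# Constructed sample inventory (hypothetical assets, not any real company's).
INVENTORY = [
    Asset("pipeline SCADA server", "OT", 3, True, False, False, False),
    Asset("finance file server", "IT", 2, True, False, True, True),
    Asset("remote wellhead sensor", "IoT", 3, False, True, False, True),
    Asset("backup generator controller", "OT", 3, False, False, True, True),
]

if __name__ == "__main__":
    for row in prioritise(INVENTORY):
        print(row)
```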
Stay tuned, we will all learn more over the next weeks/months, just as we did with the SolarWinds incident in winter. But don’t be fooled: this is a warning shot for us all to understand our general and specific dependence on IT and OT, and an opportunity to embrace good governance of these systems that benefit us all. There is value in not being afraid to “overstate” the impacts of sustained and co-ordinated attacks on strategically important targets. And small and medium size business owners should not minimize or discount the probability that this could happen to you despite your size (or at least impact you).