Takeaways from The Colonial Pipeline Hack


Sitting on a beautiful beach in Seaside, Florida, I enjoyed a week away from business and technology topics. While I was away, you may have read that the company that operates the Colonial Pipeline suffered a ransomware incident in which critical company data was suddenly encrypted and inaccessible (the intrusion itself almost certainly preceded the encryption; ransomware crews typically spend days or weeks inside a network before triggering the payload). The Colonial Pipeline is a crucial link in moving refined petroleum products (gasoline, jet fuel, etc.) from Texas and the Gulf Coast to markets in the East and Northeast. The company is privately held; if it were publicly traded, you could have expected a multi-billion-dollar hit to its market cap.

You may have seen on the news that, in response to the ransomware incident, Colonial shut down its 5,500-mile pipeline on or about May 7th to contain it. The cascading effect curtailed the gasoline supply to the Florida panhandle and caused price increases and panic buying, which got worse once convenience stores started running out of gasoline. Around May 12th we learned that Colonial had paid the ransom (which, depending on who receives the money, can run afoul of US sanctions law) and pipeline operations resumed; as of this writing, inventories are returning to normal.

While the Colonial Pipeline is not a utility per se, it qualifies as critical infrastructure, alongside electric, gas, and water utilities. I've talked a bit about utilities in the past year. This incident provides a chance to dive a little deeper, to understand what happened and the implications for your companies. That starts with a discussion of technology and architecture.

There are two broad classes of systems in a utility or pipeline: (1) information technology (IT) and (2) operational technology (OT). Most of us are familiar with IT systems: websites, customer billing, business data, business intelligence, accounting, supply chain, HR, and the like. While IT systems are typically attached to an externally facing network, most utilities invest heavily in securing them from unauthorized access. You may be less familiar with OT systems, the industrial control systems (often referred to as SCADA) that monitor and control physical processes: the generation and transmission of electricity, or the movement of refined products through a pipeline.

Architecturally, many utilities keep OT systems firewalled from the outside and segmented from the IT systems. Why? Because their integrity is of utmost importance: a corrupted billing database is a business problem, a corrupted controller is a physical one. Many of you recall the Stuxnet worm that ultimately destroyed centrifuges in Iran's nuclear program roughly a decade ago. That facility's OT network was firewalled from the outside, but the worm is believed to have been carried past the firewall on a USB drive. Because many SCADA environments are treated as "air-gapped," they are not built or staffed to deal with malware the way IT environments are, and an air gap is only as good as the controls on the removable media and remote-access paths that cross it.
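The segmentation described above is easy to state and easy to undermine with one "temporary" convenience rule. The following added example (not code from the original post or from Colonial) models a first-match zone firewall policy and checks, by transitive reachability, whether anything outside the OT zone can initiate a connection into it. The zone names, ports, and both rulesets are constructed for illustration; the weak policy lets IT pull data directly from OT, the hardened one has OT push to a DMZ historian and denies every inbound flow into OT.

```python
"""Zone-segmentation reachability check for an IT / DMZ / OT network.

Added example, not from the original post. Zones, ports, and rules are
constructed for illustration. The point it demonstrates: a single IT->OT
allow rule turns any compromise of IT (e.g. ransomware arriving from the
internet) into a path to the control network.
"""
from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Rule:
    src: str              # zone name or "any"
    dst: str              # zone name or "any"
    port: Optional[int]   # None means any port
    action: str           # "allow" or "deny"


def permitted(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, None):
            return r.action == "allow"
    return False


def reachable_zones(rules: List[Rule], zones: List[str], start: str,
                    ports: List[int]) -> Set[str]:
    """Zones that `start` can initiate to, directly or by pivoting through
    a compromised host in an intermediate zone, over any of `ports`."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for z in zones:
            if z not in seen and any(permitted(rules, cur, z, p) for p in ports):
                seen.add(z)
                queue.append(z)
    return seen - {start}


ZONES = ["internet", "it", "dmz", "ot"]
PORTS = [22, 443, 502, 3389]   # ssh, https, Modbus/TCP, RDP (constructed sample)

# Weak policy: IT reads straight from OT systems "for the reporting dashboard".
WEAK_POLICY = [
    Rule("internet", "it", 443, "allow"),
    Rule("it", "ot", None, "allow"),      # the convenience rule
]

# Hardened policy: OT pushes to a DMZ historian, IT reads from the DMZ only,
# and nothing, from any zone, may initiate a connection into OT.
HARDENED_POLICY = [
    Rule("internet", "it", 443, "allow"),
    Rule("ot", "dmz", 443, "allow"),
    Rule("it", "dmz", 443, "allow"),
    Rule("any", "ot", None, "deny"),
]


def ot_exposed(rules: List[Rule]) -> bool:
    """True if any zone other than OT can transitively reach OT."""
    return any("ot" in reachable_zones(rules, ZONES, z, PORTS)
               for z in ZONES if z != "ot")


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name:9s} internet can reach: {sorted(reachable_zones(policy, ZONES, 'internet', PORTS))}"
              f"  OT exposed: {ot_exposed(policy)}")
```

The check is deliberately pessimistic: it assumes any zone an attacker can reach becomes a pivot point, which is exactly how ransomware operators move from a phished workstation toward the systems that matter. Run it against an export of your real zone policy and any "allow" that lands in the OT column deserves a written justification.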

The Federal government backs a set of mandatory standards, NERC CIP (Critical Infrastructure Protection), that owners and operators of the bulk electric system must meet to prevent and recover from cyberattacks. Pipeline operators such as Colonial are not subject to NERC CIP the way most electric utilities are; pipeline security falls under the TSA, whose guidelines at the time of the incident were voluntary.

Colonial reportedly paid about $5 million for the decryption key (which seems like a bargain to me), while the incident probably caused billions in economic disruption across the East Coast.

How vulnerable is your company to a cyberattack? Email me and let's talk about it. As always, I welcome your comments and suggestions.