Almost a year since the Colonial Pipeline ransomware attack on critical infrastructure occurred, the question still looms large: not whether such an incident could happen again, but when?
Now a string of ransomware attacks has affected at least 17 oil port terminals in Western Europe, causing tankers to be re-routed and supply chains disrupted. Hackers targeted the port terminal software used by Oiltanking (Germany), SEA-Invest (Belgium) and Evos (Netherlands), software that is used to maximize throughput and minimize loading and unloading delays. It isn’t clear whether the multiple incidents were a coordinated effort to disrupt the European energy sector or whether the hackers were simply able to compromise the same software used by all three companies.
Two things about the recent spate of attacks underscore what is increasingly obvious about incidents perceived as operational technology (OT) attacks and how to prevent them:
Without cross-visibility, OT shutdown is SOP
First, as with Colonial Pipeline, the hackers did not directly target OT and never actually touched an OT network. With critical infrastructure attacks, the belief is that threat actors will use spear phishing, default passwords or other means to gain access to the IT network before pivoting into the OT network. But rarely do they need to pivot. As soon as the threat presence is detected on the IT network, company cybersecurity policies stipulate that they shut down OT and industrial control systems (ICS) themselves rather than risk harm to people and infrastructure.
In the case of Colonial Pipeline, hackers infiltrated the IT network through an exposed password for a VPN account. After the attackers posted their ransom demand, company officials swiftly took the 5,500-mile pipeline offline. The oil logistics companies followed suit, reverting to manual operations as soon as the threat was detected in their software.
The Colonial Pipeline shutdown lasted five days, but the impact was lasting. Large, complex infrastructure controlled by OT can’t be taken off- and then back online quickly. Even after Colonial Pipeline paid the ransom (most of which they reportedly recovered), it took several more days to fully restart OT systems and for the supply chain to return to normal, at a cost to the company of tens of millions of dollars.
Security point solutions require orchestration
Second, we can assume the companies that were hit have mature cyber initiatives in place. Energy sector companies are typically ahead of the curve in this regard. They have already heeded advice to gain visibility into their OT networks and to carefully segment IT and OT networks to prevent breaches from spreading laterally. So, what went wrong?
Organizations that manage critical infrastructure rely on thousands of IP-connected devices to monitor and control operations that were once manual. To secure them all, companies invest heavily in point solutions from multiple vendors: asset management systems, endpoint security solutions, vulnerability assessment tools, SIEM and ticketing systems, and so on. These tools don’t always work together, and each one may or may not be properly configured and updated. The complexity can be greatly reduced by automating and orchestrating security operations across all assets with a single platform.
Organizations rely on Forescout to get more value from the standalone tools they’ve already invested in by making them work together more effectively. Forescout orchestrates communication and workflows among point solutions by:
- Ensuring existing security products are installed, running and up to date
- Sharing rich device, user and network context between the Forescout platform and other IT and security products
- Automating system-wide policy enforcement across disparate solutions
- Accelerating response actions to contain threats and mitigate risks
By automating and orchestrating security operations, Forescout offloads the many activities that scarce security staff are no longer available to perform manually.
Don’t shut down – automate and orchestrate
Pictures of stranded motorists and clogged shipping ports make great clickbait, but the real story is, where did the attack actually occur, and how could it have been prevented? After a high-profile attack on critical infrastructure, the impulse is to double down on ICS and OT security. But OT assets and networks should not be viewed in isolation. In recent malware and ransomware campaigns, attackers exploited weak device security posture, such as default credentials, vulnerable services and lack of segmentation to enter through IT systems. Uncertainty as to whether the OT network is vulnerable is sufficient for security teams to halt operations, at great cost. It’s time for a new playbook.
With proper visibility, segmentation and orchestration of point solutions across the entire threat landscape, companies can rebuff cyberattacks anywhere on their networks and carry on operations with confidence.
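As an added illustration of the containment logic this argument implies (example code written for this page, not Forescout's product or any code from the original post), the script below models a segmented asset inventory and observed network flows, all constructed, and scopes the response to an alert on an IT host: quarantine that host, block only the hop where its reach crosses into OT, and flag weak posture such as default credentials, instead of shutting down the OT network. Asset names, zone labels and the action strings are assumptions.

```python
from dataclasses import dataclass

# Constructed inventory: zone and posture facts an orchestration layer would pull from asset-management and vulnerability tools.
@dataclass(frozen=True)
class Asset:
    zone: str                    # "it", "dmz" or "ot"
    default_creds: bool = False  # flagged by a (hypothetical) credential audit

ASSETS = {
    "hr-laptop-07":  Asset("it"),
    "finance-ws-12": Asset("it"),
    "vpn-gw":        Asset("it", default_creds=True),
    "historian-01":  Asset("dmz"),
    "plc-loading-3": Asset("ot"),
}

# Constructed (src, dst) connections as a network-visibility sensor would record them.
OBSERVED_FLOWS = [
    ("hr-laptop-07", "vpn-gw"),
    ("vpn-gw", "historian-01"),
    ("historian-01", "plc-loading-3"),
]
ALLOWED_ZONE_FLOWS = {("it", "it"), ("it", "dmz"), ("dmz", "ot"), ("ot", "ot")}  # permitted by policy

def reachable(start, flows):
    """Hosts transitively reachable from `start` over the observed flows."""
    seen, frontier = {start}, [start]
    while frontier:
        cur = frontier.pop()
        nxt = [d for s, d in flows if s == cur and d not in seen]
        seen.update(nxt)
        frontier.extend(nxt)
    return seen

def segmentation_gaps(flows):
    """Observed flows between zones the segmentation policy does not allow."""
    return [f for f in flows if (ASSETS[f[0]].zone, ASSETS[f[1]].zone) not in ALLOWED_ZONE_FLOWS]

def scope_response(alert_host, flows=OBSERVED_FLOWS):
    """Scope containment for an alert on an IT host instead of a blanket OT shutdown."""
    hosts = reachable(alert_host, flows)
    # Hops where the alert host's reach first crosses into the OT zone.
    ot_hops = [(s, d) for s, d in flows if s in hosts
               and ASSETS[s].zone != "ot" and ASSETS[d].zone == "ot"]
    posture = sorted(h for h in hosts if ASSETS[h].default_creds)
    actions = [f"quarantine {alert_host} via NAC/endpoint tool"]
    actions += [f"block {s}->{d} at the OT boundary during triage" for s, d in ot_hops]
    actions += [f"rotate default credentials on {h}" for h in posture]
    return {"ot_hops": ot_hops, "posture_gaps": posture, "actions": actions}
```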