Stefan Schachinger, Product Manager, Network Security – IoT, OT, ICS at Barracuda
Just a few weeks ago, we saw pictures of people queuing at gas stations as the news reported that airports could run out of jet fuel. While large parts of the population previously perceived cyber-attacks as something abstract without any real impact, the recent attack on Colonial Pipeline has challenged this perception by causing real problems for society.
With the Middle East Oil & Gas sector historically being a prime target of cyber-attacks, there is good reason for regional producers to take note of the Colonial Pipeline attack. Given its scale, and the fact that it was carried out in the home nation of "big tech", it is particularly concerning. Most importantly, there are many lessons to be learned from this incident that can help Middle East Oil & Gas companies avoid falling prey to ransomware in the same way.
Targeting the low-hanging fruit
The exact details of the attack method in this particular case are still not known, but it has become clear that this was not a highly sophisticated, long-planned operation at a military level. Both the criminal group Darkside and its ransomware, offered as ransomware-as-a-service (RaaS), have been known since mid-2020.
According to media reports, the pipeline and its control systems were not attacked directly. Rather, the attack is likely to have originated in office IT systems and infected the billing system there, which is essential for the unfettered operation of a pipeline.
It is not known whether foreign government organizations encouraged or provided incentives for this attack, but it is well documented that Darkside's ransomware checks the system language and does not run on computers configured with Russian or other CIS-country languages.
When the world's news media are watching a critical infrastructure operator and waiting for it to decide whether to pay the ransom or accept significant restrictions on public life for a period that is difficult to estimate, the decision is obvious. The double extortion approach, in which data is not only encrypted but the victim is also threatened with its publication, further increases the pressure. The question remains whether this was really a targeted attack or simply an exposed vulnerability that was found and exploited.
Traditional attack vectors
The most popular attack method is still email. The chances of success are good and, even if an attempt fails, there are usually no consequences for the attacker. Of course, email-based attacks work better when the cybercriminals have prepared them well.
Widespread phishing mails with generic content have a lower chance of success than targeted, well-prepared attacks. Last year, COVID-19 turned out to be perfectly suited as a hook for phishing emails. Above all, the recipient must feel personally addressed, whether through curiosity, financial promises, or similar lures. When someone clicks on a malicious link, a piece of software is usually downloaded, and things take their unpleasant course.
In Operational Technology (OT) networks, for example in industry, production, or infrastructure, remote maintenance access is often a problem. A large number of employees and external service technicians have to access devices for a wide variety of reasons, and very often they use different methods to do so. Just recently there was a critical incident at a water utility in Florida in which remote maintenance access was abused to manipulate safety-relevant settings.
The attack methods are diverse, and there are many different ways of penetrating another organization's network. The problem with OT networks is that they are typically flat and open, and the devices on them are vulnerable. This means that attackers or malware that have found their way into the network can spread unhindered.
In order to successfully protect industrial networks, structured security measures are necessary. The example of Colonial Pipeline also shows that IT and OT systems are now closely connected and that dependencies exist between them that require both sides to be protected. If an attack on a billing system or a traditional ERP system causes a large-scale outage, this demonstrates a high degree of system interdependence, as would probably be found in many similar companies. The air gap between IT and OT no longer exists in practice, so both sides need to be protected accordingly.
Protective measures include technical and organizational measures as well as employee training and user awareness. A comprehensive email security suite should definitely be part of the solution, as email is the most common attack vector. But even with the best technical solution, it must always be assumed that something could still slip through. For this reason, employees must also be trained so that they are able to recognize an attempted attack.
Email is not the only way into a company. Remote maintenance access is a major risk, especially in industrial networks. Instead of a proliferation of different remote access solutions from different vendors, a standardized method that is easy to use and extensively secured should be provided. Multifactor authentication is mandatory, and remote maintenance access should also be time-limited, granted only for a defined maintenance window rather than standing open. And if a piece of malware or an attacker still manages to get into the network, segmentation is the key to preventing the attack from spreading to the company's resources.
Physical attack vectors such as social engineering, USB sticks, and malware on mobile devices must also be considered. Organizations should therefore always assume that security measures at the perimeter can be overcome or bypassed somehow.
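The two requirements above, a second factor and a time-limited window, can be enforced together in a small access broker. The following is an added example written for this article, not code from Barracuda or from any vendor's remote-access product; the grant structure, the asset name "plc-pump-07", the technician id and the window timestamps are constructed for illustration. The second factor is a standard TOTP (RFC 6238, HMAC-SHA1, 30-second step, 6 digits), so the demo secret is the RFC reference secret and the codes can be checked against the published test vectors.

```python
"""Time-boxed, MFA-gated remote maintenance access broker (added example, hypothetical).

A MaintenanceGrant names one technician, one target asset and a start/end window.
A session is opened only if the request matches the grant, falls inside the
window and carries a valid TOTP for the technician's enrolled secret.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

TOTP_STEP = 30      # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** TOTP_DIGITS)).zfill(TOTP_DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP for an explicit Unix time (passed in so the result is testable)."""
    return hotp(secret, unix_time // TOTP_STEP)


def verify_totp(secret: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the current step plus/minus skew_steps to tolerate clock drift.
    Constant-time comparison so a partially correct code does not leak timing."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = hotp(secret, unix_time // TOTP_STEP + delta)
        if hmac.compare_digest(expected, code):
            return True
    return False


@dataclass(frozen=True)
class MaintenanceGrant:
    technician: str
    asset: str          # constructed asset name, e.g. "plc-pump-07"
    not_before: int     # Unix time, inclusive
    not_after: int      # Unix time, exclusive


@dataclass
class AccessDecision:
    allowed: bool
    reason: str


def request_session(grant: MaintenanceGrant, technician: str, asset: str,
                    code: str, secret: bytes, now: int) -> AccessDecision:
    """Evaluate one remote-access request against a grant. Every check must pass;
    cheap, non-secret checks run first so the second factor is only consulted
    for requests that are otherwise in scope."""
    if technician != grant.technician:
        return AccessDecision(False, "technician not named in grant")
    if asset != grant.asset:
        return AccessDecision(False, "asset not covered by grant")
    if not (grant.not_before <= now < grant.not_after):
        return AccessDecision(False, "outside approved maintenance window")
    if not verify_totp(secret, code, now):
        return AccessDecision(False, "second factor failed")
    return AccessDecision(True, "session opened")


# Constructed demo data: the RFC 6238 reference secret and a two-hour window.
DEMO_SECRET = b"12345678901234567890"
DEMO_GRANT = MaintenanceGrant("vendor-tech-42", "plc-pump-07",
                              not_before=1_700_000_000, not_after=1_700_007_200)

if __name__ == "__main__":
    now = 1_700_003_600                      # inside the window
    good = totp(DEMO_SECRET, now)
    print(request_session(DEMO_GRANT, "vendor-tech-42", "plc-pump-07", good, DEMO_SECRET, now))
    print(request_session(DEMO_GRANT, "vendor-tech-42", "plc-pump-07", good, DEMO_SECRET, now + 86_400))
```

In a real deployment the grant would be created through a change or ticket process and the broker would sit in front of a single jump host, so that the window closing also terminates any open session rather than only refusing new ones.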
Segmentation separates the office IT network from the operational technology, and within the OT network the control level is separated from the process level. Legitimate connections are allowed but restricted as much as possible and inspected for malicious content with next-generation security functions such as antivirus, IPS, and advanced threat protection. To prevent lateral movement, for example from one machine to another, individual assets or small groups of assets are isolated from one another using micro-segmentation. With the additional use of anomaly detection, suspicious activity in the network traffic can be detected and automatically blocked on the firewalls. This way, in the event of a breach, containment can at least be achieved.
Protective measures must therefore always be diverse and multi-layered, and no individual measure should be assumed to be insurmountable. If this is taken seriously, your own network is no longer an easy target for attackers.
The Colonial Pipeline ransomware attack has likely attracted far more attention than the attackers wanted. It can be seen as a wake-up call that will certainly prompt many companies, especially those in the Middle East, to carefully review their own security measures.
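The zoning rules described above can be written down as an explicit allow-list and checked against observed traffic, which is also the simplest form of the anomaly detection mentioned: any flow not covered by the policy is reported for blocking and investigation. The following is an added example, not code from the article's author or from any firewall product; the address plan (10.1.0.0/16 office, 10.20.0.0/24 control, 10.30.0.0/24 process), the allowed services and the six sample flow records are constructed for illustration.

```python
"""Zone-based segmentation policy check over flow records (added example, hypothetical).

Zones follow the text: office IT, OT control level, OT process level.
Between zones the default is deny, with a short allow-list of legitimate flows.
Inside the process zone micro-segmentation applies: PLCs never talk to each other.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan for the example.
ZONES = {
    "office":  ipaddress.ip_network("10.1.0.0/16"),
    "control": ipaddress.ip_network("10.20.0.0/24"),   # SCADA servers, engineering stations
    "process": ipaddress.ip_network("10.30.0.0/24"),   # PLCs, RTUs
}

# Inter-zone allow-list: (src_zone, dst_zone, proto, dst_port). Everything else is denied.
ALLOW = {
    ("office", "control", "tcp", 443),    # historian web view from IT
    ("control", "process", "tcp", 502),   # Modbus/TCP from SCADA/engineering to PLCs
    ("control", "process", "udp", 161),   # SNMP polling of field devices
}

# Micro-segmentation exceptions: pairs that may talk inside their own zone.
# Here only the two SCADA servers, which replicate with each other.
INTRA_ZONE_ALLOW = {
    frozenset({"10.20.0.10", "10.20.0.11"}),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone name, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow under the zoning policy."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if sz is None or dz is None:
        return "deny", "endpoint in unknown zone"
    if sz == dz:
        if frozenset({flow.src, flow.dst}) in INTRA_ZONE_ALLOW:
            return "allow", f"intra-{sz} pair on allow-list"
        return "deny", f"micro-segmentation: no lateral traffic inside {sz}"
    if (sz, dz, flow.proto, flow.dport) in ALLOW:
        return "allow", f"{sz}->{dz} {flow.proto}/{flow.dport} on allow-list"
    return "deny", f"{sz}->{dz} {flow.proto}/{flow.dport} not on allow-list"


def parse_flow(line: str) -> Flow:
    """Parse the constructed 'src dst proto dport' record format."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def find_violations(lines: List[str]) -> List[Tuple[Flow, str]]:
    """Flows the policy would deny: candidates for an automatic block and a ticket."""
    out = []
    for line in lines:
        flow = parse_flow(line)
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            out.append((flow, reason))
    return out


# Constructed sample flow log.
SAMPLE_LOG = [
    "10.1.5.23 10.20.0.10 tcp 443",     # office -> historian: allowed
    "10.20.0.10 10.30.0.7 tcp 502",     # SCADA -> PLC Modbus: allowed
    "10.1.5.23 10.30.0.7 tcp 502",      # office workstation straight to a PLC: deny
    "10.30.0.7 10.30.0.8 tcp 502",      # PLC -> PLC: deny (micro-segmentation)
    "10.20.0.10 10.20.0.11 tcp 5432",   # SCADA replication pair: allowed
    "10.30.0.7 10.1.0.9 tcp 445",       # PLC -> office SMB: deny
]

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_LOG):
        print(f"DENY {flow.src}->{flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

The point of keeping the allow-list this short is that every deny line in the output is worth a look: an office host opening Modbus to a PLC, or one PLC reaching another, is exactly the lateral movement the segmentation exists to stop.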