
INDUSTRY DIRECTIONS
Lessons from the Colonial Pipeline Breach
By David Greenfield
dgreenfield@automationworld.com
Editor-in-Chief / Director of Content, Automation World
Not long ago, most cyber-attacks on industry happened largely behind the scenes. The companies whose systems were breached rarely went public about the event, and if information about an incident was ever discussed publicly, it was usually years afterward, with few specific details beyond the nature of the attack revealed.
But that’s been changing as cyber-attacks have become more brazen and threaten the public at large. For example, on February 5, 2021, we learned about the remote access intrusion into the control system at a water treatment facility in Oldsmar, Fla., about 13 miles from Raymond James Stadium in Tampa where the Super Bowl was held just two days later.
In May 2021, cyber-crime gang DarkSide claimed responsibility for compromising the Colonial Pipeline Company—one of the largest fuel pipelines in the United States. As a result, fuel outages were experienced across states in the eastern U.S. supplied by Colonial Pipeline.
Advice for industry
Considering the ongoing rise in cyber-attacks on industry, Ron Brash, director of cybersecurity insights at Verve Industrial, a supplier of industrial control system security, highlighted five key areas of focus to help industrial companies mitigate the threat of a cyber breach affecting their operations:
• Realize that industrial cybersecurity is not IT vs. OT, as operations can be affected by attacks on both sides of the system. “Organizations need to work on bringing these two organizations together to protect the entire system. Visibility and protection across the IT-OT landscape is key to protecting operations,” he said.
• The largest security gaps in industrial companies tend to be in the management and maintenance of security. “Firewalls may exist, but personnel have adjusted rule settings to allow remote access and created servers that route around critical protection layers; patching policies may exist, but the manual tasks that are often standard do not get completed given the urgencies of operations; and standard secure configurations may exist, but exceptions are made, users adjust them, new software is allowed, and ports are opened, leaving gaps in that secure structure,” said Brash. “[But often] there is no central visibility of these gaps.”
• Consolidate security status. Brash noted that the ability to consolidate the security status across all systems into a common database to track and ensure protections are maintained is critical to strong cybersecurity protections. “Owners must patch, segment, harden configurations, ensure appropriate backups, and limit access to least privilege,” he said. “These core, fundamental elements of security can be the difference between being a victim or not.”
• Rapid response and recovery are critical. The real advantage a company can have is the immediate ability to take actions across endpoints, IT or OT, to stop the spread of malware, Brash said. “This integration of detection and response actions allows industrial organizations to significantly reduce the spread—and cost—of ransomware attacks.”
• Have a plan for a conscious shutdown. “Incidents like the Colonial crisis have become the new norm within the critical infrastructure cybersecurity community,” he said. “As such, organizations should be adequately trained and prepared to handle incidents like this via a well-defined procedure.”
IoT device security
“Good security is rarely retrofittable, especially when it comes to IoT devices. It needs to be built in as a core fundamental and planned for to exceed the anticipated lifetime of the product it is securing,” said Chris Hickman, chief security officer, at Keyfactor, a supplier of cryptography technology used to prevent network outages and secure machine identities in multi-cloud enterprises and IoT supply chains.
Mark Thompson, vice president of product management at Keyfactor highlighted three common mistakes Keyfactor sees being made in industry as they relate to IoT device security, and how to avoid them:
• Hardcoding credentials onto the device:
Some IoT devices are limited due to hardcoded credentials, Thompson said. “This is a common outcome when manufacturers embed passwords or shared keys into firmware to help simplify development or deployment at scale. If [these keys are] accidentally leaked, threat actors or individuals without proper authority can access an entire fleet of devices.” To avoid this problem, Thompson recommends using strong mutual authentication between any connected devices or applications within the overall deployment.
• Unsigned firmware:
“It’s strongly recommended that device makers sign firmware with a tightly controlled code signing certificate that only permits access to authorized individuals,” said Thompson. “Another critical step is to keep an internal audit trail of all code signing activities. Using a trusted public-private key pair is the most effective means to secure device firmware and have the ability to check and verify the device’s signature before booting the device or installing firmware updates.”
• Weak authentication and encryption:
“Implementing strong cryptographic keys and algorithms that match the device’s use case applications are critical to hardening its long-term security,” Thompson said. “Equally important is ensuring sufficient entropy to produce an encryption key; randomness in key generation is a priority through this process.”
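The three items above share one mechanism worth seeing end to end: an asymmetric key pair, where only the public half is baked into the device, so extracting the firmware does not hand an attacker the ability to sign for the whole fleet (the failure mode of the shared-secret approach in the first item). The following Go program is an added example written for this article, not code from Keyfactor or from any vendor named on the page. The image layout (a "FWIM" magic, a length field, the payload, and a trailing Ed25519 signature) is a hypothetical format constructed for illustration; the sample firmware bytes are constructed, and the keys are generated from the operating system's CSPRNG via crypto/rand, which is the "sufficient entropy" the third item refers to.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout used for this example (not a real vendor format):
//   "FWIM" | 4-byte big-endian payload length | payload | 64-byte Ed25519 signature
// The signature covers everything before it, so the length field is protected too.
const (
	imageMagic = "FWIM"
	headerLen  = len(imageMagic) + 4
	sigLen     = ed25519.SignatureSize
)

var (
	ErrMalformed    = errors.New("firmware: malformed image")
	ErrBadSignature = errors.New("firmware: signature verification failed")
)

// GenerateSigningKey runs once, inside the manufacturer's signing service or HSM.
// crypto/rand draws from the OS CSPRNG; never derive a signing key from time or a PRNG.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignImage is the release-pipeline side. The private key never ships on the device.
func SignImage(priv ed25519.PrivateKey, payload []byte) ([]byte, error) {
	if uint64(len(payload)) > 0xFFFFFFFF {
		return nil, ErrMalformed
	}
	img := make([]byte, 0, headerLen+len(payload)+sigLen)
	img = append(img, imageMagic...)
	var lenBuf [4]byte
	binary.BigEndian.PutUint32(lenBuf[:], uint32(len(payload)))
	img = append(img, lenBuf[:]...)
	img = append(img, payload...)
	sig := ed25519.Sign(priv, img) // signs magic + length + payload as one message
	return append(img, sig...), nil
}

// VerifyImage is the device side (bootloader or update agent). Only the public key is
// embedded in the device; the payload is returned only if the signature verifies.
func VerifyImage(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < headerLen+sigLen || string(image[:len(imageMagic)]) != imageMagic {
		return nil, ErrMalformed
	}
	body, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	declared := binary.BigEndian.Uint32(body[len(imageMagic):headerLen])
	if uint64(declared) != uint64(len(body)-headerLen) {
		return nil, ErrMalformed
	}
	if !ed25519.Verify(pub, body, sig) {
		return nil, ErrBadSignature // tampered payload, or signed by a key we do not trust
	}
	return body[headerLen:], nil
}

func main() {
	pub, priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed sample firmware v1.2.3") // constructed, not a real image
	image, _ := SignImage(priv, payload)

	if _, err := VerifyImage(pub, image); err == nil {
		fmt.Println("genuine image: accepted")
	}

	tampered := append([]byte(nil), image...)
	tampered[headerLen+5] ^= 0x01 // flip one bit inside the payload
	_, err = VerifyImage(pub, tampered)
	fmt.Println("tampered image:", err)

	_, rogue, _ := GenerateSigningKey() // an attacker can make keys, but not the vendor's
	forged, _ := SignImage(rogue, payload)
	_, err = VerifyImage(pub, forged)
	fmt.Println("image signed with untrusted key:", err)
}
```

Two design points map back to Thompson's advice. The device holds no secret at all, so a leaked firmware dump exposes nothing that lets an attacker sign for other units; the only thing that must stay under tight control and audit is the private key in the signing pipeline. And the device checks the signature before it does anything with the payload, which is the "verify before booting or installing" step; a real bootloader would also pin a minimum version to stop rollback to an older signed image, which this example leaves out.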