Pipeline Cybersecurity – The Colonial Ransomware Attack

While it is still early in the investigation, the ransomware attack on the Colonial Pipeline IT systems has had a definite impact on the operation of their East Coast pipeline. Apparently, the control systems involved in the control of the pipeline were not directly affected, but the company shutdown those systems to prevent the attackers from pivoting into the industrial control system networks. An excellent article (to be expected, certainly) from Kim Zetter points out the reasons that the two networks (IT and OT) are connected.

IT-OT Connection Risk Assessment

Pipeline managers have to make the risk assessment about how much interconnection there should be between their IT and OT networks. This attack may (probably not) make some managers change their risk assessments and disconnect the two networks.

Pivoting from the corporate IT networks to the operational networks needs to be difficult. Colonial apparently had controls in place to help prevent that move. They also realized that the longer the attacker was present in their IT networks, the more likely it would be that a route bypassing the security measures in place would be found. Shutting down the control systems until the IT attack could be remediated was a prudent act.

But, as this ransomware epidemic (yes, I used ‘that’ word) is showing the world, corporate IT networks are increasingly vulnerable to this attack methodology. And we are increasingly seeing that the IT/OT nexus has allowed control system networks to become targetable for ransomware attack.

Old Fashioned Air-Gap Security

If the system had been designed to allow for physical network segregation while continuing operation, the effect of the ransomware attack would not be as drastic as the East Coast may be facing in the coming days. Completely air gapping a pipeline control system is probably not possible. Sensors, valves, pumps and other equipment along the length of the pipeline all needs central oversight and control. This means that communications between all of the components of the pipeline control system must exist. And those communications nodes must be adequately protected.

Companies need to be able to physically isolate their control systems from the IT network. This would allow them to continue manufacturing and/or transportation activities while it was working to remediate the ransomware problems on the IT networks. Thus companies could continue money making operations while they worked on their other problems.

Cybersecurity Regulations

I have said before (see here for example) that the federal government has to be careful about what operations they try to regulate for the purpose of protecting control systems from outsider attack. There is simply not enough money or qualified workers available to regulate every control system in the United States. The government does have an interest, however, in overseeing the safety and security of critical infrastructure like fuel pipelines and that should probably include regulating cybersecurity of those facilities so that the populous can rely on the timely delivery of that fuel.

TSA is the agency that is responsible for overseeing the security (including cybersecurity) of pipelines. It is easy to fault TSA for lax oversight, but in truth Congress has been very slow to provide TSA with any specific regulatory authority over cybersecurity of these pipelines. That means that any specific cybersecurity requirements are going to have to go through the legislative process before TSA can start crafting any real regulations.

I would like to suggest that Congress consider (probably as part of their annual pipeline oversight authorization bill) requiring that TSA prepare a regulation for pipeline control systems requiring that they are able to be physically isolated from corporate IT networks when there are indications of a cyber attack (probably should specifically include ransomware attacks) on the IT networks.