Network Segmentation – Perhaps the Only Piece of Good News From the Colonial Pipeline Hack

By Eva Lorenz

Introduction

Now that the situation at the pump seems to have recovered and returned to normal, it is time to figure out what actually happened in the Colonial Pipeline attack and what lessons, if any, we can learn from yet another high-profile cyberattack involving ransomware.

First, a few words of background on ransomware. Ransomware is one of the most common forms of cyberattack today: attackers deploy code onto the victim's network that encrypts files and folders across it, then demand payment for the decryption key. According to the FBI, the best way to contain such an attack is to stop the code from spreading across the network. To recover, companies rely on sound backup practices that let them restore the encrypted files and folders without losing too much data. Victims can also pay the ransom, but the FBI discourages that, and in some cases it is actually prohibited, because the group behind the attack is a sanctioned foreign entity and paying it would violate sanctions.

By now, most of us know that the pipeline hack caused a massive disruption of the gasoline supply to the East Coast, hitting North Carolina particularly hard. Early on, the company stated that the attack had affected its IT network and not the operational network that moves the gasoline, and that operations were shut down out of an abundance of caution. Some experts ask why no switch to manual operation was possible if the operations network was not affected, and why restoring the flow of gasoline took so long. Rather than second-guess how Colonial halted and then restored operations, I want to focus on why Colonial was in a position to state that the attack was limited to the IT network at all.

The Why and How of Network Segmentation

Like many critical infrastructure organizations, including many companies that operate the power grid, Colonial relies on a supervisory control and data acquisition (SCADA) architecture to run its infrastructure network, because SCADA lets a central system monitor and control a large number of purpose-built devices. Pipelines and electrical grids must manage a wide variety of devices that were never designed with IT, let alone IT security, in mind. Electric utilities and pipeline operators are subject to some regulatory oversight, but it has not reached the level that health care or payment card industry companies experience. In addition, much of this infrastructure architecture was designed years ago, when security was an afterthought, much as in the early days of the Internet.

Network segmentation is a commonly used security measure. It is a form of access control: a network is divided into segments, and traffic between segments is restricted by firewalls or access control lists (ACLs), ideally with a default-deny rule so that only the flows a segment actually needs are permitted. Segmentation is especially useful when vulnerable systems must be kept online and cannot be upgraded, such as a legacy application whose data is still needed but which cannot be moved to a current version for technical reasons. Isolating such systems in their own segment reduces the risk that an attacker with a foothold elsewhere can move into that segment and, just as importantly, limits how far an attacker who compromises the legacy system can move out of it.
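To make the mechanics concrete, here is a small Python model of an inter-segment ACL of the kind a firewall would enforce. This is an added illustration, not code from the article or from Colonial: the segment names, address ranges, ports and rules are constructed for the example. It shows first-match evaluation with an implicit deny at the end, and a helper that answers the question a defender cares about after a workstation is phished: which segments can that host still open connections into?

```python
"""Model of network segmentation enforced by a default-deny ACL.

Added illustration; the segments, address ranges and rules are
constructed for this example and do not describe any real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed segments: the IT side (users, servers, management) and a
# separate OT segment holding the SCADA/pipeline controls.
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "users":   ipaddress.ip_network("10.10.0.0/16"),   # office workstations
    "servers": ipaddress.ip_network("10.20.0.0/24"),   # business IT servers
    "mgmt":    ipaddress.ip_network("10.30.0.0/24"),   # security appliances, backups, logs
    "ot":      ipaddress.ip_network("172.16.0.0/16"),  # SCADA / pipeline controls
}


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # segment name, or "any"
    dst: str             # segment name, or "any"
    port: Optional[int]  # None matches every TCP port


# Constructed ACL between segments, evaluated top to bottom: the first
# matching rule wins, and an implicit deny-all sits at the end, so any
# flow not listed here is dropped.
ACL: List[Rule] = [
    Rule("allow", "users",   "servers", 443),   # intranet web apps over HTTPS
    Rule("allow", "users",   "servers", 445),   # file shares
    Rule("allow", "servers", "mgmt",    514),   # syslog to the log server
    Rule("allow", "mgmt",    "servers", 22),    # admins jump into servers
    Rule("allow", "mgmt",    "ot",      502),   # engineering workstation to Modbus/TCP
    Rule("deny",  "any",     "ot",      None),  # nothing else reaches OT
]


def segment_of(ip: str) -> Optional[str]:
    """Name of the segment containing ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, port: int) -> bool:
    """Would the ACL let a new TCP connection from src_ip to dst_ip:port through?"""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False          # unknown address space: deny
    if src == dst:
        return True           # traffic inside one segment never crosses the ACL
    for rule in ACL:
        if rule.src in ("any", src) and rule.dst in ("any", dst) and rule.port in (None, port):
            return rule.action == "allow"
    return False              # implicit deny at the end of the ACL


def reachable_from(src_ip: str, ports=(22, 443, 445, 502, 514)) -> Dict[str, List[int]]:
    """Which segments (and on which of the given ports) a host at src_ip can
    open connections into. This is the lateral-movement surface an attacker
    gets after compromising that host."""
    reach: Dict[str, List[int]] = {}
    for name, net in SEGMENTS.items():
        probe = str(net.network_address + 1)          # a representative host
        open_ports = [p for p in ports if is_allowed(src_ip, probe, p)]
        if open_ports:
            reach[name] = open_ports
    return reach


if __name__ == "__main__":
    # A phished workstation in "users" reaches the IT servers on two ports
    # and nothing in the management or OT segments.
    print(reachable_from("10.10.5.7"))
    # An admin host in "mgmt" reaches OT, but only on the Modbus port.
    print(reachable_from("10.30.0.5"))
```

The point of `reachable_from` is that the ACL, not the attacker's skill, decides the blast radius: with this rule set a compromised workstation can talk to the IT servers on HTTPS and SMB, a compromised IT server can only send syslog toward the management segment, and nothing outside the engineering hosts can open a socket to an OT controller.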

The Payment Card Industry Data Security Standard (PCI DSS) does not require segmentation to isolate cardholder data from the rest of the network, but it recommends segmentation as a way to reduce the scope of the network subject to PCI DSS controls. Here segmentation saves money: the tight controls required for cardholder data need only be maintained on the systems in the cardholder data environment rather than on every system. In health care settings, clinical systems are, for obvious reasons, usually segmented from office IT systems, to minimize the risk that malware jumps from a user device infected through a phishing email to the controller of an ICU infusion pump.

To ensure that segmentation controls actually work, regular testing is recommended. For companies subject to PCI DSS, the standard requires that segmentation controls be tested at least annually (at least every six months for service providers) and after any change to them, to confirm that the out-of-scope segments really cannot reach the cardholder data environment. Does that mean a full penetration test each time? No. A segmentation test focuses only on the separation between network segments: it checks, from each segment that is supposed to be isolated, which hosts and ports in the protected segment can be reached, and it does not try to take ownership of devices or hunt for non-public information. A segmentation test can usually be completed in a few hours, rather than the several days allocated for a penetration test, and it should cover every segment claimed to be isolated, not just a sample.

Segmentation On-premises Versus in the Cloud

Even where a company is not subject to compliance requirements such as PCI DSS, any company with an on-premises or cloud presence should consider adopting segmentation. On-premises, segmentation restricts which user computers can connect to a segment that houses sensitive systems, such as security appliances or backup servers. If an attacker gains control of one computer, the same restrictions by extension limit the lateral movement open to the attacker: the attacker can only reach what that computer's segment is allowed to reach.

The same holds in the cloud. Moving to the cloud does not by itself improve security; the network architecture and the configuration of the deployed systems must still follow security best practices, and segmentation remains an important control. The cloud providers supply the building blocks (security groups, network ACLs, separate subnets or virtual networks), but they are only effective if someone designs the segments and writes the rules. Segmentation is especially critical when a cloud environment mixes publicly accessible systems, such as web servers, with administrative systems, such as backup servers or log servers: a compromised public web server must not be able to open connections into the administrative systems.
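The segmentation test described in the PCI DSS paragraph above and the cloud web-server versus backup-server case here call for the same check, so one added example serves both. This is illustration code, not a tool from the article: the target hosts, ports and expected results are constructed, and the real probe is a plain TCP connect, so the script has to be run from a host inside the source segment under test (a user workstation, then a public web server). One design point worth copying: every source segment carries at least one flow that must be open, because a tester that is unplugged or sitting in the wrong segment would otherwise report every "blocked" expectation as a pass.

```python
"""Segmentation test: verify that the paths a policy says are blocked really
are blocked, and that the tester really sits where it thinks it does.

Added illustration, not a tool from the original article. Targets, ports and
the expected results are constructed. The real probe is a plain TCP connect,
so the script must run from a host inside the source segment under test.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Expectation:
    src_segment: str   # segment the tester must be running in
    dst: str           # target host
    port: int          # target TCP port
    expect_open: bool  # True if the policy permits this flow


# Constructed expectations, grouped by the segment the test runs from.
# Each group carries at least one flow that must be OPEN: if that probe fails,
# the tester is unplugged or in the wrong segment and its "blocked" results
# prove nothing.
EXPECTATIONS: List[Expectation] = [
    # from a user workstation
    Expectation("users", "10.20.0.10", 443,  True),   # intranet web app must work
    Expectation("users", "10.20.0.10", 22,   False),  # no SSH to servers
    Expectation("users", "10.30.0.9",  22,   False),  # backup server in the admin segment
    Expectation("users", "172.16.4.2", 502,  False),  # Modbus on an OT controller
    # from a public web server (on-premises DMZ or a cloud public subnet)
    Expectation("dmz",   "10.20.0.20", 5432, True),   # its database backend must work
    Expectation("dmz",   "10.30.0.9",  22,   False),  # backup server
    Expectation("dmz",   "10.30.0.7",  514,  False),  # log server
]

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes. A timeout and a reset both count as
    blocked: for segmentation we only care whether a path exists."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_segmentation_test(from_segment: str, probe: Probe = tcp_probe) -> Dict[str, List[Expectation]]:
    """Probe every expectation for from_segment and sort the violations into
    flows that are open but should be blocked and flows that are blocked but
    should be open. An empty dict means the segment passed."""
    violations: Dict[str, List[Expectation]] = {"unexpected_open": [], "unexpected_blocked": []}
    for e in EXPECTATIONS:
        if e.src_segment != from_segment:
            continue
        observed = probe(e.dst, e.port)
        if observed and not e.expect_open:
            violations["unexpected_open"].append(e)
        elif not observed and e.expect_open:
            violations["unexpected_blocked"].append(e)
    return {kind: found for kind, found in violations.items() if found}


# Constructed picture of what the network actually allows, so the example
# runs offline: an ACL mistake has left the OT Modbus port reachable from
# the user segment, while the DMZ is correctly isolated.
SIMULATED_OPEN = {("10.20.0.10", 443), ("10.20.0.20", 5432), ("172.16.4.2", 502)}


def simulated_probe(host: str, port: int) -> bool:
    """Stand-in for tcp_probe that consults the constructed table above."""
    return (host, port) in SIMULATED_OPEN


if __name__ == "__main__":
    for segment in ("users", "dmz"):
        print(segment, run_segmentation_test(segment, simulated_probe) or "OK")
```

Against a real network, replace `simulated_probe` with the default `tcp_probe` and run the script once per source segment; a non-empty result for the "users" run, as in the constructed data, is exactly the finding a quarterly or annual segmentation test exists to produce, and an `unexpected_blocked` entry is the signal to stop and check where the tester is plugged in before trusting anything else it reports.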

Conclusion

While we may never find out precisely what happened in the Colonial Pipeline hack, cybersecurity experts point out that this latest ransomware attack is just more evidence of how fragile U.S. infrastructure is and how much more protection it needs. Did Colonial make mistakes? Most likely, especially if the initial attack vector was a vulnerability that for some reason had not been patched, as in the Equifax breach a few years ago. Colonial's ability to recover and resume pumping fuel is (to some degree) due to the fact that segmentation was in place. That segmentation allowed the company to state early on that only the IT network was impacted and that the incident did not reach the actual controls for the pipeline delivering the gasoline.

It is also worth noting that the U.S. government is now taking the ransomware threat to infrastructure seriously. As a consequence of the attack on Colonial Pipeline, the Department of Homeland Security (DHS), through the Transportation Security Administration, has issued a security directive for pipeline owners and operators that, among other things, requires them to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) and to assess their cybersecurity practices and report the results to the DHS.