At one point during the Colonial Pipeline shutdown due to a ransomware attack, 88% of gas stations in the nation’s capital were out of gas. At the height of shortages, 16,200 gas stations along the eastern corridor ran dry.
Although the U.S. is progressing toward greater adoption of electrical vehicles, the reality is that many consumers are still very dependent on filling up their cars for work, school, and recreation. Not to mention that the country’s 2.7 million miles of pipelines also transport natural gas (which provides 40% of the nation’s electricity) and other commodities, making our pipeline infrastructure one of the most critical elements of the U.S. backbone. Protecting it is paramount for fueling both our day-to-day lives and the nation’s economy.
The Colonial incident gave us just a glimpse of the significant implications of a wide-scale cyber attack on any facet of the nation’s critical infrastructure, which also includes power plants, hospitals, transportation, municipal water/wastewater plants, chemical plants, manufacturing facilities, and more. While the DarkSide ransomware hit Colonial’s IT side of the house, imagine the consequences had the intrusion moved toward the OT network that supports industrial control systems (ICS). Convenience isn’t the only thing at stake; public safety is, too.
The digitization of industrial processes has opened a window of opportunity for increased operational and energy efficiency, new digital business models, and better customer experiences (e.g., “mass customization” thanks to the industrial internet of things, or IIoT). Yet it also has created a much broader cyber attack surface.
While much is being done to reduce cyber risk to critical infrastructure, recent attacks make clear that we are still a nation at risk. The Colonial Pipeline attack raised awareness and moved many to action. We are well past a wakeup call for tightening securing controls.
Indeed, cyber risk to critical infrastructure grows every day. In its 2020 ICS Cybersecurity Year in Review, the OT security leader Dragos reported that, “Four new threat groups with the assessed motivation of targeting ICS/OT were discovered, accounting for a 36% increase in known groups.”
How are adversaries trying to reach what once were well-protected and closed-off OT networks, traditionally safeguarded by proprietary communication protocols and hard-wired connectivity? It’s simple: they’re exploiting remote access through stolen credentials and primarily coming in through the IT door. In fact, “The abuse of valid accounts was the number one technique used by named threats” (Dragos report).
The IT-ICS Linkage, from Dragos “Evolution of ICS Attacks and the Prospects for Future Disruptive Events” White Paper
Clearly IT security and OT security must go hand in hand. Yet adding a traditional layer of IT security such as endpoint protection or an often-porous firewall is not enough. Simply applying IT security controls to OT is not sufficient and ineffective, as the baseline of what constitutes normal behavior within an OT network is very different from that of an enterprise network. You therefore need complete visibility and correlation across IT and OT networks made possible by a holistic approach that can detect anomalous enterprise network behaviors as the first indicator that an OT network attack may be imminent.
Securing critical infrastructure with network detection and response
This complete visibility enables security analysts to spot early common IT attack vectors such as credential phishing, access compromises, and lateral movement that signal an early warning for the OT network. For once an adversary gains a foothold on the IT side and moves laterally, it potentially can use the stolen credentials to try to access the OT domain. Behavioral analytics are key to detecting these early threats on the IT network, and, in fact, most OT attacks can be stopped and blocked by preventing initial access to the enterprise network.
For example, below is an illustration of where IronNet behavioral analytics, the backbone of our IronDefense NDR solution, would have detected threat activity attributed to DarkSide’s toolkit, as identified by Sophos, during the early stages of intrusion. Although Colonial Pipeline shut down its operations from an abundance of caution once the IT network was compromised, this mapping indicates where (and why) a strong IT network defense is an essential aspect of protecting pipeline infrastructure.
IronNet detection capabilities as applied to DarkSide Colonial Pipeline attack
A holistic picture of attacks on critical infrastructure
IronNet and Dragos are accelerating a joint initiative designed to protect the nation’s critical infrastructure through an integrated IT-OT approach to cybersecurity. We announced our partnership in May of this year and have been working hand-in-hand to solve this problem.
The IronNet and Dragos joint initiative spans both companies’ respective technical and business domains and is focused on leveraging the IronNet IronDome for Collective Defense and the Dragos Neighborhood Keeper threat intelligence sharing and community-wide visibility solutions in order to increase the overall security posture of organizations — and enable them to focus on core business and digital transformation efforts.
Following the August 25th cybersecurity meeting in the Whitehouse, Tom Fanning, Chairman, President and CEO of Southern Company said in a release, “Virtually unchecked for years our adversaries have been stealing our intellectual property, disrupting our commerce and threatening our democratic way of life. In large part, this war is being waged on our nation’s critical infrastructure, in particular our energy sector, telecommunications networks and financial systems. The private sector owns and operates 87 percent of the critical infrastructure in the U.S., making collaboration between industry and the federal government imperative to thwart these attacks.“
Certainly the TSA Pipeline Security Directive is a good first start for many. To defend against ransomware and sophisticated attacks you need advanced detection capabilities in your IT and ICS/OT domains with the ability to correlate events between the two. But beyond that, we need to work harder to bring together the private sector, ISACs, and government agencies to defend as a unified front. By partnering with Dragos, IronNet is working to achieve this vision.
Connect with us at IronNet to learn more.