Avoiding the Lose-Lose Choice Between Shutdown and Breakdown

Brian Romansky, Chief Innovation Officer, Owl Cyber Defense
May 14, 2021

When Colonial Pipeline shut down its operations on May 8th, it marked the first time a cyber attack disrupted the United States’ critical infrastructure on a national level. Though the attack caused no injuries or environmental damage, the widespread gas shortage and rising prices that resulted from the shutdown are real-world consequences that have affected the lives of millions of Americans.

Based on the initial reports, Colonial appears to have shut down its pipeline as a precautionary measure. Once the ransomware was active on its IT network, the company could not be sure whether the infection would spread to the operational technology (OT) systems that actually control the flow of fuel through the pipeline. Given the choice between a shutdown and a potentially life-threatening physical breakdown, the shutdown was obviously the better option.

But what if Colonial didn’t have to make that choice?

When Russian hackers attacked the Wolf Creek nuclear facility in 2017, the plant maintained operations with no disruption, because its operators trusted the isolation between the business network and the OT systems within the facility. The plant's operators (and federal regulators) knew that even if the IT network was compromised, there was minimal risk that the intrusion would find a path from the infected business systems into the plant's control systems.

To maintain that level of resilience, and to prevent disruptions like the Colonial Pipeline shutdown in the future, the critical infrastructure sector has two jobs to do:

  1. Get better at defending against ransomware and other cyber attacks in the first place
  2. Provide more assurance that OT systems are secure even when IT networks are attacked

Given the long and constantly growing list of IT vulnerabilities and threat vectors, it is probable that some attacks against the IT network will succeed, no matter how well organizations build their first lines of defense. But if critical infrastructure operators know their physical systems are secure, even when malware is shutting down laptops in the main office, they can avoid system-wide shutdowns and service disruptions.

Here are a few practical steps operators can take to defend their OT systems and minimize the risk that a cyber attack could affect critical operations. These are based on techniques that have been used to protect national security systems for years, and the same technology can be used to protect critical infrastructure.

Filter connections at the device

Widespread incidents like the SolarWinds supply-chain compromise have given attackers a persistent presence on many networks, leaving backdoors that can be used at their convenience. There is no reason for a PLC, pump controller or any other industrial control device to accept unrestricted traffic, even on a closed or private network.

There are very specific protocols, commands and other data streams that a given piece of equipment is expected to produce or consume. By filtering connections at the device so that only "known good" traffic is allowed, operators can stop an attacker from sending packets on unexpected ports, or command combinations the manufacturer has never tested. The allowlist should be derived from what the device actually needs (the poll list of its HMI or historian, the function codes and register ranges it legitimately serves) and should fail closed: anything outside that profile is dropped and logged. This level of defense-in-depth at the individual device level dramatically reduces the potential for malware to spread through control networks.

Implement rules for “acceptable” commands

The Oldsmar, Florida water system attack proved that threat actors can use standard, well-formed commands and still cause harm: in February 2021 the attacker used the plant's own HMI to raise the sodium hydroxide setpoint from 100 ppm to 11,100 ppm before an operator reversed it. Critical infrastructure operators should put rules in place that reject frequent or large swings in process parameters when such changes aren't expected, and those rules should be enforced at the device or at a protocol-aware filter in front of it, not only in the HMI, since the HMI is the very system the attacker controlled. A good complementary step is to generate SNMP traps (or syslog messages) whenever a significant change is made, and to configure a SIEM to watch for those events.
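As an added example (not code from this post, nor from Owl Cyber Defense's products), the following Python script shows the two previous steps together: a device-level allowlist for Modbus/TCP, in which each PLC accepts only its expected function codes and register ranges, plus bounds and rate-of-change rules on setpoint writes. The device profile, the register numbers, the "dosing pump" register 40 with a 0..200 ppm range and a 25 ppm maximum step, and the sample traffic are all hypothetical and constructed for the example; Oldsmar was carried out through the HMI rather than by injecting Modbus writes, so the point is the rule, not the transport. The filter decides from parsed fields only and refuses anything it cannot parse, which is the known-good principle described above.

```python
"""Device-level Modbus/TCP allowlist with setpoint sanity rules (added example)."""
import struct
from dataclasses import dataclass, field

READ_HOLDING, WRITE_SINGLE, WRITE_MULTIPLE = 0x03, 0x06, 0x10  # Modbus function codes


@dataclass
class Limit:
    """Engineering bounds for one writable register (hypothetical plant values)."""
    low: int
    high: int
    max_step: int  # largest change permitted in a single write


@dataclass
class DevicePolicy:
    """What one device (Modbus unit id) is expected to be asked to do."""
    allowed_fcs: frozenset
    read_range: tuple  # (first, last) readable holding register
    writable: dict     # register -> Limit
    last_seen: dict = field(default_factory=dict)  # register -> last accepted value


def parse_frame(frame: bytes):
    """Split a Modbus/TCP frame into (unit_id, function_code, pdu_data)."""
    if len(frame) < 8:
        raise ValueError("short frame")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("bad MBAP header")
    return unit, frame[7], frame[8:]


def write_pairs(fc: int, data: bytes):
    """Decode a write PDU into [(register, value), ...]; strict about lengths."""
    if fc == WRITE_SINGLE and len(data) == 4:
        return [struct.unpack(">HH", data)]
    if fc == WRITE_MULTIPLE and len(data) >= 5:
        start, qty, nbytes = struct.unpack(">HHB", data[:5])
        if nbytes == 2 * qty and len(data) == 5 + nbytes:
            vals = struct.unpack(f">{qty}H", data[5:])
            return [(start + i, v) for i, v in enumerate(vals)]
    raise ValueError(f"malformed write PDU for fc 0x{fc:02x}")


def check(policies: dict, frame: bytes):
    """Return (allowed, reason); allow only requests matching the device's known-good profile."""
    try:
        unit, fc, data = parse_frame(frame)
        pol = policies.get(unit)
        if pol is None:
            return False, f"unit {unit} has no policy"
        if fc not in pol.allowed_fcs:
            return False, f"fc 0x{fc:02x} not in allowlist"
        if fc == READ_HOLDING:
            start, qty = struct.unpack(">HH", data[:4])
            first, last = pol.read_range
            if not (1 <= qty <= 125 and first <= start and start + qty - 1 <= last):
                return False, "read outside allowed range"
            return True, "read ok"
        writes = write_pairs(fc, data)
        for reg, val in writes:
            lim = pol.writable.get(reg)
            if lim is None:
                return False, f"register {reg} not writable"
            if not lim.low <= val <= lim.high:
                return False, f"reg {reg}={val} outside {lim.low}..{lim.high}"
            prev = pol.last_seen.get(reg)
            if prev is not None and abs(val - prev) > lim.max_step:
                return False, f"reg {reg} step {prev}->{val} > {lim.max_step}"
        pol.last_seen.update(writes)  # commit only after every write in the PDU passed
        return True, "write ok"
    except (ValueError, struct.error) as e:
        return False, f"malformed: {e}"


def build(unit: int, pdu: bytes, tid: int = 1) -> bytes:
    """Build a Modbus/TCP frame; used here only to construct sample traffic."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def run_samples():
    """Constructed traffic against a hypothetical dosing-pump PLC (unit 1)."""
    policies = {1: DevicePolicy(
        allowed_fcs=frozenset({READ_HOLDING, WRITE_SINGLE, WRITE_MULTIPLE}),
        read_range=(0, 99),
        writable={40: Limit(low=0, high=200, max_step=25)},  # reg 40: setpoint in ppm (hypothetical)
        last_seen={40: 100},  # value read from the device at start-up
    )}
    read = bytes([READ_HOLDING]) + struct.pack(">HH", 0, 10)
    samples = [
        build(1, read),                                                   # HMI polls registers 0-9
        build(1, bytes([WRITE_SINGLE]) + struct.pack(">HH", 40, 110)),    # small operator adjustment
        build(1, bytes([WRITE_SINGLE]) + struct.pack(">HH", 40, 11100)),  # Oldsmar-sized jump
        build(1, bytes([WRITE_SINGLE]) + struct.pack(">HH", 40, 190)),    # in bounds, but step of 80
        build(1, bytes([WRITE_SINGLE]) + struct.pack(">HH", 41, 5)),      # register never written
        build(1, bytes([0x08]) + struct.pack(">HH", 0x0004, 0)),          # Diagnostics: Force Listen Only
        build(7, read),                                                   # unit id that does not exist
        build(1, read)[:-1],                                              # truncated frame
    ]
    return [check(policies, f) for f in samples]
```

Calling `run_samples()` returns one verdict per sample frame; every denial is the event that should be forwarded to the SIEM as an SNMP trap or syslog message, and a real deployment would also log accepted writes above some smaller step so that slow drift is visible. The step check depends on the last accepted value, so the filter must sit on every write path to the device and seed `last_seen` from a read of the live value when it starts.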

Isolate OT systems

Hardware-enforced isolation makes it much more difficult for an attacker to gain access to a critical system. One-way data flows (data diodes) and hardware-based protocol breaks stop many low-level attacks, such as the Ripple20 vulnerabilities in the Treck embedded TCP/IP stack, that can trip up software-based firewalls: because the protocol break terminates the TCP/IP session on the untrusted side and re-creates only the application data on the protected side, a malformed packet never reaches the device's own network stack, and a one-way link gives an attacker on the business network no channel back into the plant at all.

No one yet knows the cost of shutting down the Colonial pipeline, but we’re all likely to feel it at the pump in the coming months. The cost of protecting OT systems and eliminating the need for a shutdown pales in comparison.

To learn more about strategies for isolating and protecting OT systems, join us on May 20th for Data Diodes 201: Digging into Use Cases [an Energy Central PowerSession™].

