It’s been less than a week since Colonial Pipeline, the Georgia-based operator of a petroleum product pipeline network that runs across 13 states from Texas to New Jersey, revealed that it had been hit with a ransomware attack. The attack appears to have been carried out by DarkSide, a for-profit operation that specializes in double extortion schemes, which involve locking down the target company’s networks and also releasing stolen data if the company does not pay the ransom demanded.
It also appears not to have infected any of Colonial Pipeline’s operational technology (OT) networks. Nevertheless, the company took its 5,500-mile (8,851-km) network offline in order to ensure that DarkSide malware could not spread from corporate information technology (IT) systems into the OT systems that manage the flow and distribution of fuel through its pipelines.
Since Colonial Pipeline accounts for about 45% of all the gasoline, diesel, and jet fuel consumed along the East Coast, the shutdown is already having significant consequences. It has triggered the shutdown of the largest refinery in the United States. It has led major airlines to revise their fueling arrangements in order to avoid shortages. It has caused hundreds of filling stations to run out of gasoline and diesel because they can’t secure supplies through the usual channels.
The company has said it hopes to restore service by the end of the week, provided that security threats have been adequately contained. Nevertheless, it’s probably going to take a few weeks to bring U.S. fuel markets back to normal.
Objective reasons for beefing up security
It will also take time to sort out the consequences of this incident on the cybersecurity side. Even so, companies active in the oil and gas industry – and in all other sectors of critical infrastructure – should start thinking now about how to guard against the next attack.
There are objective reasons for increased vigilance. On the one hand, the number of cyberattacks targeting the oil and gas industry is on the rise, not just in terms of absolute numbers, but also in comparison to other sectors of the economy, as a recent Kaspersky report has detailed. This means that oil and gas companies – including upstream, midstream, and downstream operators, as well as service providers – should all assume that they’re on the list of targets, no matter how big or small they are.
On the other hand, the consequences can be dire. Shutdowns, lockdowns, and other disruptions are usually expensive for the companies involved, as well as a drain on the economy at large. They can lead to regulatory violations, legal troubles, and poor public relations. Even worse, they have the potential to pose direct threats to the health and safety of workers and nearby communities.
Time to take a closer look
But what exactly should oil and gas companies be doing to prepare? First, they should be taking a look at their own cybersecurity solutions. If they don’t have any, now is the time. But even if they do have something in place, they ought to take a closer look and make sure those solutions are up to the challenge.
That process will probably involve one or more of the following steps.
Steps to strengthen cybersecurity posture
Asset discovery: Companies active in the oil and gas sector should take a look at all of their assets and determine exactly what their IT and OT systems consist of, including both hardware and software. They should also determine how these systems are connected – and how all the components of each system are linked (For oil and gas companies, this would involve identifying every asset involved in the performance of both administrative and operational duties).
Asset inventory: It’s not enough for companies to draw up a list of assets. They also need an organized inventory that explains what each asset does and how each asset works with other parts of the system. Additionally, they need a way to manage the inventory to ensure that it’s updated each and every time there’s a change in the line-up – for example, if new devices are added to a network or if existing software is updated (Again, for an oil & gas company, this would involve an explanation of what role every asset played, both individually and within the system as a whole).
Vulnerability assessments: An inventory isn’t enough either. Oil and gas companies also need to know which parts of their systems are especially at risk. They also need to know why those components are vulnerable – for example, whether it’s because they are legacy technologies that aren’t compatible with newer equipment used elsewhere or whether it’s because they rely on a specific type of software that can’t be updated without voiding the terms of service. Pinpointing these vulnerabilities makes it easier to decide where safeguards such as firewalls and sandboxes are needed most (In similar cases, we’ve seen where vulnerability assessments have informed decisions to close down pipelines in order to prevent the malware that had infected IT systems from spreading into the OT realm).
Visibility: Identifying weaknesses within the system isn’t enough either. Companies should also look for cybersecurity solutions that help them make sense of the information they have through visibility. That is since they can’t secure what they can’t see, it is imperative these security solutions have complete packet data to provide a clear representation of the systems being inspected. We are seeing more and more companies turning to Data Diode TAPs to ensure unidirectional monitoring traffic so OT environments aren’t exposed. Solutions of this type help put everything together by allowing users to see what’s in their networks, what’s connected to their networks, and who’s active on their networks on the packet level (This is very important information for companies, whose petroleum product pipeline network is considered critical infrastructure).
This diagram represents how Data Diode TAPs send unidirectional monitoring traffic to security solutions, ensuring hacked data cannot flow back into the operation systems.
Continuous, real-time monitoring: Visibility is even more useful when paired with monitoring solutions that allow users to detect threats and anomalies as they happen and respond to them as rapidly as possible. With continuous, real-time monitoring, it’s easier to act quickly to contain security breaches – even in situations where fast action may be difficult, as in the case of Colonial Pipeline (Similar company pipeline systems can be extensive and sprawling, with some facilities that are in remote rural locations and many others that are distant from headquarters).
Preparation, practice, and prevention: Oil and gas companies should also take a proactive approach to cybersecurity, not just reacting to attacks and anomalies, but also preparing for them, practicing for them, and looking for ways to prevent them. In concrete terms, this means instituting a regular program of maintenance for security systems, developing a strategy for responding to threats, and conducting drills and simulations through penetration testing and/or red-teaming (Oil & gas companies will benefit from stepping up such practices, given that the oil and gas sector is known to be at risk).
Industry-specific expertise: Oil and gas companies would also do well to seek cybersecurity solutions from providers that understand their challenges. These include but are not limited to the wide geographic dispersion of assets, dependence on legacy systems that are aging but reliable, monitors and sensors that generate so much data that they may make cyberattacks hard to spot, and the need to avoid shutdowns that can damage equipment or cut off supplies of vital commodities. Security providers that are not accustomed to accommodating such conditions are likely to have a hard time setting up an effective solution for oil and gas companies.
We know we’ve given you a long list of things to think about. But you don’t have to solve the problem by yourself. Garland Technology is happy to discuss network TAP visibility and other solutions that oil and gas companies can implement to keep their critical infrastructure systems working.
Join us for a brief network Design-IT consultation or demo. There’s no obligation – it’s what we love to do.
