The June GTIC report from NTT Ltd looks at the Colonial Pipeline attack and the lessons to be learned. It also highlights how the lack of accurate information can lead to an inaccurate understanding of such attacks. This is important. When attacks such as the Colonial Pipeline happen, other companies in the same sector were keen to discover how and why it happened. It is information that allows them to check their systems and ensure they are not the next victim.
In the case of Colonial, much of the early attention was on the shutdown of the pipeline, OT systems and the ransom payment. However, Bruce Snell, VP of Security Strategy and Transformation, US, NTT Ltd, believes that was a mistake. What is now known is that the attackers went after the company’s back-office systems, not its OT network.
Snell says that what happened then was: “Colonial proactively shut down their OT systems to protect them from the internal systems which actually had been compromised.”
OT systems are often out of date
Snell continued: “For Colonial, this was probably their best option, as an infection throughout their OT network could have led to greatly extended downtimes for the pipeline and created massive fuel shortages that could have taken weeks if not months to recover from.”
One of the reasons OT systems are vulnerable is that they are often using out of date software. For example, Windows NT and Windows XP are all common in large OT networks. Microsoft replaced both some time ago and no longer issues security patches and updates. It means that many of the vulnerabilities identified with them are unpatched.
To protect them, companies often try and ringfence them behind internal firewalls. The problem, as Snell notes, is: “had their pipeline systems been impacted, a massive restart and restore operation would have been required.” This would have required network engineers to verify and even reinstall the software at thousands of often remote points on the pipeline. It is a task that would have taken months.
What have we learned?
Snell highlights several things that companies have to take away and do better. He lists the four stages of the breach:
- Infiltration: Attackers gain access to the systems, often through stolen credentials.
- Persistence: Multiple points of entry are established to ensure the attackers cannot be locked out of the system.
- Exfiltration: The attackers look for commercially sensitive or compromising data on the victims systems. That data is then exfiltrated to the attackers systems.
- Encryption and ransom demand: The victims systems are locked and a ransom demand issued. To persuade the company to pay, a sample set of data is made public.
But how do companies protect themselves? The solution, according to Snell, is to change how they think and defend. He gives three recommendations to improve security:
- Take a holistic approach: IT and OT systems have to be part of the same security solution. Unfortunately, in many companies, this is not the case. They are owned and installed by different teams with no coordinated security approach.
- Security training for everyone: This is a given, but it has to be effective. Snell says: “Everyone from the board to the front desk should have regular security awareness training to help prevent common issues like easily guessed passwords or clicking on malicious links in phishing emails.”
- Proactive security: When an attack happens, have an immediate action plan and use it. Colonial pulled the plug because it recognised the wider threat to its OT systems. Snell believes it was the right move but says the right tools could have provided a more controlled response.
Enterprise Times: What does this mean?
Perhaps the biggest lesson here is that things are not always as they seem. OT is often accused of being the weakest link in security, and rightly so. However, not every attack is against OT systems, and IT security teams need to remember that.
We have learned in the aftermath of the attack that the entry point was stolen credentials for a VPN service that had no multi-factor authentication. Colonial is not saying if the account was in use or one just forgotten about. Irrespective of that, it again highlights the problem of just relying on credentials that can be stolen and reused. There is no excuse today for not reviewing all accounts and ensuring that they are properly secured.