News broke this week of a ransomware attack bringing an unnamed US gas pipeline facility to its knees. According to news articles, “an entire pipeline facility” was rendered inoperable for two days and several physical locations were affected by the attack.
I have recently been working with colleagues here at CyberCube to construct a “realistic disaster scenario” that focuses on attacks on industrial control systems (the “operational technology” that powers automation of critical infrastructure). This work is important to the insurance industry as it allows insurers to examine “worst case scenarios” and what impact they might have on them from a financial perspective. During this work, many discussions and debates have been had about the likelihood of something as common as a ransomware outbreak adversely affecting critical IT systems that, in some people’s view, are (in most cases) – bulletproof.
Let’s examine the known facts from the recent story..
Like most ransomware campaigns, this started with a “spear phishing” attack. Essentially, an email message targeting key individuals in the organisation, carrying a malicious payload and relying on social engineering technique to trick recipients into opening its content. I used to construct these types of email attacks (all in the name of staff education, of course) and was constantly amazed at how the mention of “payroll” or “holiday entitlement” in an email’s content was, often, enough to get 70% of recipients to open it…. But I digress…
The email attack here could have been avoided through the implementation of tools and, much more importantly, a trained and aware set of users. However, in the context of bringing critical infrastructure down, it should not have been enough.
Why? Because the internet-connected Information Technology (“IT”) systems at the company should not have been connected in any way to the Operational Technical (“OT”) systems that are critical to the operation of the gas pipeline. If this were the case, any malicious payload that the email attack managed to propagate would have had the effect of bringing “business important” systems (email, payroll, CRM, ERP…) down but would not have affected “business critical” (OT) systems. In security, we called this “segmentation”. Essentially, limit potential damage by dividing assets up into discrete silos that can only influence themselves.
Connecting IT and OT networks has, for a long time, been seen as a “no-no” by security professionals but, in a recent survey conducted by security firm Fortinet, 100% of the 429 firms that they surveyed have their critical industrial control networks connected to the internet in some way (mainly through GPS tracking technologies or internet-facing security systems… oh!, the irony).
This recent cyber-attack and resulting downtime was bad. It was, however, not nearly as bad as the “realistic disaster scenario” that myself and the team at CyberCube have been constructing (which shows an effect of an almost nation-wide power outage for a period of days). An unlikely event? Hopefully. An impossible event? It would appear not.
