On June 8th, 2021, the CEO of Colonial Pipeline, Joseph Blount, testified in front of the Senate homeland security committee. He provided additional facts surrounding last month’s cyberattack and the logic of his company’s response. Significantly, it was shown that Colonial was operating with limited information concerning their own architecture and limited information concerning the true extent of the breach. The testimony further indicated that, while unfortunate, the attack could have been mitigated with greater security awareness and better OT asset management. The testimony stands as a reminder to all system operators about the importance of an up to date asset inventory, anomaly detection, and vulnerability monitoring.
[video width="1280" height="720" mp4="https://www.industrialdefender.com/wp-content/uploads/2021/06/Legacy-VPN.mp4"][/video]
According to the testimony, the ransomware attack exploited a legacy VPN that was “not intended to be in use” and that they “could not see and did not show up in any pen-testing.” Furthermore, despite assurances that the password was “complicated”, the VPN lacked two-factor authentication and was still responsible for the security breach. Fundamentally, it was Colonial Pipeline’s ignorance of their own network architecture that was weaponized directly against them.
[video width="1280" height="720" mp4="https://www.industrialdefender.com/wp-content/uploads/2021/06/OT-Systems.mp4"][/video]
As a result of this lack of situational awareness, Colonial was unable to determine the true extent of the penetration. According to Blount, the company was unable to determine if the OT system had actually been compromised. They were instead forced to determine that “[i]f there was 1% chance that OT system was compromised it was worth shutting the pipeline system down.” They were, in effect, forced to shut down their entire OT system because they could not determine, or isolate, the compromise. Had the company been more diligent about monitoring their systems, they could have produced a more tailored response and mitigated damages.
[video width="1280" height="720" mp4="https://www.industrialdefender.com/wp-content/uploads/2021/06/TSA-Security-Check_1.mp4"][/video]
To this effect, much attention within the hearing was dedicated to potential mistakes that led to the exploit. In particular, Colonial’s decision to not participate in a TSA organized security check received significant attention. It was observed by Mr. Blount, however, that this program only provided a voluntary questionnaire and not any sort of actual system level checks. Therefore, it would have been very unlikely to have raised any awareness of the legacy system responsible for the exploit.
This highlights the insufficiency of voluntary guidelines and the need for regulatory improvement. While perhaps helpful, questionnaires are insufficient when the problem is asset ignorance on the part of the corporation. Instead, this event should offer a moment reflection for OT system operators. Questionnaires and voluntary discussions are never a replacement for robust centralized OT asset management, vulnerability monitoring, and real-time cyberattack detection and alerting.
This testimony highlights the importance of cybersecurity controls for both corporate stakeholders and the public more generally. This moment of cyber warfare in our nation presents major problems for a diverse set of private sector companies, from large utilities to healthcare facilities. To meet this challenge, these industries must apply these 5 foundational security controls:
By applying just these 5 controls, companies can reduce their cyber risk by 85%. If you’re looking to get started with an OT cybersecurity program, we recommend looking into the NIST Cybersecurity Framework. Our NIST implementation guide covers how to apply this framework in OT environments and offers tips for measuring your security maturity.