By Caitlin Huey, Joe Marshall and Thomas Pope.

Attackers have targeted American critical infrastructure several times over the past few years, putting at risk U.S. electrical grids, oil pipelines and water supply systems. However, we collectively have not responded in a meaningful way to these attacks. This inaction has now led to a failure to protect our oil and natural gas (ONG) infrastructure, resulting in some fuel shortages in wide swaths of the U.S. earlier this year. This, in turn, has prompted federal executive action emphasizing protecting critical ONG infrastructure and responding to ransomware attacks in this space. ONG companies must take heed – proactive and wholistic security can protect their enterprises and critical infrastructure. In May of 2021, adversaries targeted petroleum pipeline company Colonial Pipeline with the DarkSide ransomware-as-a-service (RaaS), causing the company to shut down its pipelines and temporarily halt petroleum delivery. This is significant, as Colonial Pipeline handles 45 percent of all petroleum delivery on the U.S.’s East Coast. While this attack didn’t directly affect industrial control systems (ICS) within its operational technology (OT) network, Colonial Pipeline could not effectively deliver its products, which are vital to the East Coast, creating a weeklong delay in fuel supply. This in turn created panicked gas buying and fuel shortages in the southeast of the U.S. Gas stations across the south-east reported vastly reduced supply, for example on May 13, North Carolina alone reported that 71 percent of the state’s gas stations were out of fuel.

There were clear warnings about the fragility of our petroleum infrastructure. As discussed below, these attacks are not new; we observed in 2018 and 2019 oil and natural gas infrastructure companies were targeted by cyber attacks with few governmental or policy reactions stemming from those incidents.

A history of attacks on U.S. oil and natural gas infrastructure

Attackers have targeted ONG and third-party providers involved in the drilling and distribution process (upstream, midstream and downstream) for years. The attack against Colonial Pipeline is not novel or particularly new. However, the biggest differentiation is the effect of this attack and the implication that we have seen this before.

Energy Services Group (ESG) serves as an Electronic Data Interchange (EDI) for companies to purchase and fulfill services, and most notably, for natural gas transportation and distribution. In 2018, these services were directly affected by a malware incident, causing companies to use either redundant processes or manual operations. While the attack did not directly affect operations, the consequences could have been far worse if ESG was used as a pivot point into third-party connections at these companies.

In 2019, the U.S. Coast Guard released a report of a natural gas compression facility that experienced an outbreak of Ryuk ransomware in their IT and OT networks. During the incident, there was a loss of view and loss of availability for OT devices. According to CISA, human-machine interfaces (HMIs), data historians and polling servers were all affected because of the underlying Windows operating systems. The outage lasted 30 hours while the company replaced encrypted systems and installed known-good configurations.

The incidents discussed above are examples of when ONG is affected by cyber attacks that may not have specifically been intended to affect OT. These events draw direct parallels to the Colonial Pipeline attack and serve to highlight how serious the attack was.

How did we get here?

In a word: Convergence. For the uninitiated, this is an oft-cited term meaning that industrial OT networks and information technology (IT) networks have merged or are merging processes and infrastructure. There are tremendous amounts of technology that overlap in these networks – routers, switches, radios, operating systems and architecture that are near identical to a traditional IT network. In theory, to minimize the attack surface, these networks are strictly physically air-gapped and logically segmented. This architecture concept implies that OT and IT networks are self-reliant. This is a fantasy. The hard reality to address is that IT and OT are converged.

The difficulty is determining when it happened. Unfortunately, there is no hard data or threshold that signifies when we collectively crossed the “Convergence Rubicon.” However, it is quite easy to understand why it happened. Beginning in the 2000s, IT services organically found their way into OT environments, allowing a transition of data and control from an OT network into an IT network. Businesses naturally seized upon these converged efficiencies. Nowadays, OT networks are incredibly dependent on IT networks, and vice-versa. It might be easy to attribute these convergences as poor network design or carelessness for security. The reality is that to fulfill business imperatives and remain competitive, OT and IT had to converge. With the Norsk Hydro and Colonial Pipeline ransomware attacks, OT was affected because of attacks in IT. From logistics to billing, to data analytics, IT/OT systems are mutually supportive and mandatory for daily operations, should one falter, the other folds.

The government’s increased focus on ONG attacks

Since the Colonial Pipeline attack, there have been more awareness and policy around how organizations should best report, respond, and mitigate ransomware in ways that did not previously happen following an attack against U.S. ONG.

On May 12, nearly a week after the Colonial Pipeline attack, the Biden administration signed an Executive Order mandating certain security mitigations to improve response and security around attacks against critical infrastructure. While these are not necessarily CI- or ONG-specific, such as implementing multi-factor authentication (MFA) and encrypting data, these are incremental improvements aimed toward increasing the security posture for CI. Shortly after, another wave of policy was made on May 27 when the U.S. Department of Homeland Security’s (DHS) and the Transportation Security Administration (TSA) issued cybersecurity requirements for critical pipeline operators and owners, requiring reporting of confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA), a move to regulate cybersecurity practices in the pipeline industry. While it may not prevent future attacks similar to the Colonial Pipeline incident, the increase in policy and awareness is meant to acknowledge that changes need to be made. The current administration also highlighted the need for federal prosecutors to observe new guidelines looking to improve the reporting of ransomware victims and the creation of waivers and rules for pipeline operators.

The issue that arises is that multiple government agencies, including DHS, CISA, TSA, and the Department of Energy (DOE), are trying to enact regulations on pipeline operators. This may make it difficult for the operators to work toward each agency’s standards. In 2010, the electric utility vertical had similar issues with the crossover between the North American Energy Reliability Corporation (NERC) and the Nuclear Regulatory Commission (NRC) around regulations of nuclear plants. This was settled by dividing which entity handled each area (NRC for the plant and NERC for everything outside of the plant), helping power companies understand necessary compliance measures. Something similar needs to happen for pipeline security since reporting to multiple agencies that are jostling for position could be counterproductive.

A recent announcement by the U.S. Department of Justice (DOJ) highlights how ransomware is being prioritized. This is a step in the right direction, but additional approaches are needed for the community to respond to ransomware — such as the ones being suggested by groups like the Ransomware Task Force, whose goal is to ultimately dismantle and disrupt these ransomware groups. How governmental bodies prioritize ransomware, disrupt ransomware actors, share information about ransomware attacks, and establish response and recovery plans are among the 48 recommendations that the task force has made in recent months.

Now is the time: Protect yourself

Recovering quickly and safely is paramount for ONG companies. Shutting down critical services should only be done if there is a risk to equipment or people. In some cases, blunting the effects of an adversary moving through an environment can also have detrimental effects to customers, which may have unforeseen consequences. There are several processes to undertake proactively to keep business up and running or recover quickly.

Companies with an OT footprint need to map out and perform process analysis to understand where the intersections of IT and OT exist. As seen in the Norsk Hydro and Colonial Pipeline incidents, it is crucial to understand what the downstream effects to OT are if an incident or failure in IT were to occur. During an incident, knowing the company’s “crown jewels” is imperative to response and restoration. This mapping should inform decisions around topics such as segmentation, backup strategy, disaster recovery, and, most importantly, operations.

There need to be recovery plans and primers, for threats such as ransomware, in place that cover both IT and OT. Companies can recover faster and cleaner if these plans and technologies are exercised in a disaster recovery (DR) scenario. There should be some offline or “cold storage” backups if the backup systems are also rendered unavailable. There are several questions that every company with an operational footprint needs to ask themselves:

Where does IT and OT intersect?

  • Can OT disconnect from IT and still operate?
  • How much time is needed to recover IT systems? OT systems?
  • Are there incident response plans for IT? If so, do they exist for OT as well?
  • Is there visibility into the OT environment? If not, how would you respond to a possible cyber incident?
  • If an incident is outside of your capability to handle, who do you call? Government, third-party, another company?
  • Are the IT and OT networks appropriately segmented and is traffic that passes between them appropriately analyzed and controlled?

If you are experiencing an emergency or in need of an incident response retainer, Cisco Talos Incident Response is available for proactive and emergency response.