by Andrew Ginter, VP Industrial Security, Waterfall Security Solutions
The Colonial Pipeline has resumed operations, again delivering millions of barrels of gasoline from refineries in Texas to markets in the Eastern United States. Bloomberg reports that Colonial paid $5 million to the attackers, who have been confirmed as the criminal group DarkSide. This is after six days of downtime and widespread gasoline shortages.
The CISA alert AA21-131A reports that the ransomware was deployed on Colonial's IT network and that, at the time of the alert, there was no indication that OT or industrial networks were affected. Why, then, did the pipeline have to be shut down?
The answer is that CISA describes the attack as targeted ransomware. In a targeted attack, the attackers first gain a foothold on a target network, usually the IT network, with a RAT (a Remote Access Trojan). The RAT connects out to an Internet-based command-and-control server, and the attackers operate the RAT manually and remotely through that server. They send it instructions to spread through internal firewalls in search of more valuable targets and, eventually, to encrypt everything it can touch.
Targeted ransomware can affect physical operations in one of three ways:
- Modern RATs are powerful tools, and once one is in the IT network there is a real chance of it "leaking" into operations accidentally. Even without evidence that the attack has migrated into operations, an organization might shut everything down out of an abundance of caution. CISA reports that this was the case with Colonial Pipeline.
- Attackers can deliberately push the RAT into industrial and OT networks, specifically targeting physical operations. This is what the TRITON attackers did in 2017, pivoting from the IT network into the safety-system network of a petrochemical plant.
- And the ransomware can shut down IT systems that operations needs in order to keep running. In hindsight, these IT systems should probably have been protected as part of the OT network rather than left on the Internet-exposed IT network. This was the case at many of the manufacturing sites that targeted ransomware took down in 2020.
The root of the problem is connectivity. Targeted ransomware breaks through firewalls routinely: a firewall filters traffic, but every connection it permits from IT into OT, and every outbound connection it lets a RAT make to its command-and-control server, can carry the attackers' commands. The attackers send those commands right through firewalls to operate the RAT.
The solution that many pipeline companies deploy is a Unidirectional Security Gateway at the IT/OT network interface. The gateway hardware is physically able to send information in only one direction, from the OT network out to the IT network. Unidirectional Gateways give the business access to industrial data to increase efficiencies without providing any access to industrial systems: the hardware is physically unable to carry RATs, RAT commands, keystrokes, mouse movements or ransomware into the operations network.
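As an added example (not code from the original post or from Waterfall), the script below audits a constructed IT/OT boundary firewall policy for the property a unidirectional gateway enforces in hardware: no session may be initiated from the IT side into the OT side. The zone address ranges, the rule format and the sample rules are all assumptions made up for the example.

```python
"""
Audit an IT/OT boundary firewall policy for IT -> OT session initiation.

Added example, not from the original post or from Waterfall. Zone ranges,
the Rule layout and SAMPLE_POLICY are constructed for illustration; replace
them with an export of the real boundary policy.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone map (assumption: IT is 10.0.0.0/16, OT is 10.100.0.0/16).
ZONES = {
    "IT": ipaddress.ip_network("10.0.0.0/16"),
    "OT": ipaddress.ip_network("10.100.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    dport: str    # destination port, "lo-hi" range, or "any"


def zones_touched(spec: str) -> set:
    """Zones an address spec overlaps; 'any' overlaps every zone."""
    if spec == "any":
        return set(ZONES)
    net = ipaddress.ip_network(spec, strict=False)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}


def initiates_it_to_ot(rule: Rule) -> bool:
    """True when the rule lets a session be opened on the IT side and accepted in OT.
    This is exactly the path a remotely operated RAT, or its operator, needs."""
    return (rule.action == "allow"
            and "IT" in zones_touched(rule.src)
            and "OT" in zones_touched(rule.dst))


def audit(rules):
    """Allow rules that give IT-side hosts a path into OT.
    Conservative: shadowing by earlier deny rules is not modelled, so every
    matching allow rule is reported as a candidate for review."""
    return [r for r in rules if initiates_it_to_ot(r)]


def is_unidirectional(rules) -> bool:
    """A policy is unidirectional (OT -> IT only) when audit() finds nothing."""
    return not audit(rules)


def summarize(rules):
    """One finding line per flagged rule."""
    lines = []
    for r in audit(rules):
        ports = "all ports" if r.dport == "any" else f"{r.proto}/{r.dport}"
        lines.append(f"{r.name}: {r.src} -> {r.dst} ({ports}) lets IT initiate into OT")
    return lines


# Constructed sample policy: a typical bidirectional IT/OT firewall.
SAMPLE_POLICY = [
    Rule("historian-replication", "allow", "10.100.20.5/32", "10.0.50.10/32", "tcp", "5450"),
    Rule("ot-ntp-out", "allow", "10.100.0.0/16", "10.0.1.1/32", "udp", "123"),
    Rule("it-rdp-to-jump", "allow", "10.0.0.0/16", "10.100.10.2/32", "tcp", "3389"),
    Rule("vendor-support", "allow", "any", "10.100.10.0/24", "any", "any"),
    Rule("deny-all", "deny", "any", "any", "any", "any"),
]

if __name__ == "__main__":
    for line in summarize(SAMPLE_POLICY):
        print(line)
    print("unidirectional:", is_unidirectional(SAMPLE_POLICY))
    # Remove the flagged rules and re-check: only OT -> IT flows remain.
    hardened = [r for r in SAMPLE_POLICY if not initiates_it_to_ot(r)]
    print("unidirectional after removing flagged rules:", is_unidirectional(hardened))
```

Run against the sample policy, the audit flags the RDP rule and the vendor-support rule (its "any" source includes the IT zone). With those two removed, the remaining allow rules all originate in OT and the policy passes the check, which is the one-way data flow a unidirectional gateway guarantees physically rather than by configuration.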
Waterfall Security Solutions invented Unidirectional Security Gateways over a decade ago, specifically to defeat targeted attacks. Back then, nation-state actors were behind the worst targeted attacks. Today these attacks are carried out by organized crime groups using the tools and techniques of nation-states; they punch through layers of firewalls and extort money from all kinds of businesses. The time has come to put Unidirectional Gateway protections in place for all important OT networks.
Pipelines and other critical infrastructures all over the world are turning to Waterfall for security. For a free consultation with a Waterfall expert to see how Unidirectional Gateways can help your organization, please visit the Contact Us page on the Waterfall website.