The Colonial Pipeline cyberattack is (another) call for zero trust and resilience in industrial companies
The incidents of the past month have confirmed the lack of cyber resilience in many industrial companies and are another reminder of the benefits of zero trust in mitigating the effects of ransomware.
On Friday, May 7, 2021, Colonial Pipeline safely shut down its pipeline operations due to a ransomware incident in its corporate network. Colonial Pipeline transports 45% of the fuel along the East Coast of the United States through 5,500 miles of pipeline. To mitigate the disruption of Colonial Pipeline, the US government allowed a temporary hours of service exemption for trucks transporting fuel, but many states in the Southeast USA still experienced fuel shortages.
The industrial community must improve resilience in operational networks using zero trust strategies
Digital transformation (or IT/OT convergence, or Industry 4.0) has been great for industrial companies’ ability to deliver products efficiently and reliably. But we have collectively failed to appreciate how fragile these systems are and how easy it is for cybercriminals to affect business operations and potentially create unsafe conditions in industrial environments. Colonial Pipeline isn’t the first time ransomware or destructive malware in a corporate network has disrupted or degraded industrial operations, and sadly, it will not be the last. Over the last few years, Norsk Hydro, Honda, Merck, Maersk, Johannesburg’s electric utility, and other industrial companies have all seen ransomware significantly affect their core business operations. For companies with significant industrial operations, corporate IT should be viewed as the “add-on,” not the main network.
OT should function without IT
Operational technology is where a business makes money. If petroleum flows, turbines spin, and assembly lines move, then a company can withstand a breach in the corporate IT environment and continue to serve customers and partners. Furthermore, a breach in OT should not shut down all of OT. Some social media pundits have criticized Colonial for not “air gapping” its business and industrial networks. As explained at length by Joe Slowik, air gaps are not practical or required outside very few scenarios, usually around nuclear energy. With a zero trust strategy primarily focused on protecting industrial processes, industrial companies are better positioned to withstand a ransomware attack and maintain operational uptime.
IT and business leaders likely have heard myths that a zero trust architecture is too costly or complex. In reality, organizations can implement many zero trust strategies with current technology and updated policies and standards. For example, using unique identities to access critical information or processes doesn’t require new technology. Baselining industrial automation systems and configuring allow lists so that only authorized systems can communicate with them is a great strategy to reduce the risk of a cyber-physical attack.
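The baselining and allow-list strategy described above, sketched as an added example that is not part of the original post: it learns which flows reach control-network assets during a known-good window and then treats everything else as unauthorized. The addresses, the `10.10.2.0/24` control-network range, the `min_seen` threshold and all flow records are constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

OT_ASSETS = ip_network("10.10.2.0/24")  # assumed control-network range

# Constructed flow records (src, dst, dst_port) from a known-good baseline window.
BASELINE_FLOWS = [
    ("10.10.1.5", "10.10.2.20", 502),    # HMI -> PLC, Modbus/TCP
    ("10.10.1.5", "10.10.2.20", 502),
    ("10.10.1.5", "10.10.2.20", 502),
    ("10.10.1.6", "10.10.2.20", 44818),  # engineering workstation -> PLC, EtherNet/IP
    ("10.10.1.6", "10.10.2.20", 44818),
    ("10.10.1.9", "10.10.2.20", 502),    # seen only once: not trusted automatically
]

# Constructed live traffic to evaluate against the allow list.
LIVE_FLOWS = [
    ("10.10.1.5", "10.10.2.20", 502),      # matches the baseline
    ("192.168.50.14", "10.10.2.20", 502),  # corporate IT host reaching the PLC
    ("10.10.1.5", "10.10.2.20", 3389),     # known HMI, but a port never baselined
    ("10.10.1.5", "10.20.0.8", 443),       # destination is not an OT asset
]


def targets_ot(flow):
    """True when the flow's destination sits inside the control network."""
    return ip_address(flow[1]) in OT_ASSETS


def build_allow_list(flows, min_seen=2):
    """Allow only OT-bound flows observed at least min_seen times in the baseline."""
    counts = Counter(f for f in flows if targets_ot(f))
    return {flow for flow, seen in counts.items() if seen >= min_seen}


def check_flows(flows, allow_list):
    """Default deny: return every OT-bound flow the allow list does not authorize."""
    return [f for f in flows if targets_ot(f) and f not in allow_list]


ALLOW_LIST = build_allow_list(BASELINE_FLOWS)

if __name__ == "__main__":
    for src, dst, port in check_flows(LIVE_FLOWS, ALLOW_LIST):
        print(f"ALERT {src} -> {dst}:{port} is not in the baseline allow list")
```

The same allow list can be rendered into firewall or switch ACL rules; flows seen too rarely in the baseline are left for an engineer to review rather than trusted automatically.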
This post was written by Senior Analyst Brian Kime, and it originally appeared here.