Posts

Emergency at Colonial Pipeline

Another ransomware attack hit the headlines last week.  This time it’s Colonial Pipeline, the largest in the USA by some estimates, 8,850 km long, with carrying capacity of over 3 million barrels of petroleum products.  The attack has prompted the US Department of Transportation to issue an emergency declaration, easing restrictions on overland transport of supply by truck, a necessary but high-cost alternative for the company.

Colonial is wisely reluctant to release details, so we might never know exactly who did this or how it happened.  But that’s not the point.  One way or another, a malicious actor may have compromised a node on the IT network, which could have been used as a staging ground to launch an attack on the OT (Operations Technology) network.

What we do know is how to prevent that kind of attack from spreading.  There should be no need for emergency declarations.  As we have discussed previously, most people in the know―from government regulators and standards agencies to top management and on-site engineering staff―understand that you must isolate your networks.  In this age of cloud, IoT, and digital transformation, when it is becoming possible to connect everything together, we also need to implement ways to keep things separate.

A Well-Known Solution

Isolating a control network from an IT network is not difficult.  The technology has been around for decades.  It involves inserting a defensive layer, a DMZ (Demilitarized Zone) between the two networks, and using firewalls to protect them.

The challenge lies in moving production data securely across the DMZ in real time.  This is where Skkynet’s DataHub technology shines.  The DataHub can connect to equipment and SCADA systems on the industrial side, and pass that data through the DMZ to the IT side, without opening any firewall ports on either side.

We hope Colonial Pipeline recovers quickly from this emergency, and that oil and gas will soon begin to flow again up the East Coast of the USA.  Meanwhile, we encourage others to heed this wake-up call.  The attack surface of an entire company is huge.  Persistent hackers are bound to find their way in, eventually.  The best way to prevent damage to the production systems is to isolate the corporate network from the control network and insert a DMZ.  They may get that far, but no farther.

US Gas Pipeline Ransomware Shutdown – A Ready Solution

An entire US gas pipeline was shut down for two days due to a ransomware attack according to a recent report from the US Cybersecurity and Infrastructure Security Agency (CISA). The hackers sent a spear-phishing email to someone on the IT network that crossed over into the OT network and infected HMIs, data historians, and polling servers on the process control system. Although only one facility was hit, management shut down the whole pipeline for two days, resulting in loss of productivity and revenue to the pipeline, as well as to upstream production systems and downstream distribution networks.

This need not have happened. There is a simple remedy―isolate the OT network. They could have used Skkynet software on a DMZ to keep their firewalls closed and their gas pipeline system secure.

Using a DMZ

The first technical recommendation in the CISA report is to segment networks using a DMZ: “Implement and ensure robust Network Segmentation between IT and OT networks to limit the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone (DMZ) that eliminates unregulated communication between the IT and OT networks.”

The easiest and most cost-effective way to pass production data securely through a DMZ is using DataHub tunnelling. Because it is secure by design, DataHub tunnelling can provide bidirectional data flow with no open inbound firewall ports, and no VPNs. The key is to access the data, not the network. This technology has been deployed in mission-critical systems worldwide for over 20 years, and was implemented recently in the TANAP project in which DataHub software was used to securely transmit process data from an 1800 km pipeline into a central control system through closed firewall ports.

Secure OT Assets

The second technical requirement recommended by CISA is to secure OT assets as much as possible.  The report said, “Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to Filter Network Traffic and monitor communications between zones. Prohibit Industrial Control System (ICS) protocols from traversing the IT network.”

Again, DataHub tunnelling is a ready, off-the-shelf conduit for making the necessary connections.  It provides secure, bidirectional real-time data mirroring between logical zones of OT assets, and from OT to IT. Data traverses the tunnel using the DHTP protocol, and can be converted to or from industrial protocols at either end.

Of course, the most secure system relies on sound planning and operational strategies in addition to strong technical and architectural solutions. The choice of software is one element of a larger picture. But in this case, simply using Skkynet IoT software would have prevented this gas pipeline shutdown altogether.

Case Study: TANAP Pipeline, Turkey

Skkynet’s DataHub middleware was used by ABB for secure, real-time data networking on the Trans-Anatolian Natural Gas Pipeline (TANAP) project in Turkey.