I’m scheduled to join @jimsciutto on @CNN at 10am Eastern to talk about ransomware and intrusions into our industrial infrastructure in context of the Colonial Pipeline incident. Join me if you can and thanks for tuning in.
In my opinion there’s some bad takes out there but overall it’s completely reasonable that folks are paying attention. This is the most disruptive incident we’ve seen on US energy infrastructure from cyber intrusions. Colonial Pipeline is the victim and has done a lot right.
They contacted a top tier incident response firm (FireEye/Mandiant) for the enterprise compromise (only IT impacted it seems) to lead the response. They informed the USG who had great folks from CISA/FBI/DOE supporting. They focused on safety and took operations down proactively.
Congress and others will reasonably ask: “if a criminal can do this, what more could a state adversary could do?” While we should avoid hype this is a very reasonable question. The reality is our infrastructure is undergoing a rapid digital transformation.
While the ransomware was confined to IT this could have been much worse if it had hit OT and at Dragos we have handled such cases and they candidly suck. As our industries change the historical mindset of “segment and disconnect OT” just isn’t practical in most cases.
75%+ of many of the standards/regulations/frameworks/etc. push for preventive controls (segmentation, authentication, anti malware, patching, etc.) all good controls but that leaves an under investment in detection and response. As our infrastructure changes so will our threats.
What we see most commonly is without visibility and monitoring in OT networks the preventive controls are not applied everywhere and atrophy over time unknowningly to the defenders.
Many realize this though. The current White House administration has rightfully pushed for a 100 day action plan to encourage visibility, detection, and response enhancements in OT in the electric sector and likely following suit in water and natural gas to raise awareness
To the practitioners out there thinking about their OT networks I would encourage engaging firms with OT/ICS incident response experience. Conduct a TTX to rehearse. Use burn down to do an Architecture Review of what you have today and it’s state. Then move into monitoring in OT
For the executives out there realize your IT and Security staff are usually already under invested in. Picking up a whole new mission set with focus (OT) requires additional resources. Elevate the conversation in your org and invest in your people to enable your business.
To the policy folks out there - realize our infrastructure owners largely know what to do. They don’t need silver bullets and it’s not a need to invent new technologies. It’s about communicating clearly on what investments are needed and enabling them to make those investments
The governments best role isn’t fly away teams and technology deployments. It’s amplification of what works, relevant and actionable information sharing, consistent messaging, setting the rules, holding foreign actors accountable, and investing in the ecosystem. That scales.
All in all this incident isn’t anything to be fearful over. But it is a public example of what many are concerned about and it could have been much worse. Colonial Pipeline is doing a great job so far as we can tell. Others may not. If we approach this thoughtfully we can win.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
