All operations on the natural gas pipelines for four different U.S. energy companies were running smoothly until the moment they were inexplicably shut off. It is a moment that sends panic down the pipelines and through the teams operating them.
Oneok Inc., with pipelines in Texas and the Rocky Mountains region, Energy Transfer Partners LP, Boardwalk Pipeline Partners LP, and Chesapeake Utilities Corp.’s Eastern Shore Natural Gas were each shut down temporarily in March, within a week of one another. The outages were traced to a third-party provider: the Latitude Technologies unit of Energy Services Group, whose communication systems were hit by a cyberattack.
These attacks, now being investigated by Homeland Security, come on the heels of a U.S. government warning that hackers were conducting cyberattacks on the U.S. power grid and other targets. They were also a wake-up call to pipeline and critical infrastructure operators that nation-state and other attackers are continuously probing critical infrastructure networks for weaknesses. One of the most serious pieces of malware to hit critical infrastructure systems last year was discovered by FireEye, who named it Triton because it targeted Schneider’s Triconex plant safety systems. This malware is capable of disrupting industrial processes.
In the wake of these increasing attacks, the National Institute of Standards and Technology recently released an update to its cybersecurity framework for organizations that gives additional guidance on managing supply chain cybersecurity, an area that poses significant vulnerabilities. NIST is expected to release a roadmap for improving critical infrastructure cybersecurity later this year.
The ramping up of hostilities around the world, the growing number of Internet connections to critical SCADA systems, and the demonstrated ability to jump air-gapped systems have together produced a widespread threat landscape for attackers.
For decades, critical infrastructure operators have attempted to prevent breaches with a security strategy focused on perimeter defense or relied on air-gapped systems. Technologies like firewalls, antivirus, intrusion prevention systems (IPS), network access control (NAC), and access control lists (ACLs) were leveraged in an effort to secure systems and were, for the most part, very successful. However, the last five years have brought significant change with new technologies that are propelling the industry at light speed. The massive growth of attack surfaces driven by the Internet of Things (IoT), coupled with the increasing sophistication of malware and a seemingly infinite number of attack vectors, has led to a point where breaches are inevitable.
Critical infrastructure facilities must continue their efforts of prevention, but it is imperative that they also evolve their strategy to include technology, people, and processes dedicated to incident response.
Detection alone is not enough. Knowing there is a problem is just the first step. When the security team receives an alarm, they must be able to identify what the breach was, determine root cause, mitigate, and return to normal. This process requires forensic data that delivers context extending to network traffic associated with the event. Network Traffic Analysis (NTA) platforms incorporating artificial intelligence and historical forensic data are key to this shift in security strategies.
Effective incident response processes require four key capabilities that come from a combination of people and deployed technology:
- Teams must be able to collect data on network traffic that goes far beyond syslogs, centrally collecting information that spans all seven layers of the OSI model (physical all the way to application data).
- Security teams must be able to quickly correlate and navigate all of that data in a way that delivers context and insight.
- The team should have a documented response process, including advisory guidelines for specific types of attacks, to guide them through the investigation.
- There should be pre-defined automation mechanisms for dynamic mitigation. Advances in artificial intelligence will make this process more precise and efficient over time.
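As an added illustration of the first two capabilities (network data beyond syslogs, then correlating it for context), not code from the article: a small Python routine that takes a constructed alarm on a plant communications gateway, pulls the flow records around the alarm time, and summarizes which peers the gateway talked to, over which protocols, and whether any peer lies outside the assumed plant address range. The address ranges, ports, hosts and flow records are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Flow:
    ts: datetime      # flow start time
    src: str          # source IP
    dst: str          # destination IP
    dport: int        # destination port
    nbytes: int       # bytes carried src -> dst

INTERNAL = [ipaddress.ip_network("10.20.0.0/16")]  # assumed plant/OT address space
OT_PORTS = {502: "modbus", 20000: "dnp3"}          # well-known ICS protocol ports

def t(s):
    return datetime.fromisoformat(s)

# Constructed flow records around a hypothetical alarm on comms gateway 10.20.1.15 (not real traffic).
FLOWS = [
    Flow(t("2018-03-28T09:50:00"), "10.20.1.15", "10.20.5.7", 502, 1200),      # before window
    Flow(t("2018-03-28T09:58:30"), "10.20.1.15", "10.20.5.8", 502, 900),
    Flow(t("2018-03-28T10:01:10"), "10.20.1.15", "203.0.113.44", 443, 48000),
    Flow(t("2018-03-28T10:03:00"), "203.0.113.44", "10.20.1.15", 22, 300),
    Flow(t("2018-03-28T11:30:00"), "10.20.1.15", "10.20.5.7", 502, 1100),      # after window
]
# Constructed alarm as a detection platform might raise it.
ALERT = {"ts": t("2018-03-28T10:02:00"), "host": "10.20.1.15", "msg": "unexpected config push"}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def context_window(flows, alert, before=timedelta(minutes=10), after=timedelta(minutes=10)):
    """Flows touching the alarmed host within [alert-before, alert+after], oldest first."""
    lo, hi = alert["ts"] - before, alert["ts"] + after
    hits = (f for f in flows if alert["host"] in (f.src, f.dst) and lo <= f.ts <= hi)
    return sorted(hits, key=lambda f: f.ts)

def summarize(flows, host):
    """Per-peer summary for the analyst: total bytes both directions, protocols/ports seen,
    and whether the peer is outside the plant range (the detail a syslog alarm alone lacks)."""
    peers = {}
    for f in flows:
        peer = f.dst if f.src == host else f.src
        p = peers.setdefault(peer, {"bytes": 0, "ports": set(), "external": not is_internal(peer)})
        p["bytes"] += f.nbytes
        p["ports"].add(OT_PORTS.get(f.dport, f.dport))
    return peers

if __name__ == "__main__":
    for peer, info in summarize(context_window(FLOWS, ALERT), ALERT["host"]).items():
        print(peer, info)
```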
Critical infrastructure facilities are directly in the crosshairs of well-funded, sophisticated nation-state hackers. NIST is providing the guidance, but critical infrastructure operators themselves must be on the leading edge of security, going beyond strategies focused only on prevention and embracing the need for people, processes, and technologies dedicated to incident response. It is imperative that they be prepared to quickly react to inevitable breaches to avoid the catastrophic effects that are all too real.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland.