In this Webcast, Rob T. Lee invites Tim Conway and Jeff Shearer to review the recent ransomware cyber attacks on the Colonial Pipeline. Tim and Jeff go in-depth discussing the operational technology systems and the effects of cyber attacks on it, relative to the ransomware attack that hit Colonial Pipeline earlier this month and its drastic impacts across the nation. The Ransoming Critical Infrastructure presentation slides are available here to follow along.
Rob T. Lee:
My name is Rob Lee. I'm the head of faculty and the curriculum director here at the SANS Institute. And lots going on this week in the cybersecurity world. Executive order by the president came out yesterday with a lot of things actually related to SolarWinds. But the timing of it is very applicable because of the recent cyber attacks that have gained nationwide and worldwide news as a result of the ransomware attack on the Colonial Pipeline that has caused a lot of disruption in the service as a result of them shutting it down. We at the SANS Institute believe that when these kinds of events happen, we need to turn to our experts, our practitioner instructors who lead the different fields inside SANS from digital forensics, offensive operations, and, of course, industrial control systems that we end up having here that we're going to be focusing on today.
Rob T. Lee:
The main idea is that despite what you're reading in the news and despite everything else that we want to be able to tell you what is actually going on, our perspective on it, and you do it in a very balanced and crucial way to inform, not cause panic and also so people can make their own judgements on what this means for their own potential organizations or how it potentially affects you personally. This webcast is primarily focusing on the operational technology systems and the effect of cyber attacks on it, in this particular case with the ransomware attacks that hit Colonial Pipeline early this week and its drastic impacts that we're currently still feeling across the nation.
Rob T. Lee:
We've invited Tim Conway and Jeff Shearer who are two of our leading minds in the ICS side of the SANS world. Tim Conway is our director of everything ICS at SANS, all the courses and all the summits that we end up doing. Tim has his hand in working with Robert M. Lee and his entire team. Jeff is a co-author of one of our most popular courses, ICS612, ICS cybersecurity class, which is going to be making a new debut later this year once we return to in-person training again because it actually has a lot of components that you actually have to have in person. We cannot actually do that one remote, unlike a lot of our other classes that we can do live online.
Rob T. Lee:
I'm going to be turning it over to Tim and Jeff. Just a side note, they've already informed me that this presentation is going to take up the full hour. So what we're going to do if you end up having a question, we're going to collect the question and make a blog that both Tim and Jeff will respond to that blog and we'll post online to both Twitter and LinkedIn so everyone could see their questions answered in that format. That way, you can ask a question, think it will be answered because we may be short on time to be able to address all the questions that folks may have. Without further ado, I want to hand it over to Jeff and Tim. Thanks guys for putting this presentation together.
Tim Conway:
Thank you, Rob Lee. Appreciate it. Rob T. Lee, the most important part of that, to distinguish between Rob M. Lee and for those from Rob's team that are on... I don't know that Rob would say I'm deeply involved in things going on, but Rob and I do talk quite a bit. I appreciate the comments in regards to we are going to run the full time here. Jeff and I, if you've ever seen either one of us present, we're like water, we fill our space. I'm sorry, we will use every minute.
Tim Conway:
Just real quickly, appreciate the introductions for Jeff. I wanted to highlight a couple of things as when we get into parts of this presentation and we're talking about some of these specific design areas, things that he's seen across his career, I just want to highlight Jeff has been in this space as an active system integrator for over 23 years from a commercial engineering group at Rockwell doing quite a bit in regards to converged plant-wide designs across industrial automation control systems, industrial DMZs, a lot of architecture validation, site-to-site VPN converged, sort of plant-wide architectures.
Tim Conway:
This is an area where he spent a considerable amount of time and spending a lot of years in a number of different environments. So exposure to manufacturing chemical, oil and gas, lots of different sectors as well involving industrial control systems, distributed control systems, and SCADA environments. We're blessed to have him here with us and definitely when we get into some of the architecture discussions on why an attack that's impacting IT could potentially impact operations and just really how people are defining the differences between IT and OT.
Tim Conway:
Without further ado, we are going to move into what we're going to cover today. With the limited time we have, as Rob indicated, expect follow-ons from this webcast, either from the perspective of answering any questions that come in, but we are likely going to either create a blog post talking about some of the things we've covered here and expand on them, or move down developing some more resources as ransomware and its impacts on operational technology environments is only going to continue to grow and we're going to continue to see changes and different guidance and a need for additional resources for asset owners and operators.
Tim Conway:
We are going to really try to focus on the ransomware in operational technology elements throughout this talk. There's been a ton of other great talks and great resources that really talk a lot about the ransomware or impacts and how you can position your systems and defend in IT environments. We'll cover just a few minutes of that and then spend the rest of our time moving into the OT spaces.
Tim Conway:
So, first, in a lot of ways, we kind of throughout our careers, Jeff and myself, learning from events that occur in facilities that we've worked or in responding to events at other facilities and then learning from others through case study analysis in similar ways to safety programs and near miss or in some industries where they have events analysis and full details of what occurred, how it was discovered, the full root cause analysis of the details, and then really consuming that, even though it may be in a completely different industry than yours. It may be IT and financial sector, but what could have been learned there may apply to you.
Tim Conway:
It could have been a physical security event that impacted a large telecommunications company and how they had to respond to that with backup generators and switch gear and as you think about what that might mean for your data centers, depending on what sector you're in, or specifically an electric sector event or an oil event and how that applies to a place that you call home for your work environment.
Tim Conway:
Through that case study approach in this webcast, we're going to be talking about, as Rob indicated, the Colonial Pipeline events. Some of the details, I am certain everyone on this call is familiar with the recent events this week impacting Colonial Pipeline and their operations, just some details, some of their system maps working through 14 different states, largest refined products pipeline in the US, 100 million gallons of fuel daily across this 5,500 miles of pipe, about 280 different facilities. And that includes a number of different terminal stations and refinery input stations plus their own storage farms and various pumping and valve operation stations across their footprint. Ultimately moving a number of different products, supplying about 45% of those products to the East Coast.
Tim Conway:
Colonial Pipeline became aware to a number of people on Friday May 7th when they had to temporarily shut down all pipeline operations due to a ransomware attack on its IT business systems. We're going to talk a little bit about that IT business system specifics in a few slides here, just as an update since May 7th. So since May 7th on Friday when this occurred, there's been frequent updates being provided by Colonial Pipeline in regards to the restoration in their activities.
Tim Conway:
As of today, so starting yesterday at 5:00 PM, they began operational startup, so the ability to start restoration of delivery of product. And today in about an hour, they are estimating full operation across all lines by noon Eastern. The lines in green here are the markets that are currently being serviced, the lines in blue are those that they anticipate service to begin by midday today. So noon Eastern in about when we end this webcast, everything should be good. Keep your eye on their website. They have been providing very frequent updates and this was provided earlier this morning. Along with the updates they're providing on the operational side, they are also providing updates and information sharing on the cybersecurity front.
Tim Conway:
So a couple of items to highlight here, there's been some discussions recently in some testimony and some other items in regards to who did Colonial Pipeline reach out to and what did they share and when? This is a very confusing thing from an asset owner perspective when you start to look at who do they notify and when do they notify them and who's their sector-specific agency, and specifically if there's confusion around should a particular company notify DOE, FBI, TSA, CISA, DOT, FERC? All of these acronyms and names of organizations circle around Colonial Pipeline for different reasons and different authorities.
Tim Conway:
Some of those authorities have been discussed kind of who should be responsible for product and pipe? Who should be responsible for the pipe itself? And should there be differences? Who should be responsible for markets? A number of different questions. From an entity perspective, usually the guidance that is provided is pick one, pick one that you work with routinely. In this case, most likely, routinely doing work with state FBI points of contact. Put that notification requirement in an IR plan, practice it through exercises, test it, make sure it works.
Tim Conway:
During an event, actually leverage it, provide that information sharing and make adjustments if you determine that you could've gotten to other resources faster and possibly gain some additional help quicker had you changed your notification and reporting. In this case, the reach out to FBI and then FBI bringing in a number of different interagencies that worked from the perspective of FBI has posted an FBI Flash very early in regards to what they've been tracking with the notification that this was ransomware related and then specifically DarkSide. So any of the indicators that they have and being able to start moving and providing information and information sharing through a TLP Green report out to other critical infrastructure. The development of a joint CISA and FBI advisory on this matter.
Tim Conway:
And with that information, that allowed other organizations that have been tracking DarkSide and have been doing work in the space being able to also provide additional information to the community so that we could have a well-informed response. And again, understanding that we're talking about this here today because Colonial talked about it to who they reported to. There's a number of ransomware cases that occur at organizations that don't hit media. There's a number that occurred that could have operational impacts at organizations that we don't get the opportunity to look at, talk about, see the impact, try to understand it, learn from it.
Tim Conway:
I'm really, really happy that Colonial Pipeline had the approach where they shared information and they provided details to organizations so that we can all learn from this. Looking down once we became aware it was ransomware, once we became aware it was DarkSide, some information started coming out where a number of people started hearing about DarkSide for the first time. First time, you've learned of Colonial Pipeline and what they do and the role in critical infrastructure and for a number of other people that might be an ICS or OT environments learning about ransomware and these various organizations and groups and tool sets and learning about this DarkSide ransomware-as-a-service. The approach unique here, kind of the double extortion. You're going to pay to unencrypt your data sets and you're going to pay to ensure that your data isn't released operation through a number of affiliates. So kind of people coming in and having various work for hire almost programs.
Tim Conway:
Since this event happened, there's been a number of other information posts in relation to DarkSide that they claim no geopolitical affiliation and that finance and cash is their only driver. You could imagine as they were performing these actions and looking for the ransomware payout and the cash and seeing what this turned into by this target taking proactive steps to ensure a safe operations and taking down facilities, it is probably fairly high levels of confidence to assume this wasn't what this adversary group anticipated happening. Some additional comments from adversary group or from a DarkSide providers along the lines of in the future they intend to provide more moderation and review of future targets to ensure a reduction in the social impact.
Tim Conway:
Definitely, this is a sign of ongoing progression into full business models of organizations. This is going to continue to blend to the criminal and state-sponsored actors, and it's going to just continue to create this ever-increasing challenge for defenders to distinguish through the fog of war criminal actions, state-sponsored actions, actions that are intended for IT, actions that are intended for OT. It's going to be this fog of war moving forward.
Tim Conway:
Also, I just want to highlight a recent blog post from FireEye on DarkSide that is absolutely a must-read for everybody. This is highlighting the commonly utilized, commercially available and legitimate tools, vulnerabilities that they're using for initial compromise or for privilege escalation. A number of those vulnerabilities being exploited depending on the actor here in DarkSide and a variety of different approaches observed across this attack life cycle. For anybody listening that is on the defender side or consuming data sets, the indicators of compromise provided here should definitely be looked at and leveraged to inform your action and your detection activity.
Tim Conway:
All right. That was the lightning round cover of the basics. With the basics covered and a general understanding of the initial compromise, the adversary, the tie to ransomware, the foothold establishment and some of the attack approaches that have been seen across organizational IT environments, we really want to move and focus the majority of our time on discussing the operations impacts of this case study.
Tim Conway:
I will call this the elephant in the room question and many conversations I've had with Jeff over the last few days and people in different industries and sectors along the lines of OT and ICS practitioners centering around this discussion of, A, so everybody's saying it's ransomware, that everybody's saying it's impacting IT only. So why is there no product flowing? And this discussion of what are we actually talking about? And is this an issue of a nuance between how somebody is defining these strict differences between IT and OT and how those things in reality blend, or is this a bit of a misunderstanding of what was stated?
Tim Conway:
So two things that I'll say here, one I can't really comment on because I'm not inside of the organization, but I can say that when a company during an event like this, whether it's storm-related outage or a physical impact or some type of a targeted attack, when they're making a public statement on their site for everybody to read, that probably goes through many, many layers of organizational review to ensure accuracy of the statement that the company was providing the best information available to all of its stakeholders in the communities they service.
Tim Conway:
So words really, really matter. The first couple of sentences here in the statement, I'll paraphrase, basically, Colonial became aware of a cybersecurity attack that involved ransom. That's paraphrasing the first part. The second part is the important, after the discovery of ransomware, in response, we proactively took certain systems offline to contain the threat. That has temporarily halted all pipeline operations and affected some of our IT systems. That's saying the actions to contain the threat temporarily halted operations and affected some IT systems. It didn't say ransomware only impacted IT.
Tim Conway:
The next piece is really where we get into the what is IT and what is OT and where these things blend and overlap and where one starts one stops. If you very simplistically consider a bookshelf with IT on one far end of it and OT on the other end, there's a whole bunch of stuff that lives in that in-between. And that's really where we want to cover these topics of traditional ransomware attacks in corporate business enterprise environments. And then this pivoting into industrial DMZs and these in-between zones where you have business operational technology assets and business intelligence and how they operate their actual facilities.
Tim Conway:
All the way at the bottom of the stack, you have kind of the in the field, what they're doing at their pumping stations and at their valve control and at their refinery storage bowl and at their delivery as well as their terminal stations. That's clearly the OT side and nobody's saying that this ransomware had some intelligence infected that, or impacted it in any way. But there's a lot of stuff in-between that in order to safely and reliably run your system you need. There's also some additional discussion around in this in-between zone where you have between IT and between OT, you may have connections into other third party environments and that you want to ensure you're taking actions to prevent your attack from becoming somebody else's attack where you may have liabilities.
Tim Conway:
If you consider their operations, very simple to draw a box around, "Hey, they've got pipeline storage facilities, they've got refined products that are moving down a pipeline, they own and operate those pipelines." They have tons of digital communications infrastructure and control systems in place, and they operate multiple different products down that delivery system, kind of product sequencing those in, loading them in as batches so they're pulling from these refinery storage product delivery sites and they're delivering in the local terminals. And those two things are outside their box of assets that they own and operate, but certainly they have technology reaching into those environments to do that portion of their operation.
Tim Conway:
Loading these things in as batches, blending them and separating at the interface points when they're delivered, using large area control center of SCADA systems to monitor flow, pressure, quality, leak detection, just beyond the facilities that they own, consider the connections into edge environments and consider the overall communications and control systems that are in play here. As we move into what are all the other systems that they're using from a business perspective, I'm going to ask Jeff to jump in here and cover some of those additional thoughts on what we'll call for the purpose of this discussion trying to get away from the stuff in-between IT and OT and maybe business operational technologies. Jeff, you can see the slide, just let me know when you'd like to advance, and you're muted. Somebody needs to unmute Jeff, whoever our moderator is. I can ask to unmute, but I can't unmute.
Jeffrey Shearer:
Okay, I think I'm there. I think they got me squared away. As Tim's elephant in the room slide talked about, as people were Googling and looking around, one of the biggest questions that we found was how does an IT system actually interact with an OT system? I wanted to take a moment and explain that most large companies have different systems that take everything from customer orders and supply chain management systems and actually bring that down into the OT environment in order to be able to make a product.
Jeffrey Shearer:
If we look over at the right-hand side at the top part of the slide, there's a system called enterprise resource planning or ERP. And that system is used to take an order to understand what raw materials, what things do I need to make my product, and also to communicate back out, "Hey, I've made a product." And eventually, that ERP system will talk to a manufacturing execution system and 99% of the time with large companies, whether you're making bread or you're pushing pipeline products.
Jeffrey Shearer:
There is a point in time when I say it's time to make an order and that MES is the bridge between a true IT system and then it communicates down into the OT, your operational technologies systems, and tells it like, "Here's your recipe, or I'm bringing back quality assurance information, or..." It helps me track work in progress or WIP. It also does things like performance management. It tells managers and stakeholders, "Here's how fast I'm running. Do I expect to have my run done at the end of the day?" It also does material tracking, everything from raw material to work that you've done.
Jeffrey Shearer:
And those MES systems then affect the capacity of the plant. So, for instance, they could say, "Hey, I know that this machine is idle. Let's go actually make some product because we have it in our bins, or we have physical screws, nuts, raw material." It affects the quality, it affects visibility, "Where are these pieces? Where's the fuel in the pipe?" And then eventually, it helps us ship that product. So it does everything from here's the labels that are on the side of it and here's where it's supposed to go. And then it can communicate back up to the ERP system and says, "Hey, my product is actually shipped."
Tim Conway:
A real quick 30-second example here, if you look to the different case study of NotPetya and you think about some of the entities that were impacted there, kind of these systems in-between and the importance of those systems in-between where a particular company like Maersk may very well have had zero problems on the far end OT side with port operations and crane or ship to shore crane control that may have had zero problems with maritime and shipping and delivery on all those different OT systems and use and tracking. But if the issue is they didn't know what was inside the containers, that impacts all of operations and how you would delineate was that an IT attack, was it an OT attack, and really focusing on these systems in-between similar to what we're talking about here with Colonial.
Jeffrey Shearer:
Yep. One more comment is that MES system back up to the top is normally made up of a database, it's made up of some kind of business rules that we're going to talk about, and then some kind of way to read how are we doing on our product. I thought I would start talking a little deeper dive about autonomous control or controllers or automation systems that are making a product and then reporting back when they're completed. It's like a band and a director. So the band, each member can play their own instrument, they can play their own music, but it's the director of the orchestra that says, "Here's the music that we're going to play. I'm going to hand you all of your sheet music and then we're going to actually start."
Jeffrey Shearer:
So, for instance, if we go over to the left-hand side, the MES system on bubble one is going to determine what products do we even have. In this particular example, I drew up... There's three tanks. Tank A has 5,000 pounds of product and tank C has 1,000 with B being empty. It would move to its business rules and it would say, "Well, I can't make product one and I can't make product two because B is involved in both of those. But I could make product C because I could do A and C." It's going to do something like then move over to step three, create a production order. And that production order could be build this product using these particular weights, using a temperature, and I need a mixer and I need to mix this product for 30 minutes.
Jeffrey Shearer:
And that could be something simple like it creates that production order and it gets entered into a separate terminal where production makes a schedule and it says, "Okay, I have a customer that wants this, so I'm going to make product three," or it could be like what we're doing with digital transformation, where it's sending a product request in bubble four and bubble five is saying, "Hey, I understand that I'm supposed to make this product," and then the automation takes over. This is where the autonomous control happens.
Jeffrey Shearer:
I know the music I'm supposed to play, I know that I'm supposed to work on this product and make it. I don't need you to tell me what to do anymore. I'm just going to go make that product. In bubble C, it starts to arbitrate for resources like a tank. So it says, "Okay, I've got 1,500 pounds of product." I go over and I look at tank number two is capable of that, tank three is not. I arbitrate for it. I make the magic happen, I make the product. And then bubble eight, I'm sitting there waiting to tell you how I did during that production run. And in bubble nine, I'm sitting there holding the product, waiting for you to tell me, "What do you want me to do with it?" This is at a high level the orchestration that happens from very high-level systems to autonomous control, making the product and reporting back what happened.
Jeffrey Shearer:
What can happen in this scenario is if the MES system at the highest level gets ransomware or goes offline, then no longer can we send product request or say that we've actually built it. So we have to sit there and we have to hold that data and hold that product until we can offload that information. And so it's not uncommon that we do this store and forward methodology where I'm just going to wait for you to tell me what to do, or I have some manual method to actually purge the product, move it somewhere and call that work in progress.
Jeffrey Shearer:
In most cases, autonomous control will finish the last task and hold until further notice. It doesn't need that higher level system to actually do its nice closed loop job. And then depending on the work in progress, it can unload it, or if the work in process is going to be finished later, it'll hold that genealogy and wait to be offloaded, or sometimes it can hold enough and say, "Hey, I'll arbitrate for my neighbor and I'll ship it to them and I'll let you know about it." And then there's some sectors that might be handling live product or time-sensitive product, where they'll have manual control and they'll move that product somewhere else and they'll hold it or continue to finish it.
Jeffrey Shearer:
So winding that back to Tim's example is in the pipeline, there's going to be different customers' products. So 5,000 miles of pipeline will not be filled with one customer's product. Inside of that pipeline, there will be probably a SCADA system that is remote and it'll have some of the pieces of the puzzle to say, "I know where customer one's product is, I know where customer two's product is, I know where customer three's product is."
Jeffrey Shearer:
I might also have another SCADA system that's out on the tank farm that says, "I know that I'm full and I know what product I'm holding. So I have some of the puzzle pieces, but yet I can't ship that up to critical systems in the middle like doing some product tracking," or as one of the news outlets said, it might be a financial system that can't put all those puzzle pieces together. And technically right now what a news outlet is saying is that those ransom puzzle pieces were able to be reconstituted so that they could pull all these things together and continue to move product and as Tim showed on the map make product flow again and resume their business operations. But that's how IT and OT can be heavily interdependent on this whole entire process.
Tim Conway:
All right. As we look at the very beginning, IT ransomware, kind of the great information that's been pushed out from Krebs and from Wired and from FireEye and others and how that impacts IT environments, that's on your one end of your bookend. We've just talked about the stuff that's in the middle. These systems that some may classify as IT, some may classify as OT, they're really the in-between space with architectures and segmentation supporting it.
Tim Conway:
But once you build those architectures and build those segmentations, you're still going to have to allow trusted communication flow from system to system, from interactive users, variety of different needs, communication paths for not only the systems that Jeff talked about with the ERP and manufacturing execution system, but also there's some devices and some application sets and solutions that are being put in that are for cybersecurity purposes. So collecting data from the OT environment out and aggregating it in this in-between zone or patch repository or AV updates or signature update repositories and being able to go pull from there from an OT environment.
Tim Conway:
So not just the financial or the billing systems that are in-between, but think of all the stuff that as a cybersecurity community we often talk about where OT environments aren't doing appropriate patching or they're not doing monitoring and alerting and log collection or sound security practices. But as you begin to start to do those things and you have appropriate architectures of where those types of solutions are being placed, those types of solutions are also providing that in-between zone. From ransomware, it escalates beyond just IT and it moves into these in-between spaces. The next discussion that we need to have as an industrial control system community and critical infrastructure is what happens when it moves to the next pivot from that in-between zone down into the operational environments.
Tim Conway:
We're no longer talking about, "Well, it wasn't an OT attack, or was it not? Did it impact? How do you define IT and how do you define OT?" But we need to start talking about the cases that clearly move into OT and begin to impact those types of assets. The number one thing to think of is just ensuring resilient operations. This is an area where the different types of OT attacks that could occur, the different types of impacts on system operations, this is where the operators and the resilience of the organization can look towards things that they have done through normal events. So while this was cyber related, and there's uniqueness there, had this been a physical event or storm related, if you look specifically just at Colonial and the operation across this pipeline over the last 20 years, they've had more than 30 events that have impacted pipeline operations either in full or in partial.
Tim Conway:
Most of us have never heard of Colonial Pipeline. A number of people that are on this call, this is a company that is unknown to you, especially if you're not in the US. Depending on where you are in the US, you may have familiarity. But in regards to what they're doing or what products they're pushing or what would be the impact if it wasn't occurring, depending on where you've worked, this may be unknown, and they've had more than 30 different events that were either rupture or physical impact or Hurricane Harvey, Hurricane Katrina. The Harvey outages were probably doubled in length in regards to how long this cyber-related outage is.
Tim Conway:
The difference here and as those past events have happened and you look at those 30 different events, none of them really bubbled up to, "Hey, we've got a whole of government response, we've got executive orders, we've got fact sheets and declarations of emergencies in states and federal agencies declaring different waivers for EPA or DOT." The other kinds of events that have happened didn't reach that. I think it's just from the perspective of when there's a physical impact. So from electric sector or natural gas or pipeline operation when there's a storm, you know where it was, when it was, what the impact was, and you have a general idea from routine operations of decades of what that restoration and repair is going to look like, time-wise and when you can anticipate full operations to restore.
Tim Conway:
When you move into the cyber area and you're starting to now focus on how do we ensure we have integrity of our system before we begin operations, how do we ensure safety for our employees, for our customers, for the communities that we service, and now you're talking about integrity of a system that, if you were buying that system brand new, you would have had a system specification, factory acceptance test, site acceptance test, 1,000-hour performance tests, you would have walked through full field point verification, it may have been a multi-year project to bring it online.
Tim Conway:
And now, some adversary was in and you can see through forensics where they've gotten to and what they may have impacted, but are you certain? And at what level are you positive that you have a system with full integrity that you've restored from, recovered from, and now you can begin to operate? That becomes a less clear path and really will only become clear with more and more exercises and activity and practice-the-way-you-play approaches. Jeff's going to walk through a couple of other additional considerations for OT environments as we start to dive deeper into where ransomware attacks may go in the future.
Jeffrey Shearer:
Thank you, Tim. Right now, ransomware attacks are limited to computer systems and not embedded systems like PLCs. I want to make a special note here: there has been embedded-system malware. Right now, ransomware is just getting its day in the sun, so to speak. If you look across the fruited plain of industrial control systems and the computer systems that are in there, you would lose, and have the effects of not being able to get to, your engineering workstation, which means no design tool. You'd lose visibility to HMI, to alarm servers, to historians, possibly analytics. Everybody's putting analytics on the edge or in the cloud. It brings another vector in. You may lose SCADA function if you've had ransomware on a SCADA server, and the inability to authenticate users. The big news here is right now we're talking ransomware on computers. Eventually, there will be ransomware on embedded system devices.
Jeffrey Shearer:
I want to walk through an architecture. When I worked for Rockwell, we made this famous architecture model. It's based off the Purdue model. It's just our own little colors here. But at the top is the enterprise. And that is the internet-facing carpeted space, traditional IT. What we found, or what I've found in a lot of assessments, is they aim the guns, or they aim and they look for the intrusion to happen through the enterprise facing outwards, and they spend a lot of money and effort. And as we can tell, or as we think, for a lot of companies, or companies that are getting hit with ransomware, this isn't really effective. Well, we also need to think about this in a different way.
Jeffrey Shearer:
In many cases, there are trust rules that allow the industrial zone to communicate freely to the industrial demilitarized zone, or the buffered zone between the carpeted-space enterprise and the concrete space where we're making products down in the industrial zone. A lot of times, we just see trusted communications from plant level on a... They just say, "Allow it. From security levels, we trust the industrial zone." Well, this brings certain interesting side effects.
Jeffrey Shearer:
Many times remote sites are nothing more than an extension of the industrial zone. And so I find customers a lot of times will have secured communication through VPN or whatever, and they'll allow that trusted communication, or allow it in as trusted communication. They'll say, "Well, I'm fine because I have encrypted communication or VPN technology," but I'm like, "Well, it depends on what information you're sticking through the tunnel. You're just allowing it to be trusted." And so this is one of the warning signs: from remote site communications, we need to be aware that this could be a trusted entry into many places.
Jeffrey Shearer:
And then the industrial zone is often very wide. We don't do very well in OT at segmenting. And because we have things like, we don't know how many users want to consume our data in that top bubble, I'm trying to say, in many cases, we'll not only say, "Allow this particular asset to talk to the enterprise," but we'll allow entire networks to talk. So that can be a compact in.
Jeffrey Shearer:
And then last but not least is these MES systems. In many cases, the vendors don't know how to work through a demilitarized zone. We'll pop the ports directly from the enterprise zone down into the industrial zone because there is no proxy, there is no way to do it. I've worked with customers where we've actually done peer-to-peer mapping of MES and said, "How many things actually need to talk to MES?" We find that the MES system really should be located down in the industrial zone with very few connections to the enterprise that can be more secured. Again, technology is fine, but architectures, how you do this, are really important.
Tim Conway:
We've walked through the areas of traditional IT ransomware, where that bleeds into these in-between systems, and some considerations of targeting and access, either direct at an organization or indirect through peer communications to other facilities and possibly even other third parties, that could slowly start to see ransomware moving into OT and these areas, definitely at that layer that Jeff talked about, from the engineering workstations, the operator HMIs, but also the information that those systems rely on and how you would restore and recover a particular operation, from project files to different HMI screens and tag lists, kind of the data sets and the systems in play.
Tim Conway:
But Jeff also alluded to getting further in ransomware cases on endpoints, on industrial control system devices. And that's an area where Jeff and I will likely be doing some work in the future to talk about how to think about those kinds of things and maybe even some proof of concept areas that people should have in their minds as they're considering architectures and monitoring solutions.
Tim Conway:
As we look towards ransomware in those different spaces and we look down into incident response planning in this last part of what we're going to cover here, it's really intended to just highlight a couple of key components across an operations-specific IR plan, and really specifically highlighting, if you are an organization, don't point to your IT incident response plan and assume that it's good in coverage of your operation-specific environments. Really, look towards OT-specific IR plans and maybe even site-specific, because one facility to the next may be doing things completely differently, and you may have different operational avenues of continuing to provide safe, reliable operations through a breach or through a contested attack at one facility, where at another facility you may not. At another facility, if access is gained, there may not be a way of continuing operations safely. So definitely an OT-specific IR plan, possibly site-specific OT IR plans depending on what that operation entails.
Tim Conway:
As we look at this across different time horizons and we say, "What should you be doing before your attack? What should you be thinking about during and what should you be thinking about after?" And really focusing on this approach of OT-specific actions, I can't say enough about the training of the workforce so that they are aware of the environment and the kind of operation that they are supporting. This is where a hybrid individual comes into play, with IT-specific knowledge as a lot of these operational environments have traditional IT assets, OT-specific knowledge as you get down into the specific controllers and the specific industrial switches and protocols, operations knowledge in regards to understanding how those things are used and how they're implemented and how they fail and what emergency operations may need to rely on different than normal operations.
Tim Conway:
And then adding this overall cybersecurity knowledge across all of those different domains. You're really looking for very unique individuals and this hybrid skill set, or joint teams if you have multiple team members with people with different roles and responsibilities that all share and respond together, and taking those joint teams and running them through exercises and ranges and talking about how you would respond to different events, taking this webcast, taking this case study and replaying it for your organization, talking about those systems in-between and talking about looking at firewall rule sets and firewall rule audits and saying, "What are we allowing in and what are we allowing up from the different OT environments? What specifically could somebody pivot from an impacted IT zone into this industrial DMZ and then down into the OT space, or what if the OT space gets infected from a third party connection? Do we have the rule sets to stop it from infecting up as we're looking to try to restore that environment and ensure that it doesn't impact our backups and other devices?"
Tim Conway:
Look at those architectures, look at that information sharing and really focus on this operations sustainability and operations resilient architectures and segmentation. OT-specific detection, we're going to talk about that a little bit on the next slide. But for a long time, we didn't have visibility into these types of environments. We didn't have the capability to switch port span, work with industrial switches in ways where we can acquire the data sets. We had to go with breakouts or tap points or individual hubs to even see communications.
Tim Conway:
Now, in most environments, we have the ability to acquire that data and gain visibility. So moving towards tools that actually understand those industrial protocols and can help you identify abnormal, a variety of different procedural reviews to ensure that your OT IR plan is adequate. During, to the degree that you can move to manual controls or control inhibit or some type of operation to sustain operations and continue to produce your product, absolutely, that should be considered in your incident response plan.
Tim Conway:
We've seen in a number of cases the ability for organizations to do that. That is well-understood by operations. But the people who are aware of the cyber event are focusing on tracking and identifying and containing the adversary action from a cyber perspective and no one is doing the operational containment to ensure that the operation isn't impacted. Again, not only making sure your joint teams of cybersecurity practitioners are working together, but that joint team includes operations, because in many cases, operators during emergency operations can move to manual or control inhibit. An assessment approach of evaluating the integrity of the system and ability to operate through or a decision to move to a scheduled outage and overall information sharing.
Tim Conway:
After this restoration and validation step, that could be a very, very long process, including safety walk downs, analysis, a whole series of after-action actions. If you look at this from the perspective of Colonial Pipelines starting this plan, startup and restoring and operations, that they have a long tail to this event that's going to go on for a number of years in regards to information requests, data requests, upgrades, or changes to their environment, looking at how they can operate differently, tremendous amount of lessons learned. We can only hope that there's still continued information sharing so that others can learn from this as well. The one piece that I've heard is kind of the... Clearly, this has impacted an IT side of the organization. And again, we can talk about the stuff in-between, but having this resulting outage, that would indicate to most people that they weren't prepared.
Tim Conway:
And to this point here, I would counter that and say the fact that they detected it, the fact that they were aware, the fact that they moved down to the next step of seeing where it had gotten to and they had likely run through exercises to develop a procedure to say, "If this condition exists, it presents this risk to us and we need to start contemplating how to contain and how to potentially impact or perform a scheduled outage," that they had walked through all of that thinking prior to this event and they moved to proactively taking down an operational asset out of an abundance of caution, I think that is indicative that a number of these other things had to have occurred prior to this event, from a training, from an exercise, from discussions of when to disconnect or how to disconnect, and then actually executing on that with approval from leadership understanding what the financial impacts and risks are.
Tim Conway:
That's a lot of conversations and a lot of activity that had to occur in order for this system to be determined to be taken down on Friday based on what they knew. If none of that had occurred, likely it would have been up and operating and available for an adversary to continue on to the next step and further impact assets and have a longer extended outage under the control and authority of an adversary group instead of the asset owner and operator.
Tim Conway:
As we talk about these detection times and the need for OT-specific detection capabilities, at this point when things move from the traditional IT into the in-between space and then down into the OT segments, you're really looking to where can you place sensors? Where can you place detection capability so that you can start to reduce this ICS compromise-to-detection gap, and you can start to then further inform response teams to further reduce this detection-to-containment gap?
Tim Conway:
And then ultimately, if there is an effect on your system because of all the actions and how you've positioned this and what you've detected, you've taken a series of steps such that even if there is some effect, you've reduced the overall impact of that effect and now you're reducing the containment-to-remediation gap as well. Jeff, we are going to have you walk through a couple of these different types of assets and thinking about specifically from a ransomware perspective how these assets could be impacted and how you could better prepare yourselves from an IR perspective prior to the event and during and after it.
Jeffrey Shearer:
Sure. Yeah, absolutely. Within industrial control systems, some of those things are foreign to our IT brethren and very comfortable to the OT engineering group or maintenance group. And so what needs to happen is... this is my method, is I take all the ICS asset types, and I break them down into their individual parts or their atomic elements or whatever fancy words you want to use. But for instance, on the PLC side, I've got firmware, I've got a program, I've got data, I've got configuration, I've got design software. And so I take those elements and I say, "Okay, during a complete outage, I need to have available to me for restoration purposes the firmware, the program, very specific kinds of data which we'll talk about, any specific configuration and the design software to be able to load it." I walk through an entire environment and determine what those things might be.
Jeffrey Shearer:
As we move to the HMI, same thing. Smart valves, switches, routers, and firewalls, we would call that infrastructure. I divide that off into a separate category and I go get switch, router, and firewall experts. Not every OT person is familiar with that, so we might lean on the IT side to say, "Hey, can you help us restore this or configure this? Help us get visibility back." And then last but not least, from the server and application side, what was I running for an operating system? Can I even put it back?
Jeffrey Shearer:
It's surprising some of the old operating systems that are running current ICS systems and we need to be able to put it back because that was what was validated. We need to have access to the patches, the applications and the application patches. And so what tweaks? Jason Dely kindly reminds me, "Hey, remember when we tweaked the operating system for this or that to get this running?" I was like, "Oh, yeah." So somewhere we need to have this kind of design methodology when we back things up and we have to go back into a restore.
Jeffrey Shearer:
Truths about ICS, some axioms for us. A lot of times backups in the ICS absolutely exist, but they're hardly ever current. We can do things like get in there and force IO subsystems to be in a certain state and we never back it up. You can plan for number two, which is plan for your worst day scenario, where you're going to rebuild from scratch, where scratch means you can get current day operating systems and you'll have some out-of-date artifact, and you're going to put it back together and then you're going to start working through the problems. That will take you a long time. I've seen it happen, I've been part of that scenario. It's not comfortable.
Jeffrey Shearer:
Last but not least, don't expect that your OEM, the people who provide that equipment to you or your system integrator, will save you because they will not. They will not have backups that are equivalent to what you're running. These are kind of the things that I've learned the hard way.
Jeffrey Shearer:
I wanted to specifically talk about code. People will run around saying, "Hey, we need to back the code up, hey, we need to back your code up." And that is true. However, the code needs to be protected as well not just from a restoration standpoint, but also from, "If I get my hands on code, I can understand the operational importance of the machinery and things that I can do inside the code either to the data or to the code itself in order to make the machine behave not as intended." The code, yes, we need to back it up, and yes we need to understand that it is current, but we also need to know that it tells an adversary how things are running.
Jeffrey Shearer:
As part of the recovery plan, data types will tell us what kind of recovery plan we need. Generally speaking, I've broken it down into four categories. There's dynamic data, which we don't really have to include in backup because it's computational data. It's something that is constantly changing. As soon as we turn the system on, it's going to be computed. There's recipe data, which we can restore and we can say, "Hey, put the valve settings to this, put the temperatures to that. We're going to run this product. It is not real sugar, it's brown sugar. So let's do these batch kind of things." We can put them back, but that can be held for ransom. So we need a recovery plan for that kind of data.
Jeffrey Shearer:
Current batch or product data. So we saw in the Colonial Pipeline, I'm sure they had current data about what was in the pipeline, about what was in the tanks. And so we needed to understand that if we hit the go button, what's the real current batch data that we need to make sure that we do? Sometimes we can get a good snapshot of that before an event occurs. Not all the time, we may have to reconstruct that. And then last but not least, I call it conditional. So there are some machines where you actually have to zero machinery and you have to build pressure and you say, "This is zero. Literally, it's zero, pressure-wise it's zero," or I turn on a pump and I say, "This is the new idle pressure, or a robot I got a holding." These are the types of data that will actually drive a recovery plan.
Tim Conway:
Thinking about that recovery plan that Jeff just walked through, the different pieces of data that you would need from the various devices and systems if that is impacted or made unavailable and you're looking towards how do we restore or how do we recover, that's really where this discussion, which should be familiar to many from an industrial control system perspective, comes in. If you're needing to go back to an as-designed, an as-built kind of recovery because that's all that's left after a ransomware attack, you likely have a lot of things to do to move it back to an as-operating condition.
Tim Conway:
So it's that difference between as-built, as-designed versus many, many years into the future the as-operating and all of the changes and modifications that have happened across operator displays, across device configurations, and ensuring that you have those absolutely current capabilities to restore from, and not just sitting on an engineering workstation, but also elsewhere. Considering some of these things, that would squarely fall into the preparation side of where do those recovery capabilities exist. And then if you move down this operational IR plan, being able to access those and use them and then validate when you're in a recovery phase.
Tim Conway:
Two areas to highlight here. This containment piece is looking towards an effect that's achieved in an environment, and then being able to walk back up to say, "Based on what was demonstrated, based on what was observed, or based on what was discovered with our OT detection, here's where the adversary must be, or this is how they likely gained access, based on trust relationships." In order to do that, you absolutely need to understand all your data flows, all the communication components that are coming in through industrial DMZs, through third party vendors, and even getting that documentation and getting it all put in place as part of the preparation side to know what you know, kind of the inventory of hardware, the inventory of software, the configurations of various devices, the data flows that exist in your environment.
Tim Conway:
That is a large effort that needs to be done before the incident, in the preparation phase, so that you can understand it. On the operations side, the point Jeff just made in regards to what was the state of the system before the event happened? So what were the current products and customer delivery points? What was our current state of operations before it happened? So using things like historians and trendlines and other stuff that you could go look at to reconstitute the state of the system.
Tim Conway:
Also, the ability to have some isolation and manual control so that you can operate through an event, or the decision-making in place to say when you can't. That based on what we're seeing, based on adversary position, based on demonstrated capabilities, and the ultimate risk to safety of personnel, of equipment, of the communities that you serve or customers, and the decision-making clearly in place on when to move towards these scheduled outages. Absolutely looking through this from the perspective of an OT lens, consider your OT-specific response plans.
Tim Conway:
We only have one slide left and we'll be seeing Rob T. Lee emerge soon with the hook to take us off the stage. But one thing that we would talk about here is this response, the whole-of-government response that has come. And this is generally not what you would want to see if you were in a ransomware team impacting a company, kind of a whole-of-government response with nine different agencies all operating waivers for EPA, for noncompliant fuel delivery, DOT extensions and waivers for tanker trucks to have alternative means of delivery, individual state actions that went down to expanding weight limits for tanker trucks and operations, considerations of alternate transportation on rail or maritime vessels.
Tim Conway:
This has bubbled up very, very high in regards to how do we continue to operate through this attack and what actions should we take and how should we prepare as a nation and how are we going to respond to this? Assume at that level of bubble up, this isn't going to go away now that everything's restored. There's going to be ongoing discussions of who should have what authorities, there's going to be ongoing discussions around what regulations or what requirements should be put in place, there's going to be just a tremendous amount of activity geopolitically about how do we start to respond to these types of ransomware cases differently as we expect they're going to continue to rise as well and move more into critical infrastructure, more into OT-specific impacts and really become this fog of war in regards to is it a criminal action, or is it a state-sponsored action?
Tim Conway:
And being able to understand that and differentiate, and then the need for defenders to have that training, have that visibility, have the skills and abilities so that they can respond to these increasing levels of attacks and complexity. Again, slides will be provided in PDF, so a number of the different resources that we used that fed into this. I believe today we have a SANS ransomware page that has been put up with a number of different resources available. There's a lot of different areas of SANS if you look at training or an educational institute that may have a college of business, college of law, college of education, in our curriculums where we have forensics and blue team operations and pen testing and offensive ops.
Tim Conway:
Ransomware is sprinkled throughout and is something that we're all facing and all dealing with, not just in the ICS space, but in a lot of different areas. From a user perspective on security awareness and resources there to a forensics perspective, just a tremendous amount of resources and activity occurring in the space, I would highly recommend going to check out some of those resources on this page and plugging into some of these talks that are scheduled for the future.
Tim Conway:
With that, we are four minutes over, which I'm actually impressed that Jeff and I landed four minutes late. But here's some additional resources. Jeff, thank you very much for joining me today. And Rob, I turn it over to you. I think you're muted and you likely need to request an unmute. So whoever your operator is needs to unmute you. In the meantime, we can say whatever we want. Jeff, anything you've got?
Jeffrey Shearer:
Two computer strings walked into a bar.
Tim Conway:
Oh, perhaps humor is something you really have got to get used to!
Jeffrey Shearer:
Yeah, it takes a while.
Tim Conway:
Rob, I don't know if... I cannot unmute there. See, no. And I do not know-
Rob T. Lee:
Now I'm unmuted. Yay, okay.
Jeffrey Shearer:
Yay, there you go.
Tim Conway:
Thank you, Rob.
Rob T. Lee:
Thanks, guys. Tim, one of the things that you said earlier about the number of events that happened on the Colonial Pipeline, no one had even heard of it, you said less than 30 of similar shutdowns that have occurred over... What was the timeframe again? I was trying to get-
Tim Conway:
Over 20 years, CNBC has a good timeline of this where they're walking through kind of, "Hey, when Hurricane Katrina hit, it impacted the refineries that were bringing product in." And so pipeline operations were not occurring. And that lasted for 8, 10, 12 days, and the speed of this product moving across the pipe, I believe Jeff referenced a five mile an hour delivery speed. So even when it started to restore, the time it would take to make its way all the way up to different terminal stations extended restoration. Hurricane Harvey actually impacted pipe from flooding conditions and other issues, so it also caused full disruption.
Tim Conway:
Across those 30 events in 20 years, there were other smaller ruptures and pipe leaks and other things that were partial impacts. Like any other critical infrastructure where you're operating physical assets deployed throughout the field, there are outages and events that occur all the time, but the resilient operations make it so that there are all kinds of other emergency plans like tank storage and alternate delivery methods, where the customers and communities they serve are often not aware of the different failures that have happened throughout time. This one is unique as it's cyber, and it's less planned, less predictable and an emerging issue.
Rob T. Lee:
And national news, yeah. I really thank you guys for putting this together. The amount of expertise and insight that you're able to bring to this and just general knowledge of information like that really brings a steady hand to the current events that are going on. For everyone who's attending, these slides, the presentation and additional resources that were linked in this presentation will be making their way onto a blog that we're going to be posting on both Twitter and LinkedIn and on the SANS website.
Rob T. Lee:
But I really appreciate both of you for taking the time to put this together. This is no easy task. The amount of in-depth information in here is flat out amazing. I really appreciate everything you guys do to continue to contribute to SANS and to information security as a whole. Without further ado, thank you all for attending the emergency webcast. Pay attention to social media at SANS Institute and on LinkedIn for the posting of the blog that'll link to the slides and the webcast. Thanks, everyone.
Jeffrey Shearer:
Thank you.
Tim Conway:
Thank you.
Q&A from Ransoming Critical Infrastructure - Emergency Webcast
1. Did Colonial Pipeline pay the $5 million ransom? Why are victims still paying?
The most recent reporting available on this topic is from Bloomberg; we are not confirming this report in any way, just pointing to it as the most recent reporting on the topic: https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom
For the second part of the question, general guidance discourages payment; however, each incident is evaluated uniquely by the asset owner and operator as they evaluate all options to protect stakeholders and service their customers and communities safely.
2. In your opinion, do you observe any gap or area of improvement in Colonial Pipeline's incident response to this attack?
Identifying the lessons learned from an event and areas for improvement will always come in the later stages of the incident response process, and I am certain there will be lessons learned from the event, as there always are.
3. Is it really useful to make the distinction between IT and OT?
Indeed IT is an area where most of us know our way around the protocols and OT isn't, but I don't think that OT has other IT security and IR principles than IT. There are very important distinctions between traditional IT environments and cyber-to-physical OT environments that drive significant design and operating criteria. Let’s walk through a couple of differences as viewed from the OT operator and engineering perspective. First, let’s look at response time. From the “traditional” IT perspective, having a customer fill out an issue ticket and processing them in order of the incoming queue can be detrimental to operations. This has caused friction between IT and OT teams for generations. Around-the-clock response teams for OT are traditional, whereas IT support teams may not be staffed to support around-the-clock response no matter where or when the call comes in. Another example is that OT assets control physical devices, so when something malfunctions, there is probably going to be a physical consequence to the malfunction. If an IT system malfunctions, it is unlikely that a physical asset will be affected. Another topic that often comes up when we talk about differences between IT and OT is “time”. Within an ICS environment we require network latency and jitter in milliseconds and sometimes microseconds. Most IT networks are not designed to support this requirement. Also, Quality of Service (QoS) on the network is a major consideration within an ICS network, whereas it is less important for an IT network. Bottom line, IT and OT need to work together to define the differences in each environment.
4. Regarding the MES example for IT/OT integration - would it be fair to say that the IT/OT level of integration is not that significant when it comes to utilities (transmission and distribution)?
Technically, a SCADA system should be able to run if completely network air-gapped from the IT network. There are many examples of IT/OT integration on the T&D side – study and analysis tools, market operations, billing, metering, outage management, work management, GIS, and many others. In relation to the air-gapped part of the question, in many cases connections exist in and out of SCADA system environments specific to data exchange across organization IT networks for primary and backup control center environment replication and data feeds into distribution management systems, further connections to ICCP peers, and possibly out to some facilities or peer utilities directly. There are lots of variations here in regard to network architectures and communications paths depending on the type of entity and operational assets.
5. Do you have any thoughts on how ransomware could manifest itself/impact OT in Power systems (generation, distribution)? Does the electricity stop?
Short answer for the first part of the question in regard to thoughts on impacts – yes, I have many, and as an industry we consider those possibilities and exercise them. In regard to the second part of the question, there are scenarios where impacts can be achieved, but the complexity and specifics of a ransomware attack that moves to OT and causes specific impacts would need to be evaluated and considered based on the uniqueness of each entity.
6. In your opinion, is "exercise abundance of caution" the right approach for critical infrastructure operators or should they be mandated to have a more solid disaster recovery / incident response plan to resume/recover within x number of days/hours/minutes/seconds ahead of time?
I believe the operators and asset owners are the right people, and the only people, capable of assessing potential safety concerns to their operational environments and in turn making decisions on how to position the system due to assessed risks. In regard to restoration and recovery, there is an important concept of recovery of function, which can happen through alternate emergency operations while other activities focus on restoration of services and returning to normal operations.
7. OEMs love to bypass DMZs and access straight into level 3 and below "because they need to for the contract" - how do we manage the risk in those direct links?
There are so many variations on this potential answer, determined by frequency of access, defined need for action / control, method of access, and duration of access. These factors can point to a variety of different technical controls and potential architecture implementations to reduce or eliminate the risk.
8. Colonial reportedly (NY Post) paid $5 million. Are some entities paying to provide confidentiality of exfiltrated data without paying for unlock of data in-house?
Many ransomware groups have shifted approaches to take advantage of this additional option for payment.
9. Not to come off as a dinosaur/grey beard, but, on the topic of critical infrastructure/operations like this current target/topic, at what point does the exuberance/convenience/risk around OT data visibility outweigh the benefits of having the access and bidirectional hooks to it? I know it is a philosophical question/can of worms, but, in days of yore we didn't have to even worry about these attack vectors, as the systems were not subject to these interdependencies that brought Colonial to a screeching halt. Might there be a case/justification for air-gap-level security for similar OT systems?
There have been some approaches along these lines pursued in high-impact sectors and at specific facilities where unique risks exist. The Senate passed the Securing Energy Infrastructure Act (SEIA) in 2019, which will research the benefits of "analog and nondigital control systems."
10. Has it been identified what the attack vector was that allowed DarkSide to gain an initial foothold?
A number of initial infection vectors for DarkSide have been provided in the FireEye report: https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operation.html
11. Brian Krebs mentioned, and I heard this brought up in the past, that DarkSide and some other malware won't run on systems with certain Cyrillic keyboards installed. Presumably this is some kind of attempt to keep attacks outside the attackers' home countries. Are these reports accurate, and if so, has there been any movement to mitigate possible attacks by pre-installing these keyboards on critical machines?
There are a number of defender approaches that can be leveraged to defend against specific elements of the adversary tactics; however, this is a dynamic environment, and specific defenses will be learned and adversary approaches will be adjusted.
12. Do we have any information related to external vendors or partners in the Colonial environment, and whether or not this played a role in the event?
With an ongoing investigation underway, I would imagine there is still much to be learned; however, based on the information shared by Colonial Pipeline thus far, I would anticipate that if an expanded risk to other targets was discovered, it would have been shared with the appropriate parties.
13. One thing I am curious about is this. Did they pay? Or restore/rebuild? That detail has me curious from the cost of ransom versus the cost impact of being down: reputation, fear, panic, etc. I noticed the news has not alluded to whether they paid or not?
The most recent reporting available on this topic is from Bloomberg; we are not confirming this report in any way, just pointing to it as the most recent reporting on the topic: https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom
14. Can you say anything about the dangers of "leaking information" and the impact on trust relationships when that happens?
Matt D.: Assuming we are discussing human information leaks, the impacts would be significant. Trust is an extremely important element in any relationship, and certainly amongst the critical infrastructure ICS community. We lean on each other from sector to sector, from peer to peer entities, and throughout the entire stakeholder ecosystem; violations of trusted information sharing would have broad impacts.
15. How can we get PDFs of the slides?
You can find the PDF slide presentation here - Ransoming Critical Infrastructure
Ransomware Resources
Learn more about ransomware from this SANS Ransomware Resource page