Americans have long feared a “Cyber Pearl Harbor”: the big, devastating kind of cyberattack that might fry a power grid during a cold winter, poison the water supply in Manhattan or blow up a chemical plant. These are the kinds of strikes that could pose an existential threat to the United States, kill hundreds of people, and, given the severity of such an attack, likely presage war against the aggressing nation. The common thread in these hypothetical catastrophes is that they’re all examples of cyberattacks against operational technology (OT)—the systems that manage the industrial processes that underpin major aspects of our daily lives.
The ransomware operation that locked up Colonial Pipeline’s business networks last week—which resulted in the company shutting down 5,500 miles of pipeline that stretch from Houston to New York—doesn’t seem to fit this paradigm. Colonial Pipeline’s OT systems were reportedly not even the target of the hackers. Instead, the shutdown was ordered by the company itself, out of fear that the ransomware might be able to jump from its information technology (IT) networks into the industrial systems. As a result, a band of cyber criminals in search of easy money crashed one of the main energy arteries that powers the Eastern seaboard. This was not the sort of “Cyber Pearl Harbor” most people expected.
The fact that ransomware caused a multi-day shutdown of an energy distribution network—and generated real economic pain in the process—offers an important lesson: While the United States has been girding itself for a nation-state to launch a massive attack against critical OT infrastructure, Colonial Pipeline has demonstrated that criminal actors targeting a company’s IT systems can also cause the type of real-world infrastructure shutdown we’ve long feared. It’s a massive security liability. And, unfortunately, it’s one that defies a quick fix.
The reason that a ransomware operation against the IT side can result in a shutdown of the OT systems is because, though separate, the two systems generally aren’t very effective if they can’t communicate. OT monitors the valves, mechanisms and pumps that mix chemicals, manufacture parts, check pH levels in water, and, yes, control the flow of gasoline down pipelines. If OT can be understood to control the industrial side of things, IT systems underpin most daily business functions for a company like Colonial Pipeline—such as its ability to track and bill customers, communicate internally and track how much gas has been distributed over thousands of miles of dispersed pipelines.
Because of their importance, IT systems are a hot target for cyber criminals, whose ransomware operations have skyrocketed since the start of the COVID-19 pandemic. Companies that are hit are in a tight spot: they’re locked out of their systems unless they pay a ransom, but paying ransom to cyber-attackers is illegal. (Notably, however, even the White House on Monday was unwilling to flat out tell Colonial Pipeline not to pay, which is perhaps an acknowledgment of just how difficult the company’s predicament is.)
Industrial businesses need both functioning IT and OT in order to conduct operations. Colonial Pipeline can’t make money unless it can track and bill customers for the amount of gas metered out—a process that relies on the IT systems. And without OT, there is, of course, no gas pipeline to distribute fuel in the first place. In short: the pipeline—or the water treatment plant, or the power grid—isn’t safe if the home office software isn’t secured. And vice-versa.
But securing OT isn’t easy. While one highly encouraged method is to “airgap” OT systems by running them on an independent network that never connects to the broader Internet, this set-up can be difficult or impractical and is still not a guarantee of security. Furthermore, in recent years we’ve seen the difference between IT and OT increasingly blurred, as IT systems are more closely integrated with industrial operations to facilitate information-gathering, efficiency and optimization (IT/OT convergence).
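Where a true airgap is impractical, the practical fallback is enforced segmentation: IT and OT live in separate zones, and the only permitted crossings go through a DMZ (for example, OT pushing readings to a historian that IT reads). The script below is an added example, not code from the article or from any pipeline operator; it audits a constructed firewall rule list against a hypothetical zone layout (the address ranges, the `allow/deny` rule syntax and the `tcp/502` service notation are all assumptions made for the example) and flags every rule that would let traffic from outside the OT zone reach OT assets directly. That is exactly the kind of "jump" path the article describes, and it is the check a defender would run after a segmentation project claims to be finished.

```python
import ipaddress

# Hypothetical zone layout, constructed for this example (not any real network).
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.20.0.0/24")],
    "OT": [ipaddress.ip_network("192.168.100.0/24")],
}

# Constructed sample rule list in a simple "action src dst service" form.
# Comments after '#' describe the intent of each line.
SAMPLE_RULES = """\
allow 192.168.100.0/24 10.20.0.5 tcp/5432    # OT pushes data to DMZ historian
allow 10.10.0.0/16 10.20.0.5 tcp/443         # IT reads the DMZ historian over HTTPS
allow 10.10.5.0/24 192.168.100.0/24 tcp/502  # IT subnet straight to OT Modbus: violation
allow 0.0.0.0/0 192.168.100.20 tcp/3389      # anything to an OT host over RDP: violation
deny 0.0.0.0/0 192.168.100.0/24 any          # default deny into OT
"""


def zone_of(prefix: str) -> str:
    """Map an address or prefix to a zone; 'UNCLASSIFIED' if it is not fully
    inside one zone (e.g. 0.0.0.0/0 or an address outside the layout)."""
    net = ipaddress.ip_network(prefix, strict=False)
    for name, ranges in ZONES.items():
        if any(net.subnet_of(r) for r in ranges):
            return name
    return "UNCLASSIFIED"


def parse_rules(text: str):
    """Yield (line_no, action, src, dst, service) for each non-comment rule line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, service = line.split()
        yield line_no, action.lower(), src, dst, service


def audit_rules(text: str):
    """Return every 'allow' rule whose destination is in the OT zone and whose
    source is not itself OT. An unclassified source (such as 0.0.0.0/0) is
    treated as a violation too, because it includes the IT zone."""
    violations = []
    for line_no, action, src, dst, service in parse_rules(text):
        if action != "allow":
            continue
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if dst_zone == "OT" and src_zone != "OT":
            violations.append({
                "line": line_no,
                "src": src, "src_zone": src_zone,
                "dst": dst, "dst_zone": dst_zone,
                "service": service,
            })
    return violations


if __name__ == "__main__":
    for v in audit_rules(SAMPLE_RULES):
        print(f"line {v['line']}: {v['src_zone']} ({v['src']}) -> "
              f"{v['dst_zone']} ({v['dst']}) on {v['service']} crosses into OT")
```

The audit deliberately treats the DMZ as the only legitimate meeting point: OT may write to the historian and IT may read from it, but no `allow` rule may terminate inside the OT range unless it originates there. Extending `ZONES` with a vendor-access range and a separate allow-list for it is the usual next step.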
In conclusion, it’s not that “Cyber Pearl Harbor” is always the wrong way to look at the cyber problem. In terms of encouraging government and industry to think creatively about unexpected challenges, it might in fact be quite useful. But the limit of the analogy is that it encourages us to imagine that our greatest cyber threats will come with a bang—when the reality for the past decade has been the steady drip of incident after incident that chips away at our illusion of security, reveals our significant vulnerabilities and then is ultimately forgotten until the next attack.
This is why we need to worry about Colonial Pipeline—because it doesn’t take an intentional nation-state attack to turn off a key pipeline: talented criminals can accidentally achieve the same result in their quest to make a quick buck.
Image credit: oz
- “Colonial Pipeline’s”: https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html
- “reportedly not even the target”: https://twitter.com/darktracer_int/status/1391735232991092738
- “was ordered by the company itself”: https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption
- “might be able to jump”: https://www.whitehouse.gov/briefing-room/press-briefings/2021/05/10/press-briefing-by-press-secretary-jen-psaki-homeland-security-advisor-and-deputy-national-security-advisor-dr-elizabeth-sherwood-randall-and-deputy-national-security-advisor-for-cyber-and-emerging/
- “real economic pain”: https://www.cbsnews.com/news/colonial-pipeline-ransomware-gas-lines-shortages-price-rises/
- “skyrocketed”: https://www.infosecurity-magazine.com/news/ransomware-attacks-grow-2020/
- “illegal”: https://cisomag.eccouncil.org/paying-ransom-is-now-illegal-u-s-dept-of-treasury-warns/
- “even the White House”: https://www.whitehouse.gov/briefing-room/press-briefings/2021/05/10/press-briefing-by-press-secretary-jen-psaki-homeland-security-advisor-and-deputy-national-security-advisor-dr-elizabeth-sherwood-randall-and-deputy-national-security-advisor-for-cyber-and-emerging/
- “highly encouraged”: https://media.defense.gov/2021/Apr/29/2002630479/-1/-1/1/CSA_STOP-MCA-AGAINST-OT_UOO13672321.PDF
- “not a guarantee of security”: https://www.f5.com/labs/articles/cisotociso/attacking-air-gap-segregated-computers