A Colonial Pipeline incident Q&A with MxD’s Jon Powvens
Before next month's INSIGHT series webinar on using cybersecurity to save your business money, read Jon's lessons from the recent hack here:
MxD labels itself as a facility that equips US manufacturers with the digital manufacturing tools and expertise they need to stay competitive. And since MxD is funded by the US Department of Defense, we figured we should get their perspective on the Colonial Pipeline hack.
Here see our Q&A with Jon Powvens, MxD’s director of cybersecurity.
Smart Industry: Why did this happen?
Jon: We do not have direct knowledge of the event, or the attackers. Based on reporting from other sources, this attack appears to be tied to a group called DarkSide. A statement released by DarkSide stated that the goal of the attack was financial gain. DarkSide appears to operate as a “hack as a service” model. This means that they target companies that they are paid to target. Why Colonial Pipeline was targeted is not entirely clear at this moment.
Smart Industry: What does this mean for manufacturing?
Jon: For manufacturers, this attack highlights the importance of cybersecurity for your entire organization. Like most organizations, Colonial Pipeline has ties between the enterprise or IT environment and the OT pipeline-management systems. As data is needed to make business decisions, connections from traditionally air-gapped or non-networked equipment are needed. These additional connections and the collection of data empower organizations to make improvements to safety and operations using data analytics. However, the security implications were not well understood as these connections were made. Reporting has stated that only the IT system of Colonial Pipeline was attacked, but the OT systems were considered at risk after the loss of the IT systems.
Smart Industry: What can we learn from this?
Jon: As the world’s attention is now focused on DarkSide, it is possible that the attackers might lay low for some time or shift their targets. As manufacturing often lacks security controls, it is only a matter of time until the sector becomes an even larger and more popular target. Given this increasing risk, cybersecurity should become as important as environmental health and safety for factories.
Choosing to not take action and protect your environment may save money today, but it opens the door to increased risk tomorrow. Cybersecurity cannot be an afterthought; it must be baked into the factory operations. Every manufacturer should be looking at the connections between their IT and OT environment and ensuring that only required traffic is allowed. Every organization should have a detailed plan for how systems will be restored, and this plan should be tested. We do not know what the next attack will be or how it will work, but we can take reasonable precautions.
Smart Industry: What are our next steps?
Jon: Organizations should look to the National Institute of Standards and Technologies (NIST) cybersecurity framework: Identify, Protect, Detect, Respond and Recover. For each piece of equipment or system in the factory, your organization should be able to answer each of the below points. As most small and medium organizations will be focused on returning to normal operations as quickly as possible, Recover may require focus even earlier in the process.
Step 1: Identify—The make, model, version, software version, IP address and network location of every system involved in your manufacturing lines.
Step 2: Recover—Detail the recovery steps for each identified system, how long it takes to recover, and what it is dependent on for recovery.
Step 3: Protect—Determine what protects each system: a firewall, antivirus, log retention, or other protection scheme.
Step 4: Detect—Ensure that alerts generated from the Protect step are reviewed and understood.
Step 5: Respond—Ensure that suspicious behavior of systems is investigated.
There is a specific next step that organizations can take regarding this attack and similar ones. This malware, like many other strains of crypto-locking malware, will not execute against a system with a Russian or Cyrillic keyboard installed. In Windows, multiple languages can be installed, and certain strains of malware will not install on Russian-language systems. These additional language keyboards can be installed while maintaining the English keyboard as the primary keyboard and language.
While the best defense against cyber-attacks is a comprehensive plan that covers the steps above, this simple, free installation may protect you from a future attack.