What the cyber-attack on the Colonial Pipeline means for Intelligent Industry
The news that the largest hydrocarbon pipeline in the US, the Colonial Pipeline, has been shut down following a cyberattack marks the latest in a series of attacks on critical infrastructure. Security concerns relate to both state-on-state actors and cybercrime groups seeking to steal data to sell or ransom.
The reaction is telling. Fearful of disrupted fuel supplies, the White House has responded by loosening restrictions on the road haulage of liquid fuels - a transportation method known to be higher risk than pipelines or rail.
Predictably, as news emerged about the attack and its consequences, some have suggested that the open door for such digital assaults is connectivity, specifically ‘the internet’, and that all pipeline systems should be on a closed-loop unconnected system. But such systems remain vulnerable to physical attack. The successful introduction of the Stuxnet virus into the Iranian uranium enrichment programme was achieved via a USB stick, for instance.
Pete Woodward, co-founder and CTO at cyber security specialists Securious, explains that the process to identify vulnerabilities for potential attack is much more complex than simply reducing breaches to connectivity: “From a Cyber Security perspective, we have to understand how the operational services are being delivered, and what levels of user access along with all of the relative controls around how these systems are accessed and managed is addressed. For example, if engineers are accessing these systems remotely, due to the coronavirus restrictions, what controls are in place and what additional risks have been highlighted and addressed to allow a similar level of security as when they are ‘on-site’ to manage these? Did this open up a threat vector that was not addressed and has now allowed a malicious actor onto the critical network via a remote vulnerability?
“To defend against these cyber-attacks, and many others, you need to have a risk strategy that not only looks at the physical and operational risk, but also the cyber related risks.”
The same debate raged as soon as banking started to harness the power of computers, with a clarion call for a return to the equivalent of the quill pen to frustrate those who would seek to compromise digital systems. Such retrograde approaches are not only ill-informed but may also be irresponsible. They are a knee-jerk reaction to cyber-attacks that belies a much wider (and urgent) need for the digitisation of pipelines.
The US, for instance, has over 2.5m kilometres of pipeline infrastructure which is in excess of 50 years old, whilst the incidents which are reported to PHMSA (the US regulator) remain stubbornly level for lack of a game-changing factor in pipeline infrastructure management.
Nowadays connectivity in the world of finance is taken as read, and our financial markets only operate at the speed and volume that they do due to the immense power of technology underpinning every aspect of this market. At Dashboard, we believe that all control systems should harness the advantages of connectivity and exist grounded in cyber security.
Industrial digitisation is as inevitable as the replacement of oil lamps by electricity. The question is how to harness industrial data to achieve sustainability and efficiency without compromising security. Unlike traditional SCADA systems, the revolution in data-led solutions originated in finance, logistics, and consumer-driven marketing, all of which operate in highly regulated markets and are continuously under attack. Consequently, such industries have evolved to strengthen their security and embrace the benefits of mass connectivity.
The solution to securing critical infrastructure isn’t unplugging or closed-loop systems (which invariably have vulnerabilities); it is the deployment of end-to-end infrastructure management solutions built to comply with the most rigorous electronic security standards. Most cyber-attacks seek to exploit vulnerabilities in legacy systems or intercept communications at critical interfaces within the system. Such opportunities for penetration typically arise thanks to multi-vendor systems rather than integrated solutions which have been independently tested for their resilience.
Dashboard’s security credentials
Dashboard industrial systems architecture exploits the full potential of high-resolution monitoring. This is done through converging all available data sources to enable predictive analysis. We consider cyber security at every stage, ensuring our systems meet the highest standards. To contort operational management of infrastructure to sidestep an external security threat runs the risk of failing to understand the (statistically) greater threats posed by operational risk.
Dashboard partners with some of the leading data security specialists in the market, uniquely qualified to assess the risk for each and every attack vector and with whom we develop hardened systems.
Already Cyber Essentials accredited, Dashboard is currently working towards full ISO 27001 certification, with the support of our security partners Securious, and strives to be at the forefront of innovation in ultra-secure infrastructure monitoring and analysis. Our participation as a partner in a £7.8m R&D project on quantum encryption illustrates our intention to provide market-leading resilience and security for our industrial solutions, as do our technical partnerships with collaborative specialists in the field.
Contact us now to discuss how Dashboard could support your business security.
By Piers Corfield, Dashboard CEO