Recent attacks on the third-party data system of several U.S. pipeline companies highlight the persistent need for better ways to secure industrial control systems (ICSs), particularly when third-party software is in use, security experts said.
Over the past several days, four U.S. pipeline companies reported a blackout of their data systems—electronic data interchange (EDI) systems provided by Energy Services Group’s Latitude Technologies Unit—which they use to communicate with customers. The companies–Energy Transfer Partners, Boardwalk Pipeline Partners, Chesapeake Utilities’ Eastern Shore Natural Gas and Eastern Shore—all said they suffered data-system breakdowns.
While the attacks at this point do not appear to have been aimed at damaging or disabling the U.S. pipeline, they do highlight the inherent insecurity of critical infrastructure systems and the constant possibility of imminent attack, researchers said.
“It does not look like from what we’ve seen that these impacted the SCADA network,” Patrick McBride, chief marketing officer at Claroty, an ICS security company, told Security Ledger. “As far as we know it didn’t attack the SCADA system, it attacked the Latitude system, stopping the documents and transactions that are integral to running the business, but not stopping the oil and gas [from flowing].”
At this point, experts believe the attack was more financially motivated than aimed at taking critical infrastructure offline or otherwise attacking the pipeline itself, he said. Hackers may have been seeking a ransom for removing the system blackout, or been seeking transactional data for other financial gain, McBride said.
Even though the attacks do not appear to have affected any data on the networks, it doesn’t mean critical infrastructure stakeholders should be any less vigilant about protecting their networks, he said.
“This should not give oil and gas pipeline companies specifically or critical infrastructure players any false sense of security,” McBride said. “These systems are very vulnerable. These systems remain very exposed and there are folks actively targeting those systems.”
“State actors are not turning off the gas pipelines or shutting down the electricity yet, but they are probing these networks, trying to gain a level of persistence so they can do what they want at a later point,” McBride said.
Unique security challenges
Pipeline companies in particular face significant security challenges due to the sheer geographical expanse of the pipelines themselves, said Bryan Singer, director of security services at security consulting services provider IOActive.
A major attack on a pipeline is something about which the firm has been concerned for years, he said.
“With a several thousand mile pipeline, pipeline companies must be able to access components at any time–keeping oil and gas flowing, maintaining service and preventing dangerous failures such as explosions and fires,” Singer said. “There are very serious health and human safety issues that must be prioritized when it comes to protecting these systems from potential hacks that threaten availability. Sustained attacks could deplete vital reserve stores and threaten these services.”
He called the latest series of attacks “yet another wake-up call that often fails to do the waking up.”
“It shows that utilities and operators really need a better understanding of who is connecting to what in their architecture,” Singer told Security Ledger. “We are seeing a rapid rise in attacks across all sectors, yet it seems that many operating companies are OK to remain blissfully unaware until they are not given a chance to remain so.”
While a direct threat to ICS networks is a frightening-enough proposition, the recent attacks demonstrated the possibility of entering a critical-infrastructure network through third-party providers the operator may be using.
The potential for intrusion this way highlights the need for ICS operators to take proactive control not only of their own network security, but also to ensure that third-party software on the system doesn’t provide an easy way in for bad actors, experts said.
With companies using third parties for system maintenance and support—and some of these workers accessing the system remotely—there is a lot of room for hackers to move to access the system indirectly, McBride said.
“The clear and present danger is that I break into one of your support vendors and get into the end targets,” he said.
Focus on third-party security
There are a number of ways critical-infrastructure providers can prevent this from happening, McBride said.
“You have to audit your providers,” he said, something he has seen firsthand at offshore exploration companies that are Claroty customers. The major oil company working with the third party “put it in contract language” that the drill ships had to have the same level of security as the oil company itself, McBride said.
“If they are going to have some sort of direct connect to the network, or they are going to have access to the network, there are additional controls you need to put into place like multifactor authentication and monitoring those connections [using] process, policy and technology,” McBride said.
Singer also had specific advice for critical infrastructure providers contracting with third parties to provide software and services.
“Include clauses all the way from RFI/RFP to engineering design to contract negotiations and re-negotiations that third parties must assure sufficient cyber security of their operations–including vetting of people, notification of hire and fire, and third-party audit of their products, systems, and connections,” he said.
Singer suggested companies look at the ISA/IEC 62443-4-2 Vendor Practices standard, which outlines responsibilities for integrators, EPCs (engineering, procurement and construction firms), vendors and operating companies regarding minimum-acceptable security standards.
Even if third parties aren’t doing the due diligence to protect their systems, there are still ways to protect ICS networks when a partner service or software is in use on it, he added.
“Turn the communications off and enable them only on demand,” Singer advised. “Assign laptops and resources from your own inventory and require the third party to use your assets and only approved VPN connections into your environment.”
Singer also suggested that utilities and other critical-infrastructure providers mandate that third-party partners provide evidence of their own cybersecurity practices before they permit them to renew long-term support agreements.