The National Security Agency is calling for all critical infrastructure in the U.S. to undergo risk-based security reviews of their operational technologies, also known as OT. This includes all defense OT.
As the NSA's newly released guidance says:
“A significant shift in how [OT] are viewed, evaluated and secured within the U.S. is needed to prevent malicious cyber actors from executing successful, and potentially damaging, cyber effects.”
This guidance comes as a cyberattack shut down Colonial Pipeline, the top fuel pipeline operator in the United States. The entire network went down as a result of the attack. That network accounts for almost half of the entire fuel supply for the East Coast of America.
It was one of the most disruptive digital ransom operations that has ever been reported. It also opened a lot of people’s eyes to just how vulnerable infrastructure like this is, not just in the U.S. energy sector but in other sectors as well.
Gasoline prices at the pump could spike considerably if the shutdown is prolonged, especially since the shutdown happened so close to the start of summer.
As Amy Myers Jaffe, the managing director at the Climate Policy Lab, told Reuters:
“This is as close as you can get to the jugular of infrastructure in the United States. It’s not a major pipeline. It’s the pipeline.”
This is what makes OT reviews so vital, as the NSA says.
OT includes the software and hardware that enable the physical components of infrastructure to function properly. Today, everything from motors to valves to circuit breakers is connected to hardware and software programs that could be vulnerable to attack.
OT systems are now prevalent throughout various critical infrastructure environments. Everything from the aforementioned energy pipelines to telecommunication networks, transportation systems, manufacturing plants and power grids runs on OT.
Cyberattacks directed at critical infrastructure systems will most often target the industrial control systems, or ICS. These monitor, automate and regulate OT systems.
If the OT/ICS are compromised, attackers can cause widespread outages and even cause physical damage to certain systems.
In the Colonial case, the company transports roughly 2.5 million barrels of gasoline each day through its pipeline. Other fuels also travel along the 5,500 total miles of pipeline that link refineries on the Gulf Coast to the southern and eastern U.S.
The pipeline also serves some of the largest airports in the country, including the Hartsfield Jackson Airport in Atlanta — the busiest airport by passenger traffic in the U.S.
On Friday, the company announced it had shut down operations after it learned of the cyberattack, which involved ransomware. As company officials said:
“Colonial Pipeline is taking steps to understand and resolve the issue. At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation.”
The NSA, meanwhile, is providing step-by-step guidance on how to use a risk-based framework to evaluate various OT environments. The guidance will also help operators make changes to both detect and inhibit malicious cyber activity.
As the agency said:
“Without direct action to harden OT networks and control systems against vulnerabilities … OT system owners and operators will remain at indefensible levels of risk.”