Pipeline Cybersecurity Initiative best practices

There is no question that ransomware attacks are on the rise.  They present what is arguably the most dangerous risk to businesses today when looking at the cybersecurity threat landscape. Recently, a ransomware attack impacted the Colonial Pipeline, one of the largest fuel pipelines in the United States. The devastating fall-out from the attack affected millions. 

This eye-opening attack on Colonial Pipeline sheds light on how critical service industries must protect themselves against the ominous threat of ransomware and other cybersecurity breaches. In 2018, the United States created the Pipeline Cybersecurity Initiative (PCI) to address cybersecurity risks to the country’s pipeline infrastructure. So, what is the Pipeline Cybersecurity Initiative? What cybersecurity best practices outlined by PCI do IT administrators need to implement to protect critical infrastructure from modern threats such as ransomware? 

Colonial Pipeline Hack – a brief overview 

In early May 2021, Colonial Pipeline, one of the largest pipelines in the United States, was forced to shut down operations due to a large-scale ransomware attack on its digital infrastructure. The 5,500-mile pipeline carries over 45 percent of the total fuel consumption of the Eastern Seaboard. As a result, Colonial Pipeline operations were down for numerous days while the company turned its attention to getting the pipeline back in operation. Due to the shutdown, Americans in the Eastern United States saw fuel shortages and a spike in fuel prices. 

The recent attack highlighted the ever-growing danger to critical infrastructures such as oil and natural gas, electric grids, water plants, and other vital services from ransomware and other cyberattacks. Aside from the recent Colonial Pipeline hack, attackers have penetrated the critical systems of various key infrastructure industries.

Note the following: 

• In 2014, an attacker planted malware in energy sector companies that provided espionage and persistent malicious access. 
• In 2014, an attacker infiltrated third-party websites, which allowed malicious software to be downloaded by ICS operators.  Among other things, it provided attackers VPN access to PLC devices. 
• In 2016, an attacker used a phishing campaign to steal credentials to infiltrate a Ukrainian electric company.  It allowed the attacker to shut down a section of the electrical grid, causing blackouts in Kiev. 
• In 2017, an attacker installed malware on safety instrumented systems (SIS) in a petrochemical facility and attempted to cause damage and injuries. 

Pipeline Cybersecurity Initiative 

 In October 2018, the United States Department of Homeland Security (DHS) drafted what is known as the Pipeline Cybersecurity Initiative (PCI). With the formation of the Pipeline Cybersecurity Initiative, the Cybersecurity and Infrastructure Security Agency, working under the purview of DHS, is spearheading the effort to analyze and address risks to the United States pipeline infrastructure. 

The Pipeline Cybersecurity Initiative (PCI) carries out three main functions: 

1. Analyzing the cybersecurity posture and preparedness of the country’s pipeline companies to help pinpoint significant vulnerabilities increasing risk to critical systems 
2. Develop risk mitigation strategies in response to ongoing risk analyses that help companies address current and emerging vulnerabilities and threats  
3. Sharing information between interagency organizations and key stakeholders seeking to raise awareness of critical issues, and inform pipeline cybersecurity activities    

Following the Colonial Pipeline attack, DHS, along with the Transportation Security Administration (TSA), announced on May 27, 2021, a new security directive to help protect and respond to threats against critical companies in the pipeline sector.  In part, the new cybersecurity directive will do the following: 

• Require pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS, 
• Designate a cybersecurity coordinator,  
• Require critical pipeline owners and operators to review their current cyber practices, identify gaps in cybersecurity-related remediations, and report these back to the TSA and CISA within 30 days. 

As documented by the Department of Homeland Security, there may be other TSA pipeline security guidelines: 

“TSA is also considering follow-on mandatory measures that will further support the pipeline industry in enhancing its cybersecurity and that strengthen the public-private partnership so critical to the cybersecurity of our homeland.” 

Cybersecurity best practice mitigations 

What best practices should IT admins follow for cyber risk mitigation in critical industries (pipeline, energy, water, etc.) and other sectors? Note the following cybersecurity best practices documented as part of the Pipeline Cybersecurity Initiative. 

1.  Boundary protection 

 This key to this best practice is network segmentation (creating sub-networks that house critical and operational Industrial control systems (ICS)).   

• Never expose ICS systems to the Internet without VPN, multifactor, proxy, or a combination of technologies 
• Separate these critical systems from the corporate network 
• Only allow specific traffic types and block the rest in firewall policies 
• Access to the ICS environment should only be permitted to essential systems/personnel 
• Only access ICS systems using hardened end-points and use separate devices for other functions 

2. Monitoring

Mitigating cyberattacks and risks involve effective monitoring. First, you should know what normal traffic to critical systems “looks” like. Then, establish a baseline to help quickly identify abnormal traffic. 

• Carry out network analysis 
• Scrutinize communications to new IP addresses or domain names 
• Disable unnecessary services or ports on operational or ICS systems 
• Monitor for abnormal end-user behaviors and logins that may signal a breach 

3.  Configuration management 

IT admins need to make sure they have the means to standardize the configurations of systems. Insecure or default configurations can provide an easy way for hackers to get into otherwise secure systems.   

• Maintain a baseline for applications, end-points, and operational systems 
• Continually evaluate the configurations of all systems on the network to ensure these meet the baselines established and have not “drifted” from sanctioned configuration settings 
• Perform frequent audits of all systems 
• Validate the authenticity of patches and other software downloaded as part of a standard configuration build of applications and business-critical systems 
• Enforce a change control process 

4.  Access Control 

 Enforce and verify that only authorized users, programs, processes, or systems have access to industrial control or other business-critical systems.   

• Restrict access to operational and industrial systems to only personnel with necessary access requirements 
• Enable strong passwords, multifactor authentication, and account lockout policies to prevent account breaches 
• Restrict unauthorized software applications 
• Use VPNs or other secure remote access technologies 
• Separate user accounts and password policies between IT and operational systems and do not use the same centralized IAM system 
• Change default passwords provided by vendors on devices, applications, and systems 

Enforce strong passwords and password policies 

Today, most organizations use Microsoft Active Directory Domain Services (ADDS) as their centralized repository of user access and permissions control.  In line with the guidance for Access Control found in the Pipeline Cybersecurity Initiative, organizations need to enforce strong passwords and have effective password policies in place.  Active Directory contains only basic password policy settings and no native breached password protection built-in. 

Specops Password Policy is a tool that allows businesses to bolster the password policies used in their organization and implement additional security for their Active Directory accounts that isn’t possible with native Active Directory functionality.   

Using Specops Password Policy, businesses can easily implement multiple password filters in Active Directory, which is not easy to do natively in ADDS. Also, Specops Password Policy provides real-time breached password protection to prevent users from selecting passwords that are part of existing compromised password databases.   

It is easy to implement password filtering in Specops Password Policy with just a few checkboxes.   

Specops Breached Password Protection found in Specops Password Policy is quick to implement and provides the ability to customize your approach to enforcing breached password protection in the environment. For example, prevent users from picking passwords that have been compromised when they reset them.  You can also force users to change their password at the next logon if these become breached. 

Concluding

The Colonial Pipeline hack shows that organizations today, especially critical infrastructure businesses, must guard against future cyberattacks. Often, these are using ransomware to lock up business-critical data and shut down services. The Pipeline Cybersecurity Initiative provides essential best practice guidance for the pipeline industry and other business sectors.    

User passwords are still the most basic form of authentication and must be protected from compromise. Out of the box password policies in Active Directory lack the features needed to protect against modern threats. Specops Password Policy adds essential elements to these password policies, such as easy password filtering and breached password protection, that provides the tools needed to meet modern and secure access control challenges.   

Learn more about Specops Password Policy.