Perhaps the most shocking thing about the recent cyberattack on Colonial Pipeline Co. was that it could have been so much worse. All told, America’s largest fuel pipeline was out of commission for less than a week, having begun the slow process of getting its physical operations back up and running as of Wednesday evening. There were gas shortages across the US Southeast, but that had a lot to do with panic buying. Airlines took preventative measures such as adding refueling stops for certain long-haul flights and flying with extra jet fuel to preserve local supplies in affected markets, but the disruption was fairly minimal.
More than anything, the cyberattack was an uncomfortable reminder that software now runs through almost every corner of the world — as if we could have forgotten after a year-plus of Zoom calls and the recent high-profile shortages in the semiconductors that enable connectivity in everything from smartphones to cars and construction equipment. As my colleague Liam Denning put it, “whatever’s connected can be infected.”
Indeed, manufacturers were the most-targeted industry group for cyberattacks in 2020 after the financial sector, according to a report from International Business Machines Corp.’s X-Force cybersecurity group. The most common form of attack involved ransomware, which is what was used at Colonial Pipeline and essentially involves locking computer systems and holding them hostage until a sum is paid for their release.
Time has always been money for industrial operators. In fact, one reason companies have sought to connect machinery of all shapes and sizes to the internet in the first place is the pursuit of a technological edge that could help them predict and avoid costly, time-consuming breakdowns in key equipment. The consequences of forced downtime from a cyberattack mean manufacturers may be more likely to pay the ransom than, say, a data-center operator who can draw on backups for essential files. “This is about return on investment,” Charles Henderson, global managing partner of IBM Security’s X-Force group, said in an interview. “Why do you rob banks? That's where the money is.”
Manufacturers weren’t always such a preferred target. As recently as 2019, the industry was the eighth-most attacked by cybercriminals. Sectors such as retail, media and professional services ranked higher. Interestingly, the pandemic may have played a role in moving manufacturing further up the line. Corporate hackers usually try to blend in with normal operating activity, and the massive and sudden shift to work from home complicated some of their most tried-and-true practices, Henderson said. The avenues of attack had to change. Some hackers chose to pivot and target previously favored industries through the less sophisticated computer systems we use when working remotely; others saw the manufacturing sector as a ripe alternative target, Henderson said.
If there’s one thing the pandemic has taught us, it’s how critical industrial supply chains and utility infrastructure are to a functioning economy and our basic livelihood. Most manufacturers were deemed so essential that they were allowed to continue operating even through the darkest days of the pandemic lockdowns. Products we gave little thought to previously took on a whole new meaning. This included the freezer trucks that previously transported things such as sushi but now are used to ferry the vaccines crucial to bringing the pandemic under control.
A hacking campaign that began last fall targeted more than 40 companies involved in the so-called cold chain, including those that support the transportation, storage and distribution of vaccines, according to files uncovered by IBM’s X-Force. The tactics used in those attacks are instructive in understanding another reason that manufacturers can be fruitful targets for cybercriminals. A cyber adversary impersonated an executive from Haier Biomedical — a legitimate provider of low-temperature technology for the life sciences and pharmaceutical industries — and sent targeted phishing emails framed as requests for quotes in connection with Gavi, the Vaccine Alliance’s Cold Chain Equipment Optimization Platform, according to IBM. In this case, the perpetrator was likely a nation state looking to gain insight into vaccine procurement and distribution information, rather than money. But you can easily see how a similarly constructed email laced with ransomware could trip up employees at manufacturing companies that regularly field requests for private and urgent information from customers and suppliers. IBM found that manufacturers experienced four times more business-email compromise attacks than any other industry.
So what can companies do to protect themselves? It starts with understanding where the potential vulnerabilities are and knowing who to call and what to do when problems arise. But this is also the kind of thing that businesses need to stay on top of: IBM found that the average new cybersecurity client has 1.5 million to 2 million vulnerabilities that it’s aware of but hasn’t gotten round to addressing yet, Henderson said. The problem is particularly acute for manufacturers; software updates take time and a piece of equipment may not be able to operate during that window. In the same way that these companies are inconvenienced by ransomware turning the lights off, they’re also inconvenienced by software testing and patches, he said.
This creates a disconnect between the managers responsible for operational technology and those who run the IT systems. Rockwell Automation Inc. has a burgeoning cybersecurity-services business that complements its sales of factory-floor equipment. In working with clients, it is sometimes the one bringing leadership from the operations and IT teams together for the first time, Angela Rapko, director of portfolio and business management for the company’s customer support and maintenance arm, said in an interview. But understanding how the systems overlap and connect is crucial.
One silver lining of the Colonial Pipeline attack is that it appears the company was able to wall off its operational technology from its infected IT systems. Not all companies would have been able to do that, and if the hackers had gained actual control of the pipeline the crisis would have been much more serious and lasted significantly longer. “We’ve seen customers with much less complicated [operational technology] environments that were down for weeks or a month,” Dawn Cappelli, vice president for global security and chief information security officer at Rockwell, said in an interview. “That bothers me when I see people criticizing them. The fact that they were able to keep the ransomware out of the [operational technology] is what we should be focusing on.”
As industrial equipment becomes increasingly connected, the next step is understanding not only how to sever the link to the IT system but how to keep the physical operations running without that connection, Rapko said. “There’s not a one-size-fits-all for any one customer, any one industry,” she said. “It’s about having a holistic cybersecurity strategy to go with what assets you have.” And that’s easier said than done, Rapko and Cappelli said. But there’s nothing like a crisis to shift companies’ thinking around the importance of investing in and thinking about cybersecurity. The Colonial Pipeline attack may be among the highest-profile and most brazen in recent memory, but this wasn’t the first time hackers have targeted the industrial space and it won’t be the last.
Bloomberg