5 June 2021

THE COLONIAL PIPELINE HACK SHOWS WE NEED A BETTER FEDERAL CYBERSECURITY ECOSYSTEM

Maggie Smith and Jonathon Monken

On May 7, 2021, the company that operates the 5,500-mile-long Colonial Pipeline shut it down—for the first time ever. Because the pipeline is a major supplier of gas to the East Coast, the shutdown sparked concern over pipeline security and critical infrastructure security in general. The operational disruption occurred after Colonial’s corporate information systems were hit by ransomware, a form of malware that encrypts data until the intended victim pays. Even as production resumed, President Joe Biden warned that bringing the pipeline back online would take time, explaining that, “this is not like flicking on a light switch.” Linked to the online ransomware outfit DarkSide, the hack held a key pipeline at risk and marks a concerning development in the era of great power competition. It highlights the asymmetry of criminal activities taken in and through cyberspace and how nation-states can use proxy actors to influence, manipulate, degrade, and disrupt key infrastructure operations—all below the threshold of conflict.

While the media has focused its attention on the DarkSide group and other ransomware activities, this article maintains that the significance of the Colonial Pipeline hack is much more subtle. It did not target pipeline production or operations technology (OT), but instead locked up Colonial’s corporate business and accounting systems, or its information technology (IT) systems, preventing the company’s ability to bill customers and receive payment. Colonial’s operational shutdown was precautionary, but it highlights how IT and OT systems are converging and that US critical infrastructure OT is increasingly vulnerable to IT-like hacks. Much like the electricity industry prior to the 2015 attacks on the Ukrainian electric grid, pipeline operators have operated under the assumption that IT system compromises would not carry over to OT systems, and the system could maintain operations in a “manual” state without the back end of business IT systems. Therefore, because the critical infrastructure attack surface is expanding and evolving, a new approach to steady-state cybersecurity for critical systems is required.

The IT-OT Convergence Challenge

As IT and OT systems converge, a company’s IT systems—those that govern the business and enterprise systems that store, process, and deliver information—may increasingly impact the company’s OT systems—the control and safety computing systems that manage and monitor industrial process assets. An event like the Colonial Pipeline hack increases visibility into the growing dependency of IT and OT systems on common software applications and data sets to perform their independent, segmented tasks. Pipeline systems, much like the electrical grid, have increasingly complex systems of demand forecasting, locational marginal pricing (LMP), and hourly transaction clearing to increase the cost efficiency of delivery over massive operating territories with thousands of customers. Accomplishing all of this requires near-real-time access to OT system sensor data to accurately account for billing transactions. The point of data convergence speaks to the effectiveness of a tool like ransomware to exploit the comparatively vulnerable, networked IT infrastructure to hit a company (and its customers) where it really hurts—product delivery. What company would choose to continue operations without the assurance of accurate payment, running the risk of severe economic harm by doing so?

Historically, many critical OT systems (e.g., weapons systems and platforms) were disconnected standalone systems and relatively secure, but today’s heavy reliance on control software that requires updating, refreshing, and patching creates multiple vulnerable access points for adversaries to exploit. Ultimately, as OT systems adopt more IT-like open protocols and operational practices, OT becomes more vulnerable to well-known IT threats (e.g., removable media, remote users, and email spear phishing). The common approach to mitigating risks to OT systems currently emphasizes network segmentation to prevent malware from “jumping” from one facility—such as a pipeline compression station—to the next, relying on physical protections. However, physical plant security risks are also increasing for similar reasons: as the adoption of IP-enabled devices to control and monitor physical security becomes more common, the number of IT-like vulnerabilities in security systems grows. And, because the current threat landscape is dynamic, static defenses relying on a uniform, lowest-common-denominator approach to security are increasingly ineffective.

The Biden administration’s Executive Order on Improving the Nation’s Cybersecurity and the Colonial Pipeline hack have reinvigorated the debate over government’s role in cybersecurity and which agencies are (and should be) responsible for managing the cybersecurity posture of US critical systems. To improve efforts to identify, deter, protect against, and detect cybersecurity threats, the executive order mandates establishing cybersecurity standards and requirements for all federal information systems (FIS; including both IT and OT). Additionally, lawmakers recently asked DoD to assess the possibility of a threat-hunting program on vendors’ networks to detect malicious traffic and how to improve programs to share cybersecurity information with the defense industrial base. However, discussions about standards and requirements for FIS are a hollow gesture if the United States does not simultaneously establish a robust hunt, penetration, and vulnerability testing ecosystem to continuously stress-test US FIS.

Cybersecurity and Critical Systems

Protecting US critical systems is complicated for several reasons. First, cyberspace lacks the physical borders traditionally relied upon to determine jurisdictional authority and responsibility. Coordinated defenses are therefore tricky because multiple entities and sectors are often stakeholders in network systems that cross physical jurisdictions, but not logical ones. Second, government and private sector IT and OT may be intertwined with national security systems (NSS) to the extent that a compromise in the .gov or .com spaces could impact NSS. The National Institute of Standards and Technology (NIST) is responsible for establishing the guidelines for developing security plans for FIS. However, NIST is not responsible for guidelines for NSS, which are the information systems that collect, generate, process, store, display, transmit, or receive national security information—that is the responsibility of the secretary of defense and the director of the National Security Agency. Third, responsibility for the security of FIS and critical systems is not located in one agency. The Transportation Security Agency, for example, “is the lead federal agency for transportation security, including hazardous material and pipeline security.” The dispersed responsibility structure makes protecting key infrastructure—like pipelines—difficult because for most critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) is the lead.

Just before the Colonial Pipeline hack, Representative John Katko introduced bipartisan legislation that would bolster CISA’s role in US critical infrastructure and “require the agency to maintain capabilities to detect and mitigate threats and vulnerabilities to industrial control systems.” Because CISA is the domestic US lead for infrastructure security and cybersecurity, the proposed legislation would better enable CISA to adopt additional cybersecurity measures to mitigate the IT-OT convergence risks and to lessen the likelihood and impact of future Colonial Pipeline–like hacks on critical systems IT. Currently, for incident response, CISA maintains ten regional centers located in close proximity to existing Federal Emergency Management Agency offices. The colocation is critical for swift emergency response and allows CISA to offer a range of cyber and physical services that support the cyber and physical security resiliency of critical infrastructure. Through the regional offices, CISA’s Integrated Operations Division delivers additional services to protect FIS, to include cyber and vulnerability assessments and incident response support.

An important part of CISA’s cybersecurity efforts, and one that is similar to the military concept of defending forward, is threat hunting, or proactively seeking out adversaries in friendly networks. As a concept for authorizing the use of offensive cyber weapons to deter foreign adversaries, the DoD 2018 Cyber Strategy incorporated defending forward as a means to “disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” The strategy allows US Cyber Command (USCYBERCOM) to undertake defensive activity in the context of “day-to-day great power competition” rather than in crisis by “confronting threats before they reach US networks.” But what happens if the adversary is already in US public (e.g., .gov) and private sector (e.g., .com) networks? CISA “leads efforts to protect the federal ‘.gov’ domain of civilian government networks and to collaborate with the private sector—the ‘.com’ domain—to increase the security of critical networks.” However, the agency’s finite operational and technical resources are not adequate to support its existing mandate for critical infrastructure protection—much less the expanded role it would play within the scope of the new executive order and proposed legislation.

A Model Already Exists

To build a robust cybersecurity ecosystem within the federal government, CISA should adopt a USCYBERCOM-model, team-oriented approach to defend the nation from within US critical infrastructure and FIS. As it currently stands, CISA utilizes a structure of Hunt and Incident Response Teams (HIRT), which were assembled from their predecessor Industrial Control System – Computer Emergency Response Teams (ICS-CERT). However, the limited number of these teams prevents engagement with the number of companies needed to provide adequate value. As a model, the Cyber Mission Force (CMF), USCYBERCOM’s action arm, provides a structure for approaching national security threats in cyberspace. CMF teams work to defend the nation’s interests in cyberspace by directing, synchronizing, and coordinating cyberspace operations against known threats.

More specifically, the Cyber National Mission Force (CNMF) executes full-spectrum cyberspace operations to deter, disrupt, and, if necessary, defeat adversarial cyber actors by identifying adversary activity, blocking attacks, and maneuvering to defeat them. Even though USCYBERCOM, as a DoD combatant command, has always been tasked with defending the nation against attacks while operating outside the United States, recent events like SolarWinds have exposed weaknesses in the federal government and private sector cybersecurity apparatus that necessitate a reexamination of how we defend US critical IT and OT systems from within. Accomplishing this will also require increasing the technical capability of CNMF teams with regard to OT systems, something they do not possess in the quantity or depth needed to address the scale of this vulnerability and to respond to any Defense Support to Civil Authorities requests from CISA. Establishing a compatible organizational structure and model of operational practice will allow for a more seamless alignment of capabilities that is tailored for the threat environment and leverages the unique jurisdictional authorities of both departments.

Opportunities to Change the Federal Cybersecurity Paradigm

An understanding of adversary behavior in cyberspace is necessary to build a robust and responsive defensive posture. Since the authorities for hunting adversaries in foreign networks (Title 10 US Code) and foreign intelligence collection (Title 50 US Code) reside with USCYBERCOM and NSA, respectively, they are best postured to inform CISA of adversary activities and threats to the homeland. While communications pathways between CISA, NSA, and USCYBERCOM are open, classification issues and other information-sharing hurdles remain in place that prevent the development of a cybersecurity ecosystem—a system in which offensive operations directly inform defensive operations and vice versa.

Section 5 of the recently released executive order directs the establishment of the Cyber Safety Review Board (CSRB) to review and document lessons learned from cybersecurity incidents. This is an opportunity to create a shared understanding of the threat landscape among participants. CSRB’s challenge is to overcome the information gridlock and siloing that happens before, during, and after cybersecurity incidents to enable a shared and actionable understanding of vulnerabilities and remediation efforts. DoD is identified as a board member and because all significant cybersecurity incidents will prompt CSRB activation, DoD has an opportunity to advocate for USCYBERCOM and CNMF to play a more active role in shaping the security posture of FIS and critical infrastructure with their knowledge of adversarial tactics, techniques, and procedures and experience conducting hunt-forward operations.

Specifically, CISA should adopt the identifying, detecting, and blocking tactics of CNMF to bolster federal incident response capabilities from within US FIS. Movement-to-contact and hunt operations in cyberspace should take place within US FIS and networks because our adversaries are already there and causing harm. Vulnerability assessment and response must occur within FIS space proactively to gain better insight into adversary activity within critical infrastructure and to inform intelligence and offensive cyber efforts. By enabling CISA to conduct steady-state hunt operations domestically, US offensive capabilities would expand greatly from the current practice of private industry inviting CISA in to conduct penetration testing on an ad hoc basis to a process that can become a vital cog in the threat identification and remediation cycle. Limiting hunt operations to geographically foreign locations and DoD overlooks the global characteristics of cyberspace and leaves domestic systems at a high risk of exploitation. A true ecosystem is self-feeding and domestic hunt operations will feed foreign hunt-forward operations and vice versa, creating a cycle of intelligence that paints a more complete picture of our adversaries in cyberspace. Essentially, the offense can—and should—influence how we conduct defense.

Additionally, Section 6 of the executive order calls for “Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents.” Currently, cybersecurity incident and vulnerability response procedures vary across federal agencies, which hinders a centralized and coordinated response. To address this, the secretary of defense and director of NSA are asked to coordinate with other federal entities (e.g., NIST) to develop a standardized incident response playbook for federal cybersecurity incident and response activity. The new playbook should recommend blue team or hunt team activity as standard operating procedure for US systems and build on existing efforts to develop joint operational playbooks that integrate the cybersecurity incident response capabilities of critical infrastructure owners and their government partners. Blue teams proactively and iteratively look for evidence of suspicious or malicious activity in a digital environment and significantly help to reduce risk. More dynamic and responsive than a threat-hunting program or tool, blue teams provide live systems analysis to better understand ongoing events, which is critical as IT and OT systems continue to converge.

Challenges Will Persist, But We Can Improve

Yet, the rollout of mandatory standards, as advised in the executive order, is a multiyear, multi-billion-dollar proposition, as the electricity industry demonstrated over its two-decade transition from voluntary to mandatory standards under the watchful eye of the Federal Energy Regulatory Commission and the North American Electricity Reliability Corporation. Even today, critical infrastructure protection standards are not considered synonymous with totally “secure” systems; rather, they represent the minimum of what is expected and rely on the assurance that cybersecurity programs are subject to recurring checks on quality and completeness. To truly compete in the era of great power competition, the relationship between government and the private sector can no longer be limited to a “carrots and sticks” approach of rates and regulation, but must become a genuine partnership capable of integrating currently disparate intelligence programs, conducting joint cyber defensive operations, and collaborating on threat identification and mitigation strategy.

As the SolarWinds hack was just becoming public knowledge, Jill Lepore wrote an ominous article for the New Yorker titled, “The Next Cyber Attack is Already Underway.” While the title was likely intended to raise eyebrows, it is nonetheless true—attacks and hacks are ongoing, evolving, and continuous; and it will always be that way. As the Colonial Pipeline hack showed, IT and OT systems are converging, creating new challenges for physical security and cybersecurity. Because cyberspace remains a land of opportunity, criminals and nation-states will continue to take advantage of outdated software, unpatched systems, and static defenses. Ultimately, to be good at cybersecurity means accepting that defenses in place today may be obsolete tomorrow and assuming that your systems are already breached. Lepore also adds that “the federal government is effectively insecure.” And while security is certainly a moving target in cyberspace, the recent executive order gives the United States the opportunity to move toward creating a federal cybersecurity ecosystem that fosters information sharing, makes hunt teams standard, and enables CISA to take a more dynamic approach to defending the .gov domain while also partnering with the private sector to protect the .com domain. In the absence of a cybersecurity ecosystem rooted in multisector cooperation, customers ranging from individuals gassing up their cars to the Department of Defense—which consumed approximately eighty-eight million barrels of fuel in 2020, or roughly 3.7 billion gallons—remain exposed to a common threat.
