What SCADA Breaches Have Taught Us About Enhancing Security

The Colonial Pipeline breach marked a tipping point in the world of SCADA security and the impact recognition, plunging what had been a niche corner of the technology world into the public spotlight. Long lines at the gas pump and the national security implications of an energy shortage forced energy industry executives, government regulators and the media to critically examine their own security controls to try to avoid future breaches. Let’s take a look at a few takeaways from this news for the energy industry.

Many critical infrastructure organizations operate two entirely separate technology environments: one supporting normal corporate computing and another supporting SCADA/Internet of Things systems. That’s certainly a good security practice, isolating sensitive SCADA systems from less secure corporate productivity systems, but it may lead to a false sense of security, especially as these systems are becoming increasingly connected to the outside world

Organizations must take steps to ensure that they haven’t focused on securing SCADA systems at the expense of their corporate computing environment, or visa-versa. In the Colonial Pipeline breach, corporate systems were missing some critical security controls that allowed attackers to compromise the firm’s operations. SCADA systems weren’t impacted by the breach, but the company shut them down proactively out of an abundance of caution. It is not known if this was a part of the company’s playbook for incident response or not, but it does show extreme measures were taken due to the uncertainty of its security posture.

As a result of the Colonial breach and seeing the impact in real time, the Biden administration recently released an executive order placing a new emphasis on securing the nation’s critical infrastructure from cybersecurity threats. The current text doesn’t provide specific requirements for infrastructure firms and lacks consequences for failure to take cybersecurity seriously, but it’s likely that those regulations will follow as federal agencies move to carry out the intent of the order. Critical infrastructure firms should conduct assessments of their technology environments now, as they should do regularly, and carefully monitor emerging regulations for new requirements.

In the Colonial Pipeline breach, the attackers only compromised systems on the organization’s corporate network. There’s no indication that they were able to gain access to systems that actually control pipeline operations, but the firm chose to shut down the pipeline to be safe. We don’t know the inner discussions or events as they transpired in real time, but shutting down the pipeline operations due to events in the corporate environment should not be part of normal incident response actions.

The important takeaway here is that organizations should develop incident response playbooks that detail the steps that they will take in response to specific types of security incidents. Such a playbook might have specified that the pipeline could continue operations during a breach affecting the corporate network, as long as network administrators disconnected the pipeline network from other corporate systems and/or other measures were taken prior to the breach and as a part of the incident response plan.

The pipeline breach occurred when a single user clicked a malicious link in an email message. This underscores the importance of ensuring that all employees understand their roles in protecting against cybersecurity incidents and are trained to recognize malicious content.

That said, organizations should not depend on awareness training alone. Even the most well-trained user will occasionally make a mistake, and a cohesive technology backstop must be in place to protect against those errors and contain the damage when a breach occurs.

With the Colonial Pipeline breach in our rearview mirror, now is the time to survey security controls across the infrastructure sector and shore up defenses to prevent a future breach from disrupting critical operations.