The Colonial Pipeline ransomware attack made headlines this May when Darkside’s breach disrupted the U.S. oil supply.
But as bad as Colonial Pipeline was, it was far from the first oil and gas distributor to be targeted by hacks: from 2011 to 2013, state-sponsored Chinese actors targeted 23 U.S. natural gas pipeline operators in what the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) describe as a “spear phishing and intrusion campaign…for the purpose of holding U.S. pipeline infrastructure at risk.”
The risks are significant: Colonial Pipeline paid around $4 million in cryptocurrency to unlock its systems. The average ransomware attack costs around $761,000 (including recovery).
And in truth, these breaches can be far more costly. The CISA/FBI advisory noted that the earlier attacks were likely conducted to “help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.” Other recent breaches, like the attack on the water treatment plant in Oldsmar, Florida, underscore how vulnerable the internet of things (IoT), the industrial internet of things (IIoT) and everyone who relies on internet-connected devices and resources are to advanced cyber threats.
Best practices for identity governance and IoT
With the IoT and IIoT attack surface set to expand to almost 25 billion devices by 2025, it’s clear that security teams need to identify solutions to protect the internet of things.
To protect IoT and IIoT, security teams should use some of the fundamentals that we’ve developed in protecting human users. Specifically, security teams should treat IoT and IIoT systems as identities: a user is a user is a user, whether it’s a new employee in accounting, a current employee who has changed roles internally, a chatbot responding to customer inquiries or the controls for a water treatment plant.
Historically, IoT and IIoT systems were developed beyond security teams’ oversight. That can limit analysts’ visibility into what a given IoT system can do. Security teams can start to address that by looking to our suggestions on securing bot accounts to protect smart devices:
- Understand what IoT accounts can do, the decisions they can make, and the actions they can take
- Review dormant accounts and how long they’ve been dormant for; de-provision those that are no longer in use
- Understand what machine accounts have been issued and not used
- Time-bind machine accounts (or certain actions) to restrict what an IoT system can do off-hours
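The four points above are a review that can be run routinely against an inventory of machine accounts. The script below is an added example, not code from the original post: it audits a constructed inventory (hypothetical account names, permissions and dates) for dormant accounts, accounts that were issued but never used, and accounts with no time-binding, recommends a de-provisioning or hardening action for each, and enforces an allowed-hours window. The 90-day dormancy threshold and 30-day grace period for new accounts are assumed policy values.

```python
"""Audit of machine/IoT account hygiene over a constructed inventory (example code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

DORMANT_AFTER = timedelta(days=90)     # assumed review threshold for dormant accounts
NEVER_USED_GRACE = timedelta(days=30)  # assumed grace period before "issued but never used" is flagged
UTC = timezone.utc


@dataclass(frozen=True)
class MachineAccount:
    name: str
    permissions: FrozenSet[str]               # what the account can do (decisions/actions it may take)
    issued: datetime
    last_used: Optional[datetime]             # None: issued but never used
    allowed_hours: Optional[Tuple[int, int]]  # (start, end) UTC hours; None: unrestricted


def within_allowed_hours(acct: MachineAccount, at: datetime) -> bool:
    """Time-binding check: may this account act at time `at`?"""
    if acct.allowed_hours is None:
        return True
    start, end = acct.allowed_hours
    hour = at.astimezone(UTC).hour
    if start <= end:                     # same-day window, e.g. (6, 18)
        return start <= hour < end
    return hour >= start or hour < end   # window crossing midnight, e.g. (22, 6)


def audit_account(acct: MachineAccount, now: datetime) -> Dict[str, object]:
    """Apply the dormancy, never-used and time-binding checks to one account."""
    findings: List[str] = []
    if acct.last_used is None:
        if now - acct.issued > NEVER_USED_GRACE:
            findings.append("issued-never-used")
    elif now - acct.last_used > DORMANT_AFTER:
        findings.append("dormant")
    if acct.allowed_hours is None:
        findings.append("no-time-binding")

    if "dormant" in findings or "issued-never-used" in findings:
        action = "de-provision"
    elif "no-time-binding" in findings:
        action = "add-time-binding"
    else:
        action = "ok"
    return {
        "name": acct.name,
        "permissions": sorted(acct.permissions),  # inventory of what the account can do
        "findings": findings,
        "action": action,
    }


def audit_inventory(accounts: List[MachineAccount], now: datetime) -> List[Dict[str, object]]:
    return [audit_account(a, now) for a in accounts]


# Constructed sample inventory (hypothetical names, permissions and dates).
SAMPLE_NOW = datetime(2021, 6, 15, tzinfo=UTC)
SAMPLE_ACCOUNTS = [
    MachineAccount("pump-controller-01", frozenset({"read_telemetry", "set_valve"}),
                   datetime(2020, 1, 10, tzinfo=UTC), datetime(2021, 6, 14, tzinfo=UTC), (6, 18)),
    MachineAccount("hvac-sensor-legacy", frozenset({"read_telemetry"}),
                   datetime(2019, 3, 1, tzinfo=UTC), datetime(2020, 11, 1, tzinfo=UTC), None),
    MachineAccount("chatbot-staging", frozenset({"answer_inquiries"}),
                   datetime(2021, 4, 1, tzinfo=UTC), None, None),
    MachineAccount("water-plc-02", frozenset({"read_telemetry", "set_dosing"}),
                   datetime(2021, 5, 20, tzinfo=UTC), None, (7, 19)),
]

if __name__ == "__main__":
    for row in audit_inventory(SAMPLE_ACCOUNTS, SAMPLE_NOW):
        print(row)
```

Running the audit on the sample data flags the legacy sensor as dormant and the staging chatbot as issued-but-never-used (both recommended for de-provisioning), while the recently issued PLC account is still inside its grace period and the active pump controller passes. The `within_allowed_hours` check is what an access gateway would call before honouring a request from a time-bound account.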
Next, make sure you’re also wrapping authentication into your IoT infrastructure. In San Francisco, a hacker used a former employee’s username and password, then deleted the programs “that the water plant used to treat drinking water.”
Organizations should use certain signals—like when a user is requesting access; where they’re requesting access from; the device that they’re using—to train risk-based authentication to help prevent a foreign national from gaining entry to a U.S. utility.
Finally, organizations also must ensure that they have multi-factor authentication (MFA) to verify users and ensure baseline cyber-hygiene.
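The three signals named above (when access is requested, where from, and on which device) can be combined into a risk score that decides whether a login is allowed outright, must step up to MFA, or is refused. The code below is an added example and not from the original post; it scores constructed access requests against per-user baselines and also refuses credentials of a de-activated account, the case the San Francisco incident describes. The weights, the decision thresholds, the country code `ZZ` (an ISO user-assigned placeholder) and the `mfa_passed` flag (assumed to come from the identity provider's MFA verification) are all assumptions of the example.

```python
"""Risk-based authentication decision over time, location and device signals (example code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class UserBaseline:
    usual_countries: FrozenSet[str]     # countries this user normally signs in from
    known_devices: FrozenSet[str]       # enrolled device identifiers
    work_hours_utc: Tuple[int, int]     # (start, end) hours, UTC
    active: bool = True                 # False once the account has been de-provisioned


@dataclass(frozen=True)
class AccessRequest:
    user: str
    at: datetime
    country: str
    device_id: str


# Assumed weights: location and device anomalies count more than timing alone.
WEIGHTS = {"off-hours": 1, "unusual-location": 2, "unknown-device": 2}
MFA_THRESHOLD = 1    # score >= 1: step up to MFA
DENY_THRESHOLD = 4   # score >= 4: refuse even with MFA


def score_request(req: AccessRequest, baseline: UserBaseline) -> Tuple[int, List[str]]:
    """Accumulate risk points for each signal that deviates from the user's baseline."""
    reasons: List[str] = []
    start, end = baseline.work_hours_utc
    if not (start <= req.at.astimezone(UTC).hour < end):
        reasons.append("off-hours")
    if req.country not in baseline.usual_countries:
        reasons.append("unusual-location")
    if req.device_id not in baseline.known_devices:
        reasons.append("unknown-device")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(req: AccessRequest, baselines: Dict[str, UserBaseline],
           mfa_passed: bool = False) -> Tuple[str, List[str]]:
    """Return (decision, reasons) where decision is allow, mfa-required or deny."""
    baseline = baselines.get(req.user)
    if baseline is None or not baseline.active:
        return "deny", ["account-not-active"]      # former-employee or unknown credentials
    score, reasons = score_request(req, baseline)
    if score >= DENY_THRESHOLD:
        return "deny", reasons
    if score >= MFA_THRESHOLD and not mfa_passed:
        return "mfa-required", reasons
    return "allow", reasons


# Constructed baselines and requests (hypothetical users, devices and times).
BASELINES = {
    "operator.jane": UserBaseline(frozenset({"US"}), frozenset({"laptop-7f3a"}), (13, 22)),
    "former.employee": UserBaseline(frozenset({"US"}), frozenset({"laptop-0001"}), (13, 22), active=False),
}
R_KNOWN = AccessRequest("operator.jane", datetime(2021, 6, 14, 15, tzinfo=UTC), "US", "laptop-7f3a")
R_NEW_DEVICE = AccessRequest("operator.jane", datetime(2021, 6, 14, 15, tzinfo=UTC), "US", "phone-new")
R_ANOMALOUS = AccessRequest("operator.jane", datetime(2021, 6, 14, 3, tzinfo=UTC), "ZZ", "unknown-box")
R_FORMER = AccessRequest("former.employee", datetime(2021, 6, 14, 15, tzinfo=UTC), "US", "laptop-0001")

if __name__ == "__main__":
    for req in (R_KNOWN, R_NEW_DEVICE, R_ANOMALOUS, R_FORMER):
        print(req.user, decide(req, BASELINES))
```

A familiar device from a usual country during working hours is allowed; the same user on a new device is asked for MFA and then allowed; an off-hours request from an unusual country on an unknown device is refused outright; and a de-activated account is refused regardless of signals, which is why de-provisioning and risk-based authentication belong to the same programme.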