This week’s Pipeliners Podcast episode features host Russel Treat walking through how each individual pipeliner should think about pipeline cyber security as it relates to supporting their operation. The episode centers on three key areas of threats, understanding, and mitigation.
Russel goes into deep detail about cybersecurity threats, the importance of understanding what the nature of the environment is, and how to have healthy cyber hygiene. In this episode, you will learn the language of cybersecurity professionals, as well as how to reduce your chances of being cyber attacked by controlling your personal risk and personal mitigations by identifying phishing, using VPNs, and having proper password management.
Pipeline Cyber Security: Show Notes, Links, and Insider Terms
- Listen to other Pipeliners Podcasts episodes that discuss cybersecurity.
- ISA develops widely used global standards; certifies professionals; provides education and training; publishes books and technical articles; hosts conferences and exhibits; and provides networking and career development programs for its members and customers around the world. ISA created the ISA Global Cybersecurity Alliance (isa.org/ISAGCA) to advance cybersecurity readiness and awareness in manufacturing and critical infrastructure facilities and processes.
- The ISA99 standards development committee brings together industrial cyber security experts from across the globe to develop ISA standards on industrial automation and control systems security. This original and ongoing ISA99 work is being utilized by the International Electrotechnical Commission in producing the multi-standard IEC 62443 series.
- NERC (North American Electric Reliability Corporation) is a not-for-profit international regulatory authority whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid.
- CIP (Critical Infrastructure Protection) plan consists of 9 standards and 45 requirements covering the security of electronic perimeters and the protection of critical cyber assets as well as personnel and training, security management, and disaster recovery planning.
- NIST (National Institute of Standards and Technology) is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness.
- Ransomware is a type of malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.
- DOT (Department of Transportation) is a cabinet-level agency of the federal government responsible for helping maintain and develop the nation’s transportation systems and infrastructure.
- FBI (Federal Bureau of Investigation) is the domestic intelligence and security service of the United States and its principal federal law enforcement agency.
- PHMSA (Pipeline and Hazardous Materials Safety Administration) is responsible for providing pipeline safety oversight through regulatory rule-making, NTSB recommendations, and other important functions to protect people and the environment through the safe transportation of energy and other hazardous materials.
- FERC (Federal Energy Regulatory Commission) regulates, monitors, and investigates electricity, natural gas, hydropower, oil matters, natural gas pipelines, LNG terminals, hydroelectric dams, electric transmission, energy markets, and pricing.
- EPA (Environmental Protection Agency) is an independent organization within the federal U.S. government designed to take measures to protect people and the environment.
- DHS (Department of Homeland Security) is the U.S. federal executive department responsible for public security.
- Cyber Hygiene is actively keeping your cyberspace clean and clear of anything attempting to gain access to your credentials by using protection tools and tactics.
- Incident or Exposure is any unauthorized event that could lead to a deviation from normal operation or unauthorized access.
- Risk is the likelihood that an attack, incident, or exposure could occur, combined with the severity of the resulting impact on your systems or your organization. Risk is the combination of likelihood and consequence.
- Threat is the thing that can take advantage of, use, or cause a vulnerability, either intentional or unintentional.
- Vulnerability is a set of conditions that create a weakness that the threat can use and take advantage of.
- Exploit is the means by which a vulnerability is taken advantage of.
- Attack is the result of that exploit or the consequence of a successful exploit.
- Attack Vector is the means or the environment in which the attack takes place. That could be physical, operational, cyber, etc.
- Social Engineering is the set of things an adversary does to people in order to facilitate or create an attack vector.
- Zero day attack is an attack between the time a new software vulnerability is discovered and “released into the wild” and the time a software developer releases a patch to fix the problem.
- Cylance develops antivirus programs and computer software that are designed to prevent viruses and malware.
- Phishing is a technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person.
- VPN (Virtual Private Network) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
- Stuxnet is a type of virus known as a computer worm that targets SCADA systems. It is commonly referred to as the first cyber weapon.
- Colonial Pipeline Cybersecurity Incident: In May 2021, a cyber attack was launched against Colonial Pipeline that eventually resulted in the payment of $4.4 million to resolve the attack. The attackers gained access to Colonial’s systems and data through an unmonitored VPN by stealing a single password.
Pipeline Cyber Security: Full Episode Transcript
Russel Treat: Welcome to the Pipeliners Podcast, episode 237, sponsored by the American Petroleum Institute, driving safety, environmental protection, and sustainability across the natural gas and oil industry through world-class standards and safety programs. Since its formation as a standards-setting organization in 1919, API has developed more than 800 standards to enhance industry operations worldwide. Find out more about API at API.org.
[music]
Announcer: The Pipeliners Podcast, where professionals, Bubba geeks, and industry insiders share their knowledge and experience about technology, projects, and pipeline operations. Now your host, Russel Treat.
Russel: Thanks for listening to the Pipeliners Podcast. I appreciate you taking the time. To show our appreciation, we give away a customized YETI tumbler to one listener every episode. This week, our winner is Ronda Louderman with Black Bear Transmission. Congratulations, Ronda. Your YETI is on its way. To learn how you can win this signature prize, stick around till the end of the episode.
This week, Russel Treat, CEO of EnerACT Energy Services, joins us to talk about what every pipeliner should know about cybersecurity. Of course, I’m Russel Treat, and yes, this is a conversation with myself.
The purpose of this podcast episode is to share some information on pipeline cyber security. I’ve done a fair number of episodes on this topic. Mostly it’s been more about cybersecurity as it relates to pipeline operations. What I wanted to do was an episode that was really more targeted to the individual, and what should pipeliners know about cybersecurity?
I actually did this presentation for an association meeting a number of months ago, and it was very well received. There was a lot of Q&A after. Hopefully this will stir up some thinking. In terms of the framework here for this conversation, it’s just me, of course.
I’m going to be talking about threats, understanding what the nature of the environment is, and then mitigations. Cybersecurity has been around since around 2000. The first real committee formation, trying to write a standard for cybersecurity, was by the ISA in 2002, when the ISA 99 committee was formed. It was after the first kind of notable cybersecurity incident that occurred in 2001.
Then between 2002 and about the end of 2005, there was not a whole lot of activity. In 2007, ISA issued their first cybersecurity standard. They revised it in 2008. There were a couple of other organizations, most notably NERC CIP came out in 2010.
NERC CIP is really targeted primarily to power generators, but there are a number of gas utilities that have adopted it as their cybersecurity approach as well.
Then in 2010, there was a major cybersecurity incident with a hack called Stuxnet. Some of you may recall this. It was all over the news.
It was reported that this particular cybersecurity attack was targeting the Iranian nuclear power program. Very specifically it targeted the code in the PLCs that controlled centrifuges, and it masked the fact that it was manipulating how those centrifuges were working. It was the first kind of industrial targeted cyber hack.
Then following Stuxnet and beginning in about 2013, there began to be a large number of cybersecurity hacks. You can search for this. There’s a whole bunch of them. It was in 2015 that the first power grid hack targeted Ukraine, and shut down the Ukrainian electric power grid.
In about this time frame, NIST published its cybersecurity framework. The NIST framework is probably the framework most used particularly in industrial cybersecurity. The threat environment after Stuxnet a few years later just really began to escalate.
At this point if I were to track all this and put it on a timeline, there’s so much going on you couldn’t put it on a timeline. The environment has materially changed over the last 10 years.
Of course, more recently, everybody’s heard about the Colonial incident. I don’t know that everybody understands what occurred there.
We certainly know the impact that Colonial Pipeline was shut down for about a week, and had a major impact on the gasoline market in the northeast because Colonial Pipeline delivers about 35 percent of the refined products to the northeast market, so it was a big impact.
The actual hack was a piece of ransomware known as DarkSide. Let me do a couple of definitions for those that might not know. Ransomware is designed to do two things. It’s designed to lock you out from your data, and it’s designed to extract money to give you the keys to get back to your data.
In the Colonial Pipeline incident, Colonial actually paid a fairly significant multimillion dollar ransom, and while much of that was recovered, and we don’t really know how because that’s not been publicly released, it still was a fairly substantial ransomware hack. You can read a lot more about that.
What’s important for us to know about DarkSide and the Colonial incident is it had a major impact shutting down a major pipeline, had a major impact on the availability of gasoline and the price of gasoline in that market, and there was a multi agency response. DOT, FBI, PHMSA, FERC, EPA, DHS, they were all involved in the response to this incident.
What many people may not know is that this is not the first time that a ransomware attack has taken a piece of energy infrastructure offline. I’m aware of several, and I know that others are probably aware of more. It’s just the first time that it was significant enough to make the national media.
The other thing to understand about the threat, and what’s going on with the threat, is that it’s no longer individual hackers or one person who’s surfing the dark web, downloading tools, and executing exploits. We’re actually getting to the point where it’s nation state actors. It’s a major initiative.
Each of the large countries has cybersecurity programs. While I have nothing that I could state or point to, to prove this, I would be comfortable stating that we’ve been engaged in a cybersecurity war for some time with other nations, and that some of these organizations that are doing these exploits have lots of resources to do these exploits.
The particular details on Colonial, while I don’t know all the specifics, I know some. It was related to an Internet facing device and a username password that had not been removed off the device, but where those credentials had been used by that user other places, and those credentials had been grabbed, if you will, through another hack.
One of the things to be aware of as we talk about all of this is that most of us who have credentials that we’ve used to access Internet websites, there’s a fairly good chance, high chance, that those credentials have been captured through a hack, one of the many hacks of credit card companies, and retailers, and so forth.
It’s quite likely that your credentials have made it into the dark web, and that people might be using those credentials to try and access things. That’s one of the key things I think is a takeaway from this conversation.
I want to talk a little bit more about DarkSide and ransomware in particular just so that people understand how these things work.
The whole methodology, the whole method, of these kinds of ransomware attacks is that some human being has to open up access to the secure network. There’s a lot of ways that’s done. The most common, most of us are familiar with now, it’s called phishing.
Phishing is where I send an email to you. I make that email look correct and official, and I put a link in it and ask you to click on that link. When you click on that link, what you do is you actually provide permissions to that link or that external party to do things. You may be giving somebody permissions outside of your system that you didn’t want to give them.
That’s really what phishing is all about. It’s about sending you an email that looks real, getting you to click through and do something, and then that’s used as an opportunity to create an opening in your security, and get in and do something.
The other method is exploiting remotely accessible accounts and systems. Basically, that’s using VPNs, logins to switches, logins to remote desktop. Basically, I’m going to identify an Internet facing point in your network, and then I’m going to use your credentials without your permission to gain access.
There are tools out there for hackers that enable them to automate that process and use known, good username passwords that they’ve exploited through other types of hacks, so using your credentials nefariously.
The other thing that’s possible is virtual desktop infrastructure. All this is things I do to get access to your network that are outside of proper permission. In other words, I’m going to exploit your permission. This is why people are asking you to change your passwords frequently. This is why they’re doing multi factor authentication. It’s to eliminate these kinds of hacks.
What happens is once an exploiter has gained access to the network, they put this ransomware, they inject this code into your network, and it starts to encrypt files. It can also grab and export data. It’s a double extortion tactic.
One is, “I’m going to lock your information away from you so you can’t access it.” The other is, “I’m going to grab your information, and threaten to put it in the public domain,” so a threat for loss of your data, and a threat of disclosure of your data.
If you have confidential information like credit card information, or healthcare information, or banking information that’s inside your network, the goal or one of the threats of these perpetrators is to make a threat because their goal is to collect the ransom.
It’s also interesting to note or important to note that some of these perpetrators are using remote desktop access to maintain a persistent presence on networks they’re targeting. A lot of us use remote desktops.
We make pretty extensive use of it in our companies as a mechanism to control who has access, but all that is getting into my network, and it’s getting into my network with credentials that allow me into the network.
This makes things like setting least use credentials, meaning I’m only going to give you the permissions that you need to do your work, and I’m not going to give you elevated permissions, super critical.
Hopefully, this sets a little context around what is the threat landscape and what’s going on. It helps us understand why IT is bothering us, and making it harder for us to access our tools to do our work, and the primary reason they’re doing that is to make it harder for the perpetrators to access the tools and do their work. Anyways, that’s the threat landscape.
Another thing I want to do is to do a little decoding. It’s important to understand the language that cybersecurity professionals use. It helps us communicate about situations and communicate about what we’re doing to what I call my “cybersecurity hygiene,” so what I’m doing to keep myself clean and free from any hangers on that are trying to get access to my credentials or that sort of thing.
The first definition is “incident” or “exposure.” That’s any unauthorized event that could lead to a deviation from normal operation or unauthorized access. For example, if you have credentials and you know those credentials got stolen, then you’d want to report that as an incident.
Likewise, if you inadvertently clicked through something and saw behavior that didn’t look correct or you got an email that didn’t look correct, you want to report those kinds of things. Those are all incidents or exposures. They’re all something that looked weird, for lack of a better term. That’s a technical term there, weird. They look weird.
Another technical term is “risk.” Risk is the likelihood that an attack, incident, exposure could occur, and the severity of that impact related to your systems or your organization.
For those of us in pipelining, and particularly those in integrity management, it’s the same thing. It’s the likelihood of an event, a negative event, an adverse event. It’s the likelihood, number one, and number two, the consequence of that exposure or the severity of the impact. It’s the same thing. Risk is the combination of likelihood and consequence.
“Threat.” Threat’s a generic term in this domain, and it’s really saying the thing that can take advantage of, use, or cause a vulnerability, either intentional or unintentional, so it’s the threat source, threat agent. These are the same terms that can be used interchangeably, but it’s a way to say, “That’s a problem.”
The next will be “vulnerability.” Vulnerability is a set of conditions that create a weakness that the threat can use and take advantage of. Could be a technical weakness, a procedural weakness, or a human weakness.
Then there’s “exploit.” An exploit is the means by which a vulnerability is taken advantage of. Think of the exploit as the attack. You have a threat. You have a vulnerability. Those two things come together, get actioned, and that’s an exploit.
An “attack” is the result of that exploit. Another way to think of that is the attack is the consequence of a successful exploit. The attack vector is the means or the environment in which it takes place. That could be physical. It could be operational. It could be cyber. It could be a website, etc. It’s like what was the source of the exploit that caused the attack? Hopefully that’s a little helpful.
Ultimately, all of this is about risk management. I like to think of this whole cybersecurity conversation, it’s like putting locks on things. Locks don’t keep thieves out, but they definitely slow thieves down. Thieves are not dumb. They’re going to evaluate, “How hard is it to get through the locks, and how valuable is that thing I can get to if I get through the locks?”
If I’m logging onto a website, and it’s a gaming site, and it doesn’t have any of my financial information on it, or any other identifying information, just a username login combination, that’s fairly low risk. If I’m talking about a control system for a multi state pipeline, that’s fairly high risk. If I’m talking about the cash transaction part of a banking site, that’s extremely valuable.
There needs to be a correlation between the level of protection, and the level of consequence or potential loss associated with a successful exploit. Ultimately this whole conversation in cybersecurity is about risk management.
How do we mitigate this? What a lot of people probably don’t realize is 95 percent of all successful cyberattacks are caused by a human error. You can say virtually all.
When I’ve done this training, I generally ask the question…I have a friend of mine. One of the things he did in a previous career is he did red team work. Red team work is where a company hires somebody to act as a hacker, and try to gain unauthorized access to a control system.
This gentleman, he did a number of these, tens of these. I asked him one time, “How often were you successful?” His answer was, “100 percent of the time.” The question was never, “Could he get access?” The question was always, “What would it take to get access?”
He shared some of the things that they would do. I’m not going to talk about all this on the podcast. Oftentimes it involves some kind of what’s called “social engineering.” Social engineering is those things you do in order to facilitate or create a vector.
In the Stuxnet exploit, that control system around those centrifuges was completely isolated and inside multiple levels of a secure network. The way that the exploit actually got perpetrated is, the nefarious code was put on USB drives, and left at various places where workers were known to hang out.
One of those workers grabbed one of those USBs, took it inside, and used it to do some file transfers. When that occurred, that exploit found its way into the network, and then notified people outside of the network, “Hey, I’m here. Here’s the way to access me.”
That’s one example of social engineering, and there are many others. How do you address this? What are the mitigations? There are all the technical mitigations. That’s things like firewalls, firewall rules, and dual factor authentication, restricted use.
All the things that IT bothers us with when we’re trying to get credentials and access to things to do our job. All of that’s being done to make it harder for the adversaries.
Because 95 percent of the hacks are generally because of some kind of human error, the most important thing is for us as users to understand the threat, and the nature of the threat, and likewise for us as users to make intelligent use of the systems.
In other words, work with the IT and ICS – IT, information technology; ICS, industrial control system – professionals and realize whenever we ask for more access, we’re creating more risk.
Intelligent use, understanding the threat, and for a lot of us we’re familiar with various kinds of drills. There are companies out there that’ll do spear phishing emails as tests to support education, and just see how soft we are in terms of somebody clicking on something they shouldn’t click on.
One of the other things you can do, if you’re so interested, is listen to some of the Pipeliners Podcast and “Pipeline Technology Podcast” episodes. I’ll put this into the show notes, but there’s a number of episodes on both the Pipeliners Podcast and on the Pipeline Technology podcast where we speak to the ICS pipeline operation on specific cybersecurity issues.
The other thing to be aware of is each of us as a pipeline professional, one of our fiduciary responsibilities is to operate within these systems in a responsible way. I want to talk a little bit about personal risk and personal mitigation.
Talked a lot about phishing. Spear phishing doesn’t work if the people receiving the email don’t click through it. First thing first. If you get an email, and it doesn’t look right or it’s from somebody you don’t know, don’t click on it. Don’t click through on any links. You need to be confident that anything you’re clicking through in an email is safe. If you don’t know, don’t click. That’s the first thing.
The second thing, the second risk, is remote work exploits. Because more of us are working from home and more of us are working remotely, we all should have VPN and dual factor authentication to get on the VPN. That includes the vendor community, the sales community.
If I go into a corporate location with my laptop, and I connect out to the Internet to get to my email, and I have nefarious code on my laptop, I’m a risk to that company.
One of the key things we need to make sure we do is we make sure our personal cyber hygiene is good, and one of the best ways to do that in terms of mitigating remote work exploits is make sure that you’re always using a VPN, and that you use dual factor to get connected to the VPN.
You need a dual factor. It’s “I need my username and password.” That’s one factor. The second factor is I respond to a text or something of that nature where one part of it is something I know. The other part is it’s something I have.
The other risk is compromised passwords. I talked about this at the beginning of this conversation about how most of us probably have username password credentials that have been gathered up through previous hacks. Each of us should have some kind of practice around our personal password management.
Here’s the first one, and it’s the hardest, and that is you should have a unique password for every site you access.
You do not want to reuse username passwords across multiple sites, and the reason for that, and that goes to the Colonial incident, is that if somebody has gained access to that username password combination, they can just take that username password combination, go out there, start hitting websites and say, “OK, where is this going to give me access?”
These nation state sized or resourced actors have automation so that every time they get a good username password set, they go see where it will give them access. When they find good access, they put that in a database for use at a future time.
If I, as an individual, make sure I have a unique username password every place I have a login, if I find out that my credentials have been hacked on a single site, all I have to do is change my credentials on that site, and those credentials are not going to provide access to anything else that I access.
For example, if I’m using the same username password on Amazon, and Hilton Hotels, and American Airlines, and my bank, if American Airlines gets hacked, somebody’s got credentials to get into my bank, and I can guarantee you those hackers are going to be trying to gain access that way. First thing about passwords is to make sure every login is unique.
Second is make sure you’re using complex passwords. There are tools out there that people can use to force passwords, meaning I’m going to try very quickly in an automated way all the password combinations.
If I’m using six letters and that’s all I’m using, that’s a fairly easy password to brute force hack. If I’m using 16 characters, and it’s a combination of numbers, and special characters, and random lower and uppercase letters, then what happens is the amount of computing time required to hack that password is so large that it’s just untenable.
There are lots of software packages out there that will allow you to securely manage a library of passwords. I would strongly recommend that you get something like that if you don’t have something like that already.
The last risk is what’s called a zero day attack. Zero day attack is a known hack that will work, but nobody else knows about it. If I find an exploit that works, it’s a weakness in Windows, or it’s a weakness in the Cisco software that’s used to manage their routers, or whatever, if I find it and nobody else knows about it, I have what’s known as a zero day attack.
What that means is all of the things that we put on our computers in the way of antivirus will be ineffective, because with antivirus, the exploit first has to exist, and then a corrective action has to happen in the antivirus. There’s a lag time between when a zero day shows up, and when there’s an effective mitigation in the antivirus tools.
There are many antivirus tools out there. One of the ones that we use is a product called Cylance. What it does is it goes on your computer, and it monitors all the things that could be exploited and reports out anything that’s a change from normal behavior. It’s a way to identify and quarantine a zero day attack.
It does require some administrative oversight because any time you install a new piece of software there’s a chance that Cylance will block something in it, but it is a way to protect against the zero day.
That’s a whole lot of cybersecurity information. What are the things that I think it’s important all pipeliners know? Number one, human error is the most common reason for any kind of cyberattack. Two, the way that we protect against that is we work with the IT professionals, and we make sure we have good cyber hygiene around phishing, uses of VPNs, uses of username password combinations.
Hopefully you guys have found that helpful. As always, we’ll link all these buzzwords and such up with the show notes for the episode on pipeline cyber security. If you have questions or want to reach out, please do so. The best way to do that is to reach out to me on LinkedIn. It’s Russel, Treat, and I’m easy to find on LinkedIn.
I hope you enjoyed this week’s episode, and our conversation about what every pipeliner should know about cybersecurity. Just a reminder before you go, you should register to win our customized Pipeliners Podcast YETI tumbler. Simply visit PipelinePodcastNetwork.com/Win and enter yourself in the drawing.
If you’d like to support the podcast, the best way to do that’s to leave us a review, and the best place to do it is wherever you happen to listen. That could be Apple Podcast, Google Play, Stitcher, wherever you listen. You can find instructions at PipelinePodcastNetwork.com.
[background music]
Russel: If you have ideas, questions, or topics you’d be interested in, please let me know either on the Contact Us page at PipelinePodcastNetwork.com, or reach out to me on LinkedIn. Thanks for listening. I’ll talk to you next week.
[music]
Transcription by CastingWords