How PAM can help to prevent major security disasters like Colonial Pipeline
When a cyber attack on the United States Colonial Pipeline erupted in May this year, the fallout across the eastern region of the United States was almost unthinkable.
Not only did the attack result in the shutdown of 5,500 miles of pipeline — causing higher fuel prices and long lines at the pump — but more than 100 gigabytes of data were also stolen. Five days into the shutdown, Colonial Pipeline finally relented to the attackers’ demands and paid a ransom of US$4.4 million, but much more work remains to be done to scrub systems and fix vulnerabilities.
From an analysis of Colonial Pipeline’s systems, the breach was found to originate from a dormant virtual private network profile that should have been removed long ago. The attackers hijacked the privileged account using stolen credentials, and then used this initial access point as a springboard to spread across the network and deploy the ransomware. When an account has privileged access — especially when that access is not properly controlled — it enables a threat actor to fast-track their attack.
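As an added example (not from the article or from BeyondTrust), the routine below audits a constructed inventory of remote-access profiles for the conditions that paragraph describes: orphaned or long-unused VPN profiles, and privileged accounts without MFA. The profile fields, the 90-day idle threshold, the reference date and the sample records are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample inventory (not real Colonial Pipeline data): one record
# per remote-access profile, as an identity or VPN export might provide it.
@dataclass
class AccessProfile:
    username: str
    privileged: bool
    mfa_enrolled: bool
    last_login: Optional[datetime]  # None means the profile was never used
    owner_active: bool              # False if the owning person/vendor is gone

def dormancy_findings(profiles, now, max_idle_days=90):
    """Return (username, reason) pairs for profiles that should be disabled
    or reviewed: orphaned owner, never used, idle beyond max_idle_days, or
    privileged without MFA. Privileged profiles are listed first because
    they give an attacker the most uplift if hijacked."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for p in profiles:
        reasons = []
        if not p.owner_active:
            reasons.append("orphaned: owner no longer active")
        if p.last_login is None:
            reasons.append("never used")
        elif p.last_login < cutoff:
            idle = (now - p.last_login).days
            reasons.append(f"dormant: idle {idle} days")
        if p.privileged and not p.mfa_enrolled:
            reasons.append("privileged without MFA")
        if reasons:
            findings.append((p.username, p.privileged, "; ".join(reasons)))
    # Privileged first, then alphabetical, so the riskiest items lead the report.
    findings.sort(key=lambda f: (not f[1], f[0]))
    return [(user, reason) for user, _, reason in findings]

NOW = datetime(2021, 5, 7)  # constructed reference date for the audit run
SAMPLE = [  # constructed records; the first mirrors the dormant-profile pattern above
    AccessProfile("ops-vpn-legacy", True, False, datetime(2020, 10, 1), False),
    AccessProfile("vendor-hvac", False, True, datetime(2021, 5, 1), True),
    AccessProfile("svc-backup", True, False, None, True),
    AccessProfile("jsmith", False, True, datetime(2021, 1, 15), True),
]

if __name__ == "__main__":
    for user, reason in dormancy_findings(SAMPLE, NOW):
        print(f"{user}: {reason}")
```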
Colonial Pipeline wasn’t the first organisation in the industrial sector to face cyber-attacks, and it certainly won’t be the last. The NotPetya attack in 2017 brought Ukraine to its knees and even shut down computers at the Chernobyl Nuclear Power Plant. And, in the last year, we’ve seen such brazen attacks increasing.
Cybersecurity for critical infrastructure and operational technology (OT) needs to address many different environments, such as on-premises, in the cloud, and the internet of things. The attack surface is expanding as digital transformation presses forward and more things are being connected to each other and potentially exposed to the Internet. This new attack surface is also driving the proliferation of privileged accounts — for both human and machine identities.
This access needs to be brought under IT control and robustly managed and monitored. However, absent the right tools, privilege management can be difficult when privileged accounts are being created left, right, and centre. Often, as in the cloud, these accounts are also ephemeral.
Take remote access, for example. The OT landscape is vastly different from the days when industrial systems needed cumbersome proprietary software and protocols with no flexibility. Now, analytics, automation, and integrations are blending to create modernised systems that cater to the needs of vendors, employees, suppliers, and contractors.
Traditionally, OT maintenance and repairs are conducted through SCADA systems, and this often takes place on-site or through remote support. Such connections typically offer no monitoring or auditing and no granular control, and they are not routed through a secure system. However, all remote support should be treated as a form of privileged access.
According to privileged access management (PAM) specialist BeyondTrust, organisations operating OT infrastructure can help enable a secure foundation by embracing the universal privilege management approach to manage every privileged user, asset, and session — whether it involves a human, machine, employee, or vendor. This approach encompasses the domains of privileged password management, secure remote access, and endpoint privilege management.
BeyondTrust provides a complete privileged access management (PAM) platform. In the case of the Colonial Pipeline breach, BeyondTrust’s Secure Remote Access solution could have prevented multiple phases of the attack, including stopping it from gaining an initial foothold.
BeyondTrust’s solution provides locked-down access without the use of a VPN to connect remote plant operators to critical and sensitive systems. The solution provides visibility into every session, requires approvals and sign-in for vendors, provides features such as granular control over session parameters and automatic reporting, and meets compliance mandates.
Furthermore, BeyondTrust Secure Remote Access enables organisations to manage access without sacrificing user experience, productivity, or security.
Additionally, BeyondTrust’s Endpoint Privilege Management solution would also have stopped the malware deployed in the Colonial Pipeline attack by the Darkside group at multiple stages by applying least privilege and application control.
BeyondTrust Secure Remote Access, which includes a Remote Support product, also delivers benefits around routine maintenance and troubleshooting. For example, BeyondTrust provides granular controls that enable operators and service desks to set session parameters to define maintenance session length, network access, approval, and log-in processes.
By securing remote access pathways, enforcing least privilege across all access, and applying credential security best practices — even for vendors and non-human accounts — BeyondTrust helps to significantly harden the attack surfaces for OT and other environments.
See how using PAM can help you defend against ransomware attacks such as Darkside. Watch the video now.