5/15/2021

Infrastructure On The Internet Is A Really Bad Idea

Before I delve into the issue of the Colonial Pipeline debacle, I need to state that my job involves the telecommunications industry, and more specifically, the Internet, Cable TV, Cell and Telephone industries, and particularly the physical layers of those industries, which means the hardware (switches, routers, servers) and all the cabling (primarily fiber optic cabling) that makes it possible to transmit increasingly huge amounts of data.

Understanding how it all connects together, how it routes the data from Point A to Point B, how the various types of data (data files, photos, videos, phone calls) are handled, is important to making sure the systems do what they’re designed to do.

With all of that in mind, let’s turn our attention to the debacle that is the Colonial Pipeline and to how any of our infrastructure is vulnerable to cyber attacks: pipelines (natural gas, oil, refined products like gasoline, diesel, home heating oil, propane, etc.), electrical grids and generation facilities, water and sewer systems, communications systems (phone – landline and cell, video – linear TV and streaming, e-mail, and the Web), and transportation (traffic control, trains, subways, tractor trailers, airlines, shipping). How is it that all of these things are so vulnerable to such attacks?

Because they are all connected to the Internet, something that is an incredibly stupid thing to do.

‘Secure’ systems aren’t as secure as many people think they are. If they are connected to the outside world via the Internet, they are vulnerable. Firewalls, a combination of hardware and software, are systems that help prevent outside intrusions into public, private, and government networks. But firewalls are not perfect and are not invulnerable, and therein lies the problem.

Because of this, connecting any infrastructure such as those listed above to the Internet is madness. It leaves them vulnerable, just as we saw with Colonial Pipeline, in this case to a multi-million dollar ransomware attack. (The Russian crackers – a criminal gang also being sought by Russian authorities – managed to get malware uploaded to the system that would encrypt all data and make it unusable unless their target, in this case Colonial Pipeline, paid a ransom to the gang. If they didn’t pay the ransom, their systems would crash, or even worse, cause the destruction of their pipeline facilities.)

All such systems should be completely isolated from the Internet, and should run their own command and control networks on their own equipment that has absolutely no connection to the Internet in any way, shape, or form. There should be no wireless access points on such a network (just another way to hack into the network). This is called ‘air-gapping’ and is the best firewall to prevent outside crackers from gaining access to such important networks. While not perfectly secure, such air-gapped systems are much more difficult to attack. There are other means of uploading malware into such closed systems, but it takes a lot more effort to do so, and the crackers need to have an intimate knowledge of the target system.

Attacks such as this usually involve what is called social engineering, using people’s perceptions to get them to do things that will unwittingly give the ‘bad guys’ indirect access to the target system. One example – leaving a USB thumb drive on the ground just outside the entrance of the target, on a table or counter inside the lobby, or on the counter inside a restroom. Someone picks it up, and plugs it into their computer, either from curiosity or as a means of finding who it belongs to. When they do, the malware contained on the thumb drive is automatically loaded into the computer and from there infects the target network.

What’s the worst-case scenario should crackers manage to take control of our infrastructure? Returning us to the 19th century with no electricity, no cars, no Internet, no air travel, no medical care, no food. It will be a war fought and lost without a single shot being fired.

If you want a sneak peek of such a nightmare vision and what it could mean, all you have to do is watch the movie Live Free Or Die Hard. (Yes, there are explosions and gun fire, but then it is a Bruce Willis movie.)