Everyone has heard of the Colonial Pipeline attack that happened a while back. The company that provides fuel across the East Coast shut down that fuel supply due to ransomware on their systems. This sparked a huge push for ICS security. It got a lot of people talking about critical infrastructure and how the world will end with a single cyber attack. I don’t disagree that these systems are at risk or that they should be secured. This is something that we should be focusing on in general to improve these safeguards.
However, this focus leaves a large group of application developers out of the equation, when in reality, they should be a bigger focus. From my understanding, the actual pipeline was not affected by the ransomware, nor was it actually attacked. The control systems were in working order. The less talked about issue is why the pipeline got shut off if the attackers didn’t do it.
My understanding is that they decided to shut the pipeline down because their billing software, or other organizationally critical software, was actually affected by the ransomware. Imagine your organization cannot monitor or bill customers. Would that put you in a position to shut off your services?
This has really piqued my interest because I realize that, in many of the critical infrastructure attacks we have seen over the years, it is worth asking how many actually accessed the ICS versus attacking some other system that indirectly caused the organization to shut something else down.
Take, for example, the hospitals that have been hit by ransomware and had to turn patients away to other hospitals. Was this attack on the actual hospital equipment that saves lives or was it an attack on the typical IT assets used for intake and billing?
Granted, there are examples where controls may have been altered. Take the water treatment plant where someone was able to gain remote access to the system and modify chemical levels. This can definitely happen. However, a lot of that depends on your goal, as the attacker. Are you looking to directly poison people through water? You might need to modify the actual equipment. You want to shut power off? Do you need to get into the ICS to do that, or is it easier to just take down the billing software? Better yet, could you just drive a truck into a sub-station?
We can’t assume that the only attack vector to critical infrastructure is actually through the components. As developers, writing applications of every kind, we don’t really know how our application may be an indirect trigger for something farther down the road. These should be things that we consider within our threat models. Do you write billing software? What happens if that gets shut down? This may be different for different clients. Could an electric company decide they will turn off power until they can start billing again?
How do we view our application with these potential risks in mind and consider mitigations to help protect against this? In many of these cases it is ransomware on the system, and there is not much we can do about that. But what if it was an attack directly against your platform to shut it down? Do you know how your application may be indirectly or directly related to other applications? How critical is your app to the business in these circumstances?
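One way to put these questions into a threat model is to write down not just the technical dependencies but the business ones (the operator will not deliver what it cannot meter and bill) and then ask what stops when a given system is down. The following is an added example, not code from the original post; the systems and dependencies in it are constructed to mirror the billing scenario above.

```python
"""Downstream-impact check for a threat model: which operations halt when a
non-ICS application such as billing becomes unavailable."""
from collections import deque

# Constructed example: system -> the systems it needs in order to keep running.
# "Needs" deliberately includes business/policy dependencies, not only
# technical ones, e.g. fuel is not delivered if it cannot be billed.
DEPENDENCIES = {
    "fuel_delivery": {"pipeline_scada", "billing"},
    "billing": {"erp_database", "active_directory"},
    "customer_portal": {"billing", "active_directory"},
    "pipeline_scada": set(),
    "erp_database": set(),
    "active_directory": set(),
}


def impacted_by_outage(deps, failed):
    """Return every system that stops when the systems in `failed` are down.

    Walks the reverse dependency edges breadth-first, so transitive effects
    (ERP database -> billing -> fuel delivery) are included.
    """
    dependents = {s: set() for s in deps}
    for system, needs in deps.items():
        for need in needs:
            dependents.setdefault(need, set()).add(system)
    down = set(failed)
    queue = deque(failed)
    while queue:
        current = queue.popleft()
        for dep in dependents.get(current, ()):
            if dep not in down:
                down.add(dep)
                queue.append(dep)
    return down


def single_points_of_failure(deps, critical):
    """Systems whose outage, on its own, takes `critical` down with it."""
    return {s for s in deps
            if s != critical and critical in impacted_by_outage(deps, {s})}


if __name__ == "__main__":
    print("billing outage stops:", sorted(impacted_by_outage(DEPENDENCIES, {"billing"})))
    print("fuel_delivery depends on:", sorted(single_points_of_failure(DEPENDENCIES, "fuel_delivery")))
```

Note that the SCADA system never appears in the billing outage set, yet fuel delivery still halts; that is exactly the indirect trigger the post is describing.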
All too often we focus on the immediate functionality of our application and don’t consider the potential downstream effects. I encourage everyone to take a moment to think about how their application may fit into their customer’s overall process and consider how a breakdown could affect their business.