In this month’s edition of the Pipeline Technology Podcast sponsored by Pipeline & Gas Journal, Niyo “Little Thunder” Pearson of ONE Gas discusses his timely article on why the recent Colonial Pipeline cyberattack should raise alarms for midstream companies.
In this episode, you will learn about what caused the Colonial Pipeline cybersecurity attack, the lessons learned from the attack, what every pipeline operator and midstream company needs to look at concerning their cybersecurity program, how to achieve top-down buy-in to achieve cybersecurity improvements, the advanced military-style strategy and tactics utilized by bad actors and state-sponsored attackers, what’s next for cybersecurity affecting pipeliners, and more topics.
Colonial Pipeline Cyberattack: Show Notes, Links, and Insider Terms
- Niyo “Little Thunder” Pearson is the Supervisor, Cybersecurity and OT Cybersecurity for ONE Gas.
- ONE Gas (NYSE: OGS) is a stand-alone, 100% regulated, publicly-traded natural gas utility and is one of the largest natural gas utilities in the United States.
- Pipeline & Gas Journal is the essential resource for technology, industry information, and analytical trends in the midstream oil and gas industry. For more information on how to become a subscriber, visit pgjonline.com/subscribe.
- Read Niyo’s article in the June 2021 edition of Pipeline & Gas Journal, “Colonial Pipeline Cyberattack Raises Alarm for Midstream Companies.”
- Colonial Pipeline Cybersecurity Incident: In May 2021, a cyber attack was launched against Colonial Pipeline that eventually resulted in the payment of $4.4 million to resolve the attack. The attackers gained access to Colonial’s systems and data through an unmonitored VPN by stealing a single password.
- Florida Water Treatment Plant Attack: In February 2021, a cyber attack was launched against a water treatment plant in Oldsmar, Florida. The attacker gained access to the TeamViewer remote access software of a Florida water treatment facility. The TeamViewer access allowed the bad actor to interact with an operation station, which in turn allowed the attacker to manipulate the setpoint for a chemical dosing control of the Industrial Control System.
- SolarWinds Attack: In December 2020, it was discovered that state-sponsored hackers were able to implement a sophisticated virus that extracted client information for major U.S. organizations and government entities.
- MFA (Multifactor Authentication) is a security method to require multiple methods of authentication to ensure that the proper person is obtaining proper access. For example, a username / password and a text message or other form of identification.
- VPN (Virtual Private Network) extends a private network across a public network and enables users to send and receive data across shared or public networks.
- Pulse Secure VPN ensures that the mobile workforce is authenticated, authorized, and secure when accessing applications and resources.
- Citrix NetScaler provides balancing to deliver better performance for apps and services. NetScaler offloads offloading SSL (secure traffic) from application servers to free up resources.
- SSL Decryption is the process of decrypting traffic and routing it to various inspection tools that identify threats that are inbound to applications and outbound from users.
- SCADA (Supervisory Control and Data Acquisition) is a system of software and technology that allows pipeliners to control processes locally or at remote location. SCADA breaks down into two key functions: supervisory control and data acquisition. Included is managing the field, communication, and control room technology components that send and receive valuable data, allowing users to respond to the data.
- Edge Communications is a method of building out the architecture for structured communication from edge devices in the field to a host server using connectivity to transmit the data. When evaluating the capabilities of your SCADA systems for transporting data, it’s best to consider which method of communication fits your operation.
- Edge Computing differs from traditional SCADA only in the relevance of the dynamic lift that can be moved from the cloud to the edge, for optimizing bandwidth, and functional efficiencies.
- Edge Devices are pieces of hardware that provide an entry point into a connected network. The devices serve as a gateway between networks to move data between networks.
- Listen to Pipeline Technology Podcast Episode #9 — “Edge Computing Optimizes Pipeline Management” with Corrie Allemand.
- Endpoint Protection Platform (EPP) is a software solution deployed on endpoint devices. There are dozens of EPP solutions on the market. They are designed to prevent file-based malware attacks, detect malicious activity, and provide investigation capabilities that are needed to respond to security incidents and alerts.
- Endpoint Detection Response (EDR) is a set of tools that are focused on detecting and investigating suspicious activity occurring around endpoints. Endpoint detection and response addressed the need for continuous monitoring and response to support an organization’s ability to respond appropriately to complex, sophisticated, and advanced threats.
- Pen test (penetration testing) is the process of performing a simulated cyber attack against an organization’s system to identify vulnerabilities. This enables organizations to determine the appropriate course of action to close gaps and secure their systems.
- Hacker Dogfight refers to an ongoing battle between a cybersecurity response team and an adversary as both sides seek to complete their objectives as the defender and the disruptor.
Colonial Pipeline Cyberattack: Full Episode Transcript
Announcer: The Pipeline Technology Podcast, brought to you by Pipeline and Gas Journal, the decision-making resource for pipeline and midstream professionals. Now your host, Russel Treat.
Russel Treat: Welcome to the Pipeline Technology Podcast, episode 11. On this episode, our guest is Niyo “Little Thunder” Pearson, supervisor of Operational Technology Cybersecurity with ONE Gas.
We’re going to talk to Niyo about his article in the June 2021 Pipeline and Gas Journal entitled “Colonial Pipeline Cyberattack Raises Alarm for Midstream Companies.” We’re also going to refer to some other things that Niyo has either published or been quoted in. Niyo, welcome to the pipeline technology podcast.
Niyo Pearson: Thank you. Glad to be here. It’s been an honor to be invited to be a part of this discussion today.
Russel: If you would, Niyo, tell us a little bit about your background. What do you do, and how you got into it?
Niyo: Absolutely. Been in this industry of cybersecurity as a whole for 17-plus years. Some of the highlights. I worked for American Express — I was a senior incident responder, and I helped develop actually one of the first security orchestration automation platforms that ever came out back in 2011.
Then I shifted to coming back home — I’m a Tulsan, I grew up in Tulsa, Oklahoma — and I went back to work for ONEOK, which then separated out into the two entities, ONE Gas and ONEOK. Since then, I’ve been running a program that is basically built around defending against advanced cyber defense threats.
In that regard, I have continued to push industry to be better. I am a subject matter expert for SCADA and OT, which stands for operational technology within the United States, and maybe I’ve been a part of some really awesome exercises where we tested that in the field.
Russel: Awesome. I do want to ask you about your name. Your full name’s Niyo “Little Thunder” Pearson. Where does the Little Thunder come from?
Niyo: That comes out from my dad’s side. My dad’s a Southern Cheyenne artist. He paints artwork, one of the actual original grandfather’s to the miniature, which is like a 1” by 1”, but I also have Creek and then Irish. I’m a good mix of everything. Very Oklahoman.
Russel: When I first saw that, I’m like is that your cybersecurity code name. [laughs]
Niyo: No. I actually do have one of those. My code name or my electronic handle is called The Hulk. [laughs]
Russel: That makes your full name Niyo “Little Thunder The Hulk” Pearson.
Niyo: That’s right.
Russel: That is an awesome name for a guy who’s a cybersecurity expert.
Russel: That’s good. Listen, thanks for coming on. I know you’ve had several things published. I want to start by talking about Colonial. Cybersecurity’s been getting talked about in pipelining for a while, but with the Colonial incident and the national press, the issue was raised right to the forefront.
I did a special episode on Colonial [on the Pipeliners Podcast], but it might be helpful for the listeners just to talk about what was the incident, what occurred, and where are we now that we’re post-mitigation.
Niyo: Giving the layman’s view of why this happened is that in early May, Colonial Pipeline on a Friday ended up being aware that they had been ransomwared. They essentially got a notice that said that their systems had been encrypted and that there was information that was actually extracted from their systems.
This has to do with the fact that some elements really common in the theme today of these activities are now handled like a business, but they still follow criminal ideology. It was what’s called a two-form fraud.
Essentially, they encrypted the systems as one form of fraud, requiring payment, but they extracted information that they’re telling Colonial is damaging to them as a secondary fraud measure to ensure payment.
Then they have turned around and basically said that they needed to pay $5 million dollars in order to restore not only the encrypted systems but to ensure that the data was not released out to the public.
From there, Colonial ends up reaching out to the government. You see all of the government race in. You see shortly after that that they actually take down portions of their SCADA in order to, as they stated, ensure that it stays safe and protected. All the while they’re talking about that it never infiltrated the SCADA environment itself.
Post this incident, they said it was just the billing systems that had been impacted. As we’ve learned, the CEO ended up authorizing, along with having the government there, a form of payment for ransomware that ended up being close to $5 million, about $4.4 million.
This is the bigger takeaway. What they got back under the decryption system was not fast enough for the kind of downtime they were looking at. They ultimately had to go and restore these systems still by their own processes and by their own hand in order to get them up fast enough to be able to restore all the transmission that they were doing to the United States.
This is critical because they’re such a huge entity. If they were down longer than a week, we would have had huge, huge national impacts. You already saw a lot of people panic. You saw pumps go dry because of this panic when still there was still plenty of supply. That kind of response to it definitely created a lot of hype that, again, had they gone longer, it would have been a more significant event.
Russel: It wakes people up as to how critical fuels are to our economy and how reliant we are on the infrastructure to get those fuels. That’s certainly one aspect of the event from my perspective.
What’s really interesting to me as I watched this incident, I’m aware of other incidents with fairly significant infrastructure where things were brought down, but that stuff never made it to the news. This went to the news and you know that the government had to be involved with that decision to take it to the news.
Historically, they keep these incidents quiet because they don’t want to encourage the criminals, and they don’t want to give away information that would be useful to the criminals, right?
Niyo: Absolutely. The understanding of warfare has changed, especially espionage. It has changed from being these government entities — like for us, it’s the CIA and other entities, and for other governments, it’s their counterparts to that. To now, the forefront of where these things are landing are at the doorstep of critical infrastructure — whether that is oil, natural gas, electric, whether that’s water, wastewater management.
Just not too long ago, the Florida scenario where they remotely logged in to a Florida water plant and were changing the levels. They caught it in time, but that everybody saw that you could remotely access one of these water areas. The forefront is really at our doorstep now for critical infrastructure.
Russel: You’re absolutely right. If you think about how these criminal actors are working, they’re looking for the easy targets. The financial systems, the banking systems, people have gotten aware those systems have been hardened. Those hacks have gotten much more challenging, so they’re looking for other ways to fund their enterprises.
Niyo: Absolutely. Again, like any business model, you have to have capital. You have to have an ability to not only maintain your operations but continue to expand and grow, give more services to the people that want it.
The reason why we have to cement that idea deep in our minds is because if we keep thinking about this like the teenager or the Hollywood version of what we’ve been fed around how these guys operate, we will truly not understand the fact that, again, they’ve matured this model in such a way that they are targeting everybody. They know how to get a payoff.
They’re running their money through Bitcoin because, of course, it’s still an unregulated area, and so they have a lot of flexibility to be able to get those payments, maneuver them to various nations that they can be able to receive payment.
Russel: The other thing I wanted to talk about — because there’s some new information that came out since I did the original podcast on Colonial — is the original mechanism for how they got access to the system. To me, that’s interesting. Maybe you could tell us about how the actors actually got access in the first place.
Niyo: What was found out is that they had ended up taking credentials that were stolen from prior activities for a VPN credential. They ended up using it for a VPN credential to make their way into the environment. This is very much following the motive that we’ve seen in the past year.
You’ve seen a lot of these big disclosures about Pulse Secure VPN. You’ve seen things on some of the big NetScalers, the load balancers like F5 or NetScaler. A lot of these foreign actors, these geopolitical adversaries we have, are essentially going after some of these Internet-facing environments using credentials that have been pulled, whether it was a phishing email or some other hack that had taken place where they got those credentials, utilizing that to get into that edge infrastructure where they can hide out.
You don’t have all these very advanced, sophisticated, endpoint technology systems there, and then they make their way into the environment. It really showed that there was a huge gap in the fact that it didn’t have MFA on it, so there’s a gap in the process of what the company says you’re supposed to do.
You’re supposed to have a complex password. You’re supposed to have multifactor appended to that account. Ultimately, that one thing, just one thing, cost them that roughly $5 million engagement.
Russel: About a week’s worth of downtime, $5 million in ransom, and no telling what they had to spend in terms of mitigation and response.
Russel: I want to unpack this a little bit for listeners that might not be as in tune with some of the buzz words that we use in this domain. My understanding is they had an employee who was no longer with the company but whose credentials had not been taken out of the VPN.
Niyo: That is correct.
Russel: That employee had used a username / password combination that he had used elsewhere, and where he had used it elsewhere, he also used it on the VPN. It wasn’t actually his credentials that got taken off the VPN. They got hacked someplace else.
One of the things that you always get asked is why do I have to change my password, and why do I have to have a unique password for every login, and right there is your answer.
You make a very good point. I want to underscore this because I know you said it clearly, but I really want to emphasize it, that these entities that are doing this, it’s not like a couple of guys sitting in high school in their basement with a couple of computers. These are entire enterprises with hundreds of people and very sophisticated processes. They’re doing data mining, and they’re getting on the dark web, and they’re grabbing stolen credentials.
They have a whole list of things, and they’re going through asking things like, “Will it work here? Will it work here? Will it work here?” until they find something. These are major, major efforts that are being undertaken and lots of staff that’s being thrown at doing this.
They’ll find a username / password. They’ll try to correlate that to somebody on LinkedIn. They’ll look at their profile. They say they work over here, and then they start trying to use that stuff to get in.
What I would tell anybody listening to this is one of the things we each person needs to do is you need to have complex passwords. You need to have multifactor authentication on anything that you’re using. All that means is I give my login, and then it reaches back out to me, and I have to do something else to get logged in.
Russel: You need multifactor. You need complex passwords, and you need a unique password every place you log in. That way if one of them gets hacked, you only have one login you need to change. You don’t need to change all of them.
Niyo: Correct. We are unfortunately a society of convenience now. We have so much at our fingertips through our phones that we fall into that kind of thinking that my Netflix password is sufficient enough for me to reuse it over here for my job. The reality is, again, no one carries the same security standard across every single one of these services.
When you do such a thing, there is a high likelihood that that is going to get exposed. It is going to get stolen. The term that they use, the technical term is they call it credential stuffing.
They will literally just load this program with all these passwords that have been found through all these hacks, and they will just basically slam them against these devices. They can do it very low key over a long period of time, or they could do it very aggressively.
They just try to go through, and they pin those passwords and user names based on the fact that they can find almost any employee on LinkedIn. They can determine what your job role is there. They can find you on social media and know that you’re tagged to the company.
There’s so much presence out in the world right now. It’s easy to be able to associate with you what you do, who you work for, what’s your title, what’s your expertise, and then be able to just hone that list, and like I said, go through those technologies and try to gain access.
Russel: Absolutely. I think it’d be good to transition the conversation here a little bit. You’ve written about the nature of the threat and these nation-state actors and what’s necessary to defend against this. Let’s talk about how that’s different given what’s going on right now versus what was even going on a couple years ago.
Niyo: We are definitely at a tipping point right now where we have to fundamentally change the responses that we have done to these type of events. I have a concept in a program. It’s called the adversarial cyber defense program, and the whole point of it is that it’s engineered to defend against nation-state, state-sponsored attacks.
It’s taking a very deliberate approach that the thing that’s going to come to your doorstep is the worst of the worst. Why is this important? Because as companies, if we’re just thinking about we need to make sure we defend against that malware that comes out, or we may have this very low-level ransomware that comes for us, we are not actually examining the scope or the plausibility of the things that can be there.
If you are protecting against the most advanced, most sophisticated attacks in the world, then that automatically handles everything that’s below that, but it absolutely guarantees that you have a position for your company, whether it’s in a PR stance of being able to say we were trained and ready for this kind of thing.
There’s also another element of this that’s really near and dear to my heart. Cybersecurity for critical infrastructure should never be seen as another cost center. This is an essential purpose of running a business for this sector, all 16.
It should be viewed as one that should not be scrutinized and compressed, that you have plenty of staff, you have plenty of funding. If you don’t do those things, you definitely get yourself in scenarios where you have an ex-employee who should have already had that credential removed, having a reused password and username that ultimately didn’t have multifactor, so the process is not being followed.
That ultimately leads to the entryway that, again, goes to something that is far more expensive than $5.5 million. In the long run, if you looked at the financials, you save yourself so much money by being able to just classify it as an essential part of the business versus another cost center that is going through the regular rigors.
Russel: I think the allegory would be in retail. You know you’re going to have losses. You know you’re going to have robberies. You know you’re going to have employee theft. You put in place processes and controls to address it and minimize it.
Niyo: That’s correct.
Russel: The reality nowadays with cybersecurity is you’re going to be hacked. It’s when and how bad, and how long before I find it, and how quickly can I react, and how appropriately can I react?
I read the articles that you had sent me, and there was an article you had in Bloomberg, where you talked about being in a hacker dogfight. Can you talk a little bit about being in a hacker dogfight? What does that mean, and how is that different than the threat even a couple years ago?
Niyo: Very much the term comes from the military — the focus on the airplanes and the warships, essentially your fighter jets, as they are basically going toe-to-toe with one individual. Two opposing parties, and one is trying to better the other. That is essentially the same scenario when you talk about that from a hacker context.
The difference is you do have two scenarios or divergence here. You have one is code. Other is hands-on keyboard. Any more, it is really code bases that you are battling against when this is occurring versus the hands-on, the keyboard. In this scenario that I had discussed in this article, it was a code-based that we were actively going against.
What I mean by that is that, again, going back to the program development that you’re training for are state-sponsored, nation-state type attacks. The essence of that is you have to understand what that code is doing. What is it there for? It is a campaign. It has a purpose. It has directives and deliverables that it’s supposed to do.
There was a good portion of us understanding what its purpose and its directives were. Then it got into now it’s trying to go in and interact and extract information out of the environment, and we are trying to now shut that down.
We are taking away what’s called an attack surface, which is essentially an exploitable path somewhere within the network. It could be on a computer system. It could be on a network device. It could be just on that computer itself. We’re slowly getting to the point where we’re actually kicking them out.
It is a very controlled exercise, and ultimately we were successful because we were able to not only disrupt their campaign, they did not reappear again, so we gave them pause, but we were able to go further and determine that this was a piece of code that was unique.
We had never seen anything like this in the world. We went to the government to pull their archives. We ended up naming it Laertes Odysseus, which is the father of all Trojans, because it was so unique in the way that it was engineered. It had a SCADA focus that we essentially realized we were being field-tested probably for the next major cyberweapon.
It was absolutely an intense number of days. It lasted about three days for us, going through this process, especially at the tail end, getting them to the point where we finally kicked them out. Then we’re getting this deeper understanding of what it is.
Russel: What’s interesting to me about that, Niyo, is in my experience, and I’m close to cybersecurity, but I don’t live in it. Cybersecurity’s a very quickly moving space. To be current in it, you got to work at it every day to be current in it. My information’s always a little dated. What I would say is not very long ago if you found somebody in your network, and they figured out that you found them, they would run away.
Niyo: That has changed.
Russel: What you’re describing is you found them, and they’re like “Okay, I’m going to persist and get around you even though you found me.” They were not only testing can I get in; they were also testing can I get around the response. That ought to be unnerving to anybody running critical infrastructure.
Niyo: Yes. They are absolutely targeting and going after cyber defenders. They are no longer waiving the white flag and saying we are done when they get caught. They are acting more aggressively, more timely, to try to maneuver around the cyber defender to kick them out and continue to maintain their presence until they finish, again, their directives and their deliverables. This is huge.
This is happening behind the scenes in espionage and now at the forefront of, again, critical infrastructure in some of these private companies. This was not something that you saw play out that way. Because of SolarWinds, and Exchange, and Colonial, you’re seeing “No, that is not the case.” They will continue to maintain their presence. They will go after your cyber defenders, and that should spark a whole lot of pause in very many people.
Russel: What does that mean, they’ll go after your cyber defenders?
Niyo: It means that they are actually taking them as a target. It’s more than just saying what is their access in the environment, what’s their role, and what are they doing. They’re also getting a better understanding of who they are in the community, how connected they are, who’s connected to them, those kind of things. It’s studying the enemy.
They are actually taking the defenders as an obstacle that they need to understand the complete depth around in order to be able to be the most successful. If they can see you’re…
Russel: This would…I’m sorry to interrupt you, but this would be equivalent to all of the World War II movies I watch where the German generals have backgrounds on all the Allied generals, and the Allied generals have backgrounds on all the German generals, and they can understand where they’ve been, what do they study, their philosophies, their tactics.
Like the great line in the movie, Patton, it’s “Rommel, I read your book.” They’re actually identifying who’s the person and what do I need to do to defeat this person.
Niyo: Yes, they are.
Niyo: Again, taking concepts that have been used outside of this area and reapplying it through this area.
Russel: This is really the militarization of cyber hacking.
Russel: It’s really even beyond big actors, big, organized actors with real infrastructure to conduct their operations. It’s also taking and using military-style strategy and tactics to understand who they are and how to exploit them.
Niyo: That’s absolutely right. I have a saying that we play chess, not checkers. It’s encompassing the fact that our purpose as cyber defenders is not to match the one thing they put on the field. It’s to understand the next seven maneuvers we have to take in order to be successful.
Russel: That’s really well said, Niyo. What do operators need to be doing in order to get appropriate capability to address the reality of this threat?
Niyo: Going back to what I said earlier, at the core of this, you need to make sure that you do have the right executive support, the funding, and the staff to be able to take up the task and to be able to rise to the challenge. It’s one thing to have a scenario where you’re trying to take on corporate and SCADA and you only have three people to do it. That’s impossible.
When you have scenarios like that, and people tell me about those scenarios, the issue is if you have an event in the corporate side and you have one in the SCADA side, you would naturally think people would go to the SCADA side. No. Actually, most times they’ll deal with the corporate.
You need to have this significant staffing to be able to handle SCADA separately, corporate separately, have the funding and support to do those things. Outside of that, it goes back to the basics. I’m really going to bring back up things. I’ve been in the fundamentals of any kind of IT security, information security, for the past 20 years.
Patch often. Patch frequently. A lot of these things are being hammered or gotten into, compromised, because they hadn’t been patched. They sit on the Internet, and people are worried about it going down for an hour or a couple hours.
I promise you having to sit there with the federal government and then go explain to Congress why something occurred is the thing you don’t want versus two hours of down time. Let’s level set again the impact when we think about it in these bigger, broader terms.
The other thing is ensuring that you have the right kind of protections in your environment. I did mention malware, but let’s be clear. Antivirus and anti-malware are dead. You should not be using those platforms anymore. What you should be using is something called endpoint protection platform, it’s short for EPP, and an endpoint detection and response platform, and it’s short for EDR.
Those things in itself are some of the core and fundamental ones on top of complex passwords. Don’t reuse the same password you used for Netflix, and put multifactor on all your accounts regardless of the user, regardless of how small their job is or how big their job is. I still see a lot of organizations that struggle with putting these policies on C-Suites and board members.
Let me tell you, they are not ever, ever negated when it comes to these criminals and these actors as far as targets. They are absolutely on the radar, and they’re some of the easiest ones to find. If you can get access into there, you can do plenty of damage that way.
Russel: That’s one of the things that people should understand is as your level raises in a company and as your visibility increases, whether that’s on something like LinkedIn, or by going to AGA, or participating in public meetings, or any of that kind of stuff, all of that identifies you as a potential asset for them to exploit.
Niyo: Absolutely. I absolutely agree. It is also a responsibility to lead your company by the example, that you show that you’re very aware, stronger security. You are in support of it, and not just almost out of a talking box point of view where I always say is the checkbox. We’re just checking a box. Do it from a cultural perspective.
Russel: It’s building capability versus having compliance.
Russel: Compliance is just a way to know whether or not you have the capability if done correctly.
Niyo: That’s right.
Russel: One of the points you’re making about SCADA that’s interesting to me is I’ve got to have dedicated resources from a cybersecurity standpoint.
The other thing you didn’t say, and I’ve covered this in a lot of other podcasts, is but I got to have an inventory of all my infrastructure, and I got to know where all of the Internet-facing points are within the infrastructure, which you would call an endpoint or an end surface, and I’ve got to have a strategy for how I deal with every single one of those endpoints.
Russel: That, by itself, for a lot of operators is a bit daunting because they don’t really even know what they have at the edge.
Niyo: It’s critical that you be able to always do annual pen tests. When you do annual pen tests, you bring everybody to the table to flush out your full visibility on the Internet on top of the fact that these individuals will go find ones you may not even know about. The intent of that is that every year you’re getting an idea of what that looks like.
I took that a step further. I built in red-teaming into team structure so that we’re constantly looking for those things. There are easier ways to defend when you have stuff on the Internet, which is like SSL decryption. Almost everybody has a firewall now. This is not a day and age like in the ’90s where that was still a foreign concept.
Those firewalls can actually do decryption on the Internet side. If you do SSL decryption on the Internet traffic that hits these boxes, you can block no malicious things through the intrusion prevention system that’s on the firewall. Those kind of elements are really critical. Yes, you absolutely have to know your environment. You have to know everything about the environment.
That should be the one strength a company has. It is your environment. It is uniquely yours. Do not let the bad actor know it better than you. You should absolutely be on point. Think of it as a basketball game. It’s your home court. Know it well. You should be able to walk it blindly and not have to ask questions. Know it better than the actor.
Russel: That sounds easy. I’ll use one specific example that’s very common in a growing midstream company. They need to add a site. The easiest way to get that site into the SCADA network is to put a cell modem on it. Every time you put a cell modem on something, that’s an endpoint to the Internet.
Niyo: That’s right.
Russel: I gotta get this up. I’ve got to get the data in because I gotta get the invoices out or whatever. I put it in. I turn it on, and I let it sit there for a week, or two, or longer before I properly get it into the network and secured. There’s a lot that can happen in 24 hours, much less 7 or 10 days.
Niyo: They are constantly scanning the environment, the Internet, to find these open doors. They are absolutely a doorway into the environment. Every time you stick one on, that is another doorway.
Most times in those scenarios that you’re talking about, your cybersecurity teams aren’t even prepared for that kind of addition. They don’t know that they just had another door added to the network because of that cellular connectivity that just got put up. It is absolutely creating blindness and creating some naïveté around how this is structured, how your environment’s structured.
Russel: You’re absolutely right. Let’s wrap this up, Niyo. What would you recommend that pipeliners take away from this conversation that we’re having. What are the critical, immediate steps that operators need to be looking at?
Niyo: I’ll try to break this down into various levels, start at the top. From the board perspective of things, I absolutely believe the board needs to be 100 percent involved in knowing the status of how the cybersecurity program is, both for the corporate and the SCADA.
Again, if you’re not getting good, clear results or good, clear picture, create one. Task someone to go in and examine the program. From the C-Suite, create a culture around cybersecurity. In critical infrastructure, there’s this whole structure and culture around safety. What’s funny is that security and cybersecurity go hand in hand with safety. It’s not a far leap to be able to incorporate that into our cultures. It’s just being very mindful about it and lead by example.
Again, if you’re going to enforce very complex passwords, you’re going to have multifactor, make sure that you’re also the one showing how you’re doing that and you’re supporting that effort, ensuring that the financials are there, the staffing is there.
When it comes to the actual front line, this is how I refer to it is all the employees that are working for critical infrastructure, be very mindful of every time you get an email. If your bank sent you an email saying something change, or you need to log in, and it’s urgent, go to your app on your phone, log in there, and see if you have a notice there. I always tell people, “Every time something tells me with urgency, I go to the source of it. I don’t use the email, and I just go to the source and then validate. Yeah, I am getting that kind of message.”
Ultimately, they’re still trying to get in through phishing. Phishing is some of the biggest things out there that they’re going after people, and they can make themselves sound like your mom, your dad, your brother, your sister…
Russel: …Retirement professional or your attorney.
Niyo: That’s right.
Russel: They’ll figure that stuff out.
Niyo: They will, but here’s the biggest one of them all. We all are responsible and accountable for helping to deflect these attacks, which means we need to take a very conscious decision to be more aware, more educated about what we can do — again, don’t use your Netflix password for your corporate password — and how we can keep the environment safe.
That’s important because there we have seen lots and lots of compromises hacks that have been deflected by the one guy in the field in his truck deciding not to click on that email link and not to enter his credentials.
Russel: That’s absolutely right. That’s all well said. I’ll summarize this and greatly, greatly oversimplify it. It’s simply this, cybersecurity is equivalent to locks on warehouse, and the level of locking, monitoring, and responding you do should be equivalent to the value of the asset you’re trying to protect.
The more valuable the asset, the more interested the criminals are in getting their hands on it. We are operating very valuable assets that are critical to our society and our ability to conduct business and just conduct life, if you will. It says right on point. We just got to do a better job of locking up the warehouse and keeping it monitored or being ready to respond.
Niyo: I agree.
Russel: Hey, Niyo, this has been great. I appreciate it, and keep up the good work.
Niyo: Thank you so much. It’s been honored to be a part of this, and you take care. Thank you.
Russel: I hope you enjoyed this month’s episode of the Pipeline Technology Podcast and our conversation with Niyo. If you would like to support this podcast, the best thing to do is to leave us a review on Apple Podcast, Google Play, or on your smart device podcast app. You could find instructions at pipelinerspodcast.com.
If there is a Pipeline & Gas Journal article where you’d like to hear from the author, please let me know either on the Contact Us page of pipelinerspodcast.com or reach out to me on LinkedIn. Thanks for listening. I’ll talk to you next month.
Transcription by CastingWords