The Colonial Pipeline Attack: Lesson Learned?
Ransomware attacks against critical infrastructure have become more prevalent than ever before. So much so that the Biden administration has declared them a national security threat. The sophistication and frequency of these security breaches have grown significantly, causing vulnerability disclosures to increase at a staggering rate: 25% year-over-year.
Critical manufacturing, energy, and water account for many of those disclosures. As these industries become more dependent on digital technologies, this trend will only worsen – unless organizations heed the warning echoed by the Colonial Pipeline breach.
To help people better understand what to take away from the Colonial Pipeline attack, we’ve compiled a series of questions that many organizations have asked in the weeks following the initial breach.
“What happened, and who is behind the attack?”
According to reports, it appears that there was a ransomware attack on the corporate IT network that caused operators to temporarily halt production on the Operational Technology (OT) network. Due to the increased number of dependencies between business and operations networks, it has become challenging to isolate systems, even though isolation is considered best practice. Colonial decided the safest approach was to suspend operations and investigate the extent of the data breach to avoid encryption of critical control systems.
The attack has been attributed to a Russian cybercriminal group called Darkside. They are a relative newcomer among ransomware gangs and employ a Robin Hood-style strategy of stealing from the rich to give to the poor. On their website, they claim they will not target hospitals, hospices, schools, universities, non-profit organizations, or the government sector. In fact, Darkside sought to play down any intention that they were attempting to take down critical infrastructure.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives [sic],” reads an update to the DarkSide Leaks blog. “Our goal is to make money and not create problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
Darkside’s activities include several “big game hunting” attacks where the targets had the financial means to pay significant ransom demands.
“How long will it take to restore pipeline operations, and what will it cost?”
Colonial took down the OT network as a precaution, which ultimately led to them restoring operations quickly compared to other recent incidents. Operations restarted on Wednesday, May 12th, but it will take several days to return to normal service.
Attacks on critical infrastructure have an enormous downstream financial impact, but the total impact is yet to be determined. Many factors beyond Colonial’s own recovery costs will need to be accounted for.
The 5,500-mile pipeline transports 45-50% of the fuel consumed on the East Coast, moving 2.6 million barrels of gasoline, diesel, jet fuel, and other products each day from the Texas Gulf Coast refining hub to the New York metropolitan area. As a result of the outage, gas prices rose 8 cents to above $3 per gallon, which is the highest in almost seven years. Airlines had to add stops for refueling, crude oil prices rose, and stocks were impacted.
“Why is critical infrastructure a target for attackers?”
The answer is in the question: critical! For cybercriminals, this means the ransoms they ask for can be significantly higher since the target has critical assets that the organization needs to keep in production. Typically, recovery from backup would be the remedy, but paying the ransom may be more economical than the time spent restoring.
For energy companies and utilities, the attack surface they present is extensive compared to traditional commercial IT entities and includes industrial devices and numerous proprietary protocols that offer rich targets for hackers.
And then there are nation-states. Critical infrastructure attacks by Russia, Iran, North Korea, and China are constantly being perpetrated to test for weaknesses to exploit and cause disruption today or in the future. There are numerous examples of these types of exploits, from the attack on a power plant near the military base at Fort Drum to the interruption of power and communication before Russian troops invaded Ukraine.
“How could the attack have been prevented?”
First, how energy companies operate is different from most companies (though manufacturing has some similarities). Effectively, they operate two distinct networks, an enterprise/business IT network as well as an OT network. For instance, devices that open or close the pipeline or manage the flow of energy production in a power plant operate on the OT network. The two networks are meant to be isolated from each other, and many organizations probably feel they have provided sufficient segmentation. Unfortunately, this isn’t the case. The industry is going through a digital transformation that has resulted in hyper-connectivity between OT and IT networks and includes personnel, vendors, integrators, original equipment manufacturers, and cloud resources.
The attack was initiated on the business or IT network, so standard cybersecurity best practices should be followed:
- train your staff to recognize and protect against phishing campaigns
- put attack surface reduction tools in place, such as vulnerability management and system hardening
- know what’s happening on the network by implementing detection and response capabilities
- have an incident response plan ready should an event happen
For OT networks, companies should review the segmentation they currently have to uncover any communication paths that need to be protected. Industrial Control Systems (ICS) should not be directly connected to the Internet or communicate with any open devices. Monitoring communication across boundaries and establishing rules to generate alerts for communication violations will provide visibility into malicious activity. The detection and response capabilities used on an IT network should also be implemented on the OT network to gain visibility into potential attacks, keeping in mind that OT networks require different tools, since they are not typically Windows-based and use numerous proprietary protocols.
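As an added illustration of the boundary-monitoring rule described above (this is example code, not anything from Colonial or the article), the following Python checks constructed flow records against a hypothetical zone map and an explicit allowlist of permitted IT/DMZ/OT crossings, and raises an alert for any ICS host reaching the Internet or any cross-boundary flow that is not on the allowlist. All addresses, zones, ports and log lines are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone map (hypothetical addressing, not any real operator's).
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.2.0.0/24"),
    "OT": ipaddress.ip_network("192.168.100.0/24"),
}

# Cross-boundary flows that are explicitly permitted: (src_zone, dst_zone, dst_port).
# The only approved way into OT is via a collector in the DMZ, never directly from IT.
ALLOWED_CROSSINGS = {
    ("IT", "DMZ", 443),   # business users reach the historian front end in the DMZ
    ("DMZ", "OT", 502),   # DMZ data collector polls Modbus/TCP in the OT zone
}


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def zone_of(ip):
    """Map an address to a zone; anything outside the defined zones is 'INTERNET'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


def evaluate(flow_line):
    """Flow record format (constructed): '<timestamp> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, dport = flow_line.split()
    dport = int(dport)
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return None  # intra-zone traffic is out of scope for boundary monitoring
    if "OT" in (sz, dz) and "INTERNET" in (sz, dz):
        return Alert(ts, src, dst, dport, "ICS host talking to the Internet")
    if (sz, dz, dport) in ALLOWED_CROSSINGS:
        return None
    return Alert(ts, src, dst, dport, f"unapproved {sz}->{dz} crossing")


def scan(lines):
    """Return the alerts raised for a sequence of flow records."""
    return [a for a in map(evaluate, lines) if a]
```

Feeding the scanner constructed records such as an IT workstation opening Modbus (port 502) or RDP (3389) directly to an OT controller, or an OT controller connecting out to a public address, produces alerts, while the DMZ collector's permitted poll and ordinary intra-OT traffic do not.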
“What other industries are most at risk for similar ransomware attacks?”
All of them! No one is safe since cybercriminals are simply looking for any weakness they can exploit. Keep in mind that ransomware attacks are the final result of an attack, not the first step. Hackers first must breach the perimeter, either through phishing attacks or malware campaigns, to gain entry into the network and deploy the encryption package. The risk is based on the organization’s efforts to invest in proper security controls. Organizations need not only preventative tools but also detection and response capabilities, training, staffing, etc.
The cybercrime economy is a $6 trillion business compared to the $1 trillion spent on security solutions to protect businesses. So, right now, the odds are 6 to 1 in favor of the criminals. And security spending overall has been down for the past few years, to only 5.7% of the IT budget. The energy industry especially has underinvested and deferred security enhancements that would protect them from today’s sophisticated attacks.
The lesson to be learned is this: if your cybersecurity posture doesn’t include detection and response, you’re a sitting duck.
The brazen nature of this ransomware attack and the direct impact it has had on citizens has brought cybersecurity to the forefront of public consciousness. Organizations are scrambling to get ahead of these cyber threats before they too become a victim. At the same time, consumers are worried about the implications of attacks on our critical infrastructure and how they will affect them.
We all should take the Colonial Pipeline attack as a leading example of the risks associated with inadequate security infrastructure. The good news is with the right tools in place, crimes like this are preventable. It’s just a matter of investing the time and resources into a proactive security solution.