In what is being described as the largest and most egregious cyberattack against United States critical infrastructure in our history, Colonial Pipeline, which operates the nation’s largest fuel pipeline, was forced to shut down all operations for nearly a week because of a devastating ransomware attack. The result was dried up gas distribution throughout the East Coast as the company worked to resume operations and restore service.
The FBI confirmed that the culprit is a strain of ransomware called DarkSide, believed to be operated by a Russian cybercrime gang, which confirmed its intention was not political but simply old-fashioned extortion.
“Our goal is to make money, and not creating problems for society,” the DarkSide website message read. Later reports confirmed that Colonial Pipeline paid roughly 75 Bitcoin – or nearly $5 million – to recover its stolen data.
“The Colonial pipeline ransomware attack demonstrates yet again that these new higher-end, professionalized ransomware attacks are harder to defend against,” warns Pascal Geenens, who is the Director for Threat Intelligence at Radware. “There is a growing underground economy where ransomware operators have access to verified credential lists, attack tools, and malware platforms. This is a game-changer.”
Later in May, the Department of Homeland Security’s Transportation Security Administration (TSA) announced a new security directive that will enable the Department to better identify, protect against and respond to threats to critical companies in the pipeline sector.
“The cybersecurity landscape is constantly evolving, and we must adapt to address new and emerging threats,” Secretary of Homeland Security Alejandro N. Mayorkas said in a statement. “The cybersecurity of pipeline systems is critical to homeland security.”
The security directive will require critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA) and to designate a Cybersecurity Coordinator, to be available 24 hours a day, seven days a week. It will also require pipeline owners and operators to review current practices to identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.
TSA is also considering follow-on mandatory measures that will further support the pipeline industry in enhancing its cybersecurity and that strengthen the public-private partnership so critical to cybersecurity.
Are We Being Tested?
Former CISO of Seattle and current CISO of government cybersecurity firm CI Security Mike Hamilton says that what sets the DarkSide group apart is the research they conducted before compromising the pipeline. They apparently knew the reporting structure, as well as who made major decisions and handled finances within the organization.
“It is unlikely that this event is a ‘spray and pray type of attack and was highly targeted,” Hamilton explains. “Assuming that, it is also unlikely that this occurred without the knowledge, and perhaps support of government entities within the country of origin.
“The perception created is that we are being tested,” Hamilton adds. “Will the U.S. government treat this as just another criminal act, clean up and move on, or will this generate the urgency necessary to finally connect the acts of hostile governments and their criminal communities?”
Chilling Vulnerabilities
The ransomware attack on Colonial Pipeline underscores just how vulnerable critical U.S. infrastructure is to cybercriminals in a way no previous attack has done. The successful breach of Colonial Pipeline’s IT system forced the company to shut down 5,500 miles of pipelines to ensure hackers could not gain access to its operations.
“Unfortunately, a ransomware attack of this magnitude has been anticipated, with hackers (focusing) more on government and utilities, targeting industrial control systems and critical infrastructure,” says Ruston Miles, Founder and Advisor at Bluefin.
Miles adds that when it comes to compromising the oil and gas industry, it becomes more nefarious because a goal of these attacks can be to disrupt operations in the energy sector, making this type of attack a national security threat.
The Colonial Pipeline attack comes amid rising concerns over the cybersecurity vulnerabilities in America’s critical infrastructure. Miles says all companies – including those in oil and gas – should be following best practices to minimize the potential for an attack:
- Educate employees. Help them spot phishing attempts and threats.
- Stay up to date on security patches. Integrators should be sure customers keep systemd updated.
- Back up data. Frequent, automatic updates do not prevent ransomware, but they can potentially help access files in the event of an attack. Many businesses are moving data to the cloud as a resilient strategy.
- Create a defense-in-depth security strategy. Use multiple layers of protection, from employee training to encryption and more.
- Never allow clear-text sensitive data to enter a system. Make sure to encrypt or tokenize all sensitive data (PII, PHI, PCI, etc.) so it renders sensitive information useless in the event of an attack.
Editor's Note: An extended version of this article is available here.
Steve Lasky is editorial director of the Endeavor Business Media Security Group; Paul Rothman is Editor-in-Chief of Security Business magazine.
