Colonial Pipeline attack reminds us of our critical infrastructure's vulnerabilities

Cybersecurity expert discusses the many ways attackers could have gotten access to the Colonial Pipeline company and reminds us why the threat always looms.

Our infrastructure is more vulnerable than we realized, Colonial Pipeline attack shows

TechRepublic's Karen Roby spoke with Vyas Sekar, a professor in electrical and computer engineering at Carnegie Mellon University, about the Colonial Pipeline ransomware attack by the hacker group Darkside. The following is an edited transcript of their conversation.

Karen Roby: We're learning more about the Colonial Pipeline ransomware attack. There are a lot of layers to this, and we're bringing in Vyas Sekar. He's a professor in electrical and computer engineering at Carnegie Mellon University. I just want to just say right off the top that Vyas is in no way affiliated with Colonial Pipeline and with this particular situation. But he is, of course, an expert in cybersecurity. I want to try to break some of this down just a little bit. Vyas, this situation certainly exposed a major vulnerability in critical industry.

Vyas Sekar: As you said, there's a lot of moving pieces here. So let me try to explain this. I think the first thing is this is what we call a ransomware attack. Somebody infiltrated your system, and then they're holding you up for ransom. They've encrypted or disabled some key elements. And basically, they tell you, "Pay us some Bitcoin or cryptocurrency, and then we'll let you go." So they essentially are blackmailing you at this point, for the extortion. The second aspect of this is what we would call a cyber-physical attack, which is, they've gotten through a cyber internet- or network-connected component to cause a physical component, or a physical infrastructure, to be affected. So, this is an example of a cyber-physical attack. That's the two main things we should worry about. It's ransomware; it's cyber-physical. And as you mentioned, this is a cyber-physical attack on a critical infrastructure component, which in this case was pipelines.

Karen Roby: And Vyas, with the work you do there in the CyLab and at Carnegie Mellon, this is obviously something you guys talk about all of the time. Is it something that you could see coming?

Vyas Sekar: Yeah, I think we should be concerned about it for the following reason. I think there's been a lot of threats with the Internet of Things as more things go on the network. And we also see this convergence of what was classically IT, or information technology, and what was classically OT, operations technology, like your control systems, your power plants, your pipelines. They were typically separate. But more and more, we see the convergence of IT and OT through this internet of things. And it's a much more massively interconnected infrastructure. So, which means that we know that such critical infrastructure attacks are possible. For example, I think maybe a couple of years ago we saw the City of Atlanta being held for ransom. The traffic systems, the train systems were held for ransom. I think earlier this year or last year, there was an attack on a water treatment facility in Florida. So these are all part of the same emerging threat where critical infrastructures that are physically controlling pieces of critical infrastructures are exposed to cyber threats. We saw it coming in the sense that it's inevitable that these things are going to happen.

SEE: How to manage passwords: Best practices and security tips (free PDF) 

Karen Roby: Vyas, obviously the million dollar question is, how do we keep this from happening? I mean, we talked about just the explosion of IoT devices. So many more people working remote now. I mean, there are so many vulnerabilities. And vulnerabilities, often, in these really sophisticated systems.

Vyas Sekar: There's a couple of things here. As I said, these systems are incredibly complex. You have to do a couple of things. One is what can you do to prevent these things from happening in the first place? And in that case, I think it's just much better cyber hygiene. You don't want the critical infrastructure being exposed to the internet. You don't want a random hacker finding the power plant or the pipeline technology on the internet. In fact, there are search engines, things like Shodan, that will actually give you a list of these vulnerable components on the internet, which there shouldn't be. So, there's certainly good practices for keeping some of these components off the internet, segmenting your network so that these two different components don't talk to each other. And even, as you said, with things like remote work and other kinds of new modes of operation, the users also must be secure.

It's likely, for example, in many cases, ransomware gets in through a business email. Somebody maybe clicked on a phishing email and that's how the malware gets into these critical infrastructures. So, there is also a user component of it. In this case, I don't know how exactly the malware got in. And I'm sure we'll find out in the coming days, and somebody will do a forensic analysis of the incident to tell us how it got in. But there are many ways for the attack to come in. You could have vulnerable components that are exposed, hacked in from outside. For example, I think there was an attack in 2016. Basically, there's a whole bunch of these cameras with very poor security practices, like default passwords. So I just get in. I'm inside your network now. Those are all a bunch of good cybersecurity practices that could be adopted to reduce the risk of this event happening.

The second is, we can also do things like blocking some of these attacks proactively at the network layer or by using better security tools like antivirus as much as you can, network firewalls or network intrusion detection systems and so on. Those are all part of your defense in-depth strategy to detect and see if something has gone wrong. Finally, you also need to have like a recovery mechanism in place. You assume that things will go wrong. The question is, how quickly can you recover from it, because you can't be perfect on the defense side of things? So we can certainly be better on defense. We can certainly be better on detection, but at some point, you also need to have a recovery strategy. Do you have backups? Do you have a way of rebooting the systems? Do have a way of finding what else was compromised to take them off the network? So, you also need a recovery plan in place.

SEE: Security incident response policy (TechRepublic Premium)

Many, many possibilities how the attacker could have gotten in. One is, maybe that is a camera with a default password on your network and somebody logged into it, and now they're inside your network. Some of these attacks are also very stealthy in that, say, I brought in a USB drive from home. It happened to have malware. I plugged it in. And it just sits dormantly inside a network for a very long time before I unleash something. And there's also other kinds of cases where attacks multi-stage, where they get into one, they hack it, then they do some reconnaissance to figure out what else is on the network. And they get in the next one, next one, next one, and finally get to the pipeline. So, it may be a multi-stage attack. It may not just be the pipeline was the first order of entry.

And there could also be other kinds of things where you have like humans on their computers and laptops checking their email. And all it takes is one person to have clicked on a random attachment or brought in a phone with a compromised phone into the critical network, and then boom you're in. So again, attackers have many, many opportunities to get in. Defenders have to get it right all the time.

Karen Roby: All right, Vyas, you're working with students every day, of course, and training to be the next batch of cybersecurity experts. Are we on par with the number that we need to step up our efforts going forward? Or are we going to see a real shortage?

Vyas Sekar: I think every study I've seen says that we have a shortage of trained cybersecurity personnel. But some of these things are also about the kind of tools that we have in practice, that even if you have the personnel, it's also about giving them the right kind of tools. So, there is this side of asymmetry here. If I'm an attacker, I have amazing tools, but defenders don't quite have the right tools. It's like going to a gunfight with swords or whatever. So, the research, or the education focus, of CyLab is both on the education front, how do we train the workforce? How do we create the next generation of cybersecurity workers? And also on the research front, how do we give that workforce better tools from the research to proactively find new attack vectors? How to defend them inside the network? How to do recovery strategies? And so on. So it's both training as well as giving them better tools to fight the attackers.

Karen Roby: All right, Vyas, this particular situation, of course, is all over the news. I think really opening some eyes for people that otherwise didn't really understand how significant these type of attacks could be, and maybe finally realizing this is really scary.

Vyas Sekar: Yeah, it is scary. And there's a bunch of these wake-up calls that keep coming. I think SolarWinds was an example, last year, where a critical piece of government machinery and data gets breached because of a third-party supplier. And this is an example of the Florida hack, the Atlanta hack, now this incident, shows us how the critical infrastructures that connect things that hit our physical everyday life, right now, just the internet, are also vulnerable. It's definitely a wake-up call. And I think there are standards and best practices that people are working on to catch up. But we're still playing catch up.

Also see