The ransomware attack against Colonial Pipeline represents a relatively new and destructive type of threat against critical infrastructure. Beyond the financial and operational hit to the company itself, such an attack threatens to impact millions of people dependent on the safe and quick delivery of gas and oil.
SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic)
But the incident also is the latest chapter in a story that’s become all too familiar.
A major organization is targeted in a cyberattack that’s pulled off through a vulnerability, an unpatched system or social engineering. The victimized organization calls in the government troops to investigate the incident and a security firm to help it recover. It promises to shore up its resources to make sure this never happens again. And then we wait until the next major organization is attacked in the same way.
A cyberattack that affects a large company and its customers or users is distressing enough. But an attack that directly impacts a nation and its citizens at large could be truly devastating. Although Colonial Pipeline is working to get all its affected operations up and running again, the incident could lead to key setbacks.
“Beyond the potential for rising fuel prices in the area, this could impact the entire supply chain,” said Damon Small, oil and gas cybersecurity expert and security consultant at NCC Group. “With no way to move refined products from the refineries in Houston and nowhere to store them, it’s possible refineries will have to slow down production. Since refineries will need time to return to normal operation once pipeline service is restored, fuel supplies could remain at sub-optimal levels even after Colonial recovers from this incident.”
SEE: Security incident response policy (TechRepublic Premium)
Colonial Pipeline is responsible for delivering gas, heating oil and other forms of petroleum to homes and organizations, accounting for 45% of the East Coast’s fuel. How was such a major supplier vulnerable to a severe cyberattack?
The security problem with utility systems and other critical infrastructure is multifaceted, according to Neal Bridges, cybersecurity expert and chief content officer with training firm INE.
First, though public utilities are considered “critical infrastructure” by the government, most are still privately held and driven primarily by profits, Bridges said. Cybersecurity is treated as a cost center that affects the bottom line with no clear return on investment, so spending in this area may get short shrift.
Second, most critical infrastructure was established years ago in a “set it and forget it” mentality with security low on the list of important factors. Certain manufacturers even force organizations to take a “hands off” approach to their systems, threatening that any hardening would cut off support or void the warranty, Bridges added.
Third, the government does have certain guidelines for critical infrastructure, such as National Institute of Standards and Technology, but they’re not enforceable in the same way as regulations such as General Data Protection Regulation or California Consumer Privacy Act. So, there’s not much the government can do to “punish” these companies for their lack of cybersecurity controls, Bridges said.
The FBI and others have attributed the attack to the DarkSide ransomware gang, an affiliation of cybercriminals who target large and profitable organizations. How DarkSide actually penetrated Colonial Pipeline’s defenses is unknown or at least hasn’t been publicly revealed. But experts have offered their own theories.
“It’s likely that DarkSide found a vulnerable and Internet-facing device and used it to gain a foothold within Colonial’s IT business network,” Small said. “It remains unclear whether the malware spread from IT to Operational Technology, or whether Colonial shut down operations proactively. Either way, the network architecture and technical controls will come under scrutiny.”
SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)
The move toward remote working among so many organizations may have also played a role in the attack.
“Many believe that this attack was a result of more engineers remotely accessing control systems for the pipeline from home using a remote desktop software such as TeamViewer and Microsoft Remote Desktop,” said Troy Gill, manager of security research at security provider Zix. “The pandemic forces more employees to work from home, and unfortunately, many organizations are still trying to secure their devices, remote access points and overall networks.”
The attack against Colonial Pipeline is hardly the first one against critical infrastructure. In February, a hacker was able to remotely access systems at a water treatment plant in Florida and add a dangerous amount of chemicals to the town’s water supply. In 2020, a series of cyberattacks targeted water management facilities in Israel. Other types of critical infrastructure systems are equally vulnerable, according to Bridges.
“If you think about water treatment plants, power grids, rail systems, power plants—they all utilize the technologies that we see in Colonial Pipeline, meaning there could be latent cyberattacks waiting on other infrastructure that supports other parts of the U.S.,” Bridges said.
“Chlorine levels over four parts per million begin to be harmful to humans,” Bridges added. “Imagine a threat actor that wanted to damage, for instance, an entire military installation. If they were to find the water treatment plant that services a special operations base, or an intelligence squadron, or a nuclear missile group, they could hack into it and change the chlorine levels to poison an entire community, forcing the base to shut down operations.”
Faced with the threat of cyberattack against critical systems and infrastructure, government and the private sector both need to step up their game. How? The first step is by prioritizing security.
“We need to have open and candid conversations with oil and gas companies about what measures they’re taking to protect the nation’s critical infrastructure,” Small said. “In many ways, oil and gas is self-regulated. The pandemic caused budgets to be slashed, and often IT and infosecurity are seen as ‘non-essential’ by the business units that fund them. Considering that oil and gas companies—including pipeline companies—are not nearly as regulated as other critical infrastructure, it wouldn’t be surprising if the federal government takes a closer look at this part of our energy industry.”
The next step is to implement a technology like zero trust, which limits access to key systems.
“Every major infrastructure provider—from energy to transportation to water systems and healthcare and more—should be equipped or retrofitted with the zero trust security controls that both empower employees and contractors to do their jobs more securely, and that provide much greater protection of critical infrastructure,” according to Zentry Security COO Bert Rankin. “Zero trust network access solutions are a good start, as they restrict access to only those applications that an employee or contractor needs to do their job.”
Zix’s Troy Gill said he believes that the FBI and other government agencies stepping in to help with the Colonial Pipeline attack is a critical measure, similar to the way the FBI stepped in to remove Microsoft Exchange web shells to protect organizations. Gill also advised organizations to require multi-factor authentication, run regular security audits to look for vulnerabilities and make sure that critical data is being backed up regularly.
Ultimately, unless the proper focus is placed on security across the board, critical infrastructure will continue to be at risk.
“All the people behind these ransomware attacks need is someone running a laptop in an unauthorized fashion on a non-secure network, such as a home Wi-Fi system,” IAITAM president and CEO Barbara Rembiesa said. “Until the operators of public water systems, energy pipelines, nuclear power plants, bridges, tunnels, airports and other key infrastructure elements get serious about thorough and tough-minded IT asset management, we are going to see more and more ransomware attacks like the one on Colonial Pipeline.”
- Password-stealing spyware targets Android users in the UK (TechRepublic)
- Working at a safe distance, safely: Remote work at industrial sites brings extra cyber risk (TechRepublic)
- Cybersecurity: Don’t blame employees—make them feel like part of the solution (TechRepublic)
- Top 5 things to know about web shells (TechRepublic)
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
- Shadow IT policy (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)