With May 7 marking the one-year anniversary of the Colonial Pipeline ransomware attack, reflecting back on some of the lessons that have been gathered may help organizations be more prepared for attacks in the future. Several cybersecurity experts gave their opinions on both what enterprises should look out for and even what cybercriminals learned in the wake of the attack as well.
As a brief recap, hackers infiltrated the company’s IT infrastructure, disabling the pipeline operation. The attackers also stole nearly 100 gigabits of data during the intrusion and demanded a payout of 75 Bitcoin ($4.4 million at the time) to restore Colonial’s access to its billing system. The company paid the ransom, and DarkSide was identified as the group behind the attack.
What cybersecurity lessons were learned from the attack?
One of the most important revelations of the Colonial Pipeline attack was that cybersecurity in the critical operations sectors needed upgrading. One major side effect of the hack was the supply chain disruption that followed, as gas stations and airports began to be affected by the lack of oil from the pipeline itself.
“Organizations in this sector must take action to secure their operations if they haven’t done so already, as this is a seriously overlooked attack vector that’s vital to the United States’ national security,” said James Carder, chief security officer of LogRhythm. “Any organization leveraging technology to enable operations for critical infrastructure needs to ensure proper protection protocols are established, ranging from simple password hygiene, threat detection, preventative controls and response controls to quickly thwart and identify potential catastrophes.”
The passing of President Biden’s Strengthening American Cybersecurity Act is one route being taken to mitigate the severity of these types of attacks. Through the act, signed into law on March 15, companies will be required to report hacks within a certain timeframe or risk being subject to financial penalties.
“A big thing that was learned was that our critical infrastructure really is less secure than we think,” said Matthew Parsons, director of network and security product management at Sungard Availability Services. “I think it raised the awareness of strengthening our cybersecurity posture in the critical infrastructure field. The Strengthening Cybersecurity Act of 2022 is trying to raise the requirements around critical infrastructure.”
Businesses in the chemicals, critical manufacturing, energy, food, emergency services, healthcare and IT industries should also be working to strengthen their defenses, not only in their technology but also by training employees in best practices for avoiding these new ransomware attacks.
“One lesson learned post-hack was there was a single password that was compromised with an out-of-date VPN account, which was the conduit for hackers to get into the network and demand payment,” said Scott Schober, co-host of the Cyber Coast to Coast podcast. “A Zero Trust network requires at least an additional authenticator in the event the username and password are compromised. Using MFA adds a layer of security that makes it significantly harder to breach the network. With zero trust, each account has limited trust and has segmented access, which in the event a hacker breaks in, they cannot work laterally throughout the network because they are limited in their access to that particular account segment.”
On the flip side, hackers may also have realized how profitable ransomware can truly be when looking at the millions of dollars extorted from Colonial Pipeline and other critical infrastructure attacks. Parsons said that an attack of this scale, and the amount of money generated by it, may have emboldened similar groups to look into large-scale malicious operations.
“I think the biggest reinforcing factor for these groups after this attack is that it does pay out,” Parsons said. “These guys are specifically targeting operations they know are large and will have an impact on them and their customers. It can create a lot of panic and disruption to the populace. I think [hackers] are realizing that if these large corporations are successfully breached with ransomware, there’s going to be a nice payout.”
While the circumstances behind the attack were unfortunate, the information gleaned from the Colonial Pipeline attack may have been necessary in the long term for everyone in the cybersecurity field. By forcing organizations across a number of industries to evaluate their own defenses, it may help them avoid a costly and disastrous hack the next time critical infrastructure is targeted.