After a weekend of hundreds of posts about the Colonial Pipeline ransomware event, we thought some “Monday morning quarterbacking” was in order. As with all cyberattacks, one must be cautious when reacting to news headlines and not depend too heavily on public reports in the first 48 hours of an ongoing incident.
Even Monday, almost 72 hours later, the view of what happened at Colonial remains cloudy. The fog is lifting just enough, however, to offer a glimpse of some practical recommendations related to the attack and its developing aftermath. Here’s what we know so far:
Over the weekend, Colonial Pipeline, owner of 5,500 miles of pipeline carrying natural gas, gasoline, and diesel from Texas to New Jersey, shut down its operations in response to what it said was a ransomware attack targeting its IT network. In a media statement, Colonial officials indicated the damage was limited to their IT systems, but that the company “proactively took certain systems offline to contain the threat.”
That response, which included disabling select OT/ICS systems, “temporarily halted all pipeline operations … which we are actively in the process of restoring.” The company added that its operational technology (OT) systems were fine, and the shutdown was a measured response to enable quick recovery. Without such an abundance of caution, the IT malware might have proven much more disruptive thanks to the interconnectedness of pipeline infrastructure and participants upstream/downstream (e.g., custody transfers, shared remote metering, available storage/capacity, etc.).
As of Sunday, the company’s four main lines, which supply 45% of the East Coast’s supply of gas, diesel, and jet fuel, were still shut down, though some smaller lateral lines between terminals were back online, company officials said. Colonial Pipeline officials declined to say when all systems might be brought back online, though experts say it could be several more days before the company’s systems return to normal.
Colonial Pipeline operates the largest refined products pipeline in the U.S., moving some 2.5 million barrels per day through its combined infrastructure, according to its website. The shuttered portion of the pipeline, which connects 29 refineries and 267 distribution terminals, accounts for some 12% to 15% of daily oil capacity in the U.S.
According to published reports, part of Colonial’s immediate reaction to the attack late Friday was to enlist the services of incident response specialist FireEye. Those investigators have since attributed the attack to a prolific Russian criminal ransomware group known as DarkSide, a crew credited with around 40 similar attacks with ransom demands ranging from $200,000 to more than $2 million.
DarkSide has claimed its attacks feature a professional “experience,” focusing on providing “quality products” to its consumers. The hacker crew claims it will only attack those who have the means to pay, or who are known to have cybersecurity insurance. The group also has been known to employ a double extortion methodology – getting victims to pay for unencrypting their data or, failing that, blackmailing them with the threat of public release of data exfiltrated as part of the crime.
By Monday, the DarkSide attackers expressed contrition for the Colonial Pipeline attack. Perhaps in response to the international publicity and the focused governmental and law enforcement efforts spun up in the wake of the incident, the hackers took to their dark website to say they hadn’t meant to disrupt public utilities.
“We are apolitical,” the hackers wrote. “We do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. Our goal is to make money, and not creating problems for society.”
The DarkSide hackers promised to do better in the future, steering clear of targets like Colonial. “From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future,” they added.
Lessons learned from the Colonial Pipeline attack
While Colonial has been mostly transparent, it is still unclear how effective their incident response has been to date. It may have been highly effective, with early detection providing enough warning to allow defenders to quickly disconnect IT and OT and prevent the spread of the ransomware into critical OT systems. Or they may have just been lucky that the malware did not bridge into OT. It’s too early to know for sure.
Still, there are a few noteworthy takeaways for industrial organizations from the early days of the Colonial Pipeline crisis:
Industrial organizations are the new frontline of the cyber battle
Although personal information remains a significant target among threat actors, the returns from ransomware, particularly among industrial companies have shifted the focus to the “A” in the Confidentiality-Integrity-Availability (CIA) triad. Financial services and retail, which hold vast amounts of customer data, have been living under cyber threats for years, but the rise of ransomware changes the game, putting industrials on notice. The financial impact of a shutdown can be significant. Cyber now needs to be a primary component of all disaster recovery planning and must become a larger area of management focus, even for organizations that don’t see themselves as a natural target.
Industrial cyber security is not an “IT” vs. “OT” thing
Operations can be affected by attacks on both sides of the system. Critically, organizations need to work on bringing these two organizations together to protect the entire system. Billing and pricing systems and the data needed to operate them are critical processes – just as critical as the SCADA network operating the pumps and valves. Visibility and protection across the IT-OT landscape is key to protecting operations.
Properly managed security is key to industrial protection
In our 25-plus years of work on industrial systems, the largest gaps we see are in the management and maintenance of security. Firewalls may exist, but personnel have adjusted rule settings to allow remote access and created servers that route around critical protection layers. Patching policies may exist, but the manual tasks that are often standard do not get completed given the urgencies of operations. There is no central visibility of these gaps. Standard secure configurations may exist, but exceptions are made, users adjust them, new software is allowed, and ports are opened, leaving gaps in that secure structure. Availability of robust and timely backups can significantly reduce downtime in case of a ransomware attack. But are these backups up to date? Do they restore quickly? Without management, the backups you thought you had may not be ready “in case of emergency.”
The ability to consolidate the security status across all systems into a common database to track and ensure protections are maintained is critical to strong protections. Owners must patch, segment, harden configurations, ensure appropriate backups, and limit access to least privilege. These core, fundamental elements of security can be the difference between being a victim or not.
Rapid response and recovery are critical
It may be the case that Colonial Pipeline reacted very quickly to reduce the spread of the ransomware. Obviously, detection is key. But the real advantage the defender can have is the immediate ability to take actions across endpoints within the fleet – IT or OT – to stop the spread of malware. This integration of detection and response actions allows industrial organizations to significantly reduce the spread, and the cost, of ransomware attacks.
Conscious shutdowns to avoid a real OT incident while balancing loss is an acceptable alternative to a major incident
Incidents like the Colonial crisis have become the new norm within the critical infrastructure cyber security community. As such, organizations should be adequately trained and prepared to handle incidents like this via a well-defined procedure.
Legislation and compliance may help to raise the security bar for non-energy-related private industry
Regulatory compliance isn’t glamorous, but it has improved some basic areas of cyber security in the energy industry, for example. Given that energy generation generally requires traditional fuel sources, contributing infrastructure might eventually be subject to security governance that goes beyond simple guidance or recommendations.
As the situation continues to develop in real time, we are bound to learn much more about the Colonial Pipeline attack in the coming weeks and months. But for operators, there are things that can be done today to reduce the chances of falling victim to a similar attack.