Now that operations have returned to normal, the DarkSide ransomware assault on Colonial Pipeline has moved into its after-action review stage, as legislators grill the company and third parties seek to extract lessons. BankInfoSecurity says that two bills influenced by the incident, the Pipeline Security Act and the CISA Cyber Exercise Act, are under consideration in the US House of Representatives. The former would sort out responsibility for pipeline security between the Cybersecurity and Infrastructure Security Agency (CISA) and the Transportation Security Administration (TSA); the latter would require that CISA establish a national program in which Government and industry could test their infrastructure's resilience against a range of cyberthreats.
Colonial Pipeline yesterday participated in staff briefings with the US House Committee on Oversight and Reform and Committee on Homeland Security. The Committee chairs issued a brief statement communicating their concern and displeasure:
“Following today’s briefing from Colonial Pipeline, we remain extremely concerned about the rise in ransomware attacks and the threat to our nation and its critical infrastructure. It is deeply troubling that cyber criminals were able to use a ransomware attack to disrupt gas supply on the East Coast and reportedly extort millions of dollars. We’re disappointed that the company refused to share any specific information regarding the reported payment of ransom during today’s briefing. In order for Congress to legislate effectively on ransomware, we need this information.
“This attack not only highlights glaring vulnerabilities in our critical infrastructure, it also exposes a marketplace in which it may be easier for a company to pay off a criminal than put resources towards preventing and defending against attacks. We look forward to working with the Biden Administration and our colleagues on both sides of the aisle to strengthen our nation’s cyber defenses and secure our critical infrastructure.”
POLITICO offers a rundown of post-Colonial expert opinion on where ransomware is likely to strike next. It's the usual suspects: education, healthcare, and local government, all of which have recently received more than their fair share of attention from the ransomware gangs.
Jalopnik's rather sour take on the incident is the observation that the ransomware didn't actually interfere with pipeline operations, just Colonial's ability to bill customers for deliveries, which is why the company shut its systems down. Their piece also quotes some of the communications from DarkSide recounted by Zero Day, like this one: “Before an attack, we carefully analyze your accountancy and determine how much you can pay based on your net income. You can ask all your questions in the chat before paying and our support will answer them.” Jalopnik's comment is apt enough: “I can’t get over this exchange where the hackers are blasé about the billing breach, and refer Colonial to their customer service as if this were some broadband outage from a [sh**ty] ISP.” Tell it, brother.