The Colonial Pipeline ransomware attack: security industry reactions.
May 10, 2021

Colonial Pipeline disclosed on Saturday, May 8th, that it has been the victim of a ransomware attack. The company said that "On May 7, Colonial Pipeline Company learned it was the victim of a cybersecurity attack and has since determined that the incident involved ransomware. Quickly after learning of the attack, Colonial proactively took certain systems offline to contain the threat. These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring." There's been considerable comment from the security industry on the incident. We summarize below what we've heard.

Recorded Future tells Bloomberg that the ransomware strain involved appears to be DarkSide. Dragos tweeted that they've seen DarkSide in OT networks before, so in this respect at least the incident has precedents. DarkSide is a Russian gang, and while Russian criminal groups are regarded as closely connected to Moscow's intelligence and security services, NBC reports that for now most are treating the incident as financially motivated crime, not state-directed sabotage. Some, like CrowdStrike co-founder and Silverado Policy Accelerator executive chairman Dmitri Alperovitch, regard this as a distinction without a difference: "Whether they work for the state or not is increasingly irrelevant, given Russia's obvious policy of harboring and tolerating cybercrime," NBC quotes him as saying.

Attackers began by stealing almost a hundred gigabytes of data last Thursday and then, Bloomberg reports, locked Colonial Pipeline computers and issued their ransom demand, at which point Colonial began taking systems offline in a precautionary attempt to contain the effects of the attack. The affected systems appear to have been business systems, not control systems.

Colonial Pipeline describes itself as "the largest refined products pipeline in the United States, transporting more than 100 million gallons of fuel daily to meet the energy needs of consumers from Houston, Texas to the New York Harbor." Its deliveries include gasoline, diesel, and jet fuel. The incident represents a major disruption of the US energy sector, WIRED notes, although it's not the first cyberattack the sector has sustained. Infrastructure targets are increasingly attractive to ransomware operators. An evergreen interview with Dragos from 2020 offers some relevant perspective on ransomware attacks against industrial targets.

How well prepared was Colonial Pipeline for the DarkSide attack it sustained?

Forbes notes with some appearance of disapproval that Colonial Pipeline was "silent for more than a day" about the ransomware attack. Forbes also distills some lessons in incident response from the attack:

  • "Tell people what happened."
  • "Call In The Experts." (Colonial Pipeline is said to have retained the services of FireEye.)
  • "Establish priorities."
  • "Don't speculate."
  • "Take control."
  • "Send the right message."
  • "Isolate the problem."

Such animadversions as those published by Forbes aside, preliminary reaction from industry suggests that Colonial Pipeline may not have done too badly. Several experts believe that the company appears to have been relatively well prepared to respond to the incident. Dragos CEO Rob Lee tweeted some reassuring perspective Monday: "Today in all this incident isn’t anything to be fearful over. But it is a public example of what many are concerned about and it could have been much worse. Colonial Pipeline is doing a great job so far as we can tell. Others may not. If we approach this thoughtfully we can win."

Comments from Edgard Capdevielle, CEO of Nozomi Networks, are also representative:

“The initial information available from Colonial Pipeline and the press coverage seems to indicate that they had the processes in place to detect and contain this type of attack – before it had an opportunity to be exploited further and cause more damage. I’m sure there will be a financial impact for having to take systems offline in this containment, but imagine an attack where they didn’t have the systems and processes in place and they lost control of their business for an extended period of time. It would make the cost of proactively taking things offline look like a rounding error.

“The industry is anxiously awaiting guidance and support/reinforcement from the federal government on how to protect critical infrastructure. Over the years, there has been a lot of talk about how actions aren’t catching up with the attackers. It’s going to be imperative that there are some very prescriptive steps providers have to take before it’s too late. There needs to be a level of emphasis put on cybersecurity that we haven’t seen to date, or attacks like we saw on Colonial Pipeline and the Oldsmar Water Plant will be just the beginning. Funding, support and clear guidance will all play an important role in making sure our critical infrastructure is resilient and safe.”

The Colonial Pipeline attack is bad enough, but it might have been worse.

A ransomware attack, assuming it's a genuine case of ransomware as this one appears to be, and not an exercise in misdirection, is financially motivated. But infrastructure could also be targeted for disruption in a state-directed cyber sabotage operation. Dawn Cappelli, VP and CISO at Rockwell Automation, observed:

“Cyber-attacks that target industrial control systems have been rapidly rising throughout 2020 and 2021. Most of them are ransomware attacks by financially motivated groups that spread from a company’s main network into the industrial control system operational network. However, we have also seen a dramatic increase in sophisticated nation state attackers, some of which have proven their willingness to cripple critical infrastructure via cyber-attacks. All of these attacks are evidence that cannot be ignored, and it is imperative that companies running industrial control systems take steps to secure their converged IT / OT infrastructure immediately. It is a complex undertaking which cannot be accomplished overnight, but the expertise is available to assist, and waiting is not an option.”

It's also worth reflecting that not all attacks against industrial targets may be as easy to detect as this one was. That's both unsurprising and troubling. Ransomware, after all, has to announce itself in some fashion if the extortionists are going to have any prospect of a payout. Tim Erlin, VP, product management and strategy at Tripwire, wrote that, “One thing to note here is that ransomware has to announce itself to be successful. In industrial environments, cyber events aren’t always this visible. Increasing visibility into industrial networks becomes more important as attackers continue to target critical infrastructure.”

Brad Brooks, CEO of OneLogin, wrote, “This attack represents how quickly the stakes are escalating on cybersecurity, with controlling and knowing who has access to your IT systems a board level priority for every company. We are moving from an invisible Cold War that was focused on stealing data to a highly visible hot war that has real implications for physical property and people’s lives.”

The US Government's response to the Colonial Pipeline ransomware attack.

POLITICO says the incident is seen as a major challenge for the US Administration. The New York Times reports a Saturday evening White House statement to the effect that President Biden had been briefed on the incident, and that the Government was working to "assess the implications of this incident, avoid disruption to supply and help the company restore pipeline operations as quickly as possible." The statement also said the Government was working with the other organizations in the fuel sector to increase their protection against such attacks. Investigation is still in its early stages, and it's unclear how the attackers got into Colonial's systems, but the Times recounts a priori speculation that they might have exploited the now well-known (and now patched) compromises of the SolarWinds Orion platform and Microsoft Exchange Server.

Response and investigation are in their early stages, but the US Government has taken at least one step in reaction to the incident. In an effort to ameliorate the expected shortages, the Federal Motor Carrier Administration has issued an emergency waiver of certain provisions of Parts 390 through 399 of Title 49 Code of Federal Regulations, effectively permitting drivers in seventeen states and the District of Columbia to work extra or more flexible hours while they're hauling refined petroleum products that would ordinarily have been moved through Colonial's pipelines. The expectation is that road transportation will take up some, although not of course all, of the slack left by the pipeline disruption. The emergency directive is, for now, expected to remain in effect through June 9th. The affected areas are the ones the pipelines cross: Texas, Louisiana, Mississippi, Alabama, Florida, Georgia, South Carolina, Arkansas, Tennessee, Kentucky, North Carolina, Virginia, the District of Columbia, Maryland, Delaware, Pennsylvania, New Jersey, and New York. (This is, it's worth noting, neither legislation nor a declaration of a national emergency, as some outlets have mistakenly reported. It's a temporary regulatory waiver issued by an agency in the US Department of Transportation.)

The ransomware attack against Colonial Pipeline comes as the US Government is considering how to implement an anti-ransomware task force. James Shank, Ransomware Task Force (RTF) committee lead for worst case scenarios and Chief Architect, Community Services for Team Cymru, wrote that the Ransomware Task Force foresaw the possibility of this kind of attack:

“One of the areas of focus during the Ransomware Task Force Worst Case Scenario thought experiment included supply chain attacks that impact critical infrastructure or critical services. We discussed this sort of possibility; this is troubling and shows the criticality of ransomware as a great threat to national security.

“Targeting pipelines and distribution channels like this attack on the Colonial Pipeline Co. makes sense - ransomware is about extortion and extortion is about pressure. Impacting fuel distribution gets people’s attention right away and means there is increased pressure on the responding teams to remediate the impact. Doing so during a time when the pandemic response has created other distribution and supply chain problems, many of which will require timely and efficient distribution of goods, adds to the pressure.

“This emphasizes the need for a coordinated effort that bridges public and private sector capabilities to protect our national interests. We cannot think of these attacks as impacting private companies only - this is an attack on our country’s infrastructure.”

Ways in which critical infrastructure organizations can improve their security.

Nik Whitfield, cyber and continuous controls monitoring (CCM) expert and founder of Panaseer, sees gaining visibility into one's systems as essential to securing critical infrastructure:

“The only way to prevent an attack such as ransomware from happening is to have the proper cyber controls and safeguards in place. Yet most organizations don’t have the tools to measure and understand if the protections they need are in place and functioning at any given moment in time. It’s the biggest issue in cyber security. It’s why Gartner’s Q1 2021 Emerging Risks Report highlights ‘cybersecurity control failures’ as the top emerging risk for enterprises today. This lack of visibility is particularly concerning in the industrial sector where threats to organizations such as Colonial Pipeline not only impact the bottom line but also disrupt our everyday lives.”

John Cusimano, Vice President, aeCyberSolutions, wrote to say that in his experience, pipeline security lags other portions of the energy sector:

"In our company's extensive experience in assessing oil & gas pipelines for several of the country’s largest pipeline operators, we have found that pipeline cybersecurity is far behind that of other energy sectors (upstream and downstream O&G and electric utilities). A common gap in the pipeline industry is the lack of segmentation of the pipeline supervisory control and data acquisition (SCADA) networks which are the networks that connect the pipeline control center to every terminal, pumping station, remote isolation valve, and tank farm along the pipeline. These are very large networks covering extensive distances but they are typically “flat”, from a network segmentation standpoint. This means that once someone gains access to the SCADA network they have access to every device on the network. While pipeline SCADA networks are typically separated from the company’s business (IT) networks with firewalls, by design, those firewalls pass some data between the networks. For example, network monitoring software, such as Solarwinds, may be permitted through the firewall in order to monitor the SCADA network. These permitted pathways through the firewall are one way malicious software or hackers can move from the IT network into the SCADA network. This was one of my greatest concerns when I learned of the Solarwinds attack.

"The other big challenge with securing pipeline SCADA networks is that they branch into every facility along hundreds of miles of pipeline. Some of those facilities are in very remote places with little to no physical security meaning that if an attacker breached the security of one of those facilities they could gain access to the network. Finally, SCADA networks rely on extensive use of wireless communications (e.g. microwave, satellite, and cellular). Breaching the wireless signals or stealing a cellular modem from a remote site could give an attacker access to the entire SCADA network."
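Cusimano's point about flat SCADA networks can be made concrete by modelling zone-to-zone allow-rules and computing what a single foothold can reach. The following is an added example, not code from the article or from aeCyberSolutions; the zone names, rules and asset names are constructed, and the rule format (source zone, destination zone) is an assumption. It contrasts the flat design with a segmented one for the two footholds he describes: the IT network and a remote facility.

```python
from collections import deque

# Added example, not from the article or from aeCyberSolutions. Allow-rules are
# (source_zone, destination_zone) pairs; the assumption is that a rule lets a
# foothold in the source zone reach every host in the destination zone.
# Zone names, rules and asset names are constructed for illustration.

# Flat design: every facility along the pipeline sits in one SCADA zone, and
# the monitoring software's permitted pathway from IT lands in that zone.
FLAT_ZONES = {
    "IT": {"monitoring-server", "historian-mirror"},
    "SCADA": {"control-center-hmi", "terminal-plc", "pump-station-rtu",
              "isolation-valve-rtu", "tank-farm-rtu"},
}
FLAT_POLICY = [("IT", "SCADA"),    # monitoring server polls the control network
               ("SCADA", "IT")]    # historian data back to the business side

# Segmented design: one zone per site, and the IT pathway ends in an OT DMZ
# that the control center pushes data into rather than the other way round.
SEGMENTED_ZONES = {
    "IT": {"monitoring-server", "historian-mirror"},
    "OT-DMZ": {"ot-dmz-collector"},
    "CONTROL-CENTER": {"control-center-hmi"},
    "TERMINAL": {"terminal-plc"},
    "PUMP-STATION": {"pump-station-rtu", "isolation-valve-rtu"},
    "TANK-FARM": {"tank-farm-rtu"},
}
SEGMENTED_POLICY = [("IT", "OT-DMZ"), ("CONTROL-CENTER", "OT-DMZ"),
                    ("CONTROL-CENTER", "TERMINAL"), ("CONTROL-CENTER", "PUMP-STATION"),
                    ("CONTROL-CENTER", "TANK-FARM")]

def reachable_assets(policy, zones, foothold_zone):
    """Assets in every zone reachable from foothold_zone by following allow-rules
    transitively; the foothold zone's own assets count, since a flat network puts
    every device within reach of whoever lands on it."""
    seen, queue = {foothold_zone}, deque([foothold_zone])
    while queue:
        zone = queue.popleft()
        for src, dst in policy:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return {asset for z in seen for asset in zones.get(z, ())}

if __name__ == "__main__":
    # Two footholds Cusimano describes: the IT network, and a remote facility.
    for label, policy, zones, sites in (("flat", FLAT_POLICY, FLAT_ZONES, ("IT", "SCADA")),
                                        ("segmented", SEGMENTED_POLICY, SEGMENTED_ZONES, ("IT", "PUMP-STATION"))):
        for foothold in sites:
            hit = reachable_assets(policy, zones, foothold)
            print(f"{label:9} foothold={foothold:12} reaches {len(hit)}: {sorted(hit)}")
```

In the flat model both footholds reach all seven assets; in the segmented model an IT foothold stops at the DMZ collector and a compromised pump station reaches only its own two devices.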

Tom Garrubba, CISO, Shared Assessments, thinks that it should by this time be clear that critical infrastructure is under attack, and has been for some time:

“Numerous agencies including CISA have been trumpeting warnings or ‘calls to action’ to update critical infrastructure for years, and sadly, the time for initial action has long since passed. The evidence is clear: we are under attack by both rogue and state-sponsored organizations and the cyber community along with the general public have taken notice and are getting very worried.

“Any company whether primary or downstream providing support to our country’s national infrastructure needs to take a good hard look at the systems supporting those processes and ask themselves: “Can we be next? Do we need to update our systems? Do we need assistance to support and secure these systems?” and if so, petition their corporate boards and owners for the requisite financial support in upgrading and securing these systems.

“As there is so much talk in Washington D.C. regarding support for a National Infrastructure bill, the time has truly arrived for our congressional representatives to include and support this most critical infrastructure component - the identification, inclusion, and funding for upgrading the various antiquated systems supporting this nation’s critical infrastructure.”

Garret Grajek, CEO of YouAttest, notes DarkSide's record, and points out that this gang and others like it have many attack vectors they can pursue:

“The effects of this attack are serious enough: stopping 2.5 million barrels per day of refined products from the Gulf Coast to the eastern and southern United States. But what is additionally alarming is how the attack group, surmised by researchers as the "Darkside" group hailing out of Russia, is now operating. (Darkside is selective in their targets and avoids ex-Soviet Union enterprises.)

“According to Cybereason, Darkside has created an affiliate program - where Darkside creates the malware and others are financially motivated via an embedded "affiliate" code to other hacking groups for a successful delivery of the malware. This means that there's not just one threat vector to close off, but dozens if not more attack entries to block.

“How to protect against such attacks? Darkside has often created malware targeting domain controllers - so traditional hardening approaches are crucial, including patching and a fanatical lockdown of admin and service accounts. We must not only be performing regular access reviews of our key admin accounts, but also have instantaneous alerts on any attempts at privilege escalation on these accounts.”
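The two controls Grajek names, regular access reviews of admin accounts and immediate alerts on privilege escalation against them, can be automated against Windows Security log events. The following is an added example, not code from the article or from YouAttest; it assumes events already parsed into dictionaries keyed by the Security log's EventData field names, and all records, account names and the approved baseline are constructed.

```python
# Added example, not from the article or from YouAttest. Event IDs 4728/4732/4756
# are the real Windows "member added to a security-enabled group" events; field
# names follow the Security log's EventData; records and accounts are constructed.

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}
GROUP_MEMBER_ADDED = {4728, 4732, 4756}

# Constructed baseline recorded at the last approved access review.
APPROVED_MEMBERS = {
    "Domain Admins": {"CORP\\da.alice", "CORP\\da.bob"},
    "Administrators": {"CORP\\Domain Admins"},
}

def access_review(current_members, approved=APPROVED_MEMBERS):
    """Return {group: members absent from the baseline} for privileged groups,
    so a reviewer sees drift instead of re-reading whole membership lists."""
    drift = {}
    for group, members in current_members.items():
        extra = set(members) - approved.get(group, set())
        if group in PRIVILEGED_GROUPS and extra:
            drift[group] = extra
    return drift

def privileged_add_alerts(events):
    """One alert per event that adds a member to a privileged group; additions
    to ordinary groups are ignored so the alert stays actionable."""
    alerts = []
    for ev in events:
        if ev["EventID"] in GROUP_MEMBER_ADDED and ev.get("TargetUserName") in PRIVILEGED_GROUPS:
            alerts.append(f"{ev['TimeCreated']} {ev['Computer']}: {ev['SubjectUserName']} "
                          f"added {ev['MemberName']} to {ev['TargetUserName']}")
    return alerts

# Constructed events in the shape they take once parsed out of Security.evtx.
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2021-05-07T02:13:44Z", "Computer": "DC01.corp.example",
     "SubjectUserName": "svc-backup", "TargetUserName": "Domain Admins",
     "MemberName": "CN=tmp-helpdesk,CN=Users,DC=corp,DC=example"},
    {"EventID": 4732, "TimeCreated": "2021-05-07T02:15:09Z", "Computer": "WS042.corp.example",
     "SubjectUserName": "j.smith", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=j.smith,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for alert in privileged_add_alerts(SAMPLE_EVENTS):
        print("ALERT", alert)
    print("review drift:", access_review(
        {"Domain Admins": {"CORP\\da.alice", "CORP\\da.bob", "CORP\\tmp-helpdesk"}}))
```

Only the Domain Admins addition by a service account produces an alert; the Remote Desktop Users change is logged but not escalated, which is the filtering that keeps such alerts from being tuned out.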