Qwick Takes: The Colonial Pipeline attack and its wider security implications
This week, Talking Biz News Deputy Editor Erica Thompson reached out to Qwoted’s community of experts to inquire about the security implications of the Colonial Pipeline outage following a ransomware attack last week.
Check out some of the top commentary:
Recent high-profile hacks, such as Colonial Pipeline and SolarWinds, illustrate the fragile dependencies that businesses have today with supply chain and other third-party partners. Unfortunately, most cyber security efforts are placed at protecting enterprise IT assets, with little devoted to third party risk management. Until we recognize that enterprise cyber security is only as strong as the weakest link of the entire risk chain, adversaries will continue to exploit third party vulnerabilities, putting businesses at substantial risk.
These networks that actually run and monitor the pipelines are generally Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) networks. Traditionally these networks have been “air-gapped,” or physically separated from any other networks, including the internet. This led to extreme lags in updates and patching, as the logic was that if they’re never connected to anything, there’s no rush to patch or update. Not to mention that some of the equipment and protocols in use are often so old that they don’t support anti-virus, updates, or any other security controls.
Driven by tech innovation, decisions were made to “join” these traditionally air-gapped networks to the technologically advanced corporate networks, which came with great benefits: easier management and the chance to not depend so much on out-dated and unsupported software and protocols. The SCADA vendors followed suit by updating their hardware to support modern technologies and take advantage of the internet. Add updated IoT devices to the mix and you’ve got a perfect storm of great innovation and wide-open attack vectors.
Regardless of the motive behind the cyberattack on Colonial Pipeline over the weekend, the incident highlights just how vulnerable critical infrastructure systems remain in the United States. And it’s not just that. The incident also serves as a warning that cyberattacks are only getting more and more sophisticated and prevalent. Until effective preventative cyber defense measures are taken to properly protect critical infrastructure systems in the US, malicious foreign actors – like the groups behind this attack and other recent attacks – will continue to target those vulnerable systems and continue to disrupt the fundamental processes that affect Americans’ day-to-day lives.
When you have Russian criminal organizations who don’t care if their tactics kill and who moonlight for their government, it’s plainly clear that this is a national security issue. How we respond is critical.
On the government side:
1. We need a government-coordinated effort to take down these criminals like we took down ISIS. The most effective thing we did? We cut off their money supply.
2. An effort by the government should be made to take out ransomware infrastructure, as well as even patching compromised enterprise components, as we saw them do with the MS Exchange attack.
On the critical infrastructure side:
3. We need to begin to proactively use offensive security techniques to test our security controls on all our critical infrastructure, including our energy sector, its processes and people, in advance of a real attack. The first time we defend ourselves from a real attack should be the thousandth time we have practiced simulating it. There are solutions out there that make this easily incorporated into day-to-day activity and allow you to do this safely and effectively.
Ruston Miles, Founder and Advisor, Bluefin:
Unfortunately, a ransomware attack of this magnitude has been anticipated, with hackers turning their sights more toward government and utilities, targeting industrial control systems and critical infrastructure. When it comes to attacking these types of organizations, the goals can vary.
On the first level, and the most basic, hackers want a payout. They will employ a double-extortion scheme, including first encrypting files which they can leverage for payout if an organization does not have backups of their files and can easily re-establish them. If the organization can re-establish their backups, then the hackers can move on to leveraging the files that they originally stole to still demand a payout if those files contain clear-text payment or sensitive consumer data. They can threaten to expose that clear-text data on hacker websites, or even resell this data in order to monetize it.
When it comes to compromising the oil and gas industry, though, it becomes more nefarious because a further goal of these attacks can be to disrupt operations in the energy sector, making this type of attack a national security threat.
Matthew Rogers, Global CISO at Syntax:
This news has reinforced to me that compliance does not equal security. No doubt this pipeline company has passed numerous compliance audits, yet this attack still occurred. The attack has been identified in the media as “ransomware”, a commodity-based attack by entrepreneurial criminals seeking payment via bitcoin for breaking into systems. If a ransomware agent breaks into an environment like this, it indicates this environment is missing basic EDR protections and proactive system monitoring. A person with nefarious intent could do far worse with this level of access, which is much scarier than this shutdown from this ransomware.
This event will be recovered from in 3-7 days, but it’s important to make the foundational change to the posture so this cannot happen again. This pipeline is the greatest example of a supply chain security attack in the real world, versus the recent SolarWinds attack which was virtual, and non-visible. This is a physically demonstrative impact from ransomware to the non-technical world. This will likely change the political climate for core infrastructure for the coming year.
The Colonial Pipeline data breach and service disruptions may only be the beginning of Americans seeing U.S. energy infrastructure problems in the news. The U.S.’s current fossil fuel infrastructure itself is a patchwork of old and new systems, and upgrades are needed, particularly in our increasingly digitized and cybercrime-susceptible world. U.S. energy infrastructure, however, is at a crossroads of sorts. Investors and capital investments have been moving toward renewable energies and away from traditional fossil fuels. As these trends accelerate over the coming decade, as we suspect they will, older fossil fuel-based infrastructure may be more susceptible to decay and cybercrime.
The switch from fossil fuels to renewables is a particularly important secular transition, as the U.S. economy is currently built on the backs of fossil fuels. A majority, 87%, of the total energy consumed in the U.S. today still comes from fossil fuels. The U.S. moves on fossil fuels. While renewables are the future, Americans cannot ignore the fact that fossil fuels are their present. If investors continue to ignore investments in fossil fuel-related infrastructure, as they have over the last few years, we can expect to see more future stories of cybercrime and decay around U.S. energy infrastructure.