As the second anniversary of the massive ransomware attack on Colonial Pipeline nears, experts warn that efforts to thwart the potentially debilitating threat to US critical infrastructure have not been enough.
The cyberattack on its IT infrastructure forced Colonial Pipeline to shut down its entire operations for the first time ever, triggering a fuel shortage and price hikes that prompted four US states along the East Coast to declare a state of emergency. The incident immediately elevated ransomware to a national security level threat and galvanized concerted action from the Executive Branch down.
Since the attack — and another one shortly thereafter on JBS that threatened domestic meat shortages — the US government has said it would treat the use of ransomware on critical infrastructure as terrorism. An Executive Order signed by President Biden just days after the Colonial Pipeline attack mandated new security requirements for critical infrastructure organizations. And there have been numerous other initiatives at the federal level and by regulatory bodies to bolster resilience to attacks on US critical infrastructure.
However, two years on, the ransomware threat to critical infrastructure remains high, as a recent attack on America's largest cold-storage provider, Americold, showed. The attack — like the one on Colonial Pipeline — forced Americold, to shut down cold-storage operations while it worked to remediate the threat. Last year 870 of the 2,385 ransomware complaints that the FBI received involved critical infrastructure organizations. The FBI's data showed 14 of the 16 designated critical infrastructure sectors had at least one ransomware victim.
The trend continues unabated in 2023: BlackFog's State of Ransomware Report for April 2023 showed ransomware attacks on healthcare, government, and the health sector are continuing to grow, despite other vendor reports of a slowdown in attack volumes.
Security experts view the situation as one where for all the work done so far, there's a lot more to do.
Theresa Payton, CEO at Fortalice Solutions and a former CIO at the Executive Office of the President at the White House, ticks off several measures since Colonial Pipeline that she considers positive steps in the fight against ransomware. They include President Biden's Executive Order 14028 on Improving the Nation's Cybersecurity, National Security Memorandum 5 targeted specifically at critical infrastructure control systems, and efforts to establish zero-trust cybersecurity models in federal agencies under M-22-09. Also notable are measures such as the Cyber Incident Reporting for Critical Infrastructure Act and the cybersecurity provisions in the Bipartisan Infrastructure bill.
The FBI's systematic dismantling of the highly destructive Hive ransomware group is another indication of progress, Payton says.
What's needed now, she explains, are more specific directives for critical infrastructure organizations. "We must evolve the minimum cybersecurity requirements for critical sectors [and enhance] standards for authentication and identity proofing to prevent ransomware incidents from occurring," she says.
"Critical infrastructure organizations like Colonial Pipeline should adopt zero-trust principles to prevent ransomware attacks, especially as social engineering becomes more realistic, sophisticated, persistent, and complex," Payton says.
Mike Hamilton, former CISO of Seattle and current CISO of cybersecurity firm Critical Insight, says Colonial Pipeline's attack exposed a lack of good procedures among US infrastructure operators for recovering from a serious cyberattack.
"Once Colonial shut down the pipeline operation out of an abundance of caution, it took far too long to restart, which lengthened the existing fuel supply problem," he says. "This is a resilience issue. You need to be able to take a punch and get off the mat before that ten-count is over."
Making Ransomware Attacks Costlier
In the two years since the Colonial Pipeline incident, US government entities have worked at making ransomware attackers harder and costlier for attackers, Hamilton notes. The Treasury Department, for instance, has used its existing Office of Foreign Assets Control (OFAC) authority to ban the use of crypto exchanges for extortion payments. The US Department of Justice has also been more aggressive in proactively taking down criminal infrastructure and apprehending criminals.
Going forward, the emphasis must be on defending and taking out criminal infrastructure, he says. Identify and sanction criminals for eventual capture and incarceration and prohibit ransomware victims from making payments, Hamilton says.
The US Cybersecurity and Infrastructure Agency (CISA) too has been taking an active role in getting federal agencies to bolster defenses against ransomware and other cyber threats.
The agency's Known Exploited Vulnerabilities catalog, for instance, requires all civilian government agencies to patch vulnerabilities that are being actively exploited within a specific timeframe — usually two weeks — to minimize exposure to cyberthreats. More recently, CISA launched a Ransomware Vulnerability Warning Pilot (RVWP) program to warn organizations in critical infrastructure sectors about systems with vulnerabilities in them that a ransomware attacker could exploit. In March 2023, CISA launched a related Pre-Ransomware Notification Initiative where it has been warning organizations about ransomware actors on their networks so they can remove the threat before any data encryption happens.
The programs are part of CISA's Joint Cyber Defense Collaborative (JCDC) through which the agency receives tips and threat information from cybersecurity researchers, infrastructure players and threat intelligence firms.
"CISA has recognized the threat of ransomware to critical infrastructure," says Mariano Nunez, CEO and co-founder of Onapsis. Since the beginning of the year, they have already flagged over 60 organizations in the healthcare, utilities, and other sectors, about potential pre-ransomware threats on their networks, he says.
Ransomware Lives On
Such help is vital because ransomware attacks on critical infrastructure are growing, Nunez says.
"The attack surface will continue to grow as utilities and critical infrastructure become more connected, or interconnected, online," he notes. "Moving to the cloud can also present some issues as this shift can make it more difficult to monitor active threats and assess vulnerabilities in a timely fashion."
One factor that could complicate efforts to address the ransomware problem is a growing tendency by victims to either delay reporting an incident or covering it up entirely if possible.
According to BlackFog, its research indicates that organizations concerned about the potential damage to their brands, reputation, and customer relationships are delaying and sometimes not reporting a ransomware incident.
"We now see more than 90% of all attacks no longer encrypt the victim's devices but simply exfiltrate the data and extort everyone," says Darren Williams, CEO and founder of BlackFog. "The costs of exposure are simply too high; loss of business, remediation, regulatory fines, and class action lawsuits are just a few of the problems to deal with."