Dark Reading is part of the Informa Tech Division of Informa PLC


Operations

5/10/2021
05:57 PM

Colonial Pipeline Cyberattack: What Security Pros Need to Know

As the massive US pipeline operator works to restore operations after a DarkSide ransomware attack late last week, experts say it's a cautionary tale for critical infrastructure providers.

Major US pipeline operator Colonial Pipeline is investigating and responding to a ransomware attack on its IT network that ultimately disrupted its pipeline operations late last week, putting a spotlight on how the industrial sector remains vulnerable to growing cyberattacks that could have far-reaching consequences.

The company's pipeline system runs 5,500 miles between Houston, Texas, and northern New Jersey, transporting millions of gallons of fuel each day. On May 7, Colonial Pipeline learned it was the victim of a cyberattack later determined to be ransomware. The FBI has since confirmed the DarkSide ransomware group is responsible, though the investigation is ongoing.

Learning of the attack prompted Colonial to take certain systems offline, temporarily halting all pipeline operations and affecting some of its IT systems. By May 9, its mainlines were still offline but some smaller lateral lines between terminals and delivery points were operational. A new update published to Colonial's website today says its operations team has launched a plan involving an "incremental process" that will enable the company to fully restore its service.

The attack, which reportedly involved the theft of nearly 100GB of Colonial's data, prompted the US government to issue an emergency waiver that allows for greater flexibility and faster transportation of oil and fuel to the states where fuel supply may be disrupted by the attack.

Ransomware is an increasingly common threat with the potential to cause widespread damage when it hits industrial environments, and this is the prime example. While the ransomware itself was confined to Colonial's IT network, the company shut down its industrial operations as a direct result.

"Almost every industrial organization relies on IT systems for a huge range of operational requirements, from billing to pricing to supply chain management," says John Livingston, CEO of Verve Industrial. "The line of demarcation isn't at some physical point … when we think of protecting 'operations' we need to consider the systems that if compromised, would impact operations."

In this case the disruption to the industrial environment was a byproduct of the attack, not its direct target, adds Sergio Caltagirone, vice president of threat intelligence at Dragos. Even so, he adds, the impact of this ransomware attack is "dramatic [and] underscores the fundamental vulnerability we all have in industrial operations."

Industrial Sector Targets

The industrial sector is an appealing target for many reasons, chief of which is the pressure to stay operational, says Sean Nikkel, senior cyber threat intelligence analyst at Digital Shadows.

"There's potentially an incredible return on investment from enterprises in the industrial sectors, specifically those involved with energy and petroleum, who need the availability and would likely be more apt to pay to not lose services or regain access quickly," Nikkel says. Further, secondary effects of an attack may cause physical damage companies want to avoid.

Within the industrial space, however, are some areas that are more vulnerable. Pipeline security is "far behind" the security of other energy sectors, such as upstream and downstream oil and gas, and electric utilities. A common gap in the pipeline industry is lack of segmentation of the pipeline supervisory control and data acquisition (SCADA) networks, which connect the pipeline control center to terminals, pumping stations, remote isolation valves, and tank farms along the pipeline, explains John Cusimano, vice president of aeCyberSolutions.

"These are very large networks covering extensive distances, but they are typically 'flat' from a network segmentation standpoint," he explains. "This means that once someone gains access to the SCADA network, they have access to every device on the network." While pipeline SCADA networks are usually separated from IT networks by firewalls, those firewalls still pass some data between the two networks, and the one-way pathways they open through the firewall could be handy to attackers, he adds.

There are, of course, several challenges to securing pipelines. Geography is a big factor: Along the thousands of miles of pipeline are networks that must connect to every pump station and valve. The many assets involved in building these networks make them hard to secure, he says.

And then there is the regulatory gap. Refineries and companies receiving refined products are highly regulated; pipelines are regulated too, but not to the same extent. The Department of Transportation regulates the integrity of the pipelines themselves, and the Transportation Security Administration also provides guidance. However, that guidance is more like a set of recommendations, Cusimano says, and pipelines are not subject to mandatory security regulation.

The security gaps in the industrial sector are "wide and deep," Livingston says. For years, cyberattacks have targeted information and confidentiality; now, attackers are pivoting to focus on availability and reliability. This changes the type of targets they prefer to go after. Early last year, the DHS' Cybersecurity and Infrastructure Security Agency (CISA) warned of ransomware targeting pipeline operations and offered mitigations against future attacks.

"On the critical infrastructure side, it's really important that we put more emphasis on making the industrial side more resilient to cyberattacks," says Caltagirone. "Right now, it really isn't."

The Lowdown on DarkSide

DarkSide, the ransomware-as-a-service operation believed to be behind the Colonial Pipeline attack, first emerged on the ransomware scene last summer. Researchers noted the group shares some of the same methods as DoppelPaymer, Sodinokibi, Maze, NetWalker, and other well-known ransomware groups; for example, it operates on an affiliate model, so other groups can buy from, and work with, DarkSide to use and develop its malware. It also uses the increasingly common "double extortion" method of stealing data and threatening to leak it.

DarkSide's operators have a "highly targeted approach" to choosing victims, Digital Shadows researchers note in a report on the threat. While they claim to avoid critical and vulnerable entities such as schools, hospitals, non-profits, or governments, Nikkel notes that an attack on a company like Colonial Pipeline is not out of character: industrial sector targets have previously been the most attacked by DarkSide, telemetry shows.

DarkSide attackers do their research. They often choose targets and determine a ransom based on the company's revenue, and customize the ransomware executable to each company.

The group attempts to establish trust with its victims, and with the other attackers involved, through professional communication methods; for example, it posts press releases to announce its latest operations or threaten victims. One such press release, published today, offers an interesting follow-on to the attack on Colonial Pipeline.

"We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives," the group wrote on its website. "Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."

Some experts speculate this attack was a mistake by DarkSide or one of its partners that could lead to repercussions for the cybercrime group. "This is going to be a really interesting balance-of-risk exercise for them," says Caltagirone, noting this action could put the group on government lists and potentially affect its partnerships with other criminal groups. "If you draw too much heat, all of your support network is going to pull away from you," he adds.

Protecting OT

The first thing organizations should do is identify and assess what their assets are, as well as the risks to them, so they can compile a profile and plan for how to address them, Cusimano says. Putting together a roadmap can help security teams determine which assets should be addressed first.

"What are the vulnerabilities and the gaps that are creating the greatest risk for them?" he notes.

One crucial gap to address is the one between operations and IT teams, Cusimano adds. The responsibility for cybersecurity can be vague, especially in organizations like Colonial Pipeline, where operations are so critical. IT often has the capabilities but no jurisdiction in operations.

Caltagirone strongly advises companies to assess the vulnerability of their industrial operations as they pertain to other networks. They need to "immediately recognize" if they would ever have to shut down or protect industrial operations because of an attack on another network or asset they rely on, he explains. When things are done in silos, industrial operators don't realize the implications of attacks on other networks.

Attacks from these groups most often involve phishing or exploitation of vulnerable server infrastructure, says Nikkel, noting that awareness training and strong security practices can go a long way in defense. Keeping servers and Internet-facing network infrastructure patched and updated can help mitigate the risk from DarkSide and similar attack groups.

Companies' biggest security gaps often lie in the foundational elements, Livingston says. This includes patching, quality backups, configuration hardening, and managed segmentation – "not just on paper, but closely monitored so that you know what the rules and architecture actually [are] today," he adds.
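The two segmentation points raised above, a SCADA network that is flat once an attacker is past the boundary firewall, and segmentation that exists "on paper" but is not checked against what the firewall actually enforces, can both be caught with a small drift audit. The following is an added example, not code from the article or from any of the vendors quoted in it. It assumes a three-zone model (IT, an OT DMZ, and the pipeline SCADA network) and a hand-maintained baseline of the flows the design documents say should exist; the zone names, rule names and ruleset are constructed for illustration.

```python
"""Segmentation drift audit for an IT/OT boundary firewall.

Added example, not the article's or any vendor's code. Assumes a three-zone
model (IT, DMZ, SCADA) and a documented baseline of permitted flows. The
ruleset and baseline below are constructed for illustration.
"""
from dataclasses import dataclass

ZONES = ("IT", "DMZ", "SCADA")


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # zone name or "any"
    dst: str      # zone name or "any"
    proto: str    # "tcp", "udp" or "any"
    port: str     # e.g. "502", or "any"
    action: str   # "allow" or "deny"

    def flow(self):
        return (self.src, self.dst, self.proto, self.port)


# Assumed baseline: the only flows the architecture diagram says should exist.
BASELINE = {
    ("SCADA", "DMZ", "tcp", "5450"),  # historian pushes data OT -> DMZ (one-way)
    ("IT", "DMZ", "tcp", "443"),      # IT reads the DMZ historian replica
}

# Constructed ruleset, as if exported from the boundary firewall.
# Rules are evaluated top-down; the trailing deny-all is the default.
RULES = [
    Rule("hist-push", "SCADA", "DMZ", "tcp", "5450", "allow"),
    Rule("hist-read", "IT", "DMZ", "tcp", "443", "allow"),
    Rule("vendor-rdp", "IT", "SCADA", "tcp", "3389", "allow"),  # undocumented, bypasses DMZ
    Rule("eng-temp", "IT", "SCADA", "any", "any", "allow"),     # flat pass-through
    Rule("dmz-poll", "DMZ", "SCADA", "tcp", "502", "allow"),    # undocumented Modbus poll
    Rule("deny-all", "any", "any", "any", "any", "deny"),
]


def audit(rules, baseline):
    """Return (rule name, finding) pairs for allow rules that break the model."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if "any" in r.flow():
            findings.append((r.name, "over-broad: 'any' in an allow rule"))
        if {r.src, r.dst} == {"IT", "SCADA"}:
            findings.append((r.name, "direct IT<->SCADA flow bypasses the DMZ"))
        if r.flow() not in baseline:
            findings.append((r.name, "not in baseline: undocumented flow (drift)"))
    return findings


def paths_into_scada(rules, start="IT"):
    """Zone chains an attacker in `start` could follow over allow rules into SCADA.

    A multi-hop chain such as IT -> DMZ -> SCADA means a compromised DMZ host
    is a usable pivot; each hop needs only one allow rule in that direction.
    """
    edges = {}
    for r in rules:
        if r.action == "allow" and r.src in ZONES and r.dst in ZONES and r.src != r.dst:
            edges.setdefault(r.src, set()).add(r.dst)
    paths, stack = [], [[start]]
    while stack:
        path = stack.pop()
        for nxt in sorted(edges.get(path[-1], ())):
            if nxt in path:
                continue
            if nxt == "SCADA":
                paths.append(path + [nxt])
            else:
                stack.append(path + [nxt])
    return sorted(paths)


if __name__ == "__main__":
    for name, why in audit(RULES, BASELINE):
        print(f"{name:12s} {why}")
    for path in paths_into_scada(RULES):
        print("path into SCADA:", " -> ".join(path))
```

Run against the constructed ruleset, `audit` flags the three rules that were never in the design (one of them an any/any pass-through), and `paths_into_scada` shows both a direct IT-to-SCADA path and a two-hop path through the DMZ. The point of the second check is that the DMZ only helps if inbound SCADA flows from it are deliberate and minimal; exporting the live ruleset and re-running this on a schedule is what turns "segmentation on paper" into something that is actually monitored.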

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
Comments
kdunne916
5/14/2021 | 6:39:40 PM
Network vs. Application Security to Prevent Colonial Pipeline attack
I enjoyed reading this article. I am curious: I have heard a lot of people suggesting that Zero Trust Network Access or other perimeter-based approaches are a silver-bullet approach to stopping these types of attacks. But given it was the billing systems that went offline, isn't there a need to focus on application security to prevent these types of attacks from happening in the future?