Colonial Pipeline, which carries roughly 45% of the fuel consumed on the East Coast (per the WSJ), was shut down on May 7th due to a cyber-attack. At time of writing, Colonial’s systems remain shut down, and Colonial is working to restore operations as researchers assess the damage. This is the biggest ransomware attack to date against United States critical infrastructure.
From a consumer perspective, you might care about this specific incident because of the immediate impact it can have on the availability, distribution, and price of gasoline and diesel fuels. But there are several other takeaways from it that we should care about, concerning the impact a crippling cyber-security breach can have on the US.
- The importance and current state of Federal cyber legislations
- The fact that the attacking group is using Russian-based commoditized malware
- The vulnerability of US critical infrastructure
1. The importance and current state of Federal cyber legislations
We’ve seen a huge uptick in commoditized ransomware over the last few years, and over the last year in particular. Ever since Sandworm, federal officials, the US Congress, and industry leaders have been concerned about something like this impacting our critical infrastructure.
Recently, officials have been circulating ideas and drafts of a road map intended to bolster the nation’s cyber defenses. An attack like this brings to mind questions and conversations about how far federal regulations should reach.
The Cybersecurity Maturity Model Certification (CMMC) is one such effort recently released by the DoD. The CMMC is a framework intended to assess and enhance the cybersecurity posture of the more than 300,000 companies that contribute towards the research, engineering, development, acquisition, production, delivery, sustainment and operation of DoD systems, networks, installations, capabilities and services.
2. The fact that the attacking group is using Russian-based commoditized malware
The FBI confirmed that the ransomware group responsible, DarkSide, is believed to be operated by a relatively new Russian cybercrime gang. Interestingly, Varonis reverse engineering found that DarkSide’s malware checks device language settings to ensure it doesn’t attack Russia-based organizations.
DarkSide uses a new tactic of ‘Ransomware-as-a-Service’ (RaaS) and double extortion, in which they encrypt and then exfiltrate data and threaten to make it public. In this specific attack, DarkSide sought to shift blame to one of its users, stating on their dark web site that they are only interested in making money and are not motivated by political or social upheaval.
3. The vulnerability of US critical infrastructure
From a defense-in-depth perspective, this highlights the importance of securing both traditional computing and OT (operational technology). This was not something like a Windows virus; it was a directed attack against the “other stuff” connected to networks – things like security cameras, vibration monitors, pumping controls, Smart TVs, etc. Basically, it shows us that there are other vulnerable access points that are often ignored in baseline security programs.
A 2018 report highlighted vulnerabilities in industrial environments. “Most industrial environments, including oil pipelines, are no longer air-gapped, which means they’re exposed to the outside world,” Marty Edwards, vice president of OT security at Tenable and former director of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), said via email. “This creates an expanded attack surface and provides cybercriminals with an opportunity to move laterally from IT to OT, or vice versa.”
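To make the IT-to-OT lateral-movement point concrete, here is an added example (written for this discussion, not code from Colonial, Tenable, or any other party mentioned above) that checks network flow records against an assumed IT/OT segmentation policy. The subnets, the engineering jump host, the historian address, the allowlist and the flow records are all constructed for the example; the idea is simply that once an environment is no longer air-gapped, every boundary crossing should be expected, allowlisted, and alerted on otherwise.

```python
# Added example: flag flows that cross an assumed IT/OT boundary without an
# explicit allowlist entry. All addresses and records below are constructed.
import ipaddress
from dataclasses import dataclass

# Assumed segmentation: corporate IT on 10.10.0.0/16, OT (HMIs, historians,
# pump controllers) on 10.200.0.0/16. Anything else counts as "OTHER"
# (e.g. the Internet), which OT devices should never reach directly.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.200.0.0/16")

# The only sanctioned crossing in this constructed policy: the engineering
# jump host talking to the historian on its OPC UA port (4840).
ALLOWED_CROSSINGS = {
    ("10.10.5.20", "10.200.1.10", 4840),
}

@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str

def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: ts src dst dport proto."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)

def zone(ip: str) -> str:
    """Map an address to the IT or OT segment, or OTHER if it is in neither."""
    addr = ipaddress.ip_address(ip)
    if addr in IT_NET:
        return "IT"
    if addr in OT_NET:
        return "OT"
    return "OTHER"

def crossing_violations(lines):
    """Return (direction, src, dst, dport) for every flow that touches the
    OT segment from outside it, or leaves it, without an allowlist entry."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # skip blanks and comments
        f = parse_flow(line)
        src_zone, dst_zone = zone(f.src), zone(f.dst)
        if src_zone == dst_zone:
            continue                       # intra-segment traffic is out of scope
        if "OT" not in (src_zone, dst_zone):
            continue                       # IT <-> Internet is a different policy
        if (f.src, f.dst, f.dport) in ALLOWED_CROSSINGS:
            continue                       # sanctioned crossing
        findings.append((f"{src_zone}->{dst_zone}", f.src, f.dst, f.dport))
    return findings

# Constructed sample records: ts src dst dport proto
SAMPLE_FLOWS = """
# jump host -> historian on OPC UA (allowed)
2021-05-07T02:10:01Z 10.10.5.20 10.200.1.10 4840 tcp
# ordinary IT-to-IT file share traffic (ignored)
2021-05-07T02:10:05Z 10.10.5.20 10.10.9.2 445 tcp
# a user workstation reaching the historian over SMB (flagged)
2021-05-07T02:11:30Z 10.10.77.41 10.200.1.10 445 tcp
# the same workstation reaching a pump controller on Modbus (flagged)
2021-05-07T02:12:02Z 10.10.77.41 10.200.3.7 502 tcp
# a pump controller talking to an external address (flagged)
2021-05-07T02:13:45Z 10.200.3.7 203.0.113.9 443 tcp
# historian polling the controller inside OT (ignored)
2021-05-07T02:14:00Z 10.200.1.10 10.200.3.7 502 tcp
"""

if __name__ == "__main__":
    for direction, src, dst, dport in crossing_violations(SAMPLE_FLOWS.splitlines()):
        print(f"{direction:10} {src:>14} -> {dst:<14} port {dport}")
```

On the constructed records this reports three crossings: two from a user workstation into the OT segment and one from an OT controller out to an external address. In practice the allowlist would be generated from the documented IT/OT conduits (firewall rules, data diodes, jump hosts) rather than hand-written, and the findings would feed a SIEM rule rather than stdout, but the check itself stays this simple: every boundary crossing is either on the list or an alert.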
These are just three quick takeaways on why the Colonial Pipeline hack matters. At time of writing, the story is continuing to evolve, but it certainly highlights the importance of securing any infrastructure – public, private, or otherwise – that is critical to operations.