What to Know and Commentary
One of the largest disruptions of U.S. critical infrastructure by cyber-attack – the Colonial Pipeline Hack – occurred on Friday and continues to develop.
Here’s what you need to know.
The Colonial Pipeline company operates a pipeline transporting gasoline, diesel, and natural gas from Texas to New Jersey, serving most of the East Coast. A for-profit hacking group, identifying itself as DarkSide, initiated a two-pronged cyber-attack against the company starting on Thursday.
First, DarkSide stole data from the company. Then it launched a ransomware attack, encrypting critical files on the IT environment (as confirmed by a statement from Colonial Pipeline). As a result of the latter, the company’s operations became crippled, and to prevent further infection the company chose to proactively take some of its own systems offline. This caused a serious disruption in the fuel flow, as it forced the pipeline to shut down. Further, it would force the company to potentially pay twice, once for the stolen data and once for the encryption key.
In fact, the pipeline may remain shut down for days as investigations into the Colonial Pipeline Hack continue. The amount of ransom demanded, and whether the company has paid any of the ransom so far, remain unknown.
The Colonial Pipeline Hack casts a pall over the future of infrastructure cybersecurity. For more perspective, we compiled commentary and best practices for cybersecurity professionals. Here’s what they had to say.
The Colonial Pipeline Hack: Expert Commentary
Matias Katz
Matias Katz is CEO of Byos.
“The convergence of IT and OT systems for increasingly connected infrastructure will continue to see these vulnerabilities. Strategies for detection, prevention, and mitigation are all needed so incidents like these can be prepared for in the future.
Understanding traffic and controlling access at the edge is imperative as these networks become more intertwined. This can be achieved through technologies that offer proper micro-segmentation, ransomware kill switches, and threat intelligence.”
Paul Martini
Paul Martini is CEO of iboss.
“Ransomware attacks have spiked over the course of the pandemic, so while it’s not shocking to hear about another high-profile attack, the rapid contrition from the attackers is peculiar. We’ve seen massive attacks against some of the largest tech giants, yet organized threat actors – previously motivated strictly by financial gain – may now see a need to differentiate themselves from other criminals and nation-state cyber-espionage groups. Despite this ‘apology’, no organization, from small independent businesses to Fortunes 500, should let their guard down. Prioritizing a strong network security posture is the only defense against constantly evolving threats.”
Troy Gill
Troy Gill is Manager of Security Research at Zix.
“The recent attack on the Colonial Pipeline highlights the risk ransomware can pose not only to businesses but to critical national industrial infrastructure. The attack also showcases that the trend of “ransomware as service” is prolific in today’s world in addition to seeing the growing trend of more joint involvement from both private companies and government agencies to help halt the impact as quickly as possible. Similar to the FBI stepping in and removing Microsoft Exchange web shells to help safeguard organizations, I believe this involvement by the FBI and other government agencies has become critical to assist and prevent further damage with the Colonial Pipeline attack.
Many believe that this attack was a result of more engineers remotely accessing control systems for the pipeline from home using remote desktop software such as TeamViewer and Microsoft Remote Desktop. The pandemic forces more employees to work from home and unfortunately, many organizations are still trying to secure their devices, remote access points, and overall networks. There is no excuse for organizations not to enforce and implement two-factor authentication (2FA) or a multi-layered authentication (MFA) protection approach. In addition to requiring 2FA or MFA, this attack is a great reminder for organizations to make sure they are following all their best practices including:
- Identify and isolate/mitigate the threat, eliminate it as appropriate and confirm elimination,
- Deploy regular security audits to identify vulnerabilities and suspicious user behavior, and
- Ensure business-critical data is being backed up accurately and regularly.
Also of note, this is an important reminder that it is never recommended to pay ransoms as you have no real guarantee that the attackers will cease attack nor is it certain they will provide you with the decryption keys. It is your company’s responsibility to have best proactive and reactive security measures in place so that when faced with a cybersecurity breach, you can reduce the recovery time and restore business quickly.”
Gary Ogasawara
Gary Ogasawara is CTO of Cloudian.
“The ransomware attack on the Colonial Pipeline is a reckoning for how impactful an assault like this can be on a country’s critical infrastructure. Even as Colonial attempts to contain the attack by taking some of its systems offline, every day that goes by without Colonial fully restoring operations increases the downstream disruption. As ransomware groups around the world observe the effect this attack has had, more may follow.
Having strong cybersecurity defenses in place has never been more important, particularly ensuring that businesses can recover quickly and easily from a ransomware attack. One of the best ways to do so is by securing data at the storage level with an immutable backup copy. This way, the data is rendered unchangeable for a certain time period, preventing encryption by malware and enabling easy recovery of an unencrypted data copy in the event of an attack.”
Purandar Das
Purandar Das, CEO and Co-Founder at Sotero.
“What many people had feared is fast becoming a reality. Broadly speaking, the vulnerability posed by underprepared and under-protected networks and systems has long been feared as potential targets for hackers. Within the last few months, it has been clear that organized groups are rapidly targeting these systems both for monetary and intellectual property gain but also to demonstrate the potential power they could hold over critical infrastructure. Attacks like these have the potential to wreak havoc on the economy as well result in the destruction of systems critical for the nation to function.
As these attacks are demonstrating, it is already late in the context of fortifying systems like these. What this also demonstrates, besides the urgency, is the need for coordinated responses both on the defense as well as the offense. All the activity that the government and Congress have initiated, are demonstrating that they too see the need for a massive, coordinated effort. That is the only way to defeat state actors with the wherewithal to coordinate such large-scale sophisticated attacks. It is time for the private sector to consider seriously the investments needed to beef up security, not just as a one-time response but as a long-term strategic initiative.”
Thanks to these experts for their time and expertise on the Colonial Pipeline Hack. For more information, check out the Endpoint Security Buyer’s Guide.
Ben Canner
Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.