With the regularity of cyberattacks, it comes as a surprise the attention the hack of the Colonial Pipeline has received. It’s not because the attackers had a nefarious plan to disable critical infrastructure like we’ve seen in the past with PLC attacks like Stuxnet and DDoS attacks like WannaCry – they didn’t. Rather, I’m surprised because the attack is a larger example of something that happens every day without media attention. The only reason the media took notice is that prolonged outage on the pipeline could lead to major disruptions and a spike in petrol pump prices across the U.S. East Coast.
Colonial Pipeline is the largest U.S. refined products pipeline system. 5,500 miles of pipeline run from Texas to New York. The company carries 45% of the east coast’s fuel supplies and services seven airports. On Friday, the Colonial Pipeline Company temporarily shut down all of its pipeline operations in response to a hack involving ransomware. However, the company asserts that the shut down was precautionary rather than directly in response to a ransomware threat.
Industrial IoT: “a perfect storm of great innovation and wide-open attack vectors”.
In the last few years we’ve seen traditional industries like Oil and Gas (O&G), manufacturing, and shipping in the process of digital transformation, converting legacy brownfield systems to greenfield, with the aim to accelerate the advantages of IoT and data collected through the use of edge and cloud computing: real-time and remote monitoring, predictive analytics, reduced equipment failure, and new insights which drive ideas for new business models. However, as companies have had to contend with reconciling the IT/OT divide, they’ve also had to grapple with no longer enjoying “security by obscurity”, Worse, most industrial companies are home to a mismatch of machines that lack an even playing field when it comes to security – if the ability to secure them exists in the first place.
According to Keatron Evans, Principal Security Researcher at Infosec:
“These networks that actually run, and monitor the pipelines, are generally Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS networks). Traditionally these networks have been air-gapped or physically separated from any other networks, including the internet. This led to extreme lags in updates and patching, as the logic was if they’re not ever connected to anything, there’s no rush to patch or update. Not to mention some of the equipment and protocols in use are often so old that they don’t support anti-virus, updates, or any other security controls.
Decisions were made to join traditionally air-gapped networks to the technologically advanced corporate networks which came with great benefits, easier management, and the chance to not depend on outdated and unsupported software and protocols so much. The SCADA vendors followed suit by updating their hardware to support modern technologies and take advantage of the internet. And updated IoT devices to the mix and you got a perfect storm of great innovation and wide-open attack vectors.”
Gimme some of that Colonial Pipeline money
A statement was published on the dark web site of the criminal hacking group suspected of being behind the ransomware attack on the Colonial Pipeline, which appears to refer to the attack:
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other motives. Our goal is to make money, and not create problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.“
It’s a rather bland statement that is perhaps disappointing to all of the journalists and security analysts who’ve long been predicting an end of days cyberwar where hackers cause havoc according to an underlying political intention. Even their methods of attack are nothing special. As Nathan Einwechter, Director of Security Research at Vectra.ai explained that DarkSide are well known for their level of sophistication and the intentional, slow progression they make through a network to capture and control as many resources and data as possible prior to going destructive, sometimes taking days or weeks.
“Despite this, nothing within their tooling or tactics is particularly new or novel – these are the same tools, techniques, and methods we’ve seen for years even if they take specific care to avoid more modern security controls, like Endpoint Detection and Response (EDR). Given we have the tools and knowledge within industry today to identify these attacks while they’re still developing within our networks, enabling us to mitigate the sort of catastrophic impact we’re observing now, we need to ask ourselves: Why do we keep seeing these attacks play out successfully?”
Indicative of a bigger pain point
While the outcomes of this attack are yet to be clear, the digitalization of critical infrastructure sectors such as oil and gas, city energy grids, and associated industrial systems, increases the potential attack surface for cyber risks. In largely privatized sectors, the impact of an attack can be significant to not only the company but its customers.
In February we saw a software hack on a Florida water treatment plant . An intruder boosted the level of sodium hydroxide in the water supply to 100 times higher than normal. Fortunately, staff thwarted the attack. What’s more important is that attackers were able to create a remote desktop session using TeamViewer. The company used obsolete operating systems, no firewall, and a direct internet connection and had poor credential (user/password) management. It’s not the first time. In 2016 in Saudi Arabia, hackers infiltrated a water utility control system. They were able to change the levels of chemicals being used to treat tap water.
What can other companies learn from the Colonial Pipeline attack?
The Colonial Pipeline attack is not an isolated incident. No one except those in industry and the appropriate officials would have known without a potential customer flow-on effect. According to Dirk Schrader, Global Vice President, Security Research at New Net Technologies,
“Based on known facts and insights, it rather seems that Colonial missed on the essentials. Some of the web servers in their infrastructure show old vulnerabilities dated back to 2010 according to a Shodan search. In addition, there is quite an amount of knowledge about the DarkSide ransomware family. The group is known to spend at least two weeks inside the infrastructure before starting to encrypt a device. This is confirmed by the fact that the attacker extracted about 100G of data from Colonial. So, at least the detection capabilities need some improvement”
Jeff Horne, is CSO at Ordr and former Senior Director of Information Security for SpaceX. He asserts that from a mitigation perspective, protecting your organization from these opportunistic attacks are “normal block and tackling security”:
- Discover and identify your weak points
- Identify devices running legacy versions of unsupported operating
- Identify devices with known vulnerabilities as attackers will try to exploit them.
- Identify high-risk and vulnerable devices that cannot be patched, and isolate these systems from all unnecessary communications.
- Monitor for Ransomware Indicators
- Identify anomalous communication like the discovery of sequential scans on the internal network, and anomalous SMB, RDP, and RPC communications utilized in lateral movement.
- Monitor for common exploits and known ransomware payload URLs used in lateral movement such as EternalBlue.
- Monitor for common C2 communications to known ransomware payload servers; when infected machines reach out to these malicious sites.
- Track user logon/logoff activities. This allows you to ensure the right users have access to vulnerable machines. You can also identify any anomalous user accounts created within the net.
What will be the consequences of the attack? Little without adequate resourcing, training, and negative outcomes for a lack of compliance. O&G security is complex and multilayered. The best practices will fail without all-in commitment and ongoing monitoring, patching, and a security-first approach.