The series of severe cybersecurity attacks in 2021 is not stopping. Just a few months after a severe attack on U.S. water supplies, critical infrastructure has been hit again: this time the Colonial Pipeline has been attacked and is currently out of service. Details of the attack are not known yet, and they typically will not be published until the situation is resolved.
Hackers were able to infiltrate Colonial’s network and found a way to steal and encrypt data. As a precautionary measure, Colonial decided to shut down the pipeline proactively. Based on currently available information, pipeline control systems have not been affected directly. Most likely the administrative part of the business has been hit. If operational technology is not properly separated from IT systems, there is a certain risk that those systems, which are usually vulnerable, become affected as well as a result of insufficient network separation.
According to international news agencies, the group behind the attack has been identified as DarkSide or one of its affiliates. The way DarkSide operates clearly shows it is a professional criminal organization, although they are trying to sell themselves as cybersecurity Robin Hoods on their website. In the meantime, DarkSide declared “they didn’t mean to create problems,” which seems like an unsatisfactory response.
There are a variety of possible attack vectors for such an attack. An email-based attack is most likely because this is still the most common attack vector and very efficient for targeting IT systems, but some sort of social engineering could be possible as well. On OT systems, insecure remote access is typically a problem, but based on the publicly available information this is currently unlikely, although other recent attacks such as the one on the Oldsmar water supply demonstrate how effective such an attack can be.
Economic impact of the attack
When critical infrastructure is hit and millions of barrels of oil have to be carried on trucks, that really hurts. With the pipeline shutdown extending to its sixth day, fuel shortages are getting worse in many Southeastern states. In contrast to the smaller security incidents we have seen recently, taking the biggest pipeline of the U.S. down has a significant and long-lasting impact on the economy. 13,000 mid-sized fuel tankers a day would be necessary to compensate for the blocked pipeline, and the result will be fuel prices increasing and economic growth slowing down.
Regarding the impact, the incident can be compared to the blockade of the Suez Canal. Most cyber-attacks usually do not have an impact on public life, and if they do, they only affect a small geographic region. This time people will recognize the implications, which demonstrates the escalating priority of cybersecurity in OT environments. Not many attacks on traditional IT systems would have such an impact on the economy.
Cleaning up after a ransomware attack
While Colonial Pipeline has engaged security experts and law enforcement to assist with the remediation, DarkSide has threatened to publish the stolen data, so they might have to pay anyway. Cleaning up internal systems after a ransomware attack is very important to avoid remaining backdoors that could be used again. A working backup is the last line of defense in that case, and that is why we recommend separating the backup system from the production systems. But recently, more and more organizations behind ransomware attacks have threatened to publish victims’ data on the internet, so they are not just encrypting anymore. Now organizations’ responses depend on how delicate that data is.
Segmentation between IT and OT systems and micro-segmentation within the OT network is a key principle to contain an attack once a piece of malicious software has found a way in. And there are many ways for attacks to start: remote access, email, infected devices of service technicians, and many other possibilities. Bear in mind social engineering targeted on humans can become a problem as well.
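To make the containment argument concrete, here is a small added example (not code from the original post or from any vendor) that models a plant network as zones with allowed connection initiations and computes how far an intrusion in one zone can pivot. The zone names, the flat and segmented policies, and the simplifying assumption that an allowed initiation from zone A to zone B lets an attacker in A pivot into B are all constructed for illustration.

```python
from collections import deque

# Constructed zone names for a simplified plant network (assumption, not from the post).
IT = "corporate-it"          # office network, email, ERP
DMZ = "ot-dmz"               # historian replica, patch/AV staging, jump hosts
SUP = "ot-supervisory"       # SCADA servers, engineering workstations
CELL_A = "ot-cell-a"         # PLCs/HMIs of one process cell
CELL_B = "ot-cell-b"         # PLCs/HMIs of another process cell
ZONES = [IT, DMZ, SUP, CELL_A, CELL_B]

# Flat network: every zone may open connections to every other zone.
FLAT_POLICY = {z: {o for o in ZONES if o != z} for z in ZONES}

# Segmented network: maps a source zone to the zones it may *initiate* connections to.
# IT only reaches the DMZ; the DMZ initiates nothing; supervisory pulls from the DMZ and
# talks to its cells; cells never initiate to each other (micro-segmentation).
SEGMENTED_POLICY = {
    IT: {DMZ},
    DMZ: set(),
    SUP: {DMZ, CELL_A, CELL_B},
    CELL_A: set(),
    CELL_B: set(),
}


def blast_radius(policy, compromised):
    """Return the set of zones an attacker who controls `compromised` could pivot into.

    Simplifying assumption: every allowed initiation from a controlled zone is treated as
    a usable pivot, so the result is an upper bound on lateral movement under the policy.
    """
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        zone = queue.popleft()
        for nxt in policy.get(zone, set()):
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return reached


def direct_it_to_ot_flows(policy):
    """List (src, dst) pairs where an IT zone may initiate straight into OT, bypassing the DMZ."""
    ot_zones = {SUP, CELL_A, CELL_B}
    return sorted((src, dst) for src, dsts in policy.items()
                  if src == IT for dst in dsts if dst in ot_zones)


def containment_report(policy):
    """Map each zone to the number of zones reachable from it; lower numbers mean better containment."""
    return {z: len(blast_radius(policy, z)) for z in ZONES}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, containment_report(policy), "direct IT->OT:", direct_it_to_ot_flows(policy))
```

Under the flat policy a phishing foothold in the office network can reach every cell; under the segmented policy the same foothold stops at the DMZ, and a compromised cell cannot reach its neighbour. The model is deliberately conservative in one direction and optimistic in another: it counts every allowed initiation as a pivot, but it ignores data-plane risks such as a compromised DMZ host serving poisoned files to the supervisory zone that pulls from it, which is why the DMZ itself still needs hardening and monitoring.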
Organizations should also implement a layered defense strategy, with multiple technical hurdles that keep attackers and malicious software out. Security is always a combination of multiple technical and organizational measures. For organizations in critical infrastructure and industries where even short outages can cause significant damage, cybersecurity is an insurance that comes at a much lower cost.