Not long ago we saw pictures on the internet of people queuing at gas stations, and the news reported that airports could run out of jet fuel soon. While large parts of the population previously perceived cyber-attacks as something abstract without any real impact, this time a cyber-attack has become a real attack and a real problem for society.
Colonial Pipeline was, of course, not the first successful attack on critical infrastructure, but an impact of this scale, across a region as large as the entire East Coast of the U.S., and in the home nation of big tech, is new and concerning. Compared to the direct costs and the impact on economic performance, the $5 million ransom that was paid is a minor item.
Targeting the low-hanging fruit
The exact details of the attack method in this particular case are still not known, but it has become clear that it was not a highly sophisticated, long-planned, military-grade technical attack. Both the hacker organization Darkside and its ransomware or ransomware-as-a-service (RaaS) offering have been known since mid-2020.
According to media reports, the pipeline and its control systems were not attacked directly. Rather, the attack is likely to have originated in the office IT systems and to have infected the billing system there, which is essential for the unfettered operation of a pipeline.
It is not known whether foreign government organizations encouraged or directed this attack, but it is certain that Darkside does not attack computers whose system language is Russian or another Eastern European language.
When worldwide news media are watching a critical infrastructure operator and waiting for it to decide whether to pay the ransom or accept significant restrictions on public life for a period that is difficult to estimate, the decision is obvious. The double extortion approach, in which data is not only encrypted but the victim is also threatened with its publication, further increases the pressure. The question remains whether this was really a targeted attack or simply an exposed vulnerability that was found.
Traditional attack vectors
The most popular attack method is still email. The chances of success are good and — even if it fails — there is no risk of any consequences for the attacker.
Of course, email-based attacks work better when the cybercriminals are prepared. Mass phishing mails with generic content have a lower chance of success than targeted, well-prepared attacks. Last year COVID-19 turned out to be perfectly suited as a hook for phishing emails. Above all, the recipient must feel personally addressed, whether through curiosity, the promise of money, or a similar hook. When someone clicks on a malicious link, a piece of software is usually downloaded, and things take their unpleasant course.
In Operational Technology (OT) networks, for example in industry, production, or infrastructure, remote maintenance access is often a problem. A large number of employees and external service technicians have to access devices for a wide variety of reasons, and very often a different method is used for each. Just recently there was a critical incident at a water utility in Florida in which remote maintenance access could be abused to manipulate safety-relevant settings.
The attack methods are diverse, and there are many different ways of penetrating another organization's network. The problem with OT networks is that they are flat and open, and the devices on them are vulnerable. This means that attackers or malware that have found their way into the network can spread unhindered.
In order to successfully protect industrial networks, structured security measures are necessary. The example of Colonial Pipeline also shows that IT and OT systems are now closely connected and that there are dependencies between them. If an attack on a billing system or a traditional ERP system causes a large-scale outage, it demonstrates a high degree of system interaction, as would probably be found in many similar companies. The air gap between IT and OT no longer exists, and both sides need to be protected accordingly.
Protective measures include technical and organizational measures as well as employee training and user awareness. A comprehensive email security suite should definitely be part of the solution, as email is the most common attack vector. But even with the best technical solution, it must always be assumed that something could still slip through. For this reason, employees must also be trained so that they are able to recognize an attempted attack.
Email is not the only way into a company. Remote maintenance access is a major risk, especially in industrial networks. Instead of a proliferation of different remote access solutions from different vendors, a single standardized method that is easy to use and thoroughly secured should be provided. Multifactor authentication is mandatory, and remote maintenance access should also be time-limited. And if a piece of malware or an attacker still manages to get into the network, segmentation is the key to preventing the attack from spreading to the company's resources.
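To make the two requirements for remote maintenance access concrete, here is an added example (not Barracuda's code, and not from the article) of a single access broker that grants time-limited maintenance windows per technician and asset and checks a TOTP second factor on every connection. The technician name, the asset name "plc-line3" and the maintenance windows are constructed for the demonstration; the TOTP seed is the public RFC 6238 test-vector secret.

```python
"""Time-limited, MFA-gated remote maintenance access through one broker.
Added example, not Barracuda's code; technician names, asset names and the
maintenance windows are constructed for the demonstration."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s time step), so the second factor can be
    verified offline. Production verifiers also accept the neighbouring steps
    to tolerate clock drift; that is left out here for clarity."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass(frozen=True)
class MaintenanceWindow:
    technician: str
    asset: str      # hypothetical asset name such as "plc-line3"
    start: int      # unix seconds, inclusive
    end: int        # unix seconds, exclusive


class RemoteAccessBroker:
    """The single, standardized entry point the article calls for: a session
    needs a scheduled window for a named asset plus a fresh second factor,
    and every decision is written to an audit trail."""

    def __init__(self, seeds):
        self._seeds = dict(seeds)     # technician -> TOTP seed
        self._windows = []
        self.audit = []

    def schedule(self, technician, asset, start, duration_s):
        if technician not in self._seeds:
            raise ValueError(f"unknown technician {technician!r}")
        window = MaintenanceWindow(technician, asset, start, start + duration_s)
        self._windows.append(window)
        return window

    def connect(self, technician, asset, code, now):
        """Return True only if a window is open for this technician/asset
        pair and the submitted TOTP code is valid at time `now`."""
        reasons = []
        if not any(w.technician == technician and w.asset == asset
                   and w.start <= now < w.end for w in self._windows):
            reasons.append("no open maintenance window")
        seed = self._seeds.get(technician)
        if seed is None or not hmac.compare_digest(code, totp(seed, now)):
            reasons.append("second factor rejected")
        verdict = "ALLOW" if not reasons else "DENY (" + "; ".join(reasons) + ")"
        self.audit.append(f"t={now} {technician} -> {asset}: {verdict}")
        return not reasons


# Constructed demo seed: the RFC 6238 test-vector secret, not a real credential.
DEMO_SEED = b"12345678901234567890"


def demo():
    """Walk through a good session, an expired window, a wrong code and a wrong asset."""
    broker = RemoteAccessBroker({"tech-anna": DEMO_SEED})
    broker.schedule("tech-anna", "plc-line3", start=1000, duration_s=600)
    good = totp(DEMO_SEED, 1200)
    bad = ("1" if good[0] != "1" else "2") + good[1:]   # guaranteed to differ
    results = {
        "in_window_good_code": broker.connect("tech-anna", "plc-line3", good, 1200),
        "after_window": broker.connect("tech-anna", "plc-line3", totp(DEMO_SEED, 1700), 1700),
        "wrong_code": broker.connect("tech-anna", "plc-line3", bad, 1200),
        "wrong_asset": broker.connect("tech-anna", "plc-line9", good, 1200),
    }
    return results, broker.audit


if __name__ == "__main__":
    verdicts, log = demo()
    print(verdicts)
    print("\n".join(log))
```

The point of the design is that a valid second factor alone is not enough: outside a scheduled window, or for an asset that was not named in the request, the connection is refused, and the audit list gives the operator a record of every attempt, including the denied ones.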
Physical attack vectors such as social engineering or USB sticks, as well as malware on mobile devices, must also be considered. Organizations should therefore always assume that security measures at the perimeter can somehow be overcome or bypassed.
Segmentation separates the office IT network from operating technology, and within the OT network the control level is separated from the process level. Legitimate connections are allowed but restricted as much as possible and checked for malicious content with next-generation security, such as antivirus, IPS, and advanced threat protection. In order to prevent horizontal spread — for example from one machine to another — individual or small groups of assets are isolated from one another using micro-segmentation. With the additional use of anomaly detection, suspicious activities in the network traffic can be detected and automatically blocked on the firewalls. This way, in the event of a breach, at least containment can be achieved.
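The following is an added example (not Barracuda's code, and not from the article) that models the segmentation described above as a default-deny firewall policy: office IT is separated from the OT control level, the control level from the process level, production cells inside the process level are micro-segmented from one another, and permitted flows that fall outside a learned baseline are turned into block rules the way an anomaly detector feeding the firewalls would. All addresses, zones, cells, ports and sample flows are constructed for the demonstration.

```python
"""Zone segmentation, micro-segmentation and baseline anomaly blocking.
Added example, not Barracuda's code; all addresses, zones, cells and flows
are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan: office IT is separated from OT, and within OT the
# control level (SCADA/HMI, historian) is separated from the process level (PLCs).
ZONES = {
    "office_it": ipaddress.ip_network("10.10.0.0/16"),
    "ot_control": ipaddress.ip_network("10.20.0.0/24"),
    "ot_process": ipaddress.ip_network("10.30.0.0/24"),
}
# Micro-segments inside the process level: each production cell is isolated
# from the others so one compromised machine cannot reach its neighbours.
CELLS = {
    "cell_a": ipaddress.ip_network("10.30.0.0/26"),
    "cell_b": ipaddress.ip_network("10.30.0.64/26"),
}
# Explicit allow list; everything not listed is denied by default.
# (source zone, destination zone, destination port, inspect with AV/IPS/ATP)
ALLOW = [
    ("office_it", "ot_control", 443, True),    # ERP/billing reads the historian
    ("ot_control", "ot_process", 502, True),   # SCADA polls PLCs (Modbus/TCP)
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def _lookup(table, ip):
    addr = ipaddress.ip_address(ip)
    for name, net in table.items():
        if addr in net:
            return name
    return None


def evaluate(flow):
    """Firewall decision for one flow: 'allow', 'allow+inspect' or a deny reason."""
    src_zone, dst_zone = _lookup(ZONES, flow.src), _lookup(ZONES, flow.dst)
    if src_zone == "ot_process" and dst_zone == "ot_process":
        src_cell, dst_cell = _lookup(CELLS, flow.src), _lookup(CELLS, flow.dst)
        if src_cell is not None and src_cell == dst_cell:
            return "allow"                    # intra-cell traffic stays local
        return "deny:micro-segmentation"      # horizontal spread between cells
    for a_src, a_dst, port, inspect in ALLOW:
        if (src_zone, dst_zone, flow.dport) == (a_src, a_dst, port):
            return "allow+inspect" if inspect else "allow"
    return "deny:default"


class AnomalyDetector:
    """Learns which (src, dst, dport) triples are normal among permitted
    traffic; a permitted flow outside that baseline is flagged and turned
    into a block rule that would be pushed to the firewalls."""

    def __init__(self):
        self.baseline = set()
        self.block_rules = []

    def learn(self, flows):
        for f in flows:
            if evaluate(f).startswith("allow"):
                self.baseline.add((f.src, f.dst, f.dport))

    def observe(self, flow):
        """Final decision for a live flow after the policy and baseline checks."""
        decision = evaluate(flow)
        if not decision.startswith("allow"):
            return decision
        if (flow.src, flow.dst, flow.dport) not in self.baseline:
            self.block_rules.append(f"deny {flow.src} -> {flow.dst}:{flow.dport}")
            return "deny:anomaly"
        return decision


def demo():
    """Learning phase on constructed normal traffic, then a mixed live sample."""
    normal = [
        Flow("10.20.0.5", "10.30.0.10", 502),   # SCADA polls a PLC
        Flow("10.10.5.5", "10.20.0.8", 443),    # ERP reads the historian
        Flow("10.30.0.10", "10.30.0.20", 502),  # PLC talks to local I/O in its cell
    ]
    det = AnomalyDetector()
    det.learn(normal)
    live = {
        "scada_polls_known_plc": Flow("10.20.0.5", "10.30.0.10", 502),
        "scada_scans_new_plc": Flow("10.20.0.5", "10.30.0.11", 502),      # outside baseline
        "office_pc_direct_to_plc": Flow("10.10.5.5", "10.30.0.10", 502),  # crosses IT/OT boundary
        "plc_to_plc_same_cell": Flow("10.30.0.10", "10.30.0.20", 502),
        "plc_to_plc_other_cell": Flow("10.30.0.10", "10.30.0.70", 502),   # cell_a -> cell_b
    }
    return {name: det.observe(f) for name, f in live.items()}, det.block_rules


if __name__ == "__main__":
    decisions, rules = demo()
    for name, decision in decisions.items():
        print(f"{name:26s} {decision}")
    print("generated block rules:", rules)
```

Two things are worth noticing in the output: a workstation in office IT cannot reach a PLC directly even on a port the control level is allowed to use, because the allow list is keyed on the zone pair, and a SCADA host that suddenly talks to a PLC it never polled before is still blocked even though the zone policy would permit it, which is the containment the anomaly detection adds on top of static segmentation.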
Protective measures must therefore always be diverse and multilayered, and each individual measure must be designed as though it alone had to stop the attacker. If this is taken seriously, your own network is no longer an easy target.
The Colonial Pipeline ransomware attack has likely attracted far more attention than the hackers wanted. That can be seen as a wake-up call. The fact that the U.S. government has now responded, and that President Joe Biden has promised extensive financial resources to improve the security of the infrastructure, will certainly prompt many companies to carefully review their own security measures.
Barracuda offers a dedicated CloudGen Firewall product line for securing Industrial IoT and Operational Technology networks. Remote maintenance access is designed securely with traditional VPN clients or the ZTNA solution CloudGen Access. In combination with enterprise security solutions such as Total Email Protection, Barracuda Web Application Firewall, and Barracuda Backup, as well as various product integrations with technology partners, a comprehensive package of measures is available to successfully defend against modern attacks.