The Colonial Pipeline Incident — How Vulnerable Is Critical Infrastructure to Cybercriminals?
On May 7, 2021, Colonial Pipeline, a major U.S. fuel pipeline operator, halted operations as a precautionary measure after a cyberattack involving ransomware was discovered. The attackers appear to have accessed business systems from which they stole nearly 100 gigabytes of data before they locked Colonial Pipeline’s computers and demanded ransom.
Responsible for nearly half of the U.S. East Coast’s fuel supply, Colonial Pipeline supplies fuels from Gulf Coast refining centers to cities, including Washington, D.C., Baltimore and Atlanta, transporting 2.5 million barrels per day of gasoline, diesel and jet fuel through 5,500 miles (8,850 km) of pipelines.
The attack represents a major disruption of the U.S. energy sector and is the latest in a string of unsettling cyberattacks by foreign actors that have drawn attention to the need for private companies and government agencies to harden their digital assets.
The Dark Side
According to an FBI statement, the strain of malware involved appears to be the work of a Russian ransomware gang called “DarkSide.” DarkSide operates under a Ransomware-as-a-Service (RaaS) model, and once a system is compromised, cybercriminals using these services can demand anywhere between $200,000 and $2 million. DarkSide is one of several increasingly professionalized groups of digital extortionists, with a mailing list, a press center and a victim hotline.
Chris Krebs, the former director of Homeland Security’s Cybersecurity and Infrastructure Security Agency, told CBS News the tactics of the Colonial attack are indicative of “veteran” cybercriminals.
DarkSide users display comprehensive capabilities across multiple software systems and platforms, collecting information from a variety of private organizations, including financial institutions, medical facilities, energy firms and tech giants.
These types of hackers aren’t worried about avoiding detection; rather, these actors employ tactics that leverage a company’s desire to keep the breach quiet in order to pressure it into paying up. A popular such tactic is called “double extortion,” a technique in which criminals demand that victims pay both to decrypt their data and to prevent the hackers from leaking the sensitive data that was stolen. This technique allows hackers to increase both the number of ransoms they receive and the value of those demands.
Industry observers regard the Colonial Pipeline cybersecurity incident as financially motivated, rather than state-directed sabotage of the kind observed in the SolarWinds or Microsoft Exchange hacks earlier this year.
The Energy Sector Is Exposed
The energy industry is still navigating the widespread digital transformation of its operational and support structures, a shift that has gained momentum in recent years. These are exciting developments in operational and information technology for oil and gas applications, and many oil and gas companies are prioritizing investments in this area. Two examples of such developments include the internet of things, which facilitates data collection, and Supervisory Control & Data Acquisition (SCADA) systems, which use that data to monitor and control facilities located throughout the energy supply chain.
However, these technologies inherently increase an organization’s attack surface, and every connection between them requires careful authentication and authorization management.
Experts predict that the number of connected devices worldwide will reach a whopping 46 billion by 2021 — all equipped with sensors that communicate back to networks, databases and communications systems. These connected devices span a wide range, from smart toasters to centrifuges enriching uranium. Even a fish-tank thermometer can expose firms to trouble from hackers.
As mentioned in a recent NSA advisory for stopping malicious activity against connected operational technology (OT), it doesn’t help that many of the “OT assets and control systems installed and used throughout the energy sector are past end-of-life and operated without sufficient resources.” Put simply, these systems are dinosaurs. This means updates and vulnerability patches aren’t being developed, stifling IT teams tasked with defending these legacy systems and opening firms up to a considerable amount of risk.
Because critical infrastructure forms the foundation of the end-to-end energy supply chain, it is particularly vulnerable to, and attractive for, these hacker groups. This is compounded by the fact that energy remains a major concern for the nation-states that often enable these bad actors. The energy sector drives so much policy across the world that it affects how countries conduct themselves and interact. Therefore, nation-states are willing to attempt these sophisticated and disruptive campaigns to gain any advantage they can.
Unless cybersecurity measures are embedded in a technology’s development phase, we are likely to see these kinds of disruptive attacks on industrial systems like oil and gas pipelines more frequently. Colonial has said it hopes to “substantially restore operational service by the end of the week,” but that it will be a stepwise process.
It May Take a While to Get Back to Normal
Colonial has managed to restart its pipeline operations but has warned that it will take several days for supply to get back to normal. In the meantime, alternative supply routes are operating to deliver existing inventories to markets along the Colonial pipeline. Aside from the Colonial pipeline, East Coast fuel markets are supplied by the Plantation pipeline, jointly owned by Kinder Morgan and Exxon; East Coast refineries; and fuel shipments from Eastern Canada and Europe. There have already been some signs of panic-buying by motorists along the East Coast.
As for other parts of the energy sector, a shutdown of any of the major crude pipelines would have some impact, though in the case of crude the effect on consumers would be more muted because crude sits further up the supply chain. A disruption to a major natural gas pipeline could have a ripple effect on power generation facilities, depending on the line, the duration and the time of year.
Based on our experience, the industry is taking the threat very seriously, but these complex business and operational IT systems are ultimately operated by humans, and that will always include some element of risk.