It is now well known that Colonial Pipeline operations were proactively halted on May 7th as the result of a ransomware incident. A tremendous amount has already been published about this incident in many forms, across a variety of media. Until those closely connected to the incident, including the perpetrators of the attack, Colonial Pipeline, and their incident response team, release more information, there is nothing new to add to the narrative.
There are many relevant aspects of this incident that are of interest to many of the stakeholders within our customer’s organizations including:
- The growing prevalence and risk from ransomware-as-a-service (RaaS)
- Real-world impacts of ransomware and other cyber attacks
- The challenges of protecting against ransomware attacks
- Cybersecurity challenges for industrial control system environments
- The interdependencies between business systems and industrial control systems
- The general susceptibility of all businesses to similar attacks
Most of the available information is either highly focused on a single facet of the incident or is very generic in nature. Rather than speculate further about what occurred in an attempt to say something new and noteworthy, this blog discusses some of the most frequently asked questions about this incident, along with brief answers inline and links to resources with more detailed information than we could hope to provide here. We hope that in answering the questions below, we can summarize what we believe are the most important characteristics of this incident along with some key takeaways.
What Happened to Colonial Pipeline?
The Colonial Pipeline, operated by a company of the same name, is the largest pipeline for refined oil products in the United States at 8,850 km in length. On May 7th, Colonial determined that it had been the victim of a ransomware attack and issued a press release stating that they “proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems”.
Pipeline operations were halted on May 7th and did not resume until the afternoon of May 12th. Since fuel moves through the pipeline at the relatively slow rate of five to eight kilometers per hour, it will take several days for operations to fully resume.
How Big a Deal is This?
Robert M. Lee, CEO of Dragos Inc, told CNN that this was the “largest cyberattack on the energy infrastructure of the United States” to date.
The Cybersecurity & Infrastructure Security Agency (CISA) and FBI are both involved in the investigation, and the US has issued an Executive Order on Improving the Nation’s Cybersecurity. The executive order has been anticipated for quite some time and is not directly related to this incident but illustrates the importance the US Government places on the security of its critical infrastructure.
Were OT Systems Impacted?
Operational Technology (OT) Systems are differentiated from traditional IT systems in that they often involve specialized hardware and software, are managed by different personnel, have significant requirements for availability and reliability, and are often separated from the IT network by additional layers of security.
Colonial’s initial statement was that the incident “affected some our IT systems” with the implication being that OT systems were not impacted. CNN is now confirming this, reporting that the FBI and CISA state that “there are no indications that the threat actor moved laterally to the company’s operational networks”
Why Was the Pipeline Shutdown?
There are several reasons that Colonial might choose to shut down the pipeline:
- Ransomware has disrupted the functionality of OT systems.
- The attacker has control over OT systems.
- There is reasonable belief that the attacker or ransomware will or already has spread from the IT network to OT network
- The ransomware has impacted the business operations of the company
Although it was not initially clear, CNN has now confirmed that “The company halted operations because its billing system was compromised”.
While OT systems are often segregated from IT systems, both IT and OT systems play important parts in the business activities of industrial organizations such as Colonial Pipeline. The SANS Emergency Webcast about this attack provides a great overview of the connection points between IT and OT systems.
It is unsurprising therefore that, lacking the ability to track product and determine how to bill its customers, Colonial would halt operations on the pipeline until it regained that visibility and capability.
Who Were the Attackers?
The FBI has confirmed that a ransomware group known as DarkSide is responsible for the attack on Colonial Pipeline. DarkSide is a relatively new group that was first seen in August of 2020. FireEye, who are also assisting Colonial in recovering from this attack, published a detailed blog about DarkSide, its ransomware as a service (RaaS) approach to making money, the affiliates or partners that help spread its ransomware, and the various indicators of compromise that can help detect similar attacks.
DarkSide’s involvement is interesting for two reasons. First, the DarkSide group does not directly attack its victims. Instead, it provides vetted affiliates with access to custom ransomware, technical support, and the DarkSide blog. Affiliates select targets and deploy the ransomware in exchange for a percentage of the payment received. The DarkSide group markets itself to its affiliates as a high–quality service that has a track record of successfully collecting ransom payments.
Second, DarkSide claims to be a “principled” organization in that they will not attack certain targets such as health care organizations, non-profits and governments. They also claim that they “only attack companies that can pay the requested amount, we do not want to kill your business”
Brian Krebs takes a closer look at DarkSide’s inner workings in his KrebsOnSecurity blog on the subject.
Was a Ransom Paid?
It was initially unclear whether Colonial Pipeline paid a ransom to the attackers. Bloomberg was the first to report that Colonial had paid a $5 million ransom to DarkSide shortly after the attack was discovered. Many other media outlets repeated this claim, citing the Bloomberg report, but there was no other confirmation. CNN initially reported that ransom had not been paid, but later updated their story, to state that that they had independent confirmation that a payment was made.
Was Paying the Right Choice?
When asked, Anne Neuberger, the US Deputy National Security Advisor for Cyber and Emerging Technologies acknowledged that there is no perfect answer to the question of whether payment should be made, “So, first, we recognize that victims of cyberattacks often face a very difficult situation. And they have to just balance off, in the cost-benefit, when they have no choice with regard to paying a ransom.”
In their The State of Ransomware 2021 report, Sophos says that 32% of organizations surveyed paid a ransom after being attacked. Ironically, the same percentage of organizations say that they have cybersecurity insurance against ransomware. Finally, Sophos also says that respondents only recovered 65% of their data on average, and this included data restored from backup. Only 8% recovered all their data.
In the Colonial Pipeline case, Bloomberg reports that while Colonial paid the ransom, the decryption process was so slow that the company ultimately recovered the data from backup instead. We commonly hear similar stories. The true cost of recovery is not the ransom itself, but the time and effort required to either decrypt or restore data. The Sophos survey also indicates that the average cost of recovery has more than doubled in the past year.
Since they are only required to pay their insurance deductible, many organizations see ransom payment as one relatively low-cost step they can take to help ensure their recovery even if decryption keys are never used. Unfortunately, many experts feel that this is driving a significant increase in ransomware attacks with attackers using public filings to target companies with cyber insurance. Attackers may even attempt to locate insurance policies after gaining access to target environments so that they can tailor their ransom request to the victim’s ability to pay. ProPublica explores this in much more detail in their article, The Extortion Economy.
Finally, SANS has just published a leadership perspective on ransomware with input from many cybersecurity leaders who offer their individual opinions on the subject.
Should We Blame the Victim?
We should take care before we blame the victims of ransomware attacks. A Google search for “cybersecurity spending” indicates annual worldwide expenditures for cybersecurity in the $60 to $150 billion range depending on whether operational costs are included. Colonial Pipeline says that it has increased its overall IT spending by more than 50% and tens of millions of dollars in the past four years. Despite these expenditures, high profile breaches are occurring daily to businesses of all sorts.
A robust debate could certainly be had about whether these dollars are being spent wisely, what to prioritize, and how to go about implementing strong cybersecurity. Robert M. Lee of Dragos puts it well when he says that “No matter what you do in security someone will think you should do something different”. He goes on to point out that blaming victims “will exclude you from future conversations”, essentially creating an environment where less information is shared in all respects. He concludes by reminding us that there are no simple answers given the “complexity involved in security and running businesses”.
Like many others, we believe that it is our role as trusted security advisors to help our customers navigate this complexity because few businesses can be expected to achieve cybersecurity excellence on their own.
What Can Similar Organizations Do to Protect Themselves?
Dragos, one of the leading companies helping to protect the world’s critical infrastructure has published guidance on architecting to prevent, detect, and respond to attacks like the one suffered by Colonial Pipeline. The SANS Institute also provides guidance both in the Emergency Webcast discussing this attack and its many other ICS resources and classes.
There is no single solution to the problem of ransomware, nor to industrial control system security challenges, however there are many steps that organizations can take to reduce their risk and increase their ability to withstand similar attacks. Contact us to learn more.