On May 8, the Colonial Pipeline Company announced that it had fallen victim to a ransomware attack. The targeted pipeline is the largest fuel transporter on the East Coast, supporting the daily needs of millions of consumers from Texas to New York, according to the company website.

The cyberattack that forced the shutdown of the East Coast’s largest gasoline pipeline has prompted fresh questions about the vulnerability of the country’s critical infrastructure to cyberattacks and serves as a high-profile reminder that many of the companies operating the nation’s most basic infrastructure, from dams to power plants, remain unprepared to deal with threats posed by malicious ones and zeroes.

A quick timeline of the events

On Friday, Colonial Pipeline said it learned that hackers had infected its computer networks with ransomware, malicious code used to seize control of computers and extract payments from victims. The breach affected Colonial’s business networks, which it uses for tasks such as managing payrolls and reporting data to regulators.

Colonial deactivated those systems, but it also shut off the much more sensitive technology that runs its pipeline operations — a precaution aimed at preventing the hackers from reaching it if they hadn’t already. These systems monitor the flow of gas for impurities and leaks, control power levels and perform other automated tasks to keep the pipeline running smoothly.

“In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems,” Colonial Pipeline said in a statement.

Colonial shut down its entire primary pipeline system, which runs more than 5,500 miles from Houston, Texas, to Linden, N.J. This pipeline transports 45 percent of the gasoline, jet fuel and diesel for the East Coast of the United States, according to the company.

Colonial Pipeline also shared some details about their incident response: “Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have launched an investigation into the nature and scope of this incident, which is ongoing. We have contacted law enforcement and other federal agencies.”

On Monday, May 10, Colonial Pipeline began reactivating segments of the pipeline and said it anticipates “substantially restoring operational service by the end of the week,” as reported by ZDNet. However, it did not explain what it meant by “substantially” and has provided few other details about its investigation of the hack.

Who’s behind the attack?

The FBI confirmed that the DarkSide ransomware gang was responsible for the attack. DarkSide is a relatively new ransomware strain associated with a new threat actor that security firm Cybereason has been tracking since August 2020.

“The group has a phone number and even a help desk to facilitate negotiations with victims,” says Cybereason, “and they are making a great effort at collecting information about their victims — not just technical information about their environment, but more general information about the company itself, like the organization’s size and estimated revenue.”

DarkSide is based in Russia, but so far, the U.S. has said it does not believe that the hackers acted on behalf of Russian President Vladimir Putin’s government.

“So far, there is no evidence … from our intelligence people that Russia is involved,” President Biden said. Still, he added, “There’s evidence that the actor’s ransomware is in Russia. They have some responsibility to deal with this.”

“This gang appears to have a code of conduct that prohibits attacks against hospitals, hospices, schools, universities, non-profit organizations and government agencies. No doubt that code of conduct is an effort to establish a level of trust and confidence in victims to enhance the likelihood that they’ll pay,” wrote David Bisson for Cybereason.

In a surprising twist, in the aftermath of the Colonial ransomware attack DarkSide released a statement saying that “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives. Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

What needs to be done?

“As everything is becoming more computerized, the controls for our critical infrastructure are also more computerized and steps need to be taken to ensure that they are protected from cyber attacks,” says Leslie Gordon, acting director for homeland security and justice at the watchdog Government Accountability Office (GAO). According to Gordon, what happened to Colonial Pipeline is “an example of a failure to protect critical infrastructure.”

The key reason these attacks succeed is that industries and organizations fail to practice the basics of good security hygiene, leaving critical infrastructure vulnerable and open to cyber-attacks. Securing oil & gas pipelines, as well as all other critical infrastructure and its supply chains, requires a proactive approach that includes controls such as multi-factor authentication, having response plans ready, and keeping backup systems in place.

The convergence of business IT with critical industrial control systems (ICS) requires extra precautions, such as effective network segmentation. With Colonial Pipeline, the failure to keep its business network segmented from its pipeline network, so that criminals could not move from one to the other, was a major problem and demonstrates the need to improve network security architecture.
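To make the segmentation point concrete, here is an added example (not from the original article or from Colonial Pipeline) that models a zoned IT / OT DMZ / ICS architecture with a default-deny allow-list and flags boundary flows that bypass the DMZ; the address ranges, ports and flow records are constructed for illustration.

```python
"""Segmentation policy check for traffic crossing the IT/OT boundary.

Added example, not the article's or any vendor's code: models three zones
(corporate IT, an OT DMZ, the ICS control network) and evaluates flow
records against a default-deny allow-list, so that any IT host talking
directly to ICS equipment is reported as a segmentation violation.
"""
import ipaddress

# Hypothetical address plan (assumed for the example, not a real network).
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),   # business network
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),   # OT DMZ: historian, jump host
    "ICS": ipaddress.ip_network("10.30.0.0/16"),   # pipeline control systems
}

# Allow-list of (source zone, destination zone, destination port).
# Anything crossing a zone boundary that is not listed here is denied.
ALLOWED = {
    ("IT", "DMZ", 443),    # business users read the replicated historian
    ("DMZ", "ICS", 502),   # Modbus/TCP polling from the historian only
    ("DMZ", "ICS", 3389),  # RDP into ICS only via the DMZ jump host
}

def zone_of(ip):
    """Map an address to its zone name, or 'UNKNOWN' if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"

def evaluate(flow):
    """Return 'allow' or 'deny' for one flow dict {src, dst, dport}."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    if "UNKNOWN" in (src, dst):
        return "deny"                       # unmapped addresses never pass
    if src == dst:
        return "allow"                      # intra-zone traffic is out of scope
    return "allow" if (src, dst, flow["dport"]) in ALLOWED else "deny"

def find_violations(flows):
    """Return the flows a default-deny boundary firewall should have blocked."""
    return [f for f in flows if evaluate(f) == "deny"]

# Constructed sample flows, as they might be exported from a boundary firewall log.
SAMPLE_FLOWS = [
    {"src": "10.10.5.23", "dst": "10.20.0.10", "dport": 443},  # IT -> DMZ historian
    {"src": "10.20.0.10", "dst": "10.30.1.5",  "dport": 502},  # DMZ -> PLC
    {"src": "10.10.5.23", "dst": "10.30.1.5",  "dport": 502},  # IT -> PLC directly
    {"src": "10.10.5.23", "dst": "10.30.1.9",  "dport": 445},  # SMB from IT into ICS
    {"src": "10.30.1.5",  "dst": "10.30.1.6",  "dport": 502},  # intra-ICS
]

if __name__ == "__main__":
    for flow in find_violations(SAMPLE_FLOWS):
        print("VIOLATION", flow)
```

Run against real firewall or NetFlow exports, the two flagged records are exactly the kind of direct IT-to-ICS paths that segmentation is meant to remove.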

As a response to the increasing threats to U.S. critical systems, President Joe Biden is expected to announce an executive order that could require contractors the federal government works with to adhere to certain cybersecurity measures. In addition, last month, the administration launched a 100-day plan to tackle “increasing cyber threats” to the U.S. electric system. It includes working with utilities to build up their capacity to stop, detect, and respond to attacks. Finally, the Department of Energy also launched new research programs in March to make the energy sector more resilient to hazards, both physical and cyber.

ITEGRITI approaches critical infrastructure cybersecurity through our “Reliability Through Cybersecurity Resilience™” model. To operate, organizations require the reliability of their information technology systems and IT/OT managed assets. Well-designed cybersecurity programs defend against and withstand most attacks, but these programs should also address demands for business continuity, information protection, and crisis communications. Oil & gas companies should inventory their technology assets, apply additional protections to their business-critical systems and sensitive information, reduce their attack surface, assess and improve their cyber hygiene, and ensure they have both preventative and detective controls in place. Those controls should be part of an ongoing internal assessment program, because untested controls will atrophy. ITEGRITI designs and implements programs that can help oil & gas companies avoid hacks, detect breaches when they occur, minimize business disruption during a cybersecurity event, and reduce incident recovery time.

The electric sector has similar technology and risks, and began implementing mandatory NERC CIP cybersecurity controls in 2008. Oil & gas companies can borrow valuable lessons learned by the electric sector, where ITEGRITI has 13+ years of experience helping businesses implement and assess the effectiveness of NERC CIP cybersecurity controls. We work with organizations to align cybersecurity programs with specific enterprise risks and first consider existing security hardware, software, and security/compliance controls. ITEGRITI helps companies establish and evaluate specific control objectives and internal controls, measure operational effectiveness, and establish an improvement plan that includes actionable remediation activities.

Through our strategic partnership with HCL Technologies, we implement the items our clients select for remediation, whether in policy and procedure, hardware and software implementation or configuration, or an internal control and audit program to measure, manage and report ongoing control effectiveness.

To learn how we can help you, contact our experts.