It has been less than two months since a DarkSide ransomware attack on Colonial Pipeline caused a significant disruption to key infrastructure in the United States. Here are five lessons that oil & gas – and other energy concerns – can take from the incident:
Lesson 1: The importance of system monitoring
The hackers launched their attack in the early hours of May 7, exfiltrating some 100GB of data and encrypting back office systems before issuing their ransom demands. However, the initial breach reportedly occurred on April 29, over a week before. This follows a familiar pattern used by threat actors: gain access to a system, then conduct stealth reconnaissance while laying the groundwork for a widescale assault. SIEM solutions, coupled with advanced threat intelligence, detection, and monitoring can help to recognize anomalous activities that could signal the early stages of an attack before the real trouble starts.
Lesson 2: The importance of IT governance
According to Colonial Pipeline President and CEO Joseph Blount in his testimony to the United States Senate Committee on Homeland Security and Governmental Affairs, “We believe the attacker exploited a legacy virtual private network (VPN) profile that was not intended to be in use.” Not only was the breach facilitated by this obsolete, yet still operational part of the network, but the access was reportedly granted by a single userid/password combination. No multi-factor authentication (MFA) was required to access the IT infrastructure of the largest refined oil pipeline system in the United States. After the breach, Colonial reportedly shut down the legacy VPN and implemented additional layers of protection in response.
Lesson learned – formal, standard procedures for decommissioning and shutting down access points and obsolete equipment and networks would have reduced the organization’s threat surface and risk of data breach in the first place. MFA must be considered a basic necessity for secure remote access.
Lesson 3: OT and IT network convergence creates additional risk
The energy sector has significant dependence on both operational technology (OT) and information technology (IT) networks. As interdependencies between these traditionally more diverse systems continue to grow, cyber risk grows as well. Colonial’s decision to shut down its entire pipeline system – for the first time in its history – stemmed from not knowing who was attacking, what their motives were or just how the attack could affect its OT infrastructure. Not having this full visibility into OT network operations and integrations triggered a far bigger issue than a “straightforward” breach of back office systems.
Maintaining a segregation of OT and IT networks, other than where essential and tightly controlled and monitored, can help contain risk. As integrations are contemplated, it is essential to build in security and audit into infrastructure from day one. This planning will create better visibility and understanding of the implications of an attack. A zero-trust architecture is critical – while IT disruptions cause business problems, OT attacks can put lives at risk, either from energy production, storage, or delivery perspective.
Lesson 4: Successful breaches carry a variety of costs
Famously, Colonial Pipeline paid a $4.4 million (USD) ransom to DarkSide for the decryption keys to unlock their systems. Even though DarkSide expressed regret, and 63.7 bitcoins out of 75 paid out were recovered by the FBI, the threat actors still made off with hundreds of thousands of dollars in extorted funds. But that is just the tip of the iceberg. Joseph Blount, President and CEO of Colonial Pipeline acknowledged that it will take months and cost the company “tens of millions of dollars” to fully repair the damage and restore all of its business systems. It took weeks for Colonial Pipeline to restore its billing systems just to allow them to actually get paid for oil distribution. In addition, the reputational cost to Colonial is incalculable – overnight they went from one of the biggest companies the average person had never heard of, to being the subject of constant, negative headlines.
Worse yet, additional costs are being driven by the inevitable legal issues stemming from the incident. A class action claiming millions in damages was launched in May, charging that “unlawfully deficient data security has injured millions of consumers in the form of higher gas prices, and gasoline shortages”. In late June, a customer one of Colonial Pipeline’s distributors alleged that the hack occurred “despite advance knowledge and warnings,” and that, in the lead-up to the attack, Colonial Pipeline “repeatedly ignored and rejected efforts by the applicable regulatory agency to meet with it so as to check on its cybersecurity”.
Lesson 5: A successful breach breeds other hacking efforts
The Colonial Pipeline attack has had ripple effects, as phishing attacks on other energy sector organizations spiked shortly after the incident. One campaign targeted Microsoft 365 customers with an alert purporting to come from their IT help desk with urgent instructions to download a ransomware system update to avoid the same fate as Colonial Pipeline. The download, of course, was actually intended to deploy malware on the target systems. In other examples, spearphishing attacks and robo-filled “Contact Us” forms containing fake threats pretending to come from DarkSide have become more frequent, particularly targeting several companies in the energy and food industries (the latter likely due to the JBS meat processing data breach just a month after the Colonial Pipeline incident). In these cases, the supposed threat actor claims that they have successfully hacked the target’s network, gaining access to sensitive information that will be disclosed publicly if a ransom of 100 bitcoins is not paid.
The threat to the oil & gas and broader energy sector is real, and growing. The threat actors range from sophisticated, government-sponsored attackers looking to cause social and financial chaos to smaller hacktivist interests seeking to show opposition to energy projects or developments. IBM’s X-Force Threat Intelligence Index 2021 report suggests that the energy sector has jumped from ninth place in 2019 to third place in 2020 among industries most heavily targeted for cyber attack. In the study, the energy sector also suffered the second most data theft incidents of any industry in 2020, representing over one-fifth of all attacks. The Canadian Centre for Cyber Security (CCCS) expects this trend to continue: according to their National Cyber Threat Assessment 2020, ransomware “will almost certainly continue to target large enterprises and critical infrastructure providers,” with attackers believing that the chances of paying ransom will be greater as the stakes are higher.
While the consequences of the Colonial Pipeline attack have been costly and severe, the silver lining may be in the lessons learned by other energy sector organizations. Contact ISA Cybersecurity today to learn more about how we can help.