Colonial Pipeline is the largest refined products pipeline system in the country, delivering an estimated 45% of all fuel consumed on the East Coast, so the cyberattack that forced operators to shut down the Alpharetta, Georgia-based system has the potential to have extensive repercussions across the nation’s transportation network. How much of an impact the shutdown has on the nation’s supply depends on the length of the disruption.
The attack was acknowledged Friday May 7. In a statement, the company said, “At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline.”
Such an attack also spotlights the importance of continually upgrading the nation’s core infrastructure. Unfortunately, the cyberattack against Colonial Pipeline is only a teaser of the future of cyberattacks, explains Grant Geyer, chief product officer at industrial cybersecurity company Claroty.
“As cyber criminals and foreign adversaries seek opportunities for financial gain and power projection, our national critical infrastructure is an easy target. Industrial environments are operating with infrastructure that commonly maintains obsolete technology that can’t be patched, and staff that frequently are not as cyber savvy as they need to be to keep attackers at bay,” says Geyer. “This leads to a situation where cyber security risk levels are below acceptable tolerances, and in some cases organizations are blind to the risk.”
Brad Brooks, CEO of San Francisco-based OneLogin, adds, “This attack represents how quickly the stakes are escalating on cybersecurity, with controlling and knowing who has access to your IT systems a board level priority for every company. We are moving from an invisible Cold War that was focused on stealing data to a highly visible hot war that has real implications for physical property and people’s lives.”
Continues Geyer, “One additional risk factor of pipelines is that they are highly distributed environments, and the tools that are used to enable asset operators’ remote connectivity are optimized for easy access and not for security. This provides attackers opportunities to sneak through cyber defenses as we saw in the water utility attack in Oldsmar, Florida earlier this year.”
Among critical infrastructure sectors, energy is especially at risk, adds Geyer. “Our researchers have found that the energy sector is one of the most highly impacted by industrial control system (ICS) vulnerabilities, and it experienced a 74% increase in ICS vulnerabilities disclosed during the second half of 2020 compared to 2018. Improving the nation’s critical infrastructure is going to require a public-private sector partnership given the current gaps and potential risk to the US supply chain and national security.”
If reports are accurate, the Colonial Pipeline incident has all of the markings of a possible ransomware attack that began in the IT environment and, out of precaution, forced the operator to shut down operations. Ransomware has been a favored attack vector of cybercriminals because of its effectiveness and return on investment, explains Marty Edwards, vice president of OT security at Tenable and longest-serving director of ICS-CERT.
“That’s precisely why bad actors have recently set their sights on critical infrastructure. Shutting down operational technology (OT) environments can cost hundreds of millions of dollars which forces providers to outweigh the costs. We should not underestimate these groups,” says Edwards. “Many of them now have help desks, technical support, payroll processing and subcontractors. They are essentially full-fledged criminal corporations operating in the digital world. While it’s unknown how this attack played out, it’s yet another reminder of the increasing threats to critical infrastructure we all rely on.”
The encouraging news? The initial information available from Colonial Pipeline and the press coverage seems to indicate that the company had the processes in place to detect and contain this type of attack before it had an opportunity to spread further and cause more damage, explains Edgard Capdevielle, CEO of Nozomi Networks. “I’m sure there will be a financial impact for having to take systems offline in this containment, but imagine an attack where they didn’t have the systems and processes in place and they lost control of their business for an extended period of time. It would make the cost of proactively taking things offline look like a rounding error,” he says.
According to Capdevielle, the industry is anxiously awaiting guidance and support from the federal government on how to protect critical infrastructure. “Over the years, there has been a lot of talk about how actions aren’t catching up with the attackers. It’s going to be imperative that there are some very prescriptive steps providers have to take before it’s too late,” he says. “There needs to be a level of emphasis put on cybersecurity that we haven’t seen to date, or attacks like we saw on Colonial Pipeline and the Oldsmar Water Plant will be just the beginning. Funding, support and clear guidance will all play an important role in making sure our critical infrastructure is resilient and safe.”
We will continue to update this article as more information surfaces.