Today Is The Anniversary Of The Colonial Pipeline Hack

May 7th is the first anniversary of the Colonial Pipeline hack. The company was hit by ransomware, and the attack created a major fuel shortage along the east coast of the US, which in turn caused fuel prices to spike. To make it go away, the company paid the ransom; the FBI did later recover some of that money. It later emerged that the notorious DarkSide group was behind it, and that they got in via a single compromised password. A lot of this is now a very detailed case study in how an attack like this is carried out and what you can do to avoid being the next victim.

Darren Williams, Founder and CEO of BlackFog had this comment:

“The Colonial Pipeline attack was the first ransomware attack that mainstreamed “Ransomware” around the world. It also highlighted that most organizations were totally unprepared to combat such attacks, to the extent that the US President made it a top priority to invest in programs to protect the nation’s infrastructure.”

“The big lessons learned from these attacks are that you can no longer ignore security and systems need to be professionally managed, updated and protected. Organizations need to embrace security procedures as an important part of the business or face the consequences. Insurance cannot protect you from the damage after it has occurred but only mitigate partial financial losses.”

“The Colonial attack also highlights the need for data exfiltration monitoring to not only prevent ransomware attacks but more importantly stop the loss of information outside the organization. This is the primary goal of any attack, steal as much information as you can and then extort the organization and / or disable the infrastructure.”

“It is crucial that the United States shows leadership in this new frontier of cyberwar from both a monetary and policy perspective. No nation has ever been in trouble by being too prepared. Since the beginning of 2022 we have seen a high volume of attacks that continues to break new records each month. We expect this trend to continue throughout 2022.”

“While we commend the government for taking these attacks seriously, we would like to see regulations that fast-track newer technologies for adoption rather than regulations that currently prevent smaller organizations from winning key contracts. We would propose similar policies to those that were adopted during the COVID pandemic whereby the government was able to fast track solutions by backing several promising technologies which saw unparalleled advances in medicine that the world has never seen. Cyberattacks threaten to affect our water, food and power supplies, and just about anything that uses a microchip. Cyberwar is the new frontier for crime, with low barriers to entry, low risk and minimal chances of being caught.”

Artur Kane, CMO at GoodAccess had the next comment:

“Ransomware attacks are a prevalent threat to businesses today, yet many companies still neglect the necessary procedures to prevent and contain them.

Critical infrastructure, in particular, is a lucrative target. Adversaries often pick them because of the high potential impact and the slow adoption of the latest security measures by critical infrastructure operators, leaving them vulnerable to attack.

Oil, gas, power, and water suppliers tend to be conservative in their security policies, which center on reducing the attack surface by building a secure perimeter to repel outside attacks. This perimeter, built on legacy technology and outdated networking models, has to be impenetrable if it is to fulfil its function.

However, users nowadays also need to connect from outside the secure boundary, something the traditional model has trouble coping with. User devices connected from outside to the internal network may introduce malicious code or let hackers infiltrate internal systems. Once that happens, there is little to stop them doing damage, because the network can never be completely disconnected when administrators need to access it.

Attacks and downtimes are inevitable. While it’s necessary to do the maximum for prevention, in terms of regular security awareness training, backups, and system redundancy, it is equally important to lower the impact of breaches and reduce response time when they do happen.

Apart from regular hardware, firmware, and software patching, and network segmentation, it is also important to reduce the attack surface by enforcing strict access control policies that allow users only the minimum necessary rights. Furthermore, to mitigate the risk associated with remote access, IT admins must extend the network perimeter to all touchpoints between technology, administrative, operations, and public-facing infrastructures.

But even with all these measures in place, attackers can still find a way in. IT professionals must therefore look for ways of detecting attacks early and prepare detailed response and remediation plans. Continual training and security drills for security administrators are a must in order to assure their awareness of response protocols and prepare them for a swift and decisive response.

Attacks on critical infrastructure can be expected to rise in both frequency and magnitude as global tensions rise. The digital space is becoming a hot battleground and is likely to become hotter still as war rages on land, and critical infrastructure operators need to prepare themselves not just to counter profit-oriented ransomware attacks but also sabotage by state-sponsored groups.”

Peter Stelzhammer, Co-founder of AV-Comparatives had this to say:

“Looking at the Colonial Pipeline disaster, it reminds me a little of the Conficker disaster, which occurred in 2008. Both attacks could have been prevented with proper Enterprise Endpoint Security and Patch Management, as well as following the basic security advice every CISO should follow: update the operating system, patch all third-party software, check for known CVEs and use multi-layered security systems. For Conficker, a Microsoft out-of-band patch was released on October 23, 2008, to close this vulnerability; however, a large number of Windows PCs (estimated at 30%) were not patched as of January 2009. Even in the Colonial Pipeline disaster, only the billing system was hit by the DarkSide group; the pipeline was shut down by the operators. Maybe to prevent delivering fossil fuels without being able to send an invoice? So, keep in mind: do frequent rolling backups of your systems, have a disaster recovery plan, and UPDATE and use security systems. IT security belongs to the CEO and the board, it is that important.”

Hopefully organizations learn from what happened with Colonial Pipeline so that they don’t become the next Colonial Pipeline that I have to write about a year from now, or sooner.
