Colonial Pipeline returned to normal operations over the weekend after the Federal Bureau of Investigation (FBI) confirmed that DarkSide ransomware was responsible for the compromise of the fuel pipeline company’s IT networks. The company has not provided any details of the exact cause of the cybersecurity incident, the number of systems affected by the ransomware, or whether any data was stolen in the attack.
This has led to criticism of the way Colonial Pipeline handled the DarkSide ransomware attack. “I find it incredible and inexcusable that the federal government doesn’t require corporations that control more than 80 percent of the nation’s critical infrastructure to adopt minimal levels of cybersecurity,” wrote Robert Reich, Professor of Public Policy at UC Berkeley, in a Facebook post.
“Even now, Colonial Pipeline has said nothing about how the cyberattack unfolded, didn’t admit it paid the ransom, waited four days before alerting the administration, and hasn’t explained why there wasn’t a total separation between its data management and its pipeline operation,” added Reich, who also served as U.S. Secretary of Labor in the Bill Clinton administration.
The fuel pipeline company is reported to have paid close to $5 million in ransom to the DarkSide ransomware attackers after its operations were hit on May 7.
In a Twitter message, Colonial Pipeline confirmed that it has returned to normal operations, “delivering millions of gallons per hour” to the markets it serves, including Texas, Louisiana, Mississippi, Alabama, Tennessee, Georgia, South and North Carolina, Virginia, Maryland, D.C., Delaware, Pennsylvania, and New Jersey. “All of these markets are now receiving product from our pipeline,” the company said in the same message.
After the cybersecurity attack critically affected its operations, Colonial Pipeline took certain systems offline to contain the threat. This temporarily halted all pipeline operations and affected some of its IT systems.
The Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) have established and enforce mandatory cybersecurity standards for the bulk electric system. No comparable mandatory standards exist for the nearly 3 million miles of natural gas, oil, and hazardous liquid pipelines that traverse the United States.
In light of this gap, FERC has called for mandatory cybersecurity standards for the nation’s pipeline infrastructure. “It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector,” FERC Chairman Richard Glick said in a statement. “Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors. Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.”
The U.S. government released an Executive Order last week that sets out steps to modernize U.S. critical infrastructure and the federal approach to cybersecurity: increasing visibility into threats, and applying the appropriate resources and authorities to maximize early detection of cybersecurity vulnerabilities and incidents on federal networks.
The order also covers the protection and security of the IT systems that process data and of the operational technology (OT) environments that run vital machinery to ensure safety, and directs the government to use the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises or hybrid.
“As the nation’s lead agency for protecting the federal civilian government and critical infrastructure against cybersecurity threats, CISA serves a central role in implementing this executive order,” said Brandon Wales, CISA’s acting director, in a statement. “This executive order will bolster our efforts to secure the federal government’s networks, including by enabling greater visibility into cybersecurity threats, advancing incident response capabilities, and driving improvements in security practices for key information technology used by federal agencies. And because the federal government must lead by example, the executive order will catalyze progress in adopting leading security practices like zero-trust architectures and secure cloud environments.”
“The recent Colonial, SolarWinds, and Hafnium attacks have highlighted what has become increasingly obvious in recent years—that the United States is simply not prepared to fend off state-sponsored or even criminal hackers intent on compromising our systems for profit or espionage,” said U.S. Senator Mark R. Warner, a Democrat from Virginia and chairman of the Senate Select Committee on Intelligence, in a statement. “This executive order is a good first step, but executive orders can only go so far. Congress is going to have to step up and do more to address our cyber vulnerabilities, and I look forward to working with the Administration and my colleagues on both sides of the aisle to close those gaps.”
The presidential order aims to centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks, while investing in both technology and personnel to meet these modernization goals. Migration to cloud technology shall adopt zero trust architecture as practicable, and CISA shall modernize its current cybersecurity programs, services, and capabilities to be fully functional in cloud-computing environments with zero trust architecture.
Industry reacted positively to the executive order from the Biden administration following the DarkSide ransomware attack on Colonial Pipeline. “This is the most promising, farthest-reaching move we’ve seen the federal government take to secure the U.S.,” said Kelly Bissell, Lead at Accenture Security, in a blog post. “If we can operationalize these changes, it’s a major strike against cybercriminals, one that will increase their cost of doing business while reducing our costs.”
“Unlike traditional techniques, under which an attacker can search broadly for and exploit cyber weaknesses upon gaining access inside a network segment perimeter, zero trust treats the identity of each machine, application, user, and data stream as its own independent ‘perimeter,’ allowing fine-grained access policy enforcement,” according to a Xage Security blog post following the DarkSide ransomware attack.
“Particularly in distributed industrial environments, this identity-based approach ensures that the actions of users, applications, and machines are verified and specifically authorized before being permitted. Rather than halting operations completely, it would have been possible to identify, investigate, and stabilize the matter – all without ever interrupting pipeline operations,” the post added.
“The incidents of the past week have confirmed the lack of cyber resilience in many industrial companies and is another reminder of the benefits of Zero Trust in mitigating the effects of ransomware,” wrote Brian Kime, Forrester Research’s senior analyst in a blog post. “With a Zero Trust strategy primarily focused on protecting industrial processes, industrial companies are better positioned to withstand a ransomware attack and maintain operational uptime,” he added.
“For ransomware to succeed, attackers must first gain an initial foothold and then find a way to move laterally within an organization by exploiting vulnerabilities and misconfigurations in systems such as Active Directory,” wrote Renaud Deraison, co-founder and CTO at Tenable, in a company blog post.
“While strong authentication mechanisms such as zero-trust are heavily adopted in new IT infrastructures, they are much less prevalent in operational technology (OT) environments – where industrial processes such as oil transportation and water treatment actually happen,” wrote Grant Geyer, a Claroty executive in a blog post. The broad adoption of Zero Trust Network Architectures (ZTNA) by the federal government sets a good, high bar for enterprises to protect their industrial control systems, as it treats all users as untrusted unless they prove that they are trusted, he added.
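To make the identity-based model described in the Xage and Claroty posts concrete, here is an added example (written for this article, not code from those vendors or from Colonial Pipeline) that contrasts a segment-perimeter check with a zero-trust policy decision: a stolen IT service account that has already reached the OT segment passes the perimeter check but is refused by the identity-based policy. Every identity, resource, rule and the MFA/attestation attributes are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed identities, resources and rules for illustration only;
# none of this is Colonial Pipeline's real environment.

@dataclass(frozen=True)
class Principal:
    user: str            # human or service account
    app: str             # application acting on the user's behalf
    mfa: bool            # user presented strong authentication
    device_attested: bool  # device passed a health/attestation check

@dataclass(frozen=True)
class Request:
    principal: Principal
    resource: str        # e.g. "ot/scada-hmi" or "it/billing-db"
    action: str          # "read" or "write"
    source_segment: str  # network segment the request came from

# Explicit allow rules: (user, app, resource) -> permitted actions.
POLICY = {
    ("ops-engineer", "hmi-client", "ot/scada-hmi"): {"read", "write"},
    ("ops-engineer", "erp", "it/billing-db"): {"read"},
    ("billing-svc", "erp", "it/billing-db"): {"read", "write"},
}

def perimeter_decide(req):
    """Traditional model: anything already inside the segment is trusted."""
    zone = req.resource.split("/")[0]
    return req.source_segment == zone

def zero_trust_decide(req, policy=POLICY):
    """Identity-based model: every request needs a verified identity and an
    explicit rule. Network position (source_segment) is never consulted."""
    p = req.principal
    if not p.mfa:
        return False, "user not strongly authenticated"
    if not p.device_attested:
        return False, "device failed attestation"
    allowed = policy.get((p.user, p.app, req.resource), set())
    if req.action in allowed:
        return True, f"explicit rule for {p.user}/{p.app} on {req.resource}"
    return False, f"no rule grants {p.user}/{p.app} {req.action} on {req.resource}"

# A stolen IT service account pivoting from a foothold inside the OT segment.
LATERAL_MOVE = Request(
    Principal("billing-svc", "erp", mfa=True, device_attested=True),
    resource="ot/scada-hmi", action="write", source_segment="ot")
```

With this policy, an authorized operator on an attested device is allowed to reach the HMI from any segment, while the billing account is denied regardless of where it connects from.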
Colonial’s decision to shut down all operations, following the DarkSide ransomware attack, was also condemned. “If an industrial company shuts down operation because of a cyber attack this does not by any means indicate that ICS was compromised, let alone a safety risk,” Ralph Langner, an OT/ICS security expert, wrote in a LinkedIn post on Thursday. “We have seen this over and over again with Norsk Hydro, Maersk, Saudi Aramco and others. Any speculation about ICS impact or even safety risks is baseless. Unfortunately, this will not prevent media and vendors to hype the incident up as OT related.”
Sharing a similar opinion, Matthew Loong, KPMG’s associate director, wrote in a LinkedIn post that if “the Darkside ransomware had indeed corrupted not only the IT network but also breached into the OT network, I am keen to know how and why. Based on statements by Colonial Pipeline, only the IT network had been infected. In that case, I am not sure why they had to shut the OT system.”