Critical infrastructure continues to call for more attention two years after Colonial Pipeline ransomware attack

Two years ago, ransomware hackers struck Colonial Pipeline systems, forcing one of the United States’ most important fuel pipeline companies to go offline: the company halted operations out of an abundance of caution to contain the DarkSide ransomware attack. The disruption prompted a regional emergency declaration along the East Coast and highlighted the nation’s need for enhanced security of its most critical fuel pipelines.

The Colonial Pipeline attack in May 2021 was executed by DarkSide, a Russia-based cybercriminal group, and led to the pipeline being shut down for several days, resulting in a fuel shortage and price hikes. The attack began when the hackers gained access to Colonial Pipeline’s computer systems through a compromised password. They then encrypted the company’s data, preventing access to critical systems, and demanded a ransom payment in return for decrypting the data.

The fuel pipeline company’s IT networks were compromised and faced incapacitation, preventing millions of barrels of petrol, diesel, and jet fuel from being delivered following the cyberattack. Colonial Pipeline paid US$4.4 million in Bitcoin to the cybercrime syndicate as ransom to regain access to its computer network; federal agencies were later able to recover a significant portion of the funds paid.

Following the attack, the U.S. government formed a task force to investigate the incident and strengthen critical infrastructure cyber defenses, including the transportation network. The attack highlighted the vulnerability of critical infrastructure systems in the U.S. It also raised concerns about the growing threat of ransomware attacks, particularly on critical systems, and the need for increased cybersecurity measures to protect against them.

The Colonial Pipeline attack led President Joe Biden to issue Executive Order 14028 which focuses on improving the nation’s cybersecurity. The administration also rolled out a National Cybersecurity Strategy that identifies a deep and enduring collaboration among stakeholders across the nation’s digital ecosystem. The move serves as a foundation for making a path to resilience in cyberspace more inherently defensible, resilient, and aligned with the country’s values. 

Advancing the priorities outlined in Biden’s E.O. 14028, the Cybersecurity and Infrastructure Security Agency (CISA) released last October a Binding Operational Directive to make measurable progress toward enhancing visibility into assets and associated vulnerabilities across all Federal Civilian Executive Branch (FCEB) agencies and the systems they operate.

CISA also issued in March stakeholder-based updates to the Cybersecurity Performance Goals (CPGs). In response to feedback received directly from the critical infrastructure community, the CPGs have been reorganized, reordered, and renumbered to align closely with the NIST Cybersecurity Framework (CSF) functions, helping organizations use the CPGs to prioritize investments as part of a broader cybersecurity program built around the CSF.

Following the Colonial Pipeline incident, organizations in the U.S. witnessed other critical incidents that made national headlines, including the Kaseya ransomware attack and the discovery of the Log4j vulnerability, baked into the foundations of software applications deployed across the globe.

Last July, the Transportation Security Administration (TSA) revised and re-issued its Security Directive on cybersecurity for oil and natural gas pipeline owners and operators. The directive extends the cybersecurity requirements for another year and focuses on performance-based rather than prescriptive measures to achieve critical cybersecurity outcomes.

Data released by the FBI’s Internet Crime Complaint Center (IC3) in March showed an increase in additional extortion tactics used to facilitate ransomware in 2022, even as the number of reported ransomware incidents decreased. Of the 16 critical infrastructure sectors, IC3 reporting indicated that 14 had at least one member that fell victim to a ransomware attack in 2022. It also revealed that the three top ransomware variants reported to the IC3 that victimized a member of a critical infrastructure sector were LockBit, ALPHV/BlackCat, and Hive.

The IC3 report comes in the wake of the cyber landscape providing ample opportunities for criminals and adversaries to target U.S. networks, attack critical infrastructure, hold money and data for ransom, facilitate large-scale fraud schemes, and threaten national security.

The Colonial Pipeline incident was a significant wake-up call for organizations managing critical infrastructure installations, including those responsible for energy, water supply, healthcare, and transportation sectors. It pushed cybersecurity experts to study the threats and attacks faced by critical infrastructure sectors, while also analyzing how they impacted the approach to securing critical infrastructure installations. 

Data released by industrial cybersecurity firm Dragos in February showed that ransomware attacks on industrial infrastructure organizations nearly doubled in 2022, with over 70 percent of all ransomware activity focused on manufacturing. Hackers also continue to broadly target many manufacturing sectors and subsectors. As ransomware activity increases, it results in more risk for OT (operational technology) networks, particularly networks with poor segmentation.

Industrial Cyber reached out to cybersecurity experts to analyze how the Colonial Pipeline incident changed the approach to securing critical infrastructure installations. 

Duncan Greatwood, CEO of Xage Security

Following the Colonial Pipeline ransomware incident in May 2021, critical infrastructure organizations have been bringing modern preventative cybersecurity into physical operations at scale for the first time, Duncan Greatwood, CEO of Xage Security, highlighted to Industrial Cyber. “Both operators and government regulators have made significant progress in stepping up cybersecurity efforts. Government directives from the likes of TSA, CISA, and NIST have embraced preventative identity-based approaches.”

He also added that operators are prioritizing identity-first defense-in-depth strategies. “The hurdles that previously slowed cyber-hardening are now being addressed, and new technologies are being embraced. A major transformation is happening among prominent, established, and traditional critical infrastructure players.”

Robin Berthier, Co-Founder and CEO of Network Perception

Robin Berthier, co-founder and CEO of Network Perception, said that, most importantly, the Colonial Pipeline incident awoke the nation and the OT industry to the cybersecurity vulnerabilities that exist and made protecting our nation’s critical infrastructure a greater priority. “It led the Biden-Harris administration to set a National Cybersecurity Strategy and for leaders of critical infrastructure and technology to establish industry security standards and to form coalitions, like OTCC and ETHOS, that are aligned on matters of national security.”

“Additionally, it has brought IT and OT security practices closer together – an important forcing function to modernize OT infrastructure,” Berthier told Industrial Cyber. “As an industry that has large volumes of geographically-dispersed legacy equipment and that is disrupted by complex and pervasive communication technology, the attack exposed where organizations in charge of critical infrastructure have to significantly invest and raise the bar for cyber hygiene and asset protection.”

Jori VanAntwerp, CEO and co-founder at SynSaber

“The Colonial Pipeline incident highlighted how vital segmentation, visibility, monitoring, and OT/IT collaboration are,” Jori VanAntwerp, CEO and co-founder at SynSaber, told Industrial Cyber. “The incident also reinforced that these pillars of OT security need to be considered not only in new environments but also within existing infrastructure.”

Industrial organizations targeted with ransomware often claim the ransomware never made it through to the operational network, but that they took systems offline out of an abundance of caution. In other words, they could not be certain they weren’t compromised. The experts examine what measures organizations have implemented over the last two years to increase visibility into their systems, and how things have changed in that timeframe.

Greatwood said that there are a growing number of organizations that have embraced technological advancements to support zero-trust cybersecurity that prevents attacks rather than only detecting them. “For example, a leading North American energy infrastructure corporation, Kinder Morgan, has successfully embedded new technologies to cyber harden and comply with regulatory mandates. With these preventative defense-in-depth approaches, even hard-to-detect attacks can be blocked and contained, greatly reducing the need for precautionary shutdowns,” he added.

Network visibility is paramount to gain situational awareness and reduce the exposure of our critical assets, Berthier said, adding that the majority of organizations still lack proper visibility to efficiently defend themselves. “Over the last two years, two important building blocks to a comprehensive network visibility program have emerged. Those two building blocks are part of a larger risk assessment strategy to develop cyber resiliency, which means the ability to keep running mission-critical operations despite being under threat,” he added. 

Internal network security monitoring (INSM) and network access modeling (NAM) provide two sides of network visibility that are both crucial and complementary to each other, Berthier highlighted. 

INSM means understanding which assets are connecting to which services in real-time. It’s a detection technique that relies on network instrumentation such as Test Access Points (TAP) or Switch Port Analyzers (SPAN) to collect live traffic and dissect protocols through deep packet inspection, according to Berthier. “It provides visibility on all active endpoints that communicate through network paths on which a sensor has been deployed. It’s the go-to approach for threat hunting and intrusion detection. Network monitoring platforms that are specifically designed for OT environments include Claroty, Dragos, Nozomi Networks, and Microsoft Defender for IoT (formerly CyberX),” he added. 

Network access modeling (NAM) means understanding which assets can connect to which services, Berthier said. “It’s a proactive technique that relies on configuration files from firewalls, routers, and layer-3 switches to model the network topology and analyze connectivity paths. It provides accurate visibility of the network architecture and enables risk assessment without having to deploy any sensor or agent in the environment. Network modeling platforms include modern firewall management software on the IT side and NP-View on the OT side.” 

Berthier added that there is no doubt that to become cyber resilient and to confidently assess risks of attacks spreading from IT to OT, organizations have to invest in both techniques so they eliminate all blind spots through a comprehensive network visibility program.
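To make the network access modeling idea concrete, here is an added example that is not from the article, from Network Perception or from NP-View: a small first-match firewall model over constructed rules and hypothetical addresses. It checks individual flows, flags allow rules that directly bridge the IT and OT zones (the segmentation verification Berthier describes), and walks the model to show which hosts an IT workstation can reach by pivoting through a jump host.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # destination port; None means any port
    action: str          # "allow" or "deny"

# Constructed rule base (hypothetical addresses), evaluated top-down, first match wins.
RULES = [
    Rule("10.1.0.0/16", "10.2.0.10/32", "tcp", 3389, "allow"),      # IT users -> DMZ jump host
    Rule("10.2.0.10/32", "192.168.10.0/24", "tcp", 502, "allow"),    # jump host -> PLCs (Modbus)
    Rule("10.1.50.0/24", "192.168.10.0/24", "any", None, "allow"),   # forgotten vendor rule
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),             # explicit default deny
]
# Known hosts and services used to walk the model (constructed).
HOSTS = ["10.1.20.5", "10.1.50.7", "10.2.0.10", "192.168.10.20"]
SERVICES = [("tcp", 3389), ("tcp", 502), ("tcp", 22)]

def matches(rule, src, dst, proto, port):
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.port in (None, port))

def can_connect(src, dst, proto, port, rules=RULES):
    """First-match evaluation of one flow; no match means implicit deny."""
    for rule in rules:
        if matches(rule, src, dst, proto, port):
            return rule.action == "allow"
    return False

def direct_it_to_ot_rules(it_zone, ot_zone, rules=RULES):
    """Segmentation check: allow rules whose source overlaps IT and destination overlaps OT."""
    it, ot = ip_network(it_zone), ip_network(ot_zone)
    return [r for r in rules if r.action == "allow"
            and ip_network(r.src).overlaps(it) and ip_network(r.dst).overlaps(ot)]

def reachable_hosts(start, hosts, services, rules=RULES):
    """Breadth-first walk: hosts `start` can reach directly or by pivoting through others."""
    seen, frontier = {start}, [start]
    while frontier:
        cur = frontier.pop(0)
        for host in hosts:
            if host not in seen and any(can_connect(cur, host, p, port, rules) for p, port in services):
                seen.add(host)
                frontier.append(host)
    seen.discard(start)
    return seen
```

Run against the sample rules, the segmentation check flags only the forgotten vendor rule, while the reachability walk shows that even a workstation outside the vendor subnet reaches the PLC subnet in two hops via the jump host, which is the kind of blind spot a model built from configuration files exposes without any sensor in the OT network.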

VanAntwerp said he thinks that it is important to understand that ransomware in OT environments is very different from IT. “A critical question to ask is, what would be ransomed? The ladder logic on a PLC? Not to make light of the concern, as it can cause disruption, in most cases not to the extent that it does in IT, where critical data can be held for ransom.” 

He added that the major change in the last two years is that organizations now recognize the visibility gap and have identified some single points of failure, and are either architecting or deploying solutions to decrease that gap in their specific environments.

The executives look into whether industrial environments that fall victim to ransomware attacks targeting IT systems feel confident that their OT systems have not been compromised and can continue to service/produce while they respond to the incident.

“IT and OT are converging, with many processes and applications spanning the two domains. Even a technician who connects a laptop first to an IT network, then to OT, can unwittingly carry malware between the two,” Greatwood said. “The old days of ‘air-gapped’ operational networks are over, and the risk of contagion between IT and OT is ever-present.”

However, those contagion risks can be addressed using a zero-trust approach, according to Greatwood. “It is crucial to focus on blocking attacks before systems are compromised and continuing to block attacks even if attackers gain a foothold within the operational network. With multi-factor authentication at every layer, automated credential rotation, granular access control, and protection for legacy systems, ransomware can be blocked from entering OT systems without the need to halt operations.”

Berthier said that only by preparing for an attack can network administrators feel confident in the event of an attack. “Combining network access modeling with traditional network traffic monitoring is the most comprehensive approach to achieving network visibility – and cyber resiliency.” 

If an IT or OT network were to be attacked, the ability to identify compromised assets and exploited vulnerabilities, and to detect whether sensitive information is being exfiltrated or a connected service is misconfigured, is incredibly helpful, according to Berthier. “Having the ability to measure risks related to remote access and to simulate possible network attack paths is critical. And, having the proactive verification that the network is correctly segmented, and an understanding of which critical vulnerabilities are exposed on the network, is essential.”

VanAntwerp said that with the proper level of segmentation, collaboration, and visibility/monitoring, those organizations can absolutely feel more confident about their ability to continue service and production while responding to an incident.

Given the regulatory measures that followed the Colonial Pipeline attack, the executives weigh in on how they assess the uptake of these initiatives by critical infrastructure organizations, and whether global regulators are now in a better position to address such attack vectors.

The TSA – the regulator for oil and gas pipelines like Colonial – pressed ahead, and became (along with NERC/FERC in the power industry) the first critical infrastructure regulator to compel regulated operators to adopt preventive cybersecurity at scale, Greatwood said. “After some back and forth, the regulation settled in a good place, requiring a strong security standard but without trying to dictate exactly how that standard should be achieved. In our view, this has been key to achieving industry acceptance and unleashing innovation in cybersecurity technology for the pipeline sector.”

“We now see that play out across more critical infrastructure sectors, with CISA pressing ‘performance goals’ on a sector-by-sector basis,” according to Greatwood. “Although the threat environment has continued to worsen, with a blurring of the line between nation-state attacks and criminal/ransomware attacks – and though some sectors, such as water utilities, still have a long way to travel – it is clear that both regulators and infrastructure operators are making progress. Now we need to see that progress accelerate further to stay ahead of the hackers.”

Berthier said that there is lots of great work underway to enhance the security of our nation’s critical infrastructure, but there’s still a long way to go. “Although OT environments are now being much more closely monitored, it is crucial to continue taking measures to become resilient to cyber disruptions.”  

“Regulators have already instituted severe consequences for those that are not holding to security measures, or being proactive about network resilience – they are already making their presence felt,” according to Berthier. “We can expect new cybersecurity regulations, such as the TSA security directives for pipelines, being enforced across all critical infrastructure sectors in the next few years.” 

He also pointed out that the government passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in March 2022, requiring CISA to develop and implement regulations that oblige critical infrastructure asset owners to report cyber incidents and ransomware payments within 72 hours.

“Over the past two decades, we have lived in a time of assuming that organizations would voluntarily implement best practices for cybersecurity controls. However, that time is now unequivocally over,” Berthier said. “The stakes are too high, and the threat landscape is too complex to rely on voluntary measures. Organizations must prioritize cybersecurity and take deliberate steps to safeguard their assets. Failure to do so is no longer an option.”

VanAntwerp said that regulation is only one part of the solution, and unfortunately, it is only in the beginning stages. “I believe that regulators are doing their best to address these concerns, but it will take time for organizations to comply with new regulations, especially in critical infrastructure. It’s just too early in the journey to judge,” he added.
