
What we’ve learned from the Colonial Pipeline cyberattack, and what to do about it


Today’s columnist, Grant Geyer of Claroty, offers some actionable advice in the wake of the Colonial Pipeline cyberattack. OrbitalJoe CreativeCommons CC BY-NC-ND 2.0

Last year a friend was preparing for a cybersecurity roundtable and asked me a thought-provoking question: What “black swan” event will make the world take stock of cybersecurity as an existential risk to the world? My response: It won’t be a single event – it has been more like a frog that’s been slowly heating in the pot for the past three decades. Every year, cyber events nudge up the digital risk level and we’ve become desensitized to the increasing temperature. So with the most recent Colonial Pipeline attack, we’re in a fast boil as cyber events are causing real world problems.

Let’s recap: Colonial Pipeline confirmed the ransomware attack occurred, and that it proactively took its systems offline to contain the threat. Meanwhile, on Monday the FBI confirmed that DarkSide was responsible for the attack. Late yesterday around 5 p.m. Eastern, the company said it was restarting its pipeline operations.

While few details have been made available, the attack illuminated several issues impacting the security of industrial control systems (ICS). Many have compared this to the attack against the Oldsmar water treatment facility – but there are important differences: While the damage in Oldsmar was quickly contained by operators and did not result in any disruption to water treatment processes, the Colonial attack will have real economic impact on supply chains and consumers.

Here are some of the important takeaways from this cyberattack:

  • The emergence of targeted ransomware. While we don’t know exactly how DarkSide introduced ransomware into Colonial Pipeline’s IT network, we do know that DarkSide targets specific high-value companies. Once an infection occurs, improper segmentation between IT and OT environments enables OT ransomware infections. By isolating and segmenting OT, organizations can stop the lateral spread of ransomware.
  • Technological obsolescence. The number of attacks against critical infrastructure has been increasing in frequency and severity. As cybercriminals seek opportunities for extortion, our reliance on emerging technology makes our critical infrastructure highly vulnerable based on its enormous attack surface area. Many ICS environments operate with obsolete technology that’s patched infrequently if at all. This leads to a situation where cybersecurity risk levels are below acceptable tolerances. Thus, updating technology and improving governance can go a long way in mitigating risk.
  • The need to secure distributed environments. Pipelines are highly distributed environments and the tools used to grant asset operators remote connectivity are optimized for easy access, rather than security. This gives attackers opportunities to sneak through cyber defenses, as we saw in the Oldsmar attack.
  • Energy companies are especially at risk. Claroty researchers have found that energy companies are among the most heavily affected by ICS vulnerabilities. The energy sector saw a 74% increase in ICS vulnerabilities disclosed in the second half of 2020 compared with the second half of 2018. This shows that cybercriminals have many ways of exploiting the controls of industrial networks.

How should security teams respond?

There are several ways to mitigate an event like this and ensure proper preparedness:

  • Patch all systems or maintain compensating controls. While patching systems in OT environments requires maintenance windows, attackers are most commonly targeting obsolete or unpatched Windows systems. If it’s not possible to patch, ensure there are compensating controls (e.g. firewall rules, ACLs) in place to reduce the inherent risk.
  • Implement strong authentication for all OT users. Despite the sensitivity of OT environments, many organizations use single-factor user names and passwords to access assets. In some cases, they use shared passwords. Implement strong multifactor authentication to ensure that users are who they say they are, and establish least-privilege access for users.
  • Segment the network. Many OT environments were designed primarily for access and not for security, meaning they are “flat” and therefore would allow for a ransomware infection to propagate quickly. Implementing network segmentation would limit the scope and impact of a ransomware attack.
  • Conduct a tabletop exercise. Running a tabletop exercise can help various stakeholders understand organizational and technical preparedness for an event of this nature. Are the backup and restore capabilities in place? Are board members prepared to act? Does the company have cyber insurance in place to pay a ransom?
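The "compensating controls" and "segment the network" recommendations above come down to one question a security team can actually test: from an ordinary IT host, which OT assets and ports does the firewall policy still permit? The following is an added example, not code from Claroty or from the column, that models a first-match-wins packet filter with default deny and audits a weak (flat, allow-any) policy beside a corrected (segmented, jump-host-only) one. The address plan, the jump host, and the rule sets are all constructed for the illustration.

```python
"""Audit whether an IT/OT firewall policy is effectively "flat".

Constructed example: the zones, the jump host and the rule sets are
hypothetical. Rules are evaluated first-match-wins with an implicit
default deny, the way most packet filters behave.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical address plan used throughout this example.
IT_ZONE = "10.10.0.0/16"      # corporate IT hosts
OT_ZONE = "10.20.0.0/16"      # industrial control network
JUMP_HOST = "10.15.0.10"      # hardened remote-access host in a DMZ

# Windows services that ransomware commonly rides between hosts; an
# IT->OT rule that leaves these open is what "flat" means in practice.
LATERAL_PORTS = {445: "SMB", 135: "RPC", 3389: "RDP", 5985: "WinRM"}


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination TCP port; None matches any port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def decide(policy, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; no match means deny."""
    for rule in policy:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"


def audit_it_to_ot(policy, it_zone: str = IT_ZONE, ot_zone: str = OT_ZONE):
    """Return the lateral-movement ports an ordinary IT host can reach in OT.

    One representative host per zone is enough to expose a zone-level
    rule such as allow-any-any; a per-host policy would need every host.
    """
    it_host = str(ip_network(it_zone)[10])
    ot_host = str(ip_network(ot_zone)[10])
    return sorted(p for p in LATERAL_PORTS
                  if decide(policy, it_host, ot_host, p) == "allow")


# Weak setting: a single permit-everything rule, i.e. a flat network.
FLAT_POLICY = [Rule("allow", "0.0.0.0/0", "0.0.0.0/0", None)]

# Corrected setting: only the jump host may reach OT, and only on the
# remote-access port it needs; everything else into OT is denied.
SEGMENTED_POLICY = [
    Rule("allow", f"{JUMP_HOST}/32", OT_ZONE, 443),
    Rule("deny", "0.0.0.0/0", OT_ZONE, None),
]


def main() -> None:
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        open_ports = audit_it_to_ot(policy)
        verdict = "FLAT: ransomware can spread IT->OT" if open_ports else "segmented"
        print(f"{name:10} IT->OT lateral ports open: "
              f"{[LATERAL_PORTS[p] for p in open_ports]} -> {verdict}")
    # The jump host keeps the one access path it legitimately needs.
    print("jump host -> OT:443 under segmented policy:",
          decide(SEGMENTED_POLICY, JUMP_HOST, "10.20.1.5", 443))


if __name__ == "__main__":
    main()
```

The audit is deliberately policy-based rather than a live scan: it reads the rule set the team already controls, so it can run in a change-review pipeline before a rule reaches the firewall. Running it against a real export means translating each vendor's rules into `Rule` objects; the first-match, default-deny evaluation here is an assumption to confirm against the actual device.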

On a broader level, improving the nation’s critical infrastructure will require public-private sector partnerships to close the current gaps and potential risk to the U.S. supply chain and national security. For example, the Biden administration recently announced a 100-day sprint to improve cybersecurity within electric utilities. Since many critical infrastructure operators are privately owned, joint initiatives like this are imperative for keeping our most vital systems safe and reliable.

Grant Geyer, chief product officer, Claroty
